UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The network device must drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18633 NET-TUNL-001 SV-47336r1_rule ECSC-1 Medium
Description
There are a number of outdated tunneling schemes that should be blocked to avoid importing IPv6 packets. DoD IPv6 IA Guidance for MO3 (S0-C7-2) has identified the following to be blocked at the perimeter: Source Demand Routing Protocol (SDRP) AX.25 IP-within-IP Encapsulation Protocol EtherIP protocol Encapsulation Header Protocol PPTP
STIG Date
Perimeter L3 Switch Security Technical Implementation Guide - Cisco 2017-12-07

Details

Check Text ( C-22328r5_chk )
Review the network device configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols:

Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42)
AX.25 - protocol field value of 0x5D (93)
IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94)
EtherIP protocol - protocol field value of 0x61 (97)
Encapsulation Header Protocol - protocol field value of 0x62 (98)
PPTP - TCP or UDP destination port (0x06BB) 1723

The following example will block any IPv6 inbound packet using any of the outdated tunneling protocols as previously discussed:

interface FastEthernet0/1
description DISN CORE facing
ipv6 address 2001:1:0:146::4/64
ipv6 traffic-filter IPV6_INGRESS_ACL in
!

!
ip access-list IPV6_INGRESS_ACL
deny 42 any any
deny 93 any any
deny 94 any any
deny 97 any any
deny 98 any any
deny tcp any any eq 1723
deny udp any any eq 1723
Fix Text (F-19260r3_fix)
Configure the network device to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols:

Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42)
AX.25 - protocol field value of 0x5D (93)
IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94)
EtherIP protocol - protocol field value of 0x61 (97)
Encapsulation Header Protocol - protocol field value of 0x62 (98)
PPTP - TCP or UDP destination port (0x06BB) 1723