Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15293 | NET-TUNL-019 | SV-16074r1_rule | Medium |
Description |
---|
6to4 is an automated tunneling mechanism that provides v6 capability to a dual-stack node or v6 capable site that has only IPv4 connectivity to the site. One key difference between automatic 6to4 tunnels and manually configured tunnels is that the tunnel is not point-to-point; it is point-to-multipoint. Basic 6to4 implementation can be used to connect single nodes too. In 6to4 tunnel implementations, tunnels are not defined in pairs as in manual tunnels. The tunnel destination is determined by the IPv4 address of the border router extracted from the IPv6 address that starts with the prefix 2002::/16, where the format is 2002:IPv4-address in hex::/48. 6to4 traffic takes an asymmetric routing path, outbound traffic and return traffic may take different paths. Although the 6to4 site can select the relay it wants to use, it has no control of the return relay used. See diagram in the STIG. Ensuring reliable operations from relays and knowing who is managing the relay are important and are concerns to preventing against denial of service attacks. 6to4 site routers are not capable of identifying bogus traffic injected from malicious 6to4 relay manufacturing packets. Specifying the exact IPv4 address of the 6to4 relay on the 6to4 router can mitigate these vulnerabilities. 6to4 tunnels are required to discard unexpected protocol 41 packets and inspect IPv6 traffic at the decapsulator end-point. |
STIG | Date |
---|---|
Perimeter L3 Switch Security Technical Implementation Guide - Cisco | 2018-08-22 |
Check Text ( C-13692r1_chk ) |
---|
Base Procedure: Specifying the IPv4 address of the 6to4 relay on the 6to4 router can mitigate these vulnerabilities. |
Fix Text (F-14735r1_fix) |
---|
Define a filter that allows 6to4 tunneling from trusted 6to4 relays. |