Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14670 | NET-IPV6-016 | SV-30054r2_rule | Medium |
Description |
---|
The Internet Control Message Protocol version 6 (ICMPv6) supports IPv6 traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMPv6 messages under a wide variety of conditions. ICMPv6 messages are commonly used by attackers for network mapping and diagnosis: Host unreachable, and Redirect. |
STIG | Date |
---|---|
Perimeter L3 Switch Security Technical Implementation Guide - Cisco | 2018-11-28 |
Check Text ( C-39591r2_chk ) |
---|
Review the active configuration to determine if controls have been defined to ensure router has ICMPv6 unreachables or redirects disabled any external interfaces. interface FastEthernet 0/0 ipv6 address 2001::0:0:1/64 ip access-group 101 in no ipv6 redirects no ipv6 unreachables no ipv6 mask-reply In addition, host unreachable messages will be sent in reply to black-hole routes. Be sure that the Null0 interface also has no ip unreachable defined if there are static routes destined for this interface. interface null0 no ipv6 unreachables |
Fix Text (F-14131r1_fix) |
---|
The network element configuration must be changed to ensure ICMPv6 unreachables and redirects are disabled at all external interfaces. |