The network element must be configured so that ICMPv6 unreachable notifications and redirects are disabled on all external facing interfaces.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-14670	NET-IPV6-016	SV-30054r2_rule		Medium

Description
The Internet Control Message Protocol version 6 (ICMPv6) supports IPv6 traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMPv6 messages under a wide variety of conditions. ICMPv6 messages are commonly used by attackers for network mapping and diagnosis: Host unreachable, and Redirect.

STIG	Date
Perimeter L3 Switch Security Technical Implementation Guide - Cisco	2018-11-28

Details

Check Text ( C-39591r2_chk )
Review the active configuration to determine if controls have been defined to ensure router has ICMPv6 unreachables or redirects disabled any external interfaces. interface FastEthernet 0/0 ipv6 address 2001::0:0:1/64 ip access-group 101 in no ipv6 redirects no ipv6 unreachables no ipv6 mask-reply In addition, host unreachable messages will be sent in reply to black-hole routes. Be sure that the Null0 interface also has no ip unreachable defined if there are static routes destined for this interface. interface null0 no ipv6 unreachables

Check Text ( C-39591r2_chk )

Review the active configuration to determine if controls have been defined to ensure router has ICMPv6 unreachables or redirects disabled any external interfaces.

interface FastEthernet 0/0
ipv6 address 2001::0:0:1/64
ip access-group 101 in
no ipv6 redirects
no ipv6 unreachables
no ipv6 mask-reply

In addition, host unreachable messages will be sent in reply to black-hole routes. Be sure that the Null0 interface also has no ip unreachable defined if there are static routes destined for this interface.

interface null0
no ipv6 unreachables

Fix Text (F-14131r1_fix)
The network element configuration must be changed to ensure ICMPv6 unreachables and redirects are disabled at all external interfaces.