UCF STIG Viewer Logo

The network element must be configured restrict to accept the device from accepting any inbound IP packets with a local host loop back address, (0:0:0:0:0:0:0:1 or ::1/128).


Overview

Finding ID Version Rule ID IA Controls Severity
V-14695 NET-IPV6-027 SV-15402r1_rule High
Description
The unicast address 0:0:0:0:0:0:0:1, also defined ::1/128 is called the loopback address. A node could use it to send an IPv6 packet to itself. It should never be assigned to any physical interface. It is treated as having link-local scope, and may be thought of as the link-local unicast address of a virtual interface to an imaginary link that goes nowhere. The loopback address must not be used as the source address in IPv6 packets that are sent outside of a single node. An IPv6 packet with a destination address of loopback must never be sent outside of a single node and must never be forwarded by an IPv6 router. A packet received on an interface with destination address of loopback must be dropped.
STIG Date
Perimeter L3 Switch Security Technical Implementation Guide - Cisco 2018-11-28

Details

Check Text ( C-12868r2_chk )
Review the device configuration to ensure filters are in place to restrict inbound IP addresses explicitly, or inexplicitly.

Verify that an ingress ACL for IPv6 has been defined to deny IPv6 Loopback, and log all violations.

If the appropriate filters are not configured and applied, this is a finding.
Fix Text (F-14160r2_fix)
Configure and apply the filters to restrict IP addresses that contain any loopback addresses.