UCF STIG Viewer Logo

Tunnel endpoints must be explicitly defined as auto configuration tunnels are not permitted.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18636 NET-TUNL-003 SV-20202r2_rule ECSC-1 Medium
Description
IPv6-in-IPv4 tunnels require explicit configuration (on the tunnel exit point node) of both the tunnel exit point IP address and the corresponding tunnel entry point address . These are the outer IP layer destination and source addresses respectively. Unfortunately, the other three tunnel types (4-in-4, 4-in-6, and 6-in-6) have no such requirement built into the standards. The tunnel exit point address will likely need to be configured for these tunnel types (i.e. nodes are not expected to simply accept tunneling by default) and there MAY be a configuration option to allow the tunnel entry point address to be declared as well. Administrators should attempt to specify both addresses regardless of the IP versions being tunneled if the capability is available for the implementation. There are no requirements in the GRE tunnel standards to check or restrict IP addresses of the tunnel end points (outer IP layer), so it is purely up to the software implementer. The tunnel exit point address will likely need to be configured for these tunnels (i.e. nodes are not expected to simply accept GRE tunneling by default) and there MAY be a configuration option to allow the tunnel entry point address to be declared as well. Administrators should attempt to specify both addresses if the capability is available for the implementation.
STIG Date
Perimeter L3 Switch Security Technical Implementation Guide - Cisco 2018-11-28

Details

Check Text ( C-22333r1_chk )
This vulnerability description and required safeguard is not applicable to MPLS auto tunnels used in traffic engineering.

The following three tunnel types (4-in-4, 4-in-6, and 6-in-6) do not have requirements built into the standards. Tunnel exit points must be filtered to ensure these protocols have a valid destination address.

If a destination address is not defined for these protocols, than drop the packets via the deny-by-default tunnel policy.

4-in-4 - protocol number: 0x04 (4)
4-in-6 - protocol number: 0x04 (4)
6-in-6 - protocol number: 0x29 (41)
GRE - protocol number: 0x2F (47)
ESP - protocol (50)
AH - protocol (51)


The language in the actions above such as “Drop any ... packet” should be modified as appropriate to account for the packets of any legitimate and deliberately chosen mechanisms. However these deliberate tunnels that do not comply with this policy need to be documented in the SSAA detailing purpose and verification data.
Fix Text (F-19264r1_fix)
Review identified protocols allowed to enter the enclave. If the tunnels do not have explicit IP addresses than drop the tunnel by the deny-by-default tunnel policy, else document the auto configured tunnel in the SSAA describing the activity and perform periodic reviews for the tunnel need.