UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The administrator must ensure the 6-to-4 router is configured to drop any IPv4 packets with protocol 41 received from the internal network.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30660 NET-IPV6-065 SV-40452r1_rule ECSC-1 Medium
Description
The 6to4 specific filters accomplish the role of endpoint verification and provide assurance that the tunnels are being used properly. This primary guidance assumes that only the designated 6to4 router is allowed to form tunnel packets. If they are being formed inside an enclave and passed to the 6to4 router, they are suspicious and must be dropped. In accordance with DoD IPv6 IA Guidance for MO3 (S5-C7-8), packets as such must be dropped and logged as a security event.
STIG Date
Perimeter Router Security Technical Implementation Guide 2015-12-18

Details

Check Text ( C-39283r1_chk )
If the router is functioning as a 6to4 router, verify that there is an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets.
Fix Text (F-34388r1_fix)
If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets.