Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-30660 | NET-IPV6-065 | SV-40454r1_rule | ECSC-1 | Medium |
Description |
---|
The 6to4 specific filters accomplish the role of endpoint verification and provide assurance that the tunnels are being used properly. This primary guidance assumes that only the designated 6to4 router is allowed to form tunnel packets. If they are being formed inside an enclave and passed to the 6to4 router, they are suspicious and must be dropped. In accordance with DoD IPv6 IA Guidance for MO3 (S5-C7-8), packets as such must be dropped and logged as a security event. |
STIG | Date |
---|---|
Perimeter Router Security Technical Implementation Guide Cisco | 2015-04-06 |
Check Text ( C-39284r1_chk ) |
---|
If the router is functioning as a 6to4 router, verify that there is an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets. Step 1: Determine if the router is functioning as a 6to4 router. You should find a tunnel configuration similar to the following example: interface Tunnel0 no ip address no ip redirects ipv6 address 2000:C0A8:6301::1/64 tunnel source FastEthernet0/1 tunnel mode ipv6ip 6to4 ! … ipv6 route 2002::/16 Tunnel0 Step 2: Verify that there is an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets. You should find a configuration similar to the following example: interface FastEthernet0/1 description internal link ip address 192.168.1.1 255.255.255.0 ipv6 address 6TO4PREFIX ::1:0:0:0:1/64 ip access-group IPV4_EGRESS_FILTER in ! ip access-list extended IPV4_EGRESS_FILTER remark only this 6to4 router can tunnel IPv6 traffic deny 41 any any log … … Note: normally you would want to configure the internal interface for a 6to4 router as dual stack. However IPv6 only is possible and if configured as such, having an IPv4 ACL is irrelevant since the interface will not accept any IPv4 packets. |
Fix Text (F-34388r1_fix) |
---|
If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets. |