UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Inbound packets using IP addresses specified in the RFC5735 and RFC6598, along with network address space allocated by IANA, but not assigned by the RIRs for ISP and other end-customer use must be blocked, denied, or dropped at the perimeter device.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14691 NET0926 SV-47835r2_rule ECSC-1 High
Description
This type of IP address spoofing occurs when someone outside the network uses an address that should not be routed or has not been officially assigned to an ISP for use by the RIR to gain access to systems or devices on the internal network. If the intruder is successful, they can intercept data, passwords, etc., and use that information to perform destructive acts on or to the network.
STIG Date
Perimeter Router Security Technical Implementation Guide Cisco 2015-07-01

Details

Check Text ( C-12856r8_chk )
External Interfaces peering with NIPRNet or SIPRNet:
Review the inbound ACLs on external facing interfaces of perimeter devices attached to the NIPR or SIPR to validate access control lists are configured to block, deny, or drop inbound IP addresses using RFC5735 and RFC6598.

Examples of address space specified in RFC5735 and RFC6598:

0.0.0.0 255.0.0.0
100.64.0.0 255.192.0.0
192.0.0.0 255.255.255.0
192.0.2.0 255.255.255.0
198.18.0.0 255.254.0.0
198.51.100.0 255.255.255.0
203.0.113.0 255.255.255.0
224.0.0.0 240.0.0.0
240.0.0.0 240.0.0.0

External Interfaces peering with commercial ISPs or other non-DoD network sources:
Review the inbound ACLs on external facing interfaces of perimeter devices to validate access control lists are configured to block, deny, or drop inbound IP addresses specified in both RFC5735 and RFC6598. Along with network address space specified in RFC5735 and RFC6598, perimeter devices connected to commercial ISPs for Internet or other non-DoD network sources will need to be reviewed for a full bogon list that includes IP space that has been allocated to the RIRs but not assigned by the RIR to an ISP or other end-user can be obtained at the link below, as it is updated regularly.

If RFC5735 and RFC 6598 address space isn't blocked on the external interface, this is a finding.
Fix Text (F-14156r5_fix)
Configure inbound ACLs on external facing interfaces of perimeter devices peering with NIPRNet or SIPRNet to block, deny, or drop inbound IP addresses specified in RFC5735 and RFC6598.

Configure inbound ACLs on external facing interfaces of perimeter devices peering with commercial ISPs or other non-DoD networks to block, deny, or drop inbound IP addresses specified in RFC5735 and RFC6598. Along with network address space specified in RFC5735 and RFC6598, perimeter devices connected to commercial ISPs for Internet or other non-DoD network sources will need to be reviewed for a fullbogon list that includes IP space that has been allocated to the RIRs but not assigned by the RIR to an ISP or other end-user can be obtained at the link below, as it is updated regularly.

http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt