Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The network element will be configured to ensure IPv6 Site Local Unicast addresses are blocked on the ingress inbound and egress outbound filters, (FEC0::/10). Note that this consist of all addresses that begin with FEC, FED, FEE and FEF.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-14694 | NET-IPV6-026 | SV-15399r2_rule | High |
| Description |
|---|
| As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity and potential misrouting, as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix defined in RFC3513, i.e., 1111111011 binary or FEC0::/10. Drop all inbound and outbound IPv6 packets with an address FEC0::/10 as its source address. Note that this consists of all addresses that begin with FEC, FED, FEE, or FEF. Drop all inbound and outbound IPv6 packets with an address FEC0::/10 as its destination address. Note that this consists of all addresses that begin with FEC, FED, FEE, or FEF. |
| STIG | Date |
|---|---|
| Perimeter Router Security Technical Implementation Guide Cisco | 2017-03-09 |
Details
| Check Text ( C-12865r2_chk ) |
|---|
| Base Procedure: Review the premise router configuration to ensure filters are in place to restrict the IP addresses explicitly, or implicitly. If ingress and egress ACLs for IPv6 have not been defined to deny Site Local Unicast Addresses and log all violations, this is a finding. |
| Fix Text (F-14159r1_fix) |
|---|
| The administrator will configure the router ACLs to restrict IP addresses that contain any Site Local Unicast addresses. |