Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-30660 | NET-IPV6-065 | SV-40455r1_rule | Medium |
Description |
---|
The 6to4 specific filters accomplish the role of endpoint verification and provide assurance that the tunnels are being used properly. This primary guidance assumes that only the designated 6to4 router is allowed to form tunnel packets. If they are being formed inside an enclave and passed to the 6to4 router, they are suspicious and must be dropped. In accordance with DoD IPv6 IA Guidance for MO3 (S5-C7-8), packets as such must be dropped and logged as a security event. |
STIG | Date |
---|---|
Perimeter Router Security Technical Implementation Guide Juniper | 2017-06-29 |
Check Text ( C-39285r1_chk ) |
---|
Currently JUNOS does not support 6to4 automatic tunneling so this vulnerability is not applicable |
Fix Text (F-34388r1_fix) |
---|
If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets. |