
Inbound packets using IP addresses specified in the RFC5735 and RFC6598, along with network address space allocated by IANA, but not assigned by the RIRs for ISP and other end-customer use must be blocked, denied, or dropped at the perimeter device.


Overview

Finding ID: V-14691
Version: NET0926
Rule ID: SV-47836r2_rule
IA Controls: (none listed)
Severity: High
Description
This type of IP address spoofing occurs when someone outside the network uses a source address that should not be routed, or that has not been officially assigned by the RIR to an ISP for use, in order to gain access to systems or devices on the internal network. If the intruder is successful, they can intercept data, passwords, etc., and use that information to perform destructive acts on or against the network.
STIG: Perimeter Router Security Technical Implementation Guide Juniper
Date: 2018-11-28

Details

Check Text (C-12856r8_chk)
External Interfaces peering with NIPRNet or SIPRNet:
Review the inbound ACLs on external facing interfaces of perimeter devices attached to the NIPR or SIPR to validate access control lists are configured to block, deny, or drop inbound IP addresses using RFC5735 and RFC6598.

Examples of address space specified in RFC5735 and RFC6598:

0.0.0.0 255.0.0.0
100.64.0.0 255.192.0.0
192.0.0.0 255.255.255.0
192.0.2.0 255.255.255.0
198.18.0.0 255.254.0.0
198.51.100.0 255.255.255.0
203.0.113.0 255.255.255.0
224.0.0.0 240.0.0.0
240.0.0.0 240.0.0.0

External Interfaces peering with commercial ISPs or other non-DoD network sources:
Review the inbound ACLs on external facing interfaces of perimeter devices to validate that access control lists are configured to block, deny, or drop inbound IP addresses specified in both RFC5735 and RFC6598. In addition to the address space specified in RFC5735 and RFC6598, perimeter devices connected to commercial ISPs for Internet or other non-DoD network sources must be reviewed against a full bogon list, which also includes IP space that has been allocated to the RIRs but not yet assigned by an RIR to an ISP or other end user. A regularly updated full bogon list can be obtained at the link below.

If RFC5735 and RFC6598 address space isn't blocked on the external interface, this is a finding.
Fix Text (F-14156r5_fix)
Configure inbound ACLs on external facing interfaces of perimeter devices peering with NIPRNet or SIPRNet to block, deny, or drop inbound IP addresses specified in RFC5735 and RFC6598.

Configure inbound ACLs on external facing interfaces of perimeter devices peering with commercial ISPs or other non-DoD networks to block, deny, or drop inbound IP addresses specified in RFC5735 and RFC6598. In addition to the address space specified in RFC5735 and RFC6598, perimeter devices connected to commercial ISPs for Internet or other non-DoD network sources must be reviewed against a full bogon list, which also includes IP space that has been allocated to the RIRs but not yet assigned by an RIR to an ISP or other end user. A regularly updated full bogon list can be obtained at the link below.

http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
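As an added example (not part of the STIG and not Juniper's own tooling), the following Python script automates the core of the check above: it converts the address/mask pairs listed in the check text into prefixes and reports any that are not covered by a Junos prefix-list parsed from a "set"-style configuration snippet. The prefix-list name BOGONS and the configuration lines are constructed assumptions for illustration.

```python
import ipaddress

# Address/mask pairs exactly as the STIG check text lists them
# (examples of RFC5735 and RFC6598 space that must be dropped inbound).
STIG_EXAMPLE_RANGES = [
    ("0.0.0.0", "255.0.0.0"),
    ("100.64.0.0", "255.192.0.0"),
    ("192.0.0.0", "255.255.255.0"),
    ("192.0.2.0", "255.255.255.0"),
    ("198.18.0.0", "255.254.0.0"),
    ("198.51.100.0", "255.255.255.0"),
    ("203.0.113.0", "255.255.255.0"),
    ("224.0.0.0", "240.0.0.0"),
    ("240.0.0.0", "240.0.0.0"),
]

# Constructed Junos "set" configuration for a hypothetical prefix-list named BOGONS.
# It deliberately omits 198.18.0.0/15 and 240.0.0.0/4 so the check has something to report.
SAMPLE_CONFIG = """\
set policy-options prefix-list BOGONS 0.0.0.0/8
set policy-options prefix-list BOGONS 100.64.0.0/10
set policy-options prefix-list BOGONS 192.0.0.0/24
set policy-options prefix-list BOGONS 192.0.2.0/24
set policy-options prefix-list BOGONS 198.51.100.0/24
set policy-options prefix-list BOGONS 203.0.113.0/24
set policy-options prefix-list BOGONS 224.0.0.0/4
"""


def required_networks():
    """Convert the STIG's address/mask pairs into IPv4 network objects (e.g. 198.18.0.0/15)."""
    return [ipaddress.ip_network(f"{addr}/{mask}") for addr, mask in STIG_EXAMPLE_RANGES]


def parse_prefix_list(config, name):
    """Collect the prefixes of one named prefix-list from 'set policy-options prefix-list ...' lines."""
    prefixes = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:4] == ["set", "policy-options", "prefix-list", name] and len(parts) == 5:
            prefixes.append(ipaddress.ip_network(parts[4], strict=False))
    return prefixes


def uncovered_ranges(config, name="BOGONS"):
    """Return the required ranges (as strings) not fully contained in any prefix of the list."""
    denied = parse_prefix_list(config, name)
    return [str(net) for net in required_networks()
            if not any(net.subnet_of(prefix) for prefix in denied)]


if __name__ == "__main__":
    for missing in uncovered_ranges(SAMPLE_CONFIG):
        print(f"finding: {missing} is not covered by prefix-list BOGONS")
```

The script checks only that each listed range is contained in some prefix of the list; confirming that the filter referencing the list is applied inbound on the external interface and ends in a discard action remains part of the manual review.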