
The router must protect against Inbound IP packets using RFC5735, RFC6598 and other network address space allocated by IANA but not assigned by the RIRs for ISP and other end-customer use by blocking, denying, or dropping them at the perimeter device.


Overview

Finding ID: SRG-NET-000191-RTR-000080
Version: SRG-NET-000191-RTR-000080
Rule ID: SRG-NET-000191-RTR-000080_rule
IA Controls:
Severity: Medium
Description
This type of IP address spoofing occurs when someone outside the network uses an address that should not be routed, or that the RIRs have not officially assigned to an ISP for use, to gain access to systems or devices on the internal network. If the intruder is successful, they can intercept data, passwords, etc., and use the information to perform destructive acts on or to the network.
STIG: Router Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000191-RTR-000080_chk)
Review the perimeter router configuration to verify filters are configured to block, deny, or drop inbound IP addresses using the RFC5735, RFC6598, and network address space allocated by IANA but not assigned by the RIRs for ISP and other end-customer use. If the router is not configured to block, deny, or drop inbound IP addresses using the RFC5735, RFC6598, and network address space allocated by IANA but not assigned by the RIRs for ISP and other end-customer use, this is a finding.
Fix Text (F-SRG-NET-000191-RTR-000080_fix)
Configure the perimeter router filters to block, deny, or drop inbound IP addresses using the RFC5735, RFC6598, and network address space allocated by IANA but not assigned by the RIRs for ISP and other end-customer use.
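
One way to automate the review in the Check Text, as an added example that is not part of the SRG: the script reports which RFC 5735 and RFC 6598 blocks a perimeter filter's deny entries fail to cover. The `deny <prefix>` line format and the sample filter are constructed for illustration, and the IANA-allocated-but-unassigned space is left out because the page does not list it and it changes over time.

```python
import ipaddress

# RFC 5735 special-use IPv4 blocks plus the RFC 6598 shared address space.
# Unassigned IANA space is not listed on the page; append it from current data.
REQUIRED = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
]

# Constructed sample filter in a hypothetical vendor-neutral "deny <prefix>" form.
SAMPLE_FILTER = """\
deny 0.0.0.0/8
deny 10.0.0.0/9
deny 10.128.0.0/9
deny 127.0.0.0/8
deny 169.254.0.0/16
deny 172.16.0.0/12
deny 192.0.0.0/24
deny 192.0.2.0/24
deny 192.88.99.0/24
deny 192.168.0.0/16
deny 198.51.100.0/24
deny 203.0.113.0/24
deny 224.0.0.0/3
permit any
"""

def parse_denies(text):
    """Return the prefixes on 'deny <prefix>' lines; other lines are ignored."""
    denies = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "deny":
            denies.append(ipaddress.ip_network(parts[1]))
    return denies

def audit(denies):
    """Return required prefixes that the deny set does not fully cover."""
    # Merge adjacent entries first so 10.0.0.0/9 + 10.128.0.0/9 counts as 10.0.0.0/8.
    merged = list(ipaddress.collapse_addresses(denies))
    return [p for p in REQUIRED
            if not any(ipaddress.ip_network(p).subnet_of(m) for m in merged)]

if __name__ == "__main__":
    for prefix in audit(parse_denies(SAMPLE_FILTER)):
        print("finding: no deny covers", prefix)
```

The script checks prefix coverage only; rule order and the interface and direction the filter is applied to still need manual review.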