The router must suppress router advertisements on all external-facing IPv6-enabled interfaces.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000202-RTR-000089 | SRG-NET-000202-RTR-000089 | SRG-NET-000202-RTR-000089_rule | Low |
| Description |
|---|
| Many of the known attacks in stateless autoconfiguration defined in RFC 3756 were present in IPv4 ARP attacks. IPSec AH was originally suggested as mitigation for link-local attacks, but has since been found to have bootstrapping problems and to be administrative intensive. Due to first requiring an IP address in order to set up, the IPSec security association creates the chicken-before-the-egg dilemma. To mitigate these vulnerabilities, links that have no hosts connected such as the interface connecting to external gateways will be configured to suppress router advertisements. Disable (or do not configure) all IPv6 Neighbor Discovery functions across tunnels including the Neighbor Unreachability Detection (NUD) function. Note: This is applicable only when the inner IP layer is IPv6 since IPv4 does not have the Neighbor Discovery functionality. |
| STIG | Date |
|---|---|
| Router Security Requirements Guide | 2013-07-30 |
Details
| Check Text ( C-SRG-NET-000202-RTR-000089_chk ) |
|---|
| Inspect the device configuration to verify IPv6 router advertisement suppression is enabled on all external-facing interfaces. This is applicable to all IPv6-enabled interfaces connected to an IP backbone (i.e. NIPRNet, SIPRNet, etc), a backdoor link, or an alternate gateway (AG). If IPv6 router advertisement suppression is not enabled on all external-facing interfaces, this is a finding. |
| Fix Text (F-SRG-NET-000202-RTR-000089_fix) |
|---|
| Configure the router to enable route advertisement suppression on all external-facing IPv6-enabled interfaces. |