Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-NET-000205-RTR-000101 | SRG-NET-000205-RTR-000101 | SRG-NET-000205-RTR-000101_rule | | Medium |
Description |
---|
"6-to-4" is a tunneling IPv6 transition mechanism [RFC 3056] that carries IPv6 over IPv4 using addresses from the 2002::/16 prefix. This guidance covers the default case, which assumes that 6-to-4 is not being used as an IPv6 transition mechanism. Under that assumption, drop all inbound IPv6 packets containing a source address in 2002::/16, and drop all inbound IPv6 packets containing a destination address in 2002::/16. |
STIG | Date |
---|---|
Router Security Requirements Guide | 2013-07-30 |
Check Text ( C-SRG-NET-000205-RTR-000101_chk ) |
---|
Review the perimeter router configurations to verify that filters are in place to restrict these addresses, whether matched explicitly or implicitly. Verify that ingress and egress filters for IPv6 have been defined to deny 6-to-4 tunnel addresses (2002::/16) and log all violations. If the ingress and egress filters for IPv6 have not been defined to deny 6-to-4 tunnel addresses and log violations, this is a finding. |
Fix Text (F-SRG-NET-000205-RTR-000101_fix) |
---|
Configure the perimeter router ingress and egress filters for IPv6 to deny 6-to-4 tunnel addresses (2002::/16) and log violations. |
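The following script is an added example and is not part of the STIG or any DISA tooling. It shows the filter decision the Description calls for (drop and log anything with a 2002::/16 source or destination), decodes the IPv4 address a 6to4 address embeds under RFC 3056, and audits a router configuration against the Check Text. The configuration is a constructed sample written in Cisco IOS-style IPv6 ACL syntax; the list names `PERIMETER-IN`/`PERIMETER-OUT`, the interface name and all function names are hypothetical. The sample is deliberately half-compliant so the audit has something to report.

```python
"""Filter and audit helper for SRG-NET-000205-RTR-000101 (6to4, 2002::/16).

Added example, not part of the STIG. SAMPLE_CONFIG is a constructed,
IOS-style configuration: the ingress list is compliant, the egress list
only denies 2002::/16 as a destination and does not log.
"""
import ipaddress
import re

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # RFC 3056 6to4 prefix

SAMPLE_CONFIG = """\
ipv6 access-list PERIMETER-IN
 deny ipv6 2002::/16 any log
 deny ipv6 any 2002::/16 log
 permit ipv6 any any
ipv6 access-list PERIMETER-OUT
 deny ipv6 any 2002::/16
 permit ipv6 any any
interface GigabitEthernet0/0
 ipv6 traffic-filter PERIMETER-IN in
 ipv6 traffic-filter PERIMETER-OUT out
"""


def embedded_ipv4(addr):
    """Return the IPv4 address a 6to4 address embeds (2002:V4ADDR::/48), or None."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIX_TO_FOUR:
        return None
    return str(ipaddress.IPv4Address(a.packed[2:6]))  # bytes 2..5 hold V4ADDR


def filter_decision(src, dst):
    """The STIG default case: drop and log any packet whose source or
    destination lies in 2002::/16 (6to4 is assumed not to be in use)."""
    hits = [name for name, addr in (("src", src), ("dst", dst))
            if ipaddress.IPv6Address(addr) in SIX_TO_FOUR]
    if hits:
        return ("drop", "6to4 " + "/".join(hits))
    return ("permit", None)


def parse_acls(config):
    """Return {acl_name: [entry, ...]} from an IOS-style config string."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ipv6 access-list (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif line.startswith(" ") and current:
            acls[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the ACL block
    return acls


def applied_lists(config):
    """Return {'in': {names}, 'out': {names}} from 'ipv6 traffic-filter' lines."""
    applied = {"in": set(), "out": set()}
    for m in re.finditer(r"ipv6 traffic-filter (\S+) (in|out)", config):
        applied[m.group(2)].add(m.group(1))
    return applied


def acl_denies_6to4(entries):
    """True if the list denies 2002::/16 as source AND as destination, each
    with 'log', before any permit. Any permit seen before both denies is
    conservatively treated as shadowing them."""
    seen = {"src": False, "dst": False}
    for entry in entries:
        parts = entry.split()  # e.g. deny ipv6 2002::/16 any log
        if parts[0] == "permit":
            break
        if parts[0] == "deny" and "log" in parts:
            if parts[2] == "2002::/16":
                seen["src"] = True
            if parts[3] == "2002::/16":
                seen["dst"] = True
    return seen["src"] and seen["dst"]


def audit(config):
    """Return a list of findings; an empty list means the check passes."""
    acls, applied = parse_acls(config), applied_lists(config)
    findings = []
    for direction in ("in", "out"):
        if not applied[direction]:
            findings.append(f"no IPv6 traffic-filter applied {direction}bound")
        for name in sorted(applied[direction]):
            if not acl_denies_6to4(acls.get(name, [])):
                findings.append(f"{name} ({direction}) does not deny and log "
                                "2002::/16 as both source and destination")
    return findings


if __name__ == "__main__":
    print(filter_decision("2002:c000:204::1", "2001:db8::1"))
    print(embedded_ipv4("2002:c000:204::1"))
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a saved `show running-config` instead of `SAMPLE_CONFIG` to reproduce the Check Text; the decoded embedded IPv4 address is useful when triaging logged hits, since it identifies the IPv4 relay or host behind a 6to4 source.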