
The router must drop IPv6 6-to-4 addresses with a prefix of 2002::/16 at the perimeter by the ingress and egress filters.


Overview

Finding ID: SRG-NET-000205-RTR-000101
Version: SRG-NET-000205-RTR-000101
Rule ID: SRG-NET-000205-RTR-000101_rule
IA Controls: (none listed)
Severity: Medium
Description
"6-to-4" is a tunneling IPv6 transition mechanism [RFC 3056]. This guidance covers the default case, which assumes that 6-to-4 is not being used as an IPv6 transition mechanism. Drop all inbound IPv6 packets containing a source address in 2002::/16, and drop all inbound IPv6 packets containing a destination address in 2002::/16; both rules assume the 6-to-4 transition mechanism is not being used.
STIG: Router Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000205-RTR-000101_chk)
Review the perimeter router configuration to verify that filters are in place to restrict the IP addresses, either explicitly or implicitly. Verify that ingress and egress filters for IPv6 have been defined to deny 6-to-4 tunnel addresses (2002::/16) and to log all violations. If the ingress and egress filters for IPv6 have not been defined to deny 6-to-4 tunnel addresses, this is a finding.

Fix Text (F-SRG-NET-000205-RTR-000101_fix)
Configure the perimeter router ingress and egress filters for IPv6 to deny 6-to-4 tunnel addresses.
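As an added illustration, not part of the STIG text, the ingress and egress filters the check describes, written in Cisco IOS IPv6 access-list syntax; the ACL names, the interface name and the trailing permit entry are assumptions standing in for the site's real perimeter policy:

```cisco
! Added example (not from the STIG): deny 6to4 (2002::/16) as source or
! destination in both directions and log each violation.
! ACL names, the interface name and the trailing permit are placeholders.
ipv6 access-list PERIMETER-IN
 remark SRG-NET-000205-RTR-000101: drop 6to4 source/destination, log hits
 deny ipv6 2002::/16 any log
 deny ipv6 any 2002::/16 log
 permit ipv6 any any
!
ipv6 access-list PERIMETER-OUT
 remark SRG-NET-000205-RTR-000101: drop 6to4 source/destination, log hits
 deny ipv6 2002::/16 any log
 deny ipv6 any 2002::/16 log
 permit ipv6 any any
!
interface GigabitEthernet0/0
 description External (untrusted) link - placeholder interface name
 ipv6 traffic-filter PERIMETER-IN in
 ipv6 traffic-filter PERIMETER-OUT out
```

The `permit ipv6 any any` entries only stand in for the rest of the perimeter policy; the real filters end with the site's own permits and the implicit deny. During the check, `show ipv6 access-list PERIMETER-IN` displays per-entry match counters, which confirms the deny entries are being evaluated on the interface.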