UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The router must block IPv6 Site-Local Unicast addresses on the ingress filter, (FEC0::/10). Note that this consists of all addresses that begin with FEC, FED, FEE, and FEF.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-NET-000205-RTR-000103 SRG-NET-000205-RTR-000103 SRG-NET-000205-RTR-000103_rule Medium
Description
Currently defined, site-local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to affect network security through leaks, ambiguity and potential misrouting, as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix defined in RFC3513, i.e., 1111111011 binary or FEC0::/10. Drop all inbound IPv6 packets with an address FEC0::/10 as its source address. Note that this consists of all addresses that begin with FEC, FED, FEE, or FEF.
STIG Date
Router Security Requirements Guide 2013-07-30

Details

Check Text ( C-SRG-NET-000205-RTR-000103_chk )
Review the perimeter router configuration to verify filters are in place to restrict the IPv6 addresses explicitly, or inexplicitly. Verify that ingress and egress filters for IPv6 have been defined to deny Site-Local Unicast Addresses (FEC0::/10) and log all violations. If ingress and egress filters for IPv6 have not been defined to deny Site Local Unicast Addresses (FEC0::/10) and log all violations, this is a finding.
Fix Text (F-SRG-NET-000205-RTR-000103_fix)
Configure the perimeter router ingress and egress filters for IPv6 to deny Site-Local Unicast Addresses (FEC0::/10) and log all violations.