
The router must block IPv6 Site-Local Unicast addresses (FEC0::/10) on the ingress filter. Note that this consists of all addresses that begin with FEC, FED, FEE, and FEF.


Overview

Finding ID: SRG-NET-000205-RTR-000103
Version: SRG-NET-000205-RTR-000103
Rule ID: SRG-NET-000205-RTR-000103_rule
IA Controls: (none listed)
Severity: Medium
Description
As currently defined, site-local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to affect network security through leaks, ambiguity, and potential misrouting, as documented in section 2 of RFC 3879. RFC 3879 formally deprecates the IPv6 site-local unicast prefix defined in RFC 3513, i.e., 1111111011 binary or FEC0::/10. Drop all inbound IPv6 packets with a source address in FEC0::/10. Note that this consists of all addresses that begin with FEC, FED, FEE, or FEF.
STIG: Router Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000205-RTR-000103_chk)
Review the perimeter router configuration to verify that filters are in place to restrict the IPv6 addresses, whether explicitly or implicitly. Verify that ingress and egress filters for IPv6 have been defined to deny Site-Local Unicast Addresses (FEC0::/10) and log all violations. If ingress and egress filters for IPv6 have not been defined to deny Site-Local Unicast Addresses (FEC0::/10) and log all violations, this is a finding.
Fix Text (F-SRG-NET-000205-RTR-000103_fix)
Configure the perimeter router ingress and egress filters for IPv6 to deny Site-Local Unicast Addresses (FEC0::/10) and log all violations.
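The following is an added example, not part of the STIG text or any vendor configuration: it tests an address against FEC0::/10 both with the standard library and on the raw top ten bits (1111111011) that RFC 3879 names, then simulates the deny-and-log behaviour the check expects over a small constructed packet list. Packet tuples and log format are assumptions.

```python
import ipaddress

# Deprecated IPv6 site-local unicast prefix (RFC 3879 / RFC 3513): FEC0::/10.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")


def is_site_local(addr: str) -> bool:
    """True if addr lies inside FEC0::/10 (first hextet FEC0 through FEFF)."""
    return ipaddress.IPv6Address(addr) in SITE_LOCAL


def is_site_local_bits(addr: str) -> bool:
    """Same test done on the raw bits: the top 10 of 128 bits must be 1111111011."""
    value = int(ipaddress.IPv6Address(addr))
    return (value >> 118) == 0b1111111011


def apply_filter(packets, direction="ingress"):
    """Simulate the perimeter filter described in the Fix Text.

    packets: constructed (src, dst) pairs of IPv6 address strings.
    Ingress checks the source address, egress checks the destination address;
    a match is dropped and logged.  Returns (passed_packets, log_lines).
    """
    passed, log = [], []
    for src, dst in packets:
        checked = src if direction == "ingress" else dst
        if is_site_local(checked):
            log.append(f"{direction.upper()} DENY src={src} dst={dst} match=fec0::/10")
        else:
            passed.append((src, dst))
    return passed, log


if __name__ == "__main__":
    # Constructed sample: one legitimate global-unicast flow, two site-local sources.
    sample = [
        ("2001:db8::1", "2001:db8::2"),
        ("fec0::1", "2001:db8::2"),
        ("feff:1234::9", "2001:db8::2"),
    ]
    ok, denied = apply_filter(sample)
    print(f"passed={len(ok)} denied={len(denied)}")
    for line in denied:
        print(line)
```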