
The router must restrict the device from accepting any inbound IP packets with a local host loopback address (::1/128).


Overview

Finding ID: SRG-NET-000205-RTR-000104
Version: SRG-NET-000205-RTR-000104
Rule ID: SRG-NET-000205-RTR-000104_rule
IA Controls:
Severity: Medium
Description
The unicast address 0:0:0:0:0:0:0:1, also written ::1/128, is called the loopback address. A node may use it to send an IPv6 packet to itself. It must never be assigned to any physical interface. It is treated as having link-local scope and may be thought of as the link-local unicast address of a virtual interface to an imaginary link that goes nowhere. The loopback address must not be used as the source address of IPv6 packets sent outside a single node. An IPv6 packet with a destination address of loopback must never be sent outside a single node and must never be forwarded by an IPv6 router. A packet received on an interface with a destination address of loopback must be dropped.
STIG: Router Security Requirements Guide
Date: 2013-07-30

Details

Check Text ( C-SRG-NET-000205-RTR-000104_chk )
Review the perimeter router configuration to verify that filters are in place to restrict inbound IPv6 addresses, either explicitly or implicitly. Verify that an ingress filter for IPv6 has been defined to deny the IPv6 loopback address (::1/128) and to log all violations. Relying on the implicit deny at the end of the access list is not sufficient: it drops the packet but produces no log entry. If the IPv6 ingress filter does not deny the IPv6 loopback address and log all violations, this is a finding.
Fix Text (F-SRG-NET-000205-RTR-000104_fix)
Configure the perimeter router to restrict inbound IPv6 addresses by defining the IPv6 ingress filter to deny the IPv6 loopback address (::1/128) and log all violations.
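As an added example (not part of the SRG text), the following Python script performs the check above against a router configuration. It parses Cisco IOS-style `ipv6 access-list` entries (this syntax is an assumption for illustration; other vendors differ), finds the ACL applied inbound on each interface with `ipv6 traffic-filter ... in`, and reports whether a packet sourced from or destined to ::1 would hit an explicit deny entry that logs. The two configurations embedded in it are constructed samples: one with only `permit ipv6 any any` (a finding) and one with the deny-and-log entries the fix calls for.

```python
"""Constructed example: evaluate inbound IPv6 filters for the ::1/128 deny-and-log rule."""
import ipaddress
import re

# Constructed sample configurations (Cisco IOS-style syntax, assumed; not from the SRG).
NON_COMPLIANT_CONFIG = """\
ipv6 access-list EXTERNAL-IN
 permit ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 traffic-filter EXTERNAL-IN in
"""

COMPLIANT_CONFIG = """\
ipv6 access-list EXTERNAL-IN
 sequence 10 deny ipv6 host ::1 any log
 sequence 20 deny ipv6 any host ::1 log
 permit ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 traffic-filter EXTERNAL-IN in
"""

# One access-list entry: optional sequence number, action, protocol, source, destination,
# then anything else (ports, "log", ...). Addresses are "any", "host X" or "X/len".
ACE_RE = re.compile(
    r"^\s*(?:sequence\s+\d+\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+/\d+)\s+(?P<dst>any|host\s+\S+|\S+/\d+)(?P<rest>.*)$"
)


def _to_network(token):
    """Translate an ACE address token (any / host X / X/len) into an IPv6Network."""
    token = token.strip()
    if token == "any":
        return ipaddress.IPv6Network("::/0")
    if token.startswith("host"):
        return ipaddress.IPv6Network(token.split()[1] + "/128")
    return ipaddress.IPv6Network(token, strict=False)


def parse_acls(config):
    """Return {acl_name: [ace dicts]} from Cisco IOS-style config text."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ipv6 access-list (\S+)", line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        if current is None or not line.startswith(" "):
            current = None  # any unindented line ends the access-list block
            continue
        ace = ACE_RE.match(line)
        if ace:
            current.append({
                "action": ace.group("action"),
                "proto": ace.group("proto"),
                "src": _to_network(ace.group("src")),
                "dst": _to_network(ace.group("dst")),
                "log": "log" in ace.group("rest").split(),
            })
    return acls


def inbound_filters(config):
    """Return {interface: acl_name} for every interface with an inbound IPv6 traffic-filter."""
    result, iface = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        if not line.startswith(" "):
            iface = None
            continue
        m = re.match(r"^\s*ipv6 traffic-filter (\S+) in$", line)
        if m and iface:
            result[iface] = m.group(1)
    return result


def first_match(aces, src, dst):
    """First ACE whose addresses cover the packet, or None for the implicit deny.
    Protocol and ports are deliberately ignored: a 'permit tcp any any' placed before
    the deny would still admit loopback-sourced TCP, so it must count as a match."""
    for ace in aces:
        if src in ace["src"] and dst in ace["dst"]:
            return ace
    return None


def check_loopback_filter(config):
    """Per inbound filter: does an explicit, logged deny catch ::1 as source and as destination?"""
    acls = parse_acls(config)
    probe = ipaddress.IPv6Address("2001:db8::1")  # constructed "far end" address
    loop = ipaddress.IPv6Address("::1")
    report = {}
    for iface, name in inbound_filters(config).items():
        aces = acls.get(name, [])
        src_hit = first_match(aces, loop, probe)
        dst_hit = first_match(aces, probe, loop)
        # The implicit deny (None) drops the packet but never logs it, so it does not satisfy the check.
        report[iface] = {
            "acl": name,
            "src_ok": bool(src_hit and src_hit["action"] == "deny" and src_hit["log"]),
            "dst_ok": bool(dst_hit and dst_hit["action"] == "deny" and dst_hit["log"]),
        }
    return report


def is_finding(config):
    """True when no inbound IPv6 filter exists or any filter fails the deny-and-log requirement."""
    report = check_loopback_filter(config)
    return not report or any(not (r["src_ok"] and r["dst_ok"]) for r in report.values())


if __name__ == "__main__":
    for label, cfg in (("non-compliant", NON_COMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        print(label, check_loopback_filter(cfg), "FINDING" if is_finding(cfg) else "ok")
```

The checker tests ::1 as both source and destination because the description forbids loopback in either role; a router that denies only one of them still passes the STIG's literal wording but not the intent. A deny entry without the `log` keyword is reported as a finding, matching the check text's logging requirement.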