Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-NET-000205-RTR-000104 | SRG-NET-000205-RTR-000104 | SRG-NET-000205-RTR-000104_rule | Medium |
Description |
---|
The unicast address 0:0:0:0:0:0:0:1, also defined ::1/128 is called the loopback address. A node could use it to send an IPv6 packet to itself. It should never be assigned to any physical interface. It is treated as having link-local scope, and may be thought of as the link-local unicast address of a virtual interface to an imaginary link that goes nowhere. The loopback address must not be used as the source address in IPv6 packets that are sent outside of a single node. An IPv6 packet with a destination address of loopback must never be sent outside of a single node and must never be forwarded by an IPv6 router. A packet received on an interface with destination address of loopback must be dropped. |
STIG | Date |
---|---|
Router Security Requirements Guide | 2013-07-30 |
Check Text ( C-SRG-NET-000205-RTR-000104_chk ) |
---|
Review the perimeter router configuration to verify filters are in place to restrict inbound IPv6 addresses explicitly, or inexplicitly. Verify that an ingress filter for IPv6 has been defined to deny IPv6 Loopback (::1/128), and log all violations. If the ingress filter for IPv6 is not defined to deny IPv6 Loopback address, and log all violations, this is a finding. |
Fix Text (F-SRG-NET-000205-RTR-000104_fix) |
---|
Configure the perimeter router to restrict inbound IPv6 addresses by defining the IPv6 filter to deny IPv6 loopback address (::/128). |