Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-NET-000205-RTR-000107 | SRG-NET-000205-RTR-000107 | SRG-NET-000205-RTR-000107_rule | | Medium |
Description |
---|
The IANA has assigned the FC00::/7 prefix to Unique Local Unicast addresses. A Unique Local Address (ULA) is a routable address that is not intended to be on the Internet. Site border routers and firewalls should be configured to block any packets with ULA source or destination addresses outside of the site. This will ensure that packets with Local IPv6 destination addresses will not be forwarded outside of the site via a default route. Drop all inbound IPv6 packets with an address in FC00::/7 as the source address. Note that this includes any address beginning with FC or FD. |
STIG | Date |
---|---|
Router Security Requirements Guide | 2013-07-30 |
Check Text (C-SRG-NET-000205-RTR-000107_chk) |
---|
Review the perimeter router configuration to verify filters are in place to restrict the IPv6 addresses explicitly or implicitly. Verify that ingress and egress filters for IPv6 have been defined to deny the Unique Local Unicast addresses (FC00::/7) and log all violations. If the ingress and egress filters for IPv6 are not defined to deny the Unique Local Unicast addresses (FC00::/7) and log all violations, this is a finding. |
Fix Text (F-SRG-NET-000205-RTR-000107_fix) |
---|
Configure the perimeter router ingress and egress filters for IPv6 to deny the Unique Local Unicast addresses (FC00::/7), and log all violations. |
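
One way to automate the check above, as an added example that is not part of the SRG. It assumes Cisco IOS-style IPv6 ACL syntax (the SRG is vendor-neutral), a single external interface, constructed ACL and interface names, and the reading that each filter must deny FC00::/7 as both source and destination with logging.

```python
import ipaddress
import re

ULA_HALVES = [ipaddress.ip_network("fc00::/8"), ipaddress.ip_network("fd00::/8")]
NET = r"(any|[0-9A-Fa-f:]+/\d+)"  # only prefix or "any" operands are recognised
# Constructed sample config; EXT-OUT forgets "log" on the FD00::/8 source deny.
SAMPLE_CONFIG = """\
ipv6 access-list EXT-IN
 deny ipv6 fc00::/7 any log
 deny ipv6 any fc00::/7 log
ipv6 access-list EXT-OUT
 deny ipv6 fc00::/8 any log
 deny ipv6 fd00::/8 any
 deny ipv6 any fc00::/7 log
interface GigabitEthernet0/0
 ipv6 traffic-filter EXT-IN in
 ipv6 traffic-filter EXT-OUT out
"""

def parse(config):
    acls, filters, current = {}, {}, []
    for line in config.splitlines():
        if m := re.match(r"ipv6 access-list (\S+)", line):
            current = acls.setdefault(m.group(1), [])
        elif m := re.match(rf"\s+deny ipv6 {NET} {NET}(.*)", line):
            current.append((m.group(1), m.group(2), "log" in m.group(3).split()))
        elif m := re.match(r"\s+ipv6 traffic-filter (\S+) (in|out)", line):
            filters[m.group(2)] = m.group(1)
        elif not line.startswith(" "):
            current = []  # left the ACL block; later entries are not attached to it
    return acls, filters

def covers_ula(entries, pos):
    # Logged denies that match on position pos (0=source, 1=destination) only;
    # together they must cover both the FC and FD halves of FC00::/7.
    nets = [ipaddress.ip_network("::/0" if e[pos] == "any" else e[pos], strict=False)
            for e in entries if e[2] and e[1 - pos] == "any"]
    return all(any(half.subnet_of(n) for n in nets) for half in ULA_HALVES)

def audit(config):
    acls, filters = parse(config)
    findings = []
    for direction in ("in", "out"):
        if (name := filters.get(direction)) is None:
            findings.append(f"no IPv6 filter applied {direction}")
            continue
        for pos, label in ((0, "source"), (1, "destination")):
            if not covers_ula(acls.get(name, []), pos):
                findings.append(f"{name} ({direction}): FC00::/7 as {label} not denied with log")
    return findings
```

The audit does not evaluate entry order, so a permit placed ahead of the deny entries still has to be reviewed by hand.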