Details
The IAO/NSO will ensure IPv6 6-to-4 addresses with a prefix of 2002::/16 are dropped at the enclave perimeter by the ingress and egress filters.
‘6-to-4’ is an IPv6 transition mechanism that tunnels IPv6 over IPv4 [RFC 3056]; its addresses carry the reserved prefix 2002::/16. This guidance is the default case, which assumes that 6-to-4 is not being used as an IPv6 transition mechanism. If 6-to-4 is implemented, refer to the additional 6-to-4 guidance defined in the STIG. Drop all inbound IPv6 packets containing a source address within 2002::/16, and drop all inbound IPv6 packets containing a destination address within 2002::/16; both rules assume the 6-to-4 transition mechanism is not being used.
NOTE: Change ‘IPV6_INGRESS_ACL’ to the access control list for IPv6 inbound connection filtering.
Solution
The administrator will configure the router ACLs to drop any packets carrying 6-to-4 (2002::/16) source or destination addresses.
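The following Cisco IOS configuration is an added example of the solution described above, not text from the STIG itself. IPV6_INGRESS_ACL is the name the check refers to; the egress ACL name, the interface name and the trailing permit entries are assumptions standing in for the site's own existing filter policy.

```cisco
! Inbound filter at the enclave perimeter (name taken from the check's NOTE)
ipv6 access-list IPV6_INGRESS_ACL
 remark NET-IPV6-024: 6-to-4 not in use, drop 2002::/16 (RFC 3056) in either address
 deny ipv6 2002::/16 any log
 deny ipv6 any 2002::/16 log
 ! ...site-specific inbound entries follow; the permit below is only a placeholder
 permit ipv6 any any
!
! Outbound filter; name is an assumption for this example
ipv6 access-list IPV6_EGRESS_ACL
 remark NET-IPV6-024: 6-to-4 not in use, drop 2002::/16 (RFC 3056) in either address
 deny ipv6 2002::/16 any log
 deny ipv6 any 2002::/16 log
 ! ...site-specific outbound entries follow; the permit below is only a placeholder
 permit ipv6 any any
!
! Apply both filters on the perimeter-facing interface (interface name assumed)
interface GigabitEthernet0/0
 description Enclave perimeter link
 ipv6 traffic-filter IPV6_INGRESS_ACL in
 ipv6 traffic-filter IPV6_EGRESS_ACL out
!
! Verify the entries exist and watch the hit counters for matches
do show ipv6 access-list IPV6_INGRESS_ACL
do show ipv6 access-list IPV6_EGRESS_ACL
```

IOS ACLs are evaluated first-match, so the two deny entries must sit above any broader permit in each list, and the `log` keyword lets unexpected 6-to-4 traffic surface in syslog for investigation.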
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Cisco.
References
- 800-53|SC-7(11)
- CAT|II
- Rule-ID|SV-20161r1_rule
- STIG-ID|NET-IPV6-024
- Vuln-ID|V-18608