Details

The IAO/NSO will ensure IPv6 6-to-4 addresses with a prefix of 2002–/16 are dropped at the enclave perimeter by the ingress and egress filters.

‘6-to-4’ is a tunneling IPv6 transition mechanism [RFC 3056]. The guidance is the default case, which assumes that 6-to-4 is not being used as an IPv6 transition mechanism. If 6-to-4 is implemented, reference addition 6-to-4 guidance defined in the STIG. Drop all inbound IPv6 packets containing a source address of type 2002–/16. This assumes the 6-to-4 transition mechanism is not being used. Drop all inbound IPv6 packets containing a destination address of type 2002–/16. This assumes the 6-to-4 transition mechanism is not being used.

NOTE: Change ‘IPV6_INGRESS_ACL’ to the access control list for IPv6 inbound connection filtering.

Solution

The administrator will configure the router ACLs to restrict IP addresses that contain any 6-to-4 addresses.

Supportive Information

The following resource is also helpful.

• https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Cisco.

References

• 800-53|SC-7(11)
• CAT|II
• Rule-ID|SV-20161r1_rule
• STIG-ID|NET-IPV6-024
• Vuln-ID|V-18608

Source

• Tenable.com/audits