DISA STIG Cisco Firewall V8R25

NET-IPV6-024 – IPv6 6-to-4 addresses with a prefix of 2002::/16 must be filtered at the perimeter. – 2002 outbound

Details

‘6-to-4’ is a tunneling IPv6 transition mechanism [RFC 3056]. The guidance is the default case, which assumes that 6-to-4 is not being used as an IPv6 transition mechanism. If 6-to-4 is implemented, reference the additional 6-to-4 guidance defined in the STIG.

Drop all inbound IPv6 packets containing a source address of type 2002::/16. This assumes the 6-to-4 transition mechanism is not being used.

Drop all inbound IPv6 packets containing a destination address of type 2002::/16. This assumes the 6-to-4 transition mechanism is not being used.

NOTE: Nessus did not detect IPv6 on the Outside interface so this check is not applicable.

Solution

Configure the device using filters to restrict IP addresses that contain any 6-to-4 addresses.
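The following added example (not part of the STIG or of any Cisco tooling) models a first-match filter list and checks that 2002::/16 is dropped as both source and destination before any permit can match it. The `(action, source, destination)` rule tuples are a hypothetical IPv6-only model, not Cisco ACL syntax, and all addresses are constructed from documentation ranges.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # RFC 3056 6-to-4 prefix

# Constructed rule sets: (action, source prefix, destination prefix), first match wins.
WEAK = [("permit", "::/0", "2001:db8:10::/48")]
HARDENED = [
    ("deny", "2002::/16", "::/0"),   # 6-to-4 as source
    ("deny", "::/0", "2002::/16"),   # 6-to-4 as destination
    ("permit", "::/0", "2001:db8:10::/48"),
]

def first_match(rules, src, dst):
    """Action of the first rule matching the packet, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def covers_6to4(rules, field):
    """Conservative audit for one field (0 = source, 1 = destination).

    True when a deny covering all of 2002::/16 in that field, with the other
    field unrestricted, comes before any permit overlapping 2002::/16 there.
    """
    for action, *nets in rules:
        net = ipaddress.ip_network(nets[field])
        other = ipaddress.ip_network(nets[1 - field])
        if action == "deny" and SIX_TO_FOUR.subnet_of(net) and other.prefixlen == 0:
            return True
        if action == "permit" and net.overlaps(SIX_TO_FOUR):
            return False
    return True  # nothing permits the prefix, so the implicit deny drops it

def embedded_ipv4(addr):
    """IPv4 address carried inside a 6-to-4 address, or None (useful in log triage)."""
    return ipaddress.IPv6Address(addr).sixtofour

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "source filtered:", covers_6to4(rules, 0),
              "destination filtered:", covers_6to4(rules, 1))
    print(first_match(WEAK, "2002:c000:204::1", "2001:db8:10::5"),
          embedded_ipv4("2002:c000:204::1"))
```

The audit is deliberately conservative: a deny that covers only part of 2002::/16, or that restricts the other field, does not count as satisfying the control.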

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Cisco.

References

Source

Updated on July 16, 2022