NET-IPV6-029 – IPv6 Multicast Source ADDR are not blocked – ‘deny ipv6 ff00::/16 any log’

Details

The network device must block IPv6 multicast addresses used as a source address.

IPv6 multicast addresses should never be a source address. They should only be destination addresses.

NOTE: Change ‘IPV6_INGRESS_ACL’ to the access control list for IPv6 inbound connection filtering.

Solution

Configure the perimeter router access control lists to deny any IPv6 multicast address used as a source address.

Supportive Information

The following resource is also helpful.

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Cisco.

References

800-53|SC-7(11)
CAT|II
Rule-ID|SV-15407r3_rule
STIG-ID|NET-IPV6-029
Vuln-ID|V-14697

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles