NET-IPV6-004 - Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-006 - Ensure the undetermined transport packet is blocked at the perimeter in an IPv6 enclave by the router. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-008 - The IAO/NSO will ensure IPv6 6bone address space is blocked on the ingress and egress filter, (3FFE::/16). | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-010 - Permit inbound ICMPv6 messages Packet-too-big, Time Exceeded, Parameter Problem, Echo Reply, and Neighbor Discovery. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-011 - The network element can permit outbound ICMPv6 Packet-too-big, Echo Request, and Neighbor Discovery - echo-request | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-011 - The network element can permit outbound ICMPv6 Packet-too-big, Echo Request, and Neighbor Discovery - neighbor-adv | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-011 - The network element can permit outbound ICMPv6 Packet-too-big, Echo Request, and Neighbor Discovery - neighbor-solicit | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-011 - The network element can permit outbound ICMPv6 Packet-too-big, Echo Request, and Neighbor Discovery - packet-too-big | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-016 - The network element must be configured so that ICMPv6 unreachable notifications and redirects are disabled on all external facing interfaces. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-017 - The network element must be configured to ensure the routing header extension type 0, 1, and 3-255 are rejected. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-024 - IPv6 6-to-4 addresses with a prefix of 2002::/16 are dropped by ingress and egress filters - Egress filter | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-024 - IPv6 6-to-4 addresses with a prefix of 2002::/16 are dropped by ingress and egress filters - Ingress filter | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-025 - IPv6 Site Local Unicast addresses are not defined in the enclave, (FEC0::/10). | CONFIGURATION MANAGEMENT |
NET-IPV6-026 - IPv6 Site Local Unicast addresses are blocked on the ingress inbound and egress outbound filters, (FEC0::/10). | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-027 - The network element must restrict any inbound IP packets with a local host loop back address, (0:0:0:0:0:0:0:1 or ::1/128). | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-028 - The network element must restrict any IP packets from the unspecified address, (0:0:0:0:0:0:0:0 or ::/128). | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-029 - The network device must block IPv6 multicast addresses used as a source address. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-030 - IPv6 addresses with embedded IPv4-compatible IPv6 addresses are blocked on the ingress and egress filters, (0::/96). | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-031 - IPv6 addresses with embedded IPv4-mapped IPv6 addresses are blocked on the ingress and egress filters, (0::FFFF/96). | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-032 - The network device must block IPv6 Unique Local Unicast Addresses on the enclave's perimeter ingress and egress filter. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-034 - The network element must be configured via egress ACL or by enabling uRPF in an IPv6 enclave - uRPF enabled | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-034 - The network element must be configured via egress ACL or by enabling uRPF in an IPv6 enclave - uRPF interfaces fail-filter | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-034 - The network element must be configured via egress ACL or by enabling uRPF in an IPv6 enclave - uRPF log | AUDIT AND ACCOUNTABILITY |
NET-IPV6-034 - The network element must be configured via egress ACL or by enabling uRPF in an IPv6 enclave - uRPF reject | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-047 - Interfaces supporting IPv4 in NAT-PT Architecture must not receive IPv6 traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-048 - The IAO/NSO will ensure in NAT-PT architecture there is no tunneled IPv4 in IPv6 traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-059 - The administrator must ensure that the maximum hop limit is at least 32. | CONFIGURATION MANAGEMENT |
NET-IPV6-060 - The perimeter router is configured to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-061 - The perimeter router is configured to drop all inbound and outbound IPv6 packets containing a Destination Option header. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-062 - The router is configured to drop all IPv6 packets containing the Endpoint Identification option - dstops | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-062 - The router is configured to drop all IPv6 packets containing the Endpoint Identification option - hop-by-hop | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-063 - The router is configured to drop all IPv6 packets containing the NSAP address option. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-064 - The router is configured to drop all IPv6 packets containing a Hop-by-Hop or Destination Option - dstops | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-064 - The router is configured to drop all IPv6 packets containing a Hop-by-Hop or Destination Option - hop-by-hop | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-065 - The 6-to-4 router is configured to drop any IPv4 packets with protocol 41 received from the internal network. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-IPV6-066 - The 6-to-4 router drops outbound IPv6 packets that are not within the 6to4 prefix 2002:V4ADDR::/48 | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-MCAST-001 - Protocol Independent Multicast (PIM) is disabled on all interfaces that are not required to support multicast routing. | CONFIGURATION MANAGEMENT |
NET-MCAST-002 - A PIM neighbor filter is bound to all interfaces that have PIM enabled - Interfaces | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-MCAST-002 - A PIM neighbor filter is bound to all interfaces that have PIM enabled - PIM Filter Accept | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-MCAST-002 - A PIM neighbor filter is bound to all interfaces that have PIM enabled - PIM Filter Destination Address | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-MCAST-002 - A PIM neighbor filter is bound to all interfaces that have PIM enabled - PIM Filter Protocol PIM | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-MCAST-009 - Ensure that boundaries are established at the enclave perimeter for all administrative scoped multicast traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-MCAST-010 - Ensure that multicast routers are configured to establish boundaries for Admin-local or Site-local scope multicast traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-SRVFRM-003 - Server VLAN interfaces must be protected by restrictive ACLs using a deny-by-default security posture. | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-TUNL-001 - Drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols - Protocol 42 | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-TUNL-001 - Drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols - Protocol 93 | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-TUNL-001 - Drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols - Protocol 94 | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-TUNL-001 - Drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols - Protocol 97 | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-TUNL-001 - Drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols - Protocol 98 | SYSTEM AND COMMUNICATIONS PROTECTION |
NET-TUNL-001 - Drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols - Protocol 1723 | SYSTEM AND COMMUNICATIONS PROTECTION |