NET-IPV6-008 - IPV6 Bogons are not blocked - 'Ingress IPv6 traffic-filter'

Information

The IAO/NSO will ensure the IPv6 6bone address space (3FFE::/16) is blocked on the ingress and egress filters.

The decommissioned 6bone allocation (3FFE::/16, RFC 3701) must be blocked. It is no longer a trusted source.

NOTE: Change 'IPV6_INGRESS_ACL' to the name of the IPv6 inbound access control list that includes the statements blocking the 6bone address space.
NOTE: The same 'IPV6_INGRESS_ACL' access list can be applied as an 'inbound' traffic-filter on both the outside interface and the appropriate inside interface. Dropping 6bone traffic inbound discards it as early as possible, which avoids unnecessary packet processing and reduces CPU load on the router.

Solution

The administrator will configure the router ACLs to block traffic with any 6bone address.
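
The following is an added example, not the audit plugin's or the STIG's own code: an offline check of a saved running-config that verifies the named ACL denies 3FFE::/16 and is bound as an inbound traffic-filter. It goes slightly beyond the item text by also checking entry order, since ACLs are first-match. It assumes Cisco IOS `ipv6 access-list` / `ipv6 traffic-filter` syntax; the sample config and the function names are constructed for illustration.

```python
import ipaddress
import re

SIXBONE = ipaddress.ip_network("3ffe::/16")  # decommissioned 6bone space (RFC 3701)
# Constructed sample running-config; interface name and prefixes are illustrative.
SAMPLE = """\
ipv6 access-list IPV6_INGRESS_ACL
 deny ipv6 3FFE::/16 any log
 permit ipv6 any 2001:DB8:10::/48
interface GigabitEthernet0/0
 ipv6 traffic-filter IPV6_INGRESS_ACL in
"""

def _net(token):  # ACL source token -> network ('any' is ::/0); None if not a prefix
    try:
        return ipaddress.ip_network("::/0" if token.lower() == "any" else token, strict=False)
    except ValueError:
        return None

def parse(config):
    """Return ({acl: [(action, proto, src_net)]}, {interface: inbound acl})."""
    acls, inbound, acl, intf = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line closes the current block
            acl = intf = None
        if m := re.match(r"ipv6 access-list (\S+)", line):
            acl = m.group(1)
            acls[acl] = []
        elif m := re.match(r"interface (\S+)", line):
            intf = m.group(1)
        elif acl and (m := re.match(r"(?:sequence \d+ )?(permit|deny) (\S+) (?:host )?(\S+)", line)):
            acls[acl].append((m.group(1), m.group(2).lower(), _net(m.group(3))))
        elif intf and (m := re.match(r"ipv6 traffic-filter (\S+) in$", line)):
            inbound[intf] = m.group(1)
    return acls, inbound

def blocks_6bone(entries):
    """First match wins: a full deny must precede any permit touching 3FFE::/16."""
    for action, proto, net in (e for e in entries if e[2] is not None):
        if action == "deny" and proto == "ipv6" and SIXBONE.subnet_of(net):
            return True
        if action == "permit" and net.overlaps(SIXBONE):
            return False
    return False

def audit(config, acl_name="IPV6_INGRESS_ACL"):  # -> (compliant, inbound interfaces)
    acls, inbound = parse(config)
    applied = sorted(i for i, a in inbound.items() if a == acl_name)
    return bool(applied) and blocks_6bone(acls.get(acl_name, [])), applied
```

`audit(SAMPLE)` reports the constructed config as compliant; a config where a broader `permit` precedes the deny, or where the ACL is defined but never bound inbound, is reported as non-compliant.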

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11), CAT|II, Rule-ID|SV-20166r1_rule, STIG-ID|NET-IPV6-008, Vuln-ID|V-18610

Plugin: Cisco

Control ID: d13ca418dc20161af4a19efea666644f04329ce4b97ed62680bd86165d433a86