NET-IPV6-034 - The network element must be configured via egress ACL or by enabling uRPF in an IPv6 enclave - uRPF firewall filter log

Information

Unicast Reverse Path Forwarding (uRPF) provides a mechanism for IP address spoof protection. When uRPF is enabled on an interface, the router examines all packets received as input on that interface to make sure that the source address and source interface appear in the routing table and match the interface on which the packet was received. If the packet was received from one of the best reverse path routes, the packet is forwarded as normal. If there is no reverse path route on the same interface from which the packet was received, it might mean that the source address was modified. If Unicast RPF does not find a reverse path for the packet, the packet is dropped.

If internal nodes automatically configure an address based on a prefix from a bogus Router Advertisement a dangerous situation may exist. An internal host may contact an internal server which responds with a packet that could be routed outside of the network via default routing (because the routers do not recognize the destination address as an internal address).

To prevent this, filtering should be applied to network interfaces between internal host LANs and internal server LANs to insure that source addresses have valid prefixes.

Solution

The network element must be configured to ensure that an ACL is configured to restrict the router from accepting any outbound IP packet that contains an external IP address in the source field.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Infrastructure_Router_L3_Switch_V8R29_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|II, Rule-ID|SV-15430r1_rule, STIG-ID|NET-IPV6-034, Vuln-ID|V-14707

Plugin: Juniper

Control ID: 0c223f91efbb42fd35e62350421e2cf70624353086b591f935f6c1478a52fb6d