The firewall implementation must block any packet with a source or destination of the IPv6 local host loopback address (::1/128).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000018-FW-000248 | SRG-NET-000018-FW-000248 | SRG-NET-000018-FW-000248_rule | Medium |
| Description |
|---|
| The IPv6 unicast address 0:0:0:0:0:0:0:1, also defined as ::1/128, is called the loopback address. It should never be used as the source or destination IP address of an inbound or outbound transmission. Packets with a source IP or destination address of ::1/128 are bogus and may be malicious. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2014-07-07 |
Details
| Check Text ( C-SRG-NET-000018-FW-000248_chk ) |
|---|
| Review the configuration of the firewall implementation; if the ::1/128 prefix is allowed as a source or destination, this is a finding. |
| Fix Text (F-SRG-NET-000018-FW-000248_fix) |
|---|
| Configure the firewall/ACL to block traffic using the ::1/128 prefix as a source or destination address. |