
The firewall implementation must suppress router advertisements on all external-facing IPv6-enabled interfaces.


Overview

Finding ID:  SRG-NET-000019-FW-000191
Version:     SRG-NET-000019-FW-000191
Rule ID:     SRG-NET-000019-FW-000191_rule
IA Controls: (none)
Severity:    Medium
Description
IPv6 Neighbor Discovery relies, in part, on Router Advertisement, which can be abused by an attacker to cause either a Denial of Service or to redirect traffic to a rogue IPv6 router. To mitigate this, links that have no hosts connected, such as the interface connecting to external gateways, will be configured to suppress router advertisements.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000019-FW-000191_chk)
Inspect the device configuration to validate that IPv6 router advertisement suppression is enabled on all external-facing interfaces. This is applicable to all IPv6-enabled interfaces connected to an IP backbone (e.g. NIPRNet, SIPRNet) or an alternate gateway (AG).
Fix Text (F-SRG-NET-000019-FW-000191_fix)
Configure the firewall implementation to suppress Router Advertisement on all external-facing interfaces that have IPv6 enabled.

Disable or do not configure all IPv6 Neighbor Discovery functions across tunnels, including the Neighbor Unreachability Detection (NUD) function.
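The check text above asks the reviewer to inspect the device configuration and confirm that every IPv6-enabled, external-facing interface suppresses router advertisements. The following script is an added example, not part of the SRG and not vendor-supplied code: it parses a constructed, IOS-style configuration excerpt (the interface names, addresses and descriptions are made up), treats an interface as IPv6-enabled when it carries an "ipv6 address" or "ipv6 enable" line, and treats RA as suppressed when the stanza contains "ipv6 nd ra suppress" or the older "ipv6 nd suppress-ra". Which interfaces count as external-facing is an input the reviewer supplies, since the SRG does not define a naming convention for it. The syntax assumptions only hold for IOS-like configurations; other platforms need their own matchers.

```python
"""Audit an IOS-style configuration for IPv6 router-advertisement suppression
on external-facing interfaces (SRG-NET-000019-FW-000191).

Assumptions (not from the SRG): IOS-like stanza syntax, and the set of
external-facing interface names is provided by the reviewer.
"""
import re

# Constructed sample configuration; names, addresses and descriptions are invented.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description EXTERNAL uplink to IP backbone
 ipv6 address 2001:db8:1::1/64
 ipv6 nd ra suppress all
!
interface GigabitEthernet0/1
 description EXTERNAL alternate gateway
 ipv6 enable
!
interface GigabitEthernet0/2
 description INTERNAL user LAN
 ipv6 address 2001:db8:2::1/64
!
interface GigabitEthernet0/3
 description EXTERNAL IPv4-only link
 ip address 192.0.2.1 255.255.255.0
!
"""

IPV6_ENABLED = re.compile(r"^ipv6\s+(address|enable)\b")
RA_SUPPRESSED = re.compile(r"^ipv6\s+nd\s+(ra\s+suppress|suppress-ra)\b")


def parse_interfaces(config_text):
    """Return {interface_name: [stanza lines]} for every 'interface' stanza."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith("!"):
            # '!' terminates the stanza in IOS-style output.
            current = None
        elif current is not None and line.strip():
            interfaces[current].append(line.strip())
    return interfaces


def is_ipv6_enabled(stanza):
    return any(IPV6_ENABLED.match(line) for line in stanza)


def ra_suppressed(stanza):
    return any(RA_SUPPRESSED.match(line) for line in stanza)


def audit(config_text, external_interfaces):
    """Map each external-facing, IPv6-enabled interface to 'pass' or 'fail'.

    IPv4-only and internal interfaces are omitted because the requirement
    does not apply to them.
    """
    results = {}
    for name, stanza in parse_interfaces(config_text).items():
        if name not in external_interfaces:
            continue
        if not is_ipv6_enabled(stanza):
            continue
        results[name] = "pass" if ra_suppressed(stanza) else "fail"
    return results


def noncompliant(results):
    """Sorted list of interface names that still advertise themselves as routers."""
    return sorted(name for name, verdict in results.items() if verdict == "fail")


if __name__ == "__main__":
    external = {"GigabitEthernet0/0", "GigabitEthernet0/1", "GigabitEthernet0/3"}
    verdicts = audit(SAMPLE_CONFIG, external)
    for name in sorted(verdicts):
        print(f"{name}: {verdicts[name]}")
    print("Open findings:", noncompliant(verdicts))
```

On the constructed sample, GigabitEthernet0/0 passes, GigabitEthernet0/1 fails because it has IPv6 enabled but no suppression line, GigabitEthernet0/2 is skipped as internal, and GigabitEthernet0/3 is skipped as IPv4-only. A real review would also confirm the interface list against the device's actual uplinks rather than trusting description strings.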