The firewall implementation must block IPv6 6to4 addresses at the enclave perimeter for inbound and outbound traffic.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000019-FW-000197	SRG-NET-000019-FW-000197	SRG-NET-000019-FW-000197_rule		Medium

Description
Address spoofing is a major issue on tunnels to a 6to4 relay router. For incoming traffic, the 6to4 router is unable to match the IPv4 address of the relay router with the IPv6 address of the source. The address of the IPv6 host or relay router can easily be spoofed. “6to4” is a tunneling IPv6 transition mechanism [RFC 3056]. 6to4 allows IPv6 packets to be transmitted over the IPv4 Internet without the need to configure tunnels, but it requires special relay servers to allow 6to4 networks to communicate with native IPv6 networks. 6to4 does not allow IPv4-only hosts to communicate with IPv6-only hosts — it only allows IPv6 hosts to communicate to IPv6 networks over an IPv4 network. 6to4 tunnels are automatically configured. A 6to4 connection starts off as an IPv6 packet encapsulated in IPv4, i.e. the protocol field in the IPv4 packet is set to 41. The encapsulated IPv6 packet is decapsulated by a 6to4 relay. Return IPv6 traffic goes to a potentially different 6to4 relay which encapsulates it into an IPv4 packet destined for the original sender.

Description

Address spoofing is a major issue on tunnels to a 6to4 relay router. For incoming traffic, the 6to4 router is unable to match the IPv4 address of the relay router with the IPv6 address of the source. The address of the IPv6 host or relay router can easily be spoofed. “6to4” is a tunneling IPv6 transition mechanism [RFC 3056]. 6to4 allows IPv6 packets to be transmitted over the IPv4 Internet without the need to configure tunnels, but it requires special relay servers to allow 6to4 networks to communicate with native IPv6 networks. 6to4 does not allow IPv4-only hosts to communicate with IPv6-only hosts — it only allows IPv6 hosts to communicate to IPv6 networks over an IPv4 network. 6to4 tunnels are automatically configured. A 6to4 connection starts off as an IPv6 packet encapsulated in IPv4, i.e. the protocol field in the IPv4 packet is set to 41. The encapsulated IPv6 packet is decapsulated by a 6to4 relay. Return IPv6 traffic goes to a potentially different 6to4 relay which encapsulates it into an IPv4 packet destined for the original sender.

STIG	Date
Firewall Security Requirements Guide	2014-07-07

Details

Check Text ( C-SRG-NET-000019-FW-000197_chk )
Interview the System Administrator and review the network documentation. If the 6to4 transition mechanism is being used, this is not a finding (the following check does not apply). Review the configuration of the firewall implementation; if ACLs or rules are not in place to explicitly deny IPv6 6to4 addresses, this is a finding.

Fix Text (F-SRG-NET-000019-FW-000197_fix)
Configure the firewall implementation to deny any 6to4 addresses (2002::/16). Drop all inbound IPv6 packets containing a source or destination address of 2002::/16. This requirement is the default case, which assumes that 6to4 is not being used as an IPv6 transition mechanism. If 6to4 is implemented, refer to additional 6to4 guidance defined in the STIG.