
The firewall implementation must block IPv6 Site Local Unicast addresses (FEC0::/10) at the enclave perimeter by the ingress and egress filters.


Overview

Finding ID: SRG-NET-000019-FW-000198
Version: SRG-NET-000019-FW-000198
Rule ID: SRG-NET-000019-FW-000198_rule
IA Controls:
Severity: Medium
Description
The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting, as documented in section 2 of RFC 3879. IPv6 Site Local Unicast addresses (FEC0::/10) must not be defined in the enclave; this prefix covers every address whose first hextet begins with FEC, FED, FEE or FEF. As currently defined, site-local addresses are ambiguous and can be present in multiple sites, and the address itself carries no indication of the site to which it belongs. RFC 3879 formally deprecates the IPv6 site-local unicast prefix defined in RFC 3513, i.e., 1111111011 binary or FEC0::/10.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000019-FW-000198_chk)
Review the configuration of the firewall implementation; if ACLs or rules are not in place to explicitly deny Site Local Unicast IP addresses (FEC0::/10), this is a finding.
Fix Text (F-SRG-NET-000019-FW-000198_fix)
Configure the firewall implementation to deny Site Local Unicast IP addresses (FEC0::/10).
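The check and fix above both turn on whether the perimeter ACLs explicitly deny the whole FEC0::/10 block, in both directions, ahead of any permit. The following is an added example, not part of the STIG and not a vendor tool: it evaluates constructed, simplified "action src dst" ACL lines for one ingress and one egress list and reports whether each direction satisfies the requirement, flagging the two common ways a rule set misses (a deny narrower than the /10, such as fec0::/16, and a permit that matches site-local traffic before the deny).

```python
import ipaddress
from typing import List, Tuple

# RFC 3879 deprecated prefix; the /10 spans first hextets FEC0-FEFF (FEC, FED, FEE, FEF).
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")

Rule = Tuple[str, ipaddress.IPv6Network, ipaddress.IPv6Network]


def _net(token: str) -> ipaddress.IPv6Network:
    """Turn an ACL address token into a network; 'any' means the whole address space."""
    return ipaddress.IPv6Network("::/0" if token == "any" else token, strict=False)


def parse_rules(lines: List[str]) -> List[Rule]:
    """Parse constructed 'deny|permit <src> <dst>' lines, kept in evaluation order."""
    rules = []
    for line in lines:
        action, src, dst = line.split()
        if action not in ("deny", "permit"):
            raise ValueError(f"unknown action: {action}")
        rules.append((action, _net(src), _net(dst)))
    return rules


def site_local_denied(lines: List[str]) -> bool:
    """True only if the list explicitly denies FEC0::/10 as source AND as destination
    before any permit that could match site-local traffic."""
    src_denied = dst_denied = False
    for action, src, dst in parse_rules(lines):
        if action == "deny":
            # A deny blocks every site-local source only if the other side is 'any';
            # the deny prefix must contain the entire /10, so fec0::/16 does not count.
            if SITE_LOCAL.subnet_of(src) and dst.prefixlen == 0:
                src_denied = True
            if SITE_LOCAL.subnet_of(dst) and src.prefixlen == 0:
                dst_denied = True
        else:
            # A permit evaluated before the deny that overlaps site-local is a leak.
            if (src.overlaps(SITE_LOCAL) and not src_denied) or \
               (dst.overlaps(SITE_LOCAL) and not dst_denied):
                return False
    return src_denied and dst_denied


def check_enclave(ingress: List[str], egress: List[str]) -> Tuple[bool, bool]:
    """Both perimeter directions must filter; False in either position is a finding."""
    return site_local_denied(ingress), site_local_denied(egress)
```

A first-match filter that permits before it denies, or that denies only fec0::/16, returns False here for the same reason the STIG check calls it a finding: some FEC0::/10 traffic still crosses the perimeter.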