The firewall implementation must block IPv6 6bone address space on the ingress and egress filters (3FEE::/16).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000019-FW-000252 | SRG-NET-000019-FW-000252 | SRG-NET-000019-FW-000252_rule | Medium |
| Description |
|---|
| The decommissioned 6bone allocation (3FFE::/16), RFC 3701 must be blocked. It is no longer a trusted source. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2014-07-07 |
Details
| Check Text ( C-SRG-NET-000019-FW-000252_chk ) |
|---|
| Review the firewall implementation configuration to verify filters are in place to restrict the IP addresses explicitly. Verify that ingress and egress filters for IPv6 have been defined to deny the 6bone address space. If the ingress and egress filters do not deny the 6bone address space, this is a finding. |
| Fix Text (F-SRG-NET-000019-FW-000252_fix) |
|---|
| Configure ingress and egress filters to deny the 6bone address space. |