
The firewall implementation must block IPv6 Unique Local Unicast addresses (FC00::/7) on the ingress and egress filters. Note that this prefix consists of all addresses that begin with FC or FD.


Overview

Finding ID: SRG-NET-000019-FW-000254
Version: SRG-NET-000019-FW-000254
Rule ID: SRG-NET-000019-FW-000254_rule
IA Controls: (none listed)
Severity: Medium
Description
Packets originating outside the enclave with a source or destination address in the FC00::/7 prefix are bogus and may be malicious. The IANA has assigned the FC00::/7 prefix to Unique Local Unicast addresses. A Unique Local Address (ULA) is the IPv6 counterpart of the IPv4 private address: it is a routable address that is not intended to be on the Internet. Site border routers and firewalls should be configured to block any packets with ULA source or destination addresses outside of the site. This ensures that packets with Local IPv6 destination addresses are not forwarded outside of the site via a default route. Drop all inbound IPv6 packets with an FC00::/7 address as the source address. Note that this includes any address beginning with FC or FD.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000019-FW-000254_chk)
Review the configuration of the firewall implementation. Verify that ingress and egress filters for IPv6 have been defined to deny the Unique Local Unicast addresses (FC00::/7). If the ingress and egress filters for IPv6 are not defined to deny the Unique Local Unicast addresses (FC00::/7), this is a finding.
Fix Text (F-SRG-NET-000019-FW-000254_fix)
Configure the firewall implementation ingress and egress filters for IPv6 to deny the Unique Local Unicast addresses (FC00::/7).
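As an added, vendor-neutral illustration (not from the SRG or any firewall product), the Python below checks whether an address falls in FC00::/7, gives the border verdict the description calls for, and audits a hypothetical rule list the way the check text does; the dict rule format and the rule names are assumptions, and the sample rule set is constructed.

```python
from ipaddress import IPv6Address, IPv6Network

# FC00::/7 as named by the SRG; it spans FC00::/8 and FD00::/8, i.e. every
# address whose first byte is 0xFC or 0xFD.
ULA_PREFIX = IPv6Network("fc00::/7")
ULA_HALVES = list(ULA_PREFIX.subnets(prefixlen_diff=1))  # [fc00::/8, fd00::/8]


def is_ula(address: str) -> bool:
    """True if the address falls in FC00::/7 (first byte 0xFC or 0xFD)."""
    return IPv6Address(address) in ULA_PREFIX


def border_verdict(src: str, dst: str) -> str:
    """Verdict a site border filter gives a packet crossing it.

    A ULA source or destination on a packet crossing the border is bogus
    (inbound: cannot come from outside the site; outbound: must not leave
    via the default route), so it is dropped. 'PERMIT' only means no ULA
    was seen; no other policy is modelled here.
    """
    return "DROP" if is_ula(src) or is_ula(dst) else "PERMIT"


def audit_filters(rules: list) -> list:
    """Return the directions whose filters do NOT fully deny FC00::/7.

    A rule is a hypothetical vendor-neutral dict such as
    {"direction": "ingress", "action": "deny", "src": "fc00::/7", "dst": "::/0"}.
    Ingress must deny ULA sources and egress must deny ULA destinations;
    coverage is checked per /8 half, so denying fc00::/8 and fd00::/8 as
    two rules passes, while denying only fd00::/8 does not.
    """
    missing = []
    for direction, field in (("ingress", "src"), ("egress", "dst")):
        denied = [IPv6Network(r[field]) for r in rules
                  if r["direction"] == direction and r["action"] == "deny"]
        if not all(any(half.subnet_of(net) for net in denied)
                   for half in ULA_HALVES):
            missing.append(direction)
    return missing


if __name__ == "__main__":
    sample_rules = [  # constructed rule set: egress is only half covered
        {"direction": "ingress", "action": "deny", "src": "fc00::/7", "dst": "::/0"},
        {"direction": "egress", "action": "deny", "src": "::/0", "dst": "fd00::/8"},
    ]
    print(border_verdict("fd12:3456::1", "2001:db8::1"))  # DROP
    print(audit_filters(sample_rules))  # ['egress'] -> this is a finding
```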