The network device must block IPv6 Unique Local Unicast Addresses on the enclave's perimeter ingress and egress filter.

From Perimeter Router Security Technical Implementation Guide Juniper

Part of IPv6 Unique Local Unicast ADDR are not blocked

Associated with IA controls: ECSC-1

SV-15421r2_rule The network device must block IPv6 Unique Local Unicast Addresses on the enclave's perimeter ingress and egress filter.

Vulnerability discussion

The IANA has assigned the FC00::/7 prefix to Unique Local Unicast addresses. A Unique Local Address (ULA) is a routable address that is not intended to be reachable on the Internet. Site border routers and firewalls should be configured to block any packets with ULA source or destination addresses outside of the site. This ensures that packets with local IPv6 destination addresses will not be forwarded outside of the site via a default route. Drop all inbound IPv6 packets with an FC00::/7 address as the source address. Note that this includes any address beginning with FC or FD.

Check content

[edit interfaces]
fe-2/0/10 {
    description "to NIPRNet core router";
    speed 100m;
    link-mode full-duplex;
    unit 0 {
        family inet6 {
            filter {
                input ingress-filter;
            }
            address 2001:db8:60::f14b:65a1/64;
        }
    }
}

[edit firewall]
family inet6 {
    filter ingress-filter {
        term term-1 {
            from {
                address {
                    /* the whole ULA prefix, covering both FC00::/8 and FD00::/8 */
                    FC00::/7;
                }
            }
            then discard;
        }
    }
}
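Added example (not part of the STIG text): a small Python audit that applies the rule's logic to constructed perimeter flow records, flagging any ingress or egress packet whose source or destination falls in FC00::/7, and that checks whether a given filter match prefix actually covers the entire ULA space. A term written as a bare host address (fc00::7) or as FC00::/8 would miss FD-prefixed addresses; the sample flows and field names are assumptions made here.

```python
import ipaddress
from typing import Dict, List

# IANA/RFC 4193 assignment for Unique Local Addresses. The /7 spans both
# FC00::/8 and FD00::/8, i.e. every address whose first octet is fc or fd.
ULA_PREFIX = ipaddress.IPv6Network("fc00::/7")


def is_ula(addr: str) -> bool:
    """True if addr falls inside fc00::/7."""
    return ipaddress.IPv6Address(addr) in ULA_PREFIX


def filter_covers_ula(match_prefix: str) -> bool:
    """True if a filter term matching match_prefix would catch every ULA
    packet. A bare host address (e.g. 'fc00::7') parses as a /128 and a
    /8 misses the FD half of the range, so both return False."""
    net = ipaddress.IPv6Network(match_prefix, strict=False)
    return ULA_PREFIX.subnet_of(net)


def audit_flows(flows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return flows a compliant perimeter filter should have discarded:
    any packet, ingress or egress, whose source or destination is a ULA."""
    findings = []
    for flow in flows:
        hit = [field for field in ("src", "dst") if is_ula(flow[field])]
        if hit:
            findings.append({**flow, "ula_fields": ",".join(hit)})
    return findings


# Constructed sample flow records crossing the perimeter (not from the STIG).
SAMPLE_FLOWS = [
    {"direction": "ingress", "src": "fd12:3456:789a::1", "dst": "2001:db8:60::f14b:65a1"},
    {"direction": "egress", "src": "2001:db8:60::10", "dst": "fc00::1"},
    {"direction": "ingress", "src": "2001:db8:ffff::5", "dst": "2001:db8:60::20"},
    {"direction": "egress", "src": "fe80::1", "dst": "ff02::1"},  # link-local/multicast, not ULA
]

if __name__ == "__main__":
    for prefix in ("fc00::/7", "fc00::/8", "fc00::7"):
        print(f"filter on {prefix:10} covers all ULA: {filter_covers_ula(prefix)}")
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['direction']:7} {f['src']} -> {f['dst']} (ULA in {f['ula_fields']})")
```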

Fix text

The administrator will configure the router ACLs to restrict packets that contain any Unique Local Unicast addresses.
