The network device must drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols.

From Perimeter Router Security Technical Implementation Guide Juniper

Part of NET-TUNL-001

Associated with IA controls: ECSC-1

SV-47337r1_rule The network device must drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols.

Vulnerability discussion

There are a number of outdated tunneling schemes that should be blocked to avoid importing IPv6 packets. DoD IPv6 IA Guidance for MO3 (S0-C7-2) has identified the following to be blocked at the perimeter:Source Demand Routing Protocol (SDRP)AX.25 IP-within-IP Encapsulation ProtocolEtherIP protocolEncapsulation Header ProtocolPPTP

Check content

Review the network device configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols: Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42) AX.25 - protocol field value of 0x5D (93) IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94) EtherIP protocol - protocol field value of 0x61 (97) Encapsulation Header Protocol - protocol field value of 0x62 (98) PPTP - TCP or UDP destination port (0x06BB) 1723 The following example will block any IPv6 inbound packet using any of the outdated tunneling protocols as previously discussed: interfaces fe-0/0/1 { unit 0 { family inet6 { filter { input IPV6-INGRESS-FILTER; } address 2001:1:0:146::4/64; } } } firewall { filter IPV6-INGRESS-FILTER { term DROP- SDRP { from { protocol 42; } then { syslog; discard; } } term DROP- AX25 { from { protocol 93; } then { syslog; discard; } } term DROP- IPinIP { from { protocol 94; } then { syslog; discard; } } term DROP- EtherIP { from { protocol 97; } then { syslog; discard; } } term DROP- EHP { from { protocol 98; } then { syslog; discard; } } term DROP--PPTP { from { protocol [tcp udp]; destination-port 1723; } then { syslog; discard; } } … … term default-action { then { syslog; discard; } } } }

Fix text

Configure the network device to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols: Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42) AX.25 - protocol field value of 0x5D (93) IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94) EtherIP protocol - protocol field value of 0x61 (97) Encapsulation Header Protocol - protocol field value of 0x62 (98) PPTP - TCP or UDP destination port (0x06BB) 1723

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer