The network device must drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols.

From Perimeter Router Security Technical Implementation Guide Cisco

Part of NET-TUNL-001

Associated with IA controls: ECSC-1

SV-47336r1_rule The network device must drop all inbound and outbound IPv4 and IPv6 packets being tunneled with outdated protocols.

Vulnerability discussion

There are a number of outdated tunneling schemes that should be blocked to avoid importing IPv6 packets. DoD IPv6 IA Guidance for MO3 (S0-C7-2) has identified the following to be blocked at the perimeter:Source Demand Routing Protocol (SDRP)AX.25 IP-within-IP Encapsulation ProtocolEtherIP protocolEncapsulation Header ProtocolPPTP

Check content

Review the network device configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols: Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42) AX.25 - protocol field value of 0x5D (93) IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94) EtherIP protocol - protocol field value of 0x61 (97) Encapsulation Header Protocol - protocol field value of 0x62 (98) PPTP - TCP or UDP destination port (0x06BB) 1723 The following example will block any IPv6 inbound packet using any of the outdated tunneling protocols as previously discussed: interface FastEthernet0/1 description DISN CORE facing ipv6 address 2001:1:0:146::4/64 ipv6 traffic-filter IPV6_INGRESS_ACL in ! … ! ip access-list IPV6_INGRESS_ACL deny 42 any any deny 93 any any deny 94 any any deny 97 any any deny 98 any any deny tcp any any eq 1723 deny udp any any eq 1723

Fix text

Configure the network device to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols: Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42) AX.25 - protocol field value of 0x5D (93) IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94) EtherIP protocol - protocol field value of 0x61 (97) Encapsulation Header Protocol - protocol field value of 0x62 (98) PPTP - TCP or UDP destination port (0x06BB) 1723

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer