The network device must block IPv6 Unique Local Unicast Addresses on the enclaves perimeter ingress and egress filter.

From Perimeter Router Security Technical Implementation Guide Cisco

Part of IPv6 Unique Local Unicast ADDR are not blocked

Associated with IA controls: ECSC-1

SV-15420r2_rule The network device must block IPv6 Unique Local Unicast Addresses on the enclaves perimeter ingress and egress filter.

Vulnerability discussion

The IANA has assigned the FC00::/7 prefix to Unique Local Unicast addresses. Unique Local Address (ULA) is a routable address that is not intended to be on the Internet. Site border routers and firewalls should be configured to block any packets with ULA source or destination addresses outside of the site. This will ensure that packets with Local IPv6 destination addresses will not be forwarded outside of the site via a default route.Drop all inbound IPv6 packets with an address FC00::/7 as its source address. Note that includes any address beginning with FC or FD.

Check content

interface FastEthernet 0/0 description upstream link toward DoD Backbone ipv6 address 2001:db8:60::f14:65a1 ipv6 traffic-filter inbound-to-enclave in ipv6 access-list inbound-to-enclave remark block IPv6 Unique Local Unicast Addresses deny ipv6 FC00::7 any log deny ipv6 any FC00::7 log

Fix text

The administrator will configure the router ACLs to restrict IP addresses that contain any Unique Local Unicast addresses.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.