From Perimeter L3 Switch Security Technical Implementation Guide
Part of NET-TUNL-001
Associated with IA controls: ECSC-1
There are a number of outdated tunneling schemes that should be blocked to avoid importing IPv6 packets. DoD IPv6 IA Guidance for MO3 (S0-C7-2) has identified the following to be blocked at the perimeter:
Review the network device configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols: Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42) AX.25 - protocol field value of 0x5D (93) IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94) EtherIP protocol - protocol field value of 0x61 (97) Encapsulation Header Protocol - protocol field value of 0x62 (98) PPTP - TCP or UDP destination port (0x06BB) 1723 If the appropriate filters are not configured and applied, this is a finding.
Configure the network device to drop all inbound and outbound IPv4 or IPv6 packets with any of the following tunneling protocols: Source Demand Routing Protocol (SDRP) - protocol field value of 0x2A (42) AX.25 - protocol field value of 0x5D (93) IP-within-IP Encapsulation Protocol - protocol field value of 0x5E (94) EtherIP protocol - protocol field value of 0x61 (97) Encapsulation Header Protocol - protocol field value of 0x62 (98) PPTP - TCP or UDP destination port (0x06BB) 1723
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer