From Infrastructure L3 Switch Security Technical Implementation Guide
Part of The 6-to-4 router is not filtering protocol 41
The 6to4-specific filters perform endpoint verification and provide assurance that the tunnels are being used properly. This primary guidance assumes that only the designated 6to4 router is allowed to form tunnel packets. If tunnel packets are formed inside an enclave and passed to the 6to4 router, they are suspicious and must be dropped. In accordance with DoD IPv6 IA Guidance for MO3 (S5-C7-8), such packets must be dropped and logged as a security event.
If the router is functioning as a 6to4 router, verify that there is an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets.
If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets.
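The check above can be run against a saved configuration. The following is an added example, not part of the STIG: it assumes Cisco IOS-style ACL syntax (the guidance itself is vendor-neutral), and the interface names, ACL names and sample configuration are constructed for illustration. It reports whether each internal-facing interface has an inbound ACL that denies and logs IPv4 protocol 41 before any entry permits it.

```python
import re

# Constructed sample in Cisco IOS-style syntax (an assumption: the STIG text
# is vendor-neutral). Interface and ACL names are hypothetical.
SAMPLE_CONFIG = """\
ip access-list extended INTERNAL-IN
 deny 41 any any log
 permit ip any any
ip access-list extended MISORDERED-IN
 permit ip any any
 deny 41 any any log
interface GigabitEthernet0/1
 ip access-group INTERNAL-IN in
interface GigabitEthernet0/2
 ip access-group MISORDERED-IN in
interface GigabitEthernet0/3
"""

def parse(config):  # -> ({acl: [tokenised entries]}, {interface: inbound ACL or None})
    acls, inbound, acl, iface = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a new top-level section begins
            acl = iface = None
            if m := re.match(r"ip access-list extended (\S+)$", line):
                acl = acls.setdefault(m.group(1), [])
            elif m := re.match(r"interface (\S+)$", line):
                iface = m.group(1)
                inbound[iface] = None
        elif acl is not None:
            acl.append(line.split())
        elif iface and (m := re.match(r"ip access-group (\S+) in$", line)):
            inbound[iface] = m.group(1)
    return acls, inbound

def audit(config, internal_ifaces):  # -> {interface: status string}
    acls, inbound = parse(config)
    result = {}
    for name in internal_ifaces:
        entries = acls.get(inbound.get(name), [])
        # The first "any any" entry covering protocol 41 decides the outcome;
        # host- or network-specific entries are outside this narrow check.
        hit = next((e for e in entries
                    if e[1:4] in (["41", "any", "any"], ["ip", "any", "any"])), None)
        if hit is None or hit[0] != "deny":
            result[name] = "protocol 41 not dropped" if entries else "no inbound ACL"
        else:
            result[name] = "pass" if "log" in hit else "dropped but not logged"
    return result
```

The caller supplies the list of internal-facing interfaces, since the configuration alone does not say which side of the router an interface faces.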