From Perimeter L3 Switch Security Technical Implementation Guide
Part of IPv6 Loopback ADDR is not blocked by the enclave
Associated with IA controls: ECSC-1
The unicast address 0:0:0:0:0:0:0:1, also defined ::1/128 is called the loopback address. A node could use it to send an IPv6 packet to itself. It should never be assigned to any physical interface. It is treated as having link-local scope, and may be thought of as the link-local unicast address of a virtual interface to an imaginary link that goes nowhere. The loopback address must not be used as the source address in IPv6 packets that are sent outside of a single node. An IPv6 packet with a destination address of loopback must never be sent outside of a single node and must never be forwarded by an IPv6 router. A packet received on an interface with destination address of loopback must be dropped.
Review the device configuration to ensure filters are in place to restrict inbound IP addresses explicitly, or inexplicitly. Verify that an ingress ACL for IPv6 has been defined to deny IPv6 Loopback, and log all violations. If the appropriate filters are not configured and applied, this is a finding.
Configure and apply the filters to restrict IP addresses that contain any loopback addresses.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer