ISATAP tunnels must terminate at an interior router.

From Infrastructure Router Security Technical Implementation Guide Cisco

Part of ISATAP tunnels must terminate at interior router.

Associated with IA controls: ECSC-1

SV-16068r2_rule ISATAP tunnels must terminate at an interior router.

Vulnerability discussion

ISATAP is an automatic tunnel mechanism that does not provide authentication such as IPSec. As a result of this limitation, ISATAP is thought of as a tool that is used inside the enclave among trusted hosts, which would limit it to internal attacks. ISATAP is a service versus a product, and is readily available to most users. If a user knows the ISATAP router IP address, they can essentially get onto the IPv6 intranet. To control the vulnerability of this tunnel mechanism, it is critical to control the use of protocol 41 and use IPv4 filters to control what IPv4 nodes can send protocol 41 packets to an ISATAP router interface. Although the ISATAP tunneling mechanism is similar to other automatic tunneling mechanisms, such as IPv6 6to4 tunneling, ISATAP is designed for transporting IPv6 packets between sites within an enclave, not between enclaves.

Check content

Verify ISATAP tunnels are terminated on the infrastructure routers or L3 switches within the enclave. Example configuration of an ISATAP tunnel endpoint: interface tunnel 1 no ip address no ip redirects tunnel source ethernet 1 tunnel mode ipv6ip isatap ipv6 address 2001:0DB8::/64 eui-64 no ipv6 nd suppress-ra

Fix text

Terminate ISATAP tunnels at the infrastructure router to prohibit tunneled traffic from exiting the enclave perimeter prior to inspection by the IDS, IPS, or firewall.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer