The IAO/NSO will ensure in NAT-PT architecture there is no tunneled IPv4 in IPv6 traffic.

From Perimeter L3 Switch Security Technical Implementation Guide - Cisco

Part of Tunneled IPv4 in IPv6 traffic in NAT-PT

SV-16077r1_rule The IAO/NSO will ensure in NAT-PT architecture there is no tunneled IPv4 in IPv6 traffic.

Vulnerability discussion

Network Address Translation with Protocol Translation (NAT-PT), defined in RFC 2766 (since reclassified as Historic by RFC 4966), is a service used to translate data sent between IP-heterogeneous nodes. NAT-PT translates an IPv4 datagram into a semantically equivalent IPv6 datagram, or vice versa. For this service to work it has to be located at the connection point between the IPv4 network and the IPv6 network. The PT part of NAT-PT handles the interpretation and translation of the semantically equivalent IP header, either from IPv4 to IPv6 or from IPv6 to IPv4. Like NAT, NAT-PT also uses a pool of addresses which it dynamically assigns to the translated datagrams.

The NAT-PT architecture is not one of the preferred DoD IPv6 transition paradigms because NAT-PT has been deprecated within the DoD community. However, as described in the "DoD IPv6 Guidance for Information Assurance (IA) Milestone Objective 3 (MO3) Requirements", some services/agencies may choose to implement this transition mechanism within an enclave. The following sub-sections provide guidelines for the use of NAT-PT within a controlled enclave.

Beyond the single point of failure that the translator represents, the reduced performance of an application level gateway, coupled with limitations on the kinds of applications that work through it, decreases the overall value and utility of the network. NAT-PT also inhibits the ability to deploy security at the IP layer, since end-to-end IPsec cannot be applied across a device that rewrites the IP header.

Check content

Base Procedure: Review the network diagram in the STIG and ensure the architecture is designed correctly. The interface adjacent to the IPv4 LAN interface must not deploy IPv6 over IPv4 tunnels. Such techniques include manually configured tunnels, generic routing encapsulation (GRE) tunnels, semi-automatic tunnel mechanisms such as tunnel broker services, and fully automatic tunnel mechanisms such as 6to4 for the WAN and the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). Confirm the diagram against the device itself: on Cisco IOS, show running-config | section Tunnel prints every tunnel interface with its tunnel source, tunnel destination and tunnel mode lines, and a Tunnel interface with no tunnel mode line is GRE over IPv4 by default, so an ipv6 address under it is an IPv6-over-IPv4 tunnel even though no 6to4 or ISATAP keyword appears.

Fix text

If NAT-PT is required, the tunnel must be removed. On Cisco IOS the logical interface is deleted from configuration mode with no interface TunnelN, after which the running configuration should be reviewed again and saved.
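The check above is performed against a running configuration, and the fix removes whatever tunnel it finds. The script below, an added example that is not part of the STIG or of any Cisco tooling, performs both steps over a constructed IOS configuration excerpt: it groups interface stanzas, determines each Tunnel interface's transport family from its tunnel mode line (defaulting to GRE over IPv4 when the line is absent), determines the passenger family from its ip/ipv6 address lines, and flags any mismatch. It goes slightly beyond the check text by flagging both directions, since the rule title names IPv4 tunneled in IPv6 while the check procedure names IPv6 over IPv4. Tunnel broker tunnels appear to the device as ordinary manually configured ipv6ip tunnels, so they are covered by the same rule. The interface names, addresses and the TRANSPORT_BY_MODE table are assumptions made for the example.

```python
"""Audit a Cisco IOS running-config for tunnels that carry one IP family over
the other (IPv6 over IPv4 or IPv4 over IPv6) and emit the removal commands."""
from typing import Dict, List, Set

# Transport family per `tunnel mode` keyword (assumed table for this example).
# A Tunnel interface with no `tunnel mode` line runs GRE over IPv4 on IOS.
TRANSPORT_BY_MODE = {
    "gre ip": "ipv4",
    "ipip": "ipv4",
    "ipv6ip": "ipv4",              # manually configured IPv6-in-IPv4
    "ipv6ip 6to4": "ipv4",         # automatic 6to4
    "ipv6ip isatap": "ipv4",       # ISATAP
    "ipv6ip auto-tunnel": "ipv4",  # IPv4-compatible automatic tunnel
    "gre ipv6": "ipv6",
    "ipv6": "ipv6",                # generic packet tunneling over IPv6
}
DEFAULT_MODE = "gre ip"

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each `interface NAME` stanza to its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return stanzas

def passenger_families(lines: List[str], mode: str) -> Set[str]:
    """Address families the tunnel carries: implied by an ipv6ip mode, or
    configured with ip/ipv6 address lines (`no ip address` does not match)."""
    fams: Set[str] = {"ipv6"} if mode.startswith("ipv6ip") else set()
    for l in lines:
        if l.startswith(("ipv6 address", "ipv6 enable", "ipv6 unnumbered")):
            fams.add("ipv6")
        elif l.startswith(("ip address", "ip unnumbered")):
            fams.add("ipv4")
    return fams

def find_cross_family_tunnels(config: str) -> List[dict]:
    """One finding per Tunnel interface whose passenger family differs from
    its transport family; unknown tunnel modes are flagged for manual review."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((l[len("tunnel mode "):].strip() for l in lines
                     if l.startswith("tunnel mode ")), DEFAULT_MODE)
        transport = TRANSPORT_BY_MODE.get(mode)
        if transport is None:
            findings.append({"interface": name, "mode": mode,
                             "reason": "unrecognised tunnel mode; review manually"})
            continue
        foreign = sorted(passenger_families(lines, mode) - {transport})
        if foreign:
            findings.append({"interface": name, "mode": mode, "transport": transport,
                             "passenger": foreign, "reason": "cross-family tunnel"})
    return findings

def remediation_commands(findings: List[dict]) -> List[str]:
    """IOS commands that delete each flagged tunnel, as the fix text requires."""
    return [f"no interface {f['interface']}" for f in findings
            if f["reason"] == "cross-family tunnel"]

# Constructed running-config excerpt for demonstration (not from a real device).
SAMPLE_CONFIG = """\
interface Tunnel0
 no ip address
 ipv6 address 2002:c000:201::1/64
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip 6to4
!
interface Tunnel1
 no ip address
 ipv6 address 2001:db8:3::1/64
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
!
interface Tunnel2
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.9
!
interface Tunnel3
 ip address 10.20.20.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 2001:db8:ffff::2
 tunnel mode ipv6
!
"""

if __name__ == "__main__":
    found = find_cross_family_tunnels(SAMPLE_CONFIG)
    print(*found, *remediation_commands(found), sep="\n")
```

Run against the sample, Tunnel0 (6to4), Tunnel1 (default GRE carrying an ipv6 address) and Tunnel3 (IPv4 over an IPv6 transport) are reported, while Tunnel2, a plain IPv4-over-IPv4 GRE tunnel, is not. Tunnel1 is the case a keyword search for 6to4 or ISATAP would miss, which is why the script reasons from the default mode rather than from mode keywords alone.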
