The administrator must ensure the 6-to-4 router is configured to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48 where V4ADDR is the designated IPv4 6to4 address for the enclave.

From Infrastructure L3 Switch Security Technical Implementation Guide - Cisco

Part of 6-to-4 router not filtering invalid source address

SV-40539r1_rule The administrator must ensure the 6-to-4 router is configured to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48 where V4ADDR is the designated IPv4 6to4 address for the enclave.

Vulnerability discussion

An automatic 6to4 tunnel allows isolated IPv6 domains to be connected over an IPv4 network and allows connections to remote IPv6 networks. The key difference between this deployment and manually configured tunnels is that the routers are not configured in pairs and thus do not require manual configuration: they treat the IPv4 infrastructure as a virtual non-broadcast link and use the IPv4 address embedded in the IPv6 address to find the remote end of the tunnel. In other words, the tunnel destination is determined by the IPv4 address of the external interface of the 6to4 router, which is concatenated to the 2002::/16 prefix in the format 2002:V4ADDR::/48. Hence, the embedded V4ADDR of the 6to4 prefix must belong to the same IPv4 prefix as configured on the external-facing interface of the 6to4 router.

Check content

If the router is functioning as a 6to4 router, verify that an egress filter (inbound on the internal-facing interface) has been configured to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48 where V4ADDR is the designated IPv4 6to4 address for the enclave. The example below uses 2002:c612:1::/48, where c612:1 maps to 198.18.0.1, which is the embedded V4ADDR. The subnet in this example is 2002:c612:1:1::/64. The IPv6 ACL filters the source address of the IPv6 packets before they are forwarded to the 6to4 tunnel.

ipv6 general-prefix 6TO4_PREFIX 6to4 FastEthernet0/1
!
interface Tunnel0
 ipv6 address 2000:c0a8:6301::1/64
 ! tunnel source is the external interface (198.18.0.1), the address embedded as V4ADDR
 tunnel source FastEthernet0/1
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ipv6 address 6TO4_PREFIX ::1:0:0:0:1/64
 ipv6 traffic-filter IPV6_EGRESS_FILTER in
!
interface FastEthernet0/1
 description DISN CORE facing
 ip address 198.18.0.1 255.255.255.0
!
ipv6 route 2002::/16 Tunnel0
!
ipv6 access-list IPV6_EGRESS_FILTER
 permit ipv6 2002:C612:1::/48 any
 deny ipv6 any any log

Note: normally you would want to configure the internal interface dual stack, although IPv6 only is possible.
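As an added illustration (not part of the STIG check text), the following Python derives the 2002:V4ADDR::/48 prefix from the external IPv4 address and applies the IPV6_EGRESS_FILTER logic above, first-match with implicit deny, to a constructed sample of outbound packets. Packet addresses and the AclEntry/evaluate helper names are assumptions made for the example.

```python
import ipaddress
from typing import NamedTuple


class AclEntry(NamedTuple):
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    log: bool = False


def sixto4_prefix(v4addr):
    """Return 2002:V4ADDR::/48: the 32-bit IPv4 address sits in bits 16..47."""
    v4 = int(ipaddress.IPv4Address(v4addr))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def build_egress_acl(v4addr):
    """IPV6_EGRESS_FILTER from the check text: permit the enclave's own 6to4 /48
    to any destination, then deny and log everything else."""
    any6 = ipaddress.IPv6Network("::/0")
    return [AclEntry("permit", sixto4_prefix(v4addr), any6),
            AclEntry("deny", any6, any6, log=True)]


def evaluate(acl, src, dst):
    """First-match evaluation as IOS does; returns (action, logged)."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action, entry.log
    return "deny", False              # implicit deny at the end of every ACL


def filter_packets(v4addr, packets):
    """Apply the egress filter to (src, dst) pairs; returns (src, action, logged)."""
    acl = build_egress_acl(v4addr)
    return [(src, *evaluate(acl, src, dst)) for src, dst in packets]


# Constructed sample of packets arriving inbound on the internal interface.
SAMPLE_PACKETS = [
    ("2002:c612:1:1::10", "2001:db8::1"),        # legitimate enclave host
    ("2002:c612:1:1::10", "2002:c633:6401::1"),  # enclave host to another 6to4 site
    ("2002:c0a8:101:1::5", "2001:db8::1"),       # 6to4 prefix of a different V4ADDR
    ("fd00:1::5", "2001:db8::1"),                # ULA source leaking toward the tunnel
    ("2001:db8:1::7", "2002:c612:1:1::10"),      # wrong source even though dst is ours
]

if __name__ == "__main__":
    for src, action, logged in filter_packets("198.18.0.1", SAMPLE_PACKETS):
        print(f"{src:22} {action}{' (logged)' if logged else ''}")
```

Only the first two packets carry a source inside 2002:c612:1::/48; the other three are dropped and logged, which is the behaviour the check expects to see on the internal-facing interface.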

Fix text

If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48 where V4ADDR is the designated IPv4 6to4 address for the enclave.
