Network devices must be configured to restrict the acceptance of any inbound IP packets with a local host loopback address (0:0:0:0:0:0:0:1 or ::1/128).

From Perimeter Router Security Technical Implementation Guide

Part of IPv6 Loopback ADDR is not blocked by the enclave

Associated with IA controls: ECSC-1

SV-15401r2_rule Network devices must be configured to restrict the acceptance of any inbound IP packets with a local host loopback address (0:0:0:0:0:0:0:1 or ::1/128).

Vulnerability discussion

The unicast address 0:0:0:0:0:0:0:1, also written ::1/128, is called the loopback address. A node may use it to send an IPv6 packet to itself. It must never be assigned to any physical interface. It is treated as having link-local scope, and may be thought of as the link-local unicast address of a virtual interface to an imaginary link that goes nowhere. The loopback address must not be used as the source address in IPv6 packets that are sent outside of a single node. An IPv6 packet with the loopback address as its destination must never be sent outside of a single node and must never be forwarded by an IPv6 router. A packet received on an interface with the loopback address as its destination must be dropped.

Check content

Review the device configuration to ensure filters are in place that restrict inbound IP addresses, either explicitly or implicitly. Verify that an ingress ACL for IPv6 has been defined to deny the IPv6 loopback address and to log all violations. If the appropriate filters are not configured and applied, this is a finding.

Fix text

Configure and apply ingress filters that restrict inbound IPv6 packets carrying the loopback address (0:0:0:0:0:0:0:1 or ::1/128).
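As an added example (not part of the STIG and not any vendor's tooling), the following Python script automates the check above against a constructed Cisco IOS-style configuration: it parses the IPv6 access lists and which one each interface applies inbound, recognises the loopback address in either spelling (0:0:0:0:0:0:0:1 or ::1/128) as source or destination, and reports a finding if the deny entries are missing or unlogged. The IOS syntax, the ACL and interface names, and the reading that both source and destination must be covered are assumptions.

```python
import re
from ipaddress import IPv6Network
LOOPBACK = IPv6Network("::1/128")
ACE = re.compile(r"^(permit|deny) ipv6 (any|host \S+|\S+/\d+) (any|host \S+|\S+/\d+)\s*(.*)$")
# Constructed sample configuration; assumes Cisco IOS-style IPv6 ACL syntax.
SAMPLE_CONFIG = """\
ipv6 access-list INGRESS-V6
 deny ipv6 host 0:0:0:0:0:0:0:1 any log
 deny ipv6 any ::1/128 log
 permit ipv6 any any
interface GigabitEthernet0/0
 ipv6 traffic-filter INGRESS-V6 in
"""
def parse_config(config):
    """Return ({acl_name: [ACEs]}, {interface: acl applied inbound})."""
    acls, inbound, kind, name = {}, {}, None, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # an unindented line opens a new block
            kind, name = (raw.rsplit(" ", 1) + [None])[:2]
        elif kind == "ipv6 access-list":
            acls.setdefault(name, []).append(raw.strip())
        elif kind == "interface" and (m := re.match(r"\s+ipv6 traffic-filter (\S+) in$", raw)):
            inbound[name] = m.group(1)
    return acls, inbound

def covers_loopback(spec):  # spec is 'any', 'host X' or 'X/len'; only ::1/128 itself counts
    try:
        return IPv6Network(spec[5:] + "/128" if spec.startswith("host ") else spec) == LOOPBACK
    except ValueError:  # 'any' or a malformed token
        return False

def loopback_status(entries):
    """(::1 denied as source AND destination, every such deny logs) for one ACL's entries."""
    src, dst, logged = False, False, True
    for m in filter(None, map(ACE.match, entries)):
        s, d = covers_loopback(m.group(2)), covers_loopback(m.group(3))
        if m.group(1) == "deny" and (s or d):
            src, dst, logged = src or s, dst or d, logged and "log" in m.group(4).split()
    return src and dst, logged

def audit(config, interface):
    """STIG check for one external interface; returns a finding string, or None if compliant."""
    acls, inbound = parse_config(config)
    acl = inbound.get(interface)
    if acl is None:
        return f"{interface}: no inbound IPv6 traffic-filter applied"
    denied, logged = loopback_status(acls.get(acl, []))
    if not denied:
        return f"{interface}: ACL {acl} does not deny ::1 as both source and destination"
    return None if logged else f"{interface}: ACL {acl} denies ::1 without logging"
```

Run `audit(SAMPLE_CONFIG, "GigabitEthernet0/0")` to check the external interface; an interface without an inbound filter, or an ACL that denies loopback without the log keyword, is reported as a finding.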
