The IAO/NSO will ensure the ingress filter drops unexpected protocol 41 packets at the 6to4 site router before sensor inspection.

From Perimeter Router Security Technical Implementation Guide

Part of Ingress filter does not filter protocol 41

SV-16073r1_rule The IAO/NSO will ensure the ingress filter drops unexpected protocol 41 packets at the 6to4 site router before sensor inspection.

Vulnerability discussion

6to4 is an automated tunneling mechanism that provides v6 capability to a dual-stack node or v6 capable site that has only IPv4 connectivity to the site. One key difference between automatic 6to4 tunnels and manually configured tunnels is that the tunnel is not point-to-point; it is point-to-multipoint. Basic 6to4 implementation can be used to connect single nodes too. In 6to4 tunnel implementations, tunnels are not defined in pairs as in manual tunnels. The tunnel destination is determined by the IPv4 address of the border router extracted from the IPv6 address that starts with the prefix 2002::/16, where the format is 2002:IPv4-address in hex::/48. 6to4 traffic takes an asymmetric routing path, outbound traffic and return traffic may take different paths. Although the 6to4 site can select the relay it wants to use, it has no control of the return relay used. See diagram in the STIG. Ensuring reliable operations from relays and knowing who is managing the relay are important and are concerns to preventing against denial of service attacks. 6to4 site routers are not capable of identifying bogus traffic injected from malicious 6to4 relay manufacturing packets. Specifying the exact IPv4 address of the 6to4 relay on the 6to4 router can mitigate these vulnerabilities. 6to4 tunnels are required to discard unexpected protocol 41 packets and inspect IPv6 traffic at the decapsulator end-point.

Check content

Base Procedure: Specifying the IPv4 address of the 6to4 relay on the 6to4 router can mitigate these vulnerabilities.

Fix text

Define a filter that allows 6to4 tunneling from trusted 6to4 relays.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer