NET-IPV6-008 - IPV6 Bogons are not blocked - 'deny ipv6 3FFE::/16 any log'

Details

The IAO/NSO will ensure IPv6 6bone address space (3FFE::/16) is blocked on the ingress and egress filter.

The decommissioned 6bone allocation (3FFE::/16, RFC 3701) must be blocked. It is no longer a trusted source.



NOTE: Change 'IPV6_INGRESS_ACL' to the access control list for IPv6 inbound connection filtering.


Solution

The administrator will configure the router ACLs to block any 6bone addresses.
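
One way to audit an exported running-config for this control, as an added example that is not part of the original check or of any vendor tool. The function names and the sample configuration are constructed for illustration. Because Cisco ACLs match top-down, it goes beyond the literal line check and also fails an ACL in which an earlier permit entry would match 6bone traffic before the deny is reached.

```python
import ipaddress
import re

SIXBONE = ipaddress.ip_network("3ffe::/16")  # decommissioned 6bone space (RFC 3701)
# Constructed running-config excerpt (not taken from a real device).
SAMPLE_PASS = """ipv6 access-list IPV6_INGRESS_ACL
 deny ipv6 3FFE::/16 any log
 permit ipv6 any any
"""

def parse_ipv6_acls(config):
    """Return {acl_name: [entries]}, dropping any leading 'sequence N'."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"ipv6 access-list (\S+)$", line, re.I)
        if header:
            current = acls.setdefault(header.group(1), [])
        elif current is not None and raw[:1].isspace() and line:
            current.append(re.sub(r"^sequence \d+ ", "", line, flags=re.I))
        else:
            current = None  # unindented line ends the ACL block
    return acls

def source_network(tokens):
    """Source prefix of an entry laid out as: action protocol source ..."""
    if tokens[2] == "any":
        return ipaddress.ip_network("::/0")
    addr = tokens[3] + "/128" if tokens[2] == "host" else tokens[2]
    return ipaddress.ip_network(addr, strict=False)

def check_6bone_blocked(config, acl_name="IPV6_INGRESS_ACL"):
    """PASS only if 3FFE::/16 is denied and logged before any overlapping permit."""
    entries = parse_ipv6_acls(config).get(acl_name)
    if entries is None:
        return "FAIL: ACL not found"
    for entry in entries:
        tokens = entry.lower().split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # remark or other non-filter line
        try:
            net = source_network(tokens)
        except ValueError:
            continue  # source form this sketch does not parse
        if tokens[:2] == ["deny", "ipv6"] and net == SIXBONE and tokens[3] == "any":
            return "PASS" if "log" in tokens[4:] else "FAIL: deny entry does not log"
        if tokens[0] == "permit" and net.overlaps(SIXBONE):
            return "FAIL: permit matches 6bone traffic before the deny"
    return "FAIL: no deny for 3FFE::/16"
```

Pass the name of the inbound IPv6 ACL as `acl_name` if it is not `IPV6_INGRESS_ACL`.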


Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Cisco.

