NET-IPV6-008 - IPV6 Bogons are not blocked - 'Ingress IPv6 traffic-filter'

Details

The IAO/NSO will ensure the IPv6 6bone address space (3FFE::/16) is blocked on the ingress and egress filters.



The decommissioned 6bone allocation (3FFE::/16, RFC 3701) must be blocked. It is no longer a trusted source.



NOTE: Change 'IPV6_INGRESS_ACL' to the name of the access control list used as the IPv6 inbound connection filter, which includes the statements blocking the 6bone address space.


NOTE: The same 'IPV6_INGRESS_ACL' access list can be applied to the outside interface and the appropriate inside interface as an 'inbound' traffic-filter to block 6bone traffic. Dropping undesired traffic as quickly as possible reduces unnecessary packet processing and CPU load on the router.


Solution

The administrator will configure the router ACLs to restrict any IP addresses within the 6bone address space.
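
The check described above, as an added Python example (not the audit's own code): it parses a running-config, confirms that 'IPV6_INGRESS_ACL' denies all of 3FFE::/16 before any permit that would match it, and confirms the ACL is applied inbound with 'ipv6 traffic-filter'. The sample config, the interface name and the function names are constructed for illustration; entries with sequence numbers are not handled.

```python
import ipaddress

SIXBONE = ipaddress.ip_network("3ffe::/16")  # decommissioned 6bone space (RFC 3701)
# Constructed sample running-config; interface name and trailing permit are assumptions.
SAMPLE_CONFIG = """\
ipv6 access-list IPV6_INGRESS_ACL
 deny ipv6 3FFE::/16 any log
 permit ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 traffic-filter IPV6_INGRESS_ACL in
!
"""

def sections(config):
    """Map each top-level config line to the tokenized indented lines under it."""
    out, current = {}, []
    for line in config.splitlines():
        if line.startswith(" "):
            current.append(line.split())
        else:
            current = out.setdefault(line.strip(), [])
    return out

def source_network(tokens):
    """Return (source network, remaining tokens) for 'any', 'host X' or a prefix."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/128"), tokens[2:]
    net = "::/0" if tokens[0] == "any" else tokens[0]
    return ipaddress.ip_network(net, strict=False), tokens[1:]

def blocks_6bone(entries):
    """True if a deny covering all of 3FFE::/16 precedes any overlapping permit."""
    for action, proto, *rest in (e for e in entries if e[0] in ("deny", "permit")):
        src, rest = source_network(rest)
        if src.overlaps(SIXBONE) and action == "permit":
            return False  # 6bone sources are let through before a full deny is reached
        if action == "deny" and proto == "ipv6" and SIXBONE.subnet_of(src) and rest[:1] == ["any"]:
            return True
    return False

def inbound_interfaces(config, acl_name):
    """List interfaces that apply the ACL with 'ipv6 traffic-filter <name> in'."""
    applied = ["ipv6", "traffic-filter", acl_name, "in"]
    return [head.split()[1] for head, body in sections(config).items()
            if head.startswith("interface ") and applied in body]

def audit(config, acl_name="IPV6_INGRESS_ACL"):
    entries = sections(config).get("ipv6 access-list " + acl_name, [])
    return blocks_6bone(entries) and bool(inbound_interfaces(config, acl_name))
```

A deny that covers only part of 3FFE::/16, or one placed after a broader permit, fails the check because ACL entries are evaluated in order.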


Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Cisco.

