STIGQter: STIG Summary: Router Security Requirements Guide Version: 4 Release: 2 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Router Security Requirements Guide Version: 4 Release: 2 Benchmark Date: 23 Apr 2021:SV-207164r648771_rule
V-207164
SRG-NET-000364
SRG-NET-000364-RTR-000110
CAT II
10
This requirement is not applicable for the DODIN Backbone.
Configure the router to block inbound packets with Bogon source addresses.
This requirement is not applicable for the DODIN Backbone.
Verify that the ingress filter is blocking packets with Bogon source addresses.
Review the router configuration to verify that it is configured to block IP packets with a Bogon source address.
IPv4 Bogon Prefixes
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.88.99.0/24
192.168.0.0/16
198.18.0.0/15 |
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
IPv6 Bogon Prefixes
::/128
::1/128
0::/96
::ffff:0:0/96
3ffe::/16
64:ff9b::/96
100::/64
2001:10::/28
2001:db8::/32
2001:2::/48
2001::/32
2001::/23
2002::/16
fc00::/7
fec0::/10
ff00::/8
If the router is not configured to block inbound IP packets containing a Bogon source address, this is a finding.
Note: At a minimum, IP packets containing a source address from the special purpose address space as defined in RFC 6890 must be blocked. The 6Bone prefix (3ffe::/16) is also be considered a Bogon address. Perimeter routers connected to commercial ISPs for Internet or other non-DoD network sources will need to be reviewed for a full Bogon list.
The IPv4 full Bogon list contains prefixes that have been allocated to RIRs but not assigned by those RIRs. Reference the following link: http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
The IPv6 full Bogon list contains prefixes that have not been allocated to RIRs, or those that have been allocated to RIRs but have not been assigned by those RIRs. Reference the following link: https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
V-207164
False
SRG-NET-000364-RTR-000110
This requirement is not applicable for the DODIN Backbone.
Verify that the ingress filter is blocking packets with Bogon source addresses.
Review the router configuration to verify that it is configured to block IP packets with a Bogon source address.
IPv4 Bogon Prefixes
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.88.99.0/24
192.168.0.0/16
198.18.0.0/15 |
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
IPv6 Bogon Prefixes
::/128
::1/128
0::/96
::ffff:0:0/96
3ffe::/16
64:ff9b::/96
100::/64
2001:10::/28
2001:db8::/32
2001:2::/48
2001::/32
2001::/23
2002::/16
fc00::/7
fec0::/10
ff00::/8
If the router is not configured to block inbound IP packets containing a Bogon source address, this is a finding.
Note: At a minimum, IP packets containing a source address from the special purpose address space as defined in RFC 6890 must be blocked. The 6Bone prefix (3ffe::/16) is also be considered a Bogon address. Perimeter routers connected to commercial ISPs for Internet or other non-DoD network sources will need to be reviewed for a full Bogon list.
The IPv4 full Bogon list contains prefixes that have been allocated to RIRs but not assigned by those RIRs. Reference the following link: http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
The IPv6 full Bogon list contains prefixes that have not been allocated to RIRs, or those that have been allocated to RIRs but have not been assigned by those RIRs. Reference the following link: https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
M
2917