Check: JUNI-RT-000381
Juniper Router RTR STIG:
JUNI-RT-000381
(in versions v3 r1 through v2 r1)
Title
The Juniper perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces. (Cat II impact)
Discussion
Many of the known attacks in stateless autoconfiguration are defined in RFC 3756 were present in IPv4 ARP attacks. To mitigate these vulnerabilities, links that have no hosts connected such as the interface connecting to external gateways must be configured to suppress router advertisements.
Check Content
This requirement is not applicable for the DODIN Backbone. Review the router configuration to verify that Router Advertisements are suppressed on all external IPv6-enabled interfaces as shown in the example below. By default, router advertisements are disabled by Junos. Verify that there are no external-facing interfaces defined under the protocols router-advertisement hierarchy as shown in the example below. protocols { router-advertisement { interface fe-0/1/0.0 { prefix 2001:1:123::/64; } } } If the router is not configured to suppress Router Advertisements on all external IPv6-enabled interfaces, this is a finding.
Fix Text
Remove any external IPv6-enabled interfaces from the protocols router-advertisement hierarchy.
Additional Identifiers
Rule ID: SV-233292r604135_rule
Vulnerability ID: V-233292
Group Title: SRG-NET-000512-RTR-000014
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |