
Router Security Configuration Guide Supplement - Security for IPv6 Routers v1.0 Checklist Details

Supporting Resources:

Target:

Target | CPE Name
Cisco IOS 12.3 | cpe:/o:cisco:ios:12.3
Cisco IOS 12.3t | cpe:/o:cisco:ios:12.3t
Cisco IOS 12.4 | cpe:/o:cisco:ios:12.4
Cisco IOS 12.4t | cpe:/o:cisco:ios:12.4t

Checklist Highlights

Checklist Name:
Router Security Configuration Guide Supplement - Security for IPv6 Routers
Checklist ID:
38
Version:
v1.0
Type:
Compliance
Review Status:
Archived
Authority:
Governmental Authority: National Security Agency
Original Publication Date:
05/22/2006

Checklist Summary:

This document is a supplement to the NSA Router Security Configuration Guide (RSCG) version 1.1c. It provides background information about IP version 6, discusses threats and threat mitigation for IPv6, and provides specific directions and rationale for configuring Cisco IOS routers for secure IPv6 operation. Specific topic areas covered include basic IPv6 configuration, IPv6 packet filtering, IPv6 routing security, protecting IPv6 traffic with IPSec, simple IPv6 rate limiting, and basic IPv6 firewall protections.

Checklist Role:

  • IPv6 Border or Gateway Router

Known Issues:

1. This document should not be applied by itself; for best results, apply the full NSA RSCG first, then apply the guidance in this document.
2. This document does not address security for IPv6 multicast.
3. Some of the security features described in this checklist are available only in particular releases of IOS.
4. Community consensus best practices have not yet emerged in some areas of IPv6 security.

Target Audience:

Network administrators and network security officers are the primary audience for this configuration guide. Throughout the text the familiar pronoun is used for guidance directed specifically to them. Most network administrators are responsible for managing the connections within their networks, and between their network and various other networks. Network security officers are usually responsible for selecting and deploying the assurance measures applied to their networks. For this audience, this guide provides security goals and guidance, along with specific examples of configuring Cisco IOS routers to meet those goals. In particular, this supplement is designed for managers of networks that support both IPv4 and IPv6.

Target Operational Environment:

  • Managed

Testing Information:

The guidance in this document has undergone extensive lab testing, but only cursory operational testing. IOS versions used in testing included many releases of IOS 12.3, 12.3T, 12.4, and 12.4T. The most testing was performed on version 12.4. Hardware platforms used in testing: C3620, C3640, and C3725.

Regulatory Compliance:

No

Comments/Warnings/Miscellaneous:

This document is only a guide to recommended security settings for Internet Protocol version 6 (IPv6) routers, particularly routers running Cisco Systems Internet Operating System (IOS) versions 12.3 through 12.4 and 12.4T. It does not provide comprehensive guidance; the directions in this document should be used in conjunction with the NSA Router Security Configuration Guide 1.1c or later. The advice in this document cannot replace well-designed policy or sound judgment. This supplement does not address site-specific configuration issues. Care must be taken when implementing the security steps specified in this document. Ensure that all security steps and procedures chosen from this guide are thoroughly tested and reviewed prior to imposing them on an operational network.

Disclaimer:

SOFTWARE IS PROVIDED AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Product Support:

Not provided.

Point of Contact:

SNAC.Guides@nsa.gov

Sponsor:

Not provided.

Licensing:

Refer to the legal statement posted at: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/routers/I33-002R-06.pdf

Change History:

Not provided.
Corrected reference links - 8/8/18
Updated status to Archive - 10/24/18

Dependency/Requirements:

URL | Description
http://www.ciscopress.com | At the web site of Cisco's publishing arm, you can order a wide variety of books about Cisco routers and related networking technologies.
https://support.microsoft.com/en-us | Microsoft Corporation Support homepage
https://www.sei.cmu.edu/about/divisions/cert/index.cfm | The Carnegie Mellon University Computer Emergency Response Team (CERT) maintains a web site about network vulnerabilities.

NIST checklist record last modified on 10/24/2018