
The firewall implementation must drop all inbound IPv6 packets for which the layer 4 protocol and ports (undetermined transport) cannot be located.


Overview

Finding ID: SRG-NET-000019-FW-000192
Version: SRG-NET-000019-FW-000192
Rule ID: SRG-NET-000019-FW-000192_rule
IA Controls: (none listed)
Severity: Medium
Description
IPv6 allows an unlimited number of extension headers to be applied to a packet. Some devices cannot traverse the full chain of extension headers and therefore fail to identify the layer 4 header. Because the firewall may be unable to locate and identify the layer 4 protocol and port values, it cannot properly filter those packets, and the security policy would be subverted if they were allowed to pass. The firewall implementation must drop any packet for which it cannot identify the layer 4 protocol and ports. If the firewall cannot traverse extension headers at all, it must drop every packet that carries any extension header.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000019-FW-000192_chk)
Review the configuration of the firewall implementation. If the device is not configured to drop all inbound IPv6 packets for which the layer 4 protocol and ports cannot be located, this is a finding. Note that this may be a default setting; review the product documentation to verify this capability exists and is enabled.
Fix Text (F-SRG-NET-000019-FW-000192_fix)
Configure the firewall implementation to drop all inbound IPv6 packets for which the layer 4 protocol and ports cannot be located.
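The following is an added illustration, not part of the SRG text and not any vendor's firewall code: it models the extension-header walk a firewall must perform to locate the layer 4 protocol and ports, and returns a DROP verdict whenever that walk fails (chain longer than the device is willing to traverse, non-first fragment whose transport header is in another fragment, truncated packet, or no next header). The header-count limit `MAX_EXT_HEADERS`, the packet-building helper and all packet bytes are constructed for the example; real products expose this as a platform setting rather than as code you write.

```python
import struct

IPV6_HEADER_LEN = 40
# Extension header Next Header values the walker understands (RFC 8200 / RFC 4302).
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
NO_NEXT_HEADER = 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS}
TCP, UDP = 6, 17
# Constructed limit: a chain longer than this counts as "cannot be located".
MAX_EXT_HEADERS = 8


def locate_transport(packet: bytes, max_ext_headers: int = MAX_EXT_HEADERS):
    """Walk the IPv6 extension-header chain.

    Returns (protocol, src_port, dst_port) when the layer 4 header is located
    (ports are None for port-less protocols such as ICMPv6), or None when the
    transport is undetermined and the packet must be dropped.
    """
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        return None
    next_header = packet[6]          # Next Header field of the fixed header
    offset = IPV6_HEADER_LEN
    hops = 0
    while next_header in EXT_HEADERS:
        hops += 1
        if hops > max_ext_headers or offset + 2 > len(packet):
            return None              # chain too long or header cut off
        if next_header == FRAGMENT:
            if offset + 8 > len(packet):
                return None
            frag_off = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_off != 0:
                return None          # non-first fragment: L4 header is elsewhere
            hdr_len = 8
        elif next_header == AUTH:
            hdr_len = (packet[offset + 1] + 2) * 4   # AH length in 4-byte words minus 2
        else:
            hdr_len = (packet[offset + 1] + 1) * 8   # options/routing: 8-byte units minus 1
        next_header = packet[offset]
        offset += hdr_len
    if next_header == NO_NEXT_HEADER:
        return None
    if next_header in (TCP, UDP):
        if offset + 4 > len(packet):
            return None              # ports not present in this packet
        src, dst = struct.unpack_from("!HH", packet, offset)
        return (next_header, src, dst)
    return (next_header, None, None)  # located, but the protocol has no ports


def firewall_verdict(packet: bytes) -> str:
    """Policy required by the SRG: drop anything whose transport is undetermined."""
    return "ACCEPT" if locate_transport(packet) is not None else "DROP"


def build_packet(ext_chain, payload_proto=TCP, src_port=40000, dst_port=443, frag_offset=0):
    """Construct a minimal IPv6 packet: fixed header, the given extension headers, then a
    20-byte transport stub carrying the ports. Sample data only."""
    body = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16
    nh = payload_proto
    for ext in reversed(ext_chain):          # build back to front so Next Header values chain
        if ext == FRAGMENT:
            hdr = struct.pack("!BBHI", nh, 0, frag_offset << 3, 0)
        elif ext == AUTH:
            hdr = struct.pack("!BBH", nh, 2, 0) + b"\x00" * 12   # 16-byte AH, length field 2
        else:
            hdr = struct.pack("!BB", nh, 0) + b"\x00" * 6         # 8-byte options header
        body = hdr + body
        nh = ext
    fixed = struct.pack("!IHBB", 0x60000000, len(body), nh, 64) + b"\x00" * 32
    return fixed + body


if __name__ == "__main__":
    samples = {
        "plain TCP": build_packet([]),
        "hop-by-hop + dest-opts + AH": build_packet([HOP_BY_HOP, DEST_OPTS, AUTH]),
        "first fragment": build_packet([FRAGMENT]),
        "non-first fragment": build_packet([FRAGMENT], frag_offset=100),
        "nine extension headers": build_packet([DEST_OPTS] * 9),
        "truncated after one header": build_packet([DEST_OPTS])[:44],
    }
    for name, pkt in samples.items():
        print(f"{name:30s} -> {firewall_verdict(pkt)}  {locate_transport(pkt)}")
```

The walker is deliberately conservative: it never guesses past a fragment boundary, an unknown length, or the configured header-count limit, which is the behaviour the Check Text asks you to confirm is enabled on the product. When auditing a real firewall, the analogous questions are how many extension headers the platform will traverse, what it does when the chain exceeds that depth, and whether non-first fragments are matched against the transport-layer policy or dropped.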