
The firewall implementation must drop all inbound IPv6 packets with a Type 0 Routing header.


Overview

Finding ID: SRG-NET-000019-FW-000193
Version: SRG-NET-000019-FW-000193
Rule ID: SRG-NET-000019-FW-000193_rule
IA Controls:
Severity: Medium
Description
The IPv6 Type 0 Routing Header (an extension header) is functionally equivalent to the IPv4 loose source routing option, which is typically blocked for security reasons. The Type 0 Routing Header is dangerous because it lets an attacker spoof a source address and still receive the reply traffic (instead of the real owner of that address). In addition, a packet addressed to an allowed destination could pass through a firewall and then, once inside, be bounced by the Routing Header to a different, disallowed node. The IPv6 Type 0 Routing Header has been deprecated by IETF RFC 5095 and should not be used, but existing implementations may still recognize this header. If the firewall cannot distinguish the Type field of a routing header, it should be configured to drop all routing headers. Note that Mobile IP at one time used the Type 0 Routing Header; it has since been changed to use the Type 2 Routing Header.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000019-FW-000193_chk)
Review the configuration of the firewall implementation. If the device is not configured to drop all inbound IPv6 packets with a Type 0 Routing Header, this is a finding. Note that this may be a default setting; review the product documentation to verify this capability exists and is enabled.
Fix Text (F-SRG-NET-000019-FW-000193_fix)
Configure the firewall implementation to drop all inbound IPv6 packets with a Type 0 Routing Header.
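The decision logic this requirement asks a firewall to apply, as an added example that is not part of the SRG or any vendor's code: it walks the IPv6 extension header chain (so a Type 0 Routing Header placed behind a Hop-by-Hop header is still found), reports the Routing Type of every routing header, and implements both the Type 0 drop and the "drop all routing headers" fallback for devices that cannot inspect the Type field. The sample packets, addresses (2001:db8::/32 documentation prefix) and the `drop_all_routing` flag are constructed for illustration.

```python
import struct

# IPv6 Next Header values of the extension headers the walker steps through
HOPOPTS, ROUTING, FRAGMENT, DSTOPTS, AH, ICMPV6 = 0, 43, 44, 60, 51, 58
CHAINABLE = {HOPOPTS, ROUTING, FRAGMENT, DSTOPTS, AH}

def routing_header_types(packet: bytes) -> list:
    """Return the Routing Type of every Routing header (Next Header 43) in the
    extension header chain; ValueError if not IPv6 or a header is truncated."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, types = packet[6], 40, []
    while next_hdr in CHAINABLE:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == FRAGMENT:
            ext_len = 8                             # Fragment header is fixed size
        elif next_hdr == AH:
            ext_len = (packet[offset + 1] + 2) * 4  # AH length: 4-octet units minus 2
        else:
            ext_len = (packet[offset + 1] + 1) * 8  # 8-octet units, first 8 not counted
        if next_hdr == ROUTING:
            types.append(packet[offset + 2])        # Routing Type field
        next_hdr, offset = packet[offset], offset + ext_len
    if offset > len(packet):
        raise ValueError("truncated extension header")
    return types

def should_drop(packet: bytes, drop_all_routing: bool = False) -> bool:
    """Drop on any Type 0 Routing header; with drop_all_routing=True (the fallback
    for devices that cannot read the Type field) drop on any Routing header.
    Chains that cannot be parsed are dropped rather than forwarded."""
    try:
        types = routing_header_types(packet)
    except ValueError:
        return True
    return 0 in types or (drop_all_routing and bool(types))

# --- constructed sample packets (documentation prefix 2001:db8::/32) ---
SRC, DST = (bytes.fromhex(f"20010db8{'0' * 23}{h}") for h in "12")

def ipv6(next_hdr: int, payload: bytes) -> bytes:
    # version 6, zero traffic class / flow label, hop limit 64
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + SRC + DST + payload

def routing_hdr(rtype: int, next_hdr: int, addresses: list) -> bytes:
    body = b"".join(addresses)  # Hdr Ext Len counts 8-octet units after the first 8 bytes
    return bytes([next_hdr, len(body) // 8, rtype, len(addresses)]) + b"\0" * 4 + body

HBH_PADN = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])  # Hop-by-Hop header carrying one PadN option
RH0_PKT = ipv6(HOPOPTS, HBH_PADN + routing_hdr(0, ICMPV6, [DST]) + b"\x80\x00\x00\x00")  # RH0 behind HBH
RH2_PKT = ipv6(ROUTING, routing_hdr(2, ICMPV6, [DST]) + b"\x80\x00\x00\x00")            # Mobile IPv6 Type 2
PLAIN_PKT = ipv6(ICMPV6, b"\x80\x00\x00\x00")                                            # no extension headers
```

Running `should_drop` over the three samples drops only `RH0_PKT` by default, while `drop_all_routing=True` also drops the Type 2 packet, which is the behaviour the requirement prescribes for a device that cannot distinguish routing header types.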