
The firewall implementation must block IPv6 Jumbo Payload hop-by-hop header.


Overview

Finding ID: SRG-NET-000019-FW-000199
Version: SRG-NET-000019-FW-000199
Rule ID: SRG-NET-000019-FW-000199_rule
IA Controls: (none listed)
Severity: Medium
Description
The IPv6 Jumbo Payload option allows IP packets to be larger than 65,535 bytes. Packets carrying this option should be dropped unless the system is specifically designed to use very large payloads, since the option can break implementations that do not expect it. The Jumbo Payload option is carried in an IPv6 Hop-by-Hop Options header, immediately following the IPv6 header. This feature is only useful on very specialized high-performance systems (e.g., supercomputers). Commonplace link-layer technologies do not support these payload sizes, and special link-layer designs would be necessary.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text ( C-SRG-NET-000019-FW-000199_chk )
Review the configuration of the firewall implementation; if it is not configured to drop all inbound or outbound IPv6 packets containing a Hop-by-Hop option of type 0xC2 (Jumbo Payload), this is a finding.

If the system is specifically designed to use very large payloads and its use is documented in architecture design documents, then this is not a finding.
Fix Text (F-SRG-NET-000019-FW-000199_fix)
Configure the firewall to drop all inbound and/or outbound IPv6 packets containing a Hop-by-Hop option of type 0xC2 (Jumbo Payload).
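The check and fix above both hinge on one thing: recognizing option type 0xC2 inside the Hop-by-Hop Options header that directly follows the fixed IPv6 header. The following Python is an added example written for this page; it is not part of the STIG and not any firewall vendor's code. It walks the Hop-by-Hop option TLVs (handling Pad1, which has no length octet, and PadN), reports whether the Jumbo Payload option is present, and applies the rule's accept/drop decision, with a `jumbo_allowed` flag standing in for the documented-architecture exception in the check text. It goes slightly beyond the rule by also dropping packets whose extension header is truncated or whose option lengths overrun the header, since a filter that cannot parse the header cannot prove the option is absent. All packets are constructed inline (documentation-prefix addresses, an arbitrary jumbo length of 70000) and are not captured traffic.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_HOP_BY_HOP = 0          # Next Header value for the Hop-by-Hop Options header
NH_TCP = 6
NH_NO_NEXT = 59
OPT_PAD1 = 0x00
OPT_PADN = 0x01
OPT_ROUTER_ALERT = 0x05
OPT_JUMBO_PAYLOAD = 0xC2   # Jumbo Payload option type (RFC 2675), the value the STIG names


def hop_by_hop_option_types(packet: bytes) -> list:
    """Return the option types in the Hop-by-Hop header that follows the fixed
    IPv6 header, or [] when the packet has no Hop-by-Hop header at all.
    Malformed headers raise ValueError so the caller can treat them as drop-worthy."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    if packet[6] != NH_HOP_BY_HOP:
        return []                       # Hop-by-Hop must be the first extension header
    hbh = packet[IPV6_HDR_LEN:]
    if len(hbh) < 2:
        raise ValueError("truncated Hop-by-Hop header")
    hbh_len = (hbh[1] + 1) * 8          # Hdr Ext Len is in 8-octet units, excluding the first 8
    if len(hbh) < hbh_len:
        raise ValueError("Hop-by-Hop header runs past end of packet")
    opts = hbh[2:hbh_len]
    types, i = [], 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == OPT_PAD1:        # Pad1 is a single octet with no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option is missing its length octet")
        opt_len = opts[i + 1]
        if i + 2 + opt_len > len(opts):
            raise ValueError("option data runs past end of header")
        types.append(opt_type)
        i += 2 + opt_len
    return types


def has_jumbo_payload(packet: bytes) -> bool:
    return OPT_JUMBO_PAYLOAD in hop_by_hop_option_types(packet)


def firewall_decision(packet: bytes, jumbo_allowed: bool = False) -> str:
    """'accept' or 'drop' under the STIG rule: drop any packet whose Hop-by-Hop header
    carries option type 0xC2 unless the deployment is documented to use jumbograms
    (jumbo_allowed). Unparseable extension headers are dropped as well."""
    try:
        if has_jumbo_payload(packet) and not jumbo_allowed:
            return "drop"
    except ValueError:
        return "drop"
    return "accept"


# --- constructed sample packets (not captured traffic) ---------------------------
def build_ipv6(next_hdr: int, payload: bytes, payload_len=None) -> bytes:
    """Fixed 40-byte IPv6 header (addresses from the 2001:db8::/32 documentation prefix)."""
    if payload_len is None:
        payload_len = len(payload)
    fixed = struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, 64)   # ver=6, hop limit 64
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return fixed + src + dst + payload

# Jumbo Payload option: type 0xC2, length 4, 32-bit jumbo length. With only this option
# the Hop-by-Hop header is exactly 8 octets (Hdr Ext Len = 0), and RFC 2675 requires the
# fixed header's Payload Length field to be 0 when the option is present.
JUMBO_HBH = bytes([NH_NO_NEXT, 0, OPT_JUMBO_PAYLOAD, 4]) + struct.pack("!I", 70000)
JUMBO_PKT = build_ipv6(NH_HOP_BY_HOP, JUMBO_HBH, payload_len=0)

# Benign Hop-by-Hop header: Router Alert (type 0x05, length 2) plus a 2-octet PadN.
BENIGN_HBH = bytes([NH_NO_NEXT, 0, OPT_ROUTER_ALERT, 2, 0, 0, OPT_PADN, 0])
BENIGN_HBH_PKT = build_ipv6(NH_HOP_BY_HOP, BENIGN_HBH)

# Ordinary packet with no extension header at all.
PLAIN_PKT = build_ipv6(NH_TCP, b"\x00" * 20)

# Truncated Hop-by-Hop header: Hdr Ext Len claims 16 octets but only 8 are present.
TRUNCATED_PKT = build_ipv6(NH_HOP_BY_HOP, bytes([NH_NO_NEXT, 1]) + bytes(6))

if __name__ == "__main__":
    for name, pkt in [("jumbo", JUMBO_PKT), ("router-alert", BENIGN_HBH_PKT),
                      ("plain", PLAIN_PKT), ("truncated", TRUNCATED_PKT)]:
        print(f"{name:13s} -> {firewall_decision(pkt)}")
```

A real firewall implements the same walk in its packet-inspection path (or exposes it as a match on Hop-by-Hop option type 0xC2); the point of the walk is that the option must be located by parsing the TLV sequence, not by looking at a fixed offset, because padding or other options may precede it. The inverse check a reviewer can add is that a packet whose Jumbo Payload option is present but whose Payload Length field is non-zero is malformed under RFC 2675 and should be dropped regardless of the exception.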