The firewall implementation must be configured to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with invalid option type values.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000019-FW-000251 | SRG-NET-000019-FW-000251 | SRG-NET-000019-FW-000251_rule | Medium |
| Description |
|---|
| These options are intended to be for the Destination Options header only. The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that they cannot recognize and hence could cause a DoS on the target device. In addition, the type, length, value (TLV) formatting provides the ability for headers to be very large. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2014-07-07 |
Details
| Check Text ( C-SRG-NET-000019-FW-000251_chk ) |
|---|
| Review the firewall implementation configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address). If filters are not applied to drop all inbound and outbound IPv6 headers containing a Hop-by-Hop header with option type values of 0x04, 0xC9, or 0xC3, this is a finding. |
| Fix Text (F-SRG-NET-000019-FW-000251_fix) |
|---|
| Configure the firewall implementation to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address). |