
The Juniper perimeter router must be configured to drop fragmented IPv6 packets where the first fragment does not include the entire IPv6 header chain.


Overview

Finding ID: V-254053
Version: JUEX-RT-000810
Rule ID: SV-254053r844192_rule
IA Controls: none listed
Severity: Medium
Description
One of the fragmentation weaknesses known in IPv6 is the "undetermined transport" packet: a first fragment in which the entire IPv6 header chain is not included. Fragmenting IPv6 datagrams without including the upper-layer header in the first fragment makes it difficult to identify the traffic. RFC 7112 and RFC 8200 require the entire IPv6 header chain to be present in the first fragment and define the header chain as: "The IPv6 Header Chain contains an initial IPv6 header, zero or more IPv6 Extension Headers, and optionally, a single upper-layer header. If an upper-layer header is present, it terminates the header chain; otherwise, the "No Next Header" value (Next Header = 59) terminates it." Both RFCs consider a second IPv6 header and an ESP header to be "upper-layer headers" when determining where the IPv6 header chain terminates.
STIG: Juniper EX Series Switches Router Security Technical Implementation Guide
Date: 2023-03-23

Details

Check Text (C-57505r844190_chk)
This requirement is not applicable for the DODIN Backbone.

There is no check for dropping RFC 7112 nonconformant fragmented IPv6 packets because Juniper EX switches drop these packets without offering or requiring a configurable option in the CLI.

Review the router configuration to determine if it is configured to drop fragmented transit IPv6 traffic.

[edit firewall family inet6]
filter {
    term {
        from {
            next-header fragment;
        }
        then {
            syslog;
            discard;
        }
    }
}

Note: Some platforms also support "is-fragment" or "fragment-flags is-fragment" in addition to "next-header fragment" as shown in the example.

If the router is not configured to drop first-fragment IPv6 packets without the entire header chain, this is a finding.
Fix Text (F-57456r844191_fix)
Configure the router to drop first-fragment IPv6 packets without the entire header chain.

There is no configurable CLI option to prevent EX devices from dropping nonconformant fragmented IPv6 packets destined to the device.

Configure the router to drop fragmented transit IPv6 packets.

set firewall family inet6 filter term from next-header fragment
set firewall family inet6 filter term then syslog
set firewall family inet6 filter term then discard
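The description above defines the IPv6 header chain and the "undetermined transport" first fragment that RFC 7112 forbids, while the check and fix text configure a blanket drop of every transit packet carrying a Fragment header. The following is an added example, not code from the STIG or from Juniper: a small Python classifier that walks the header chain of a raw IPv6 packet and reports whether it is a first fragment whose chain ends inside the fragment (conformant), a first fragment whose chain runs past the end of the fragment (nonconformant), a non-first fragment, or not a fragment at all. It can be run over packets pulled from a capture to confirm what a device is discarding. The sample packets, the documentation-prefix addresses in them, the helper names, and the assumption that an unknown upper-layer protocol needs at least 8 bytes of header to count as present are all constructed for this example; `has_fragment_header` models the intent of the "next-header fragment" match (any Fragment header in the chain) and is not a statement of how a particular Junos platform evaluates that match.

```python
"""Classify IPv6 packets by RFC 7112 first-fragment conformance (added example, not STIG code)."""
import struct

# Extension-header and protocol numbers from RFC 8200 section 4, RFC 4302 and RFC 6275.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
NO_NEXT_HEADER = 59
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY}
# Fixed header size an upper-layer protocol must contribute to count as "present".
# ESP is an upper-layer header per RFC 7112/8200. 8 bytes for unknown protocols is
# this example's assumption, not a value from the RFCs.
MIN_UPPER_LEN = {TCP: 20, UDP: 8, ICMPV6: 8, ESP: 8}


def classify(pkt: bytes) -> str:
    """Walk the header chain of one IPv6 packet and return one of:
    'not-fragment'        no Fragment header in the chain
    'non-first-fragment'  Fragment header with offset > 0 (RFC 7112 does not apply)
    'conformant'          first fragment whose chain terminates inside the fragment
    'nonconformant'       first fragment whose chain runs past the fragment ("undetermined transport")
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, first_fragment = pkt[6], 40, False
    while nh in EXT_HEADERS:
        if nh == FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated Fragment header")
            nh_next, _, frag_field, _ = struct.unpack("!BBHI", pkt[off:off + 8])
            if frag_field >> 3 != 0:          # fragment offset in 8-octet units
                return "non-first-fragment"
            first_fragment, nh, off = True, nh_next, off + 8
            continue
        # Generic extension header: Next Header, Hdr Ext Len (8-octet units, AH uses 4-octet units)
        if off + 2 > len(pkt):
            if first_fragment:
                return "nonconformant"
            raise ValueError("truncated extension header in unfragmentable part")
        nh_next, hdr_ext_len = pkt[off], pkt[off + 1]
        hlen = (hdr_ext_len + 2) * 4 if nh == AH else (hdr_ext_len + 1) * 8
        if off + hlen > len(pkt):
            if first_fragment:
                return "nonconformant"      # rest of this header is in a later fragment
            raise ValueError("truncated extension header in unfragmentable part")
        nh, off = nh_next, off + hlen
    if not first_fragment:
        return "not-fragment"
    if nh == NO_NEXT_HEADER:
        return "conformant"                 # Next Header = 59 terminates the chain
    return "conformant" if off + MIN_UPPER_LEN.get(nh, 8) <= len(pkt) else "nonconformant"


def has_fragment_header(pkt: bytes) -> bool:
    """Intent of the filter's 'next-header fragment' match: any Fragment header in the chain."""
    return classify(pkt) != "not-fragment"


# --- constructed sample packets -------------------------------------------------------------
def ipv6(next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header (2001:db8::1 -> 2001:db8::2, constructed) in front of payload."""
    src = bytes.fromhex("20010db8" + "0000" * 5 + "0001")
    dst = bytes.fromhex("20010db8" + "0000" * 5 + "0002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def fragment_header(next_header: int, offset_8octets: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset_8octets << 3) | int(more), ident)


def dest_opts_header(next_header: int, hdr_ext_len: int) -> bytes:
    """Destination Options header padded with PadN options to (hdr_ext_len + 1) * 8 bytes."""
    return bytes([next_header, hdr_ext_len, 1, 4, 0, 0, 0, 0]) + (b"\x01\x06" + b"\x00" * 6) * hdr_ext_len


def udp_header(payload_len: int) -> bytes:
    return struct.pack("!HHHH", 40000, 53, 8 + payload_len, 0)


SAMPLES = {
    # whole datagram, no Fragment header
    "plain_udp": ipv6(UDP, udp_header(4) + b"abcd"),
    # first fragment carrying the complete chain: Fragment -> UDP header -> data
    "good_first": ipv6(FRAGMENT, fragment_header(UDP, 0, True) + udp_header(100) + b"a" * 48),
    # "undetermined transport": Destination Options header claiming 808 bytes, only 8 of which
    # are in this fragment, so the UDP header lands in fragment two
    "undetermined": ipv6(FRAGMENT, fragment_header(DEST_OPTS, 0, True) + dest_opts_header(UDP, 100)[:8]),
    # first fragment that ends 4 bytes into a 20-byte TCP header
    "tcp_cut": ipv6(FRAGMENT, fragment_header(TCP, 0, True) + b"\x00\x50\x01\xbb"),
    # second fragment (offset 5 * 8 octets): no upper-layer header is expected here
    "second": ipv6(FRAGMENT, fragment_header(UDP, 5, False) + b"a" * 40),
    # first fragment whose chain is terminated by No Next Header (59)
    "no_next": ipv6(FRAGMENT, fragment_header(NO_NEXT_HEADER, 0, False)),
}


def classify_all(samples=SAMPLES) -> dict:
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:13s} fragment-match={str(has_fragment_header(SAMPLES[name])):5s} rfc7112={verdict}")
```

Running the block shows the difference between the two policies: the filter's match fires on every packet with a Fragment header, including the conformant first fragment and the second fragment, while only "undetermined" and "tcp_cut" are RFC 7112 nonconformant. That is why the check text can say there is nothing to verify for the RFC 7112 behaviour on the device itself and instead asks for the broader transit-fragment drop.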