The system must set strict multihoming.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-216375 | SOL-11.1-050080 | SV-216375r959010_rule | CCI-000366 | medium |
| Description |
| These settings control whether a packet arriving on a non-forwarding interface can be accepted for an IP address that is not explicitly configured on that interface. This rule is NA for documented systems that have interfaces that cross strict networking domains (for example, a firewall, a router, or a VPN node). |
| STIG | Date |
| Solaris 11 SPARC Security Technical Implementation Guide | 2025-05-05 |
Related Frameworks
4 paths across 3 frameworks
NIST 800-53 (1 mapping)
CM-6
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (2 mappings)
3.4.1
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-000366
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-216375r959010_chk)
Determine if strict multihoming is configured.
# ipadm show-prop -p _strict_dst_multihoming -co current ipv4
# ipadm show-prop -p _strict_dst_multihoming -co current ipv6
If the output of either command is not "1", this is a finding.
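The check above as a scriptable audit, added here as an example and not part of the STIG: it queries both protocols and treats a failed or empty query as a finding rather than a pass. The `IPADM` override variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Audit for V-216375: _strict_dst_multihoming must be 1 for IPv4 and IPv6.
# IPADM is an assumption of this example: it lets the command be replaced
# by a stub when the script is exercised away from a Solaris host.
IPADM="${IPADM:-ipadm}"

# Print the current value of _strict_dst_multihoming for one protocol.
strict_mh_value() {
    "$IPADM" show-prop -p _strict_dst_multihoming -co current "$1" 2>/dev/null
}

# Return 0 when every protocol reports "1", 1 when any does not.
# An empty or failed query counts as a finding, never as a pass.
check_strict_multihoming() {
    rc=0
    for proto in ipv4 ipv6; do
        value=$(strict_mh_value "$proto") || value=""
        if [ "$value" = "1" ]; then
            echo "PASS $proto _strict_dst_multihoming=1"
        else
            echo "FINDING $proto _strict_dst_multihoming='${value:-<no output>}'"
            rc=1
        fi
    done
    return $rc
}
```

Call `check_strict_multihoming` at the end of the script or from a compliance job and act on a non-zero exit status.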
Fix Text (F-17609r371214_fix)
The Network Management profile is required.
Enable strict multihoming for IPv4 and IPv6.
# pfexec ipadm set-prop -p _strict_dst_multihoming=1 ipv4
# pfexec ipadm set-prop -p _strict_dst_multihoming=1 ipv6