UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IPv6 Jumbo Payload hop by hop header must be blocked.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18815 NET-IPV6-035 SV-20551r2_rule ECSC-1 Medium
Description
The IPv6 Jumbo Payload allows IP packets to be larger than 65,535 bytes. This feature is only useful on very specialized high performance systems (e.g. super computers). Common place link layer technologies do not support these payload sizes and special link layer designs would be necessary. This header should be dropped unless the system is specifically designed to use very large payloads, since it only serves as an opportunity to break implementations.
STIG Date
Firewall Security Technical Implementation Guide 2017-12-07

Details

Check Text ( C-22525r4_chk )
Review the device configuration to determine filters drop all inbound and/or outbound IPv6 packets containing a hop-by-hop option of option type 0xC2.

If IPv6 Jumbo Payloads are not dropped, this is a finding.

Alternatively, if the system is specifically designed to use very large payloads and its use is documented in architecture design documents, than this is not a finding.
Fix Text (F-19475r1_fix)
Configure the firewall to drop all inbound and/or outbound IPv6 packets containing a hop-by-hop option of option type 0xC2.