
The firewall implementation must drop IPv6 packets for which the layer 4 protocol and ports cannot be detected.


Overview

Finding ID: V-37362
Version: SRG-NET-999999-FW-000192
Rule ID: SV-49123r1_rule
IA Controls: (none listed)
Severity: Low
Description
As a minimum, a firewall must be able to drop any packet for which it cannot identify the layer 4 protocol and ports (if applicable). This is usually a default firewall feature, but it is a particular concern for IPv6 because the protocol allows an unlimited number of extension headers to be chained onto a packet. A firewall may be unable to locate the layer 4 protocol and port values if walking too many extension headers exhausts its resources. The security policy would be subverted if such packets were allowed to pass through the firewall. If the firewall cannot traverse extension headers at all, it must drop every packet that uses any extension header. That measure disables a large amount of IPv6 functionality and should be used only if the primary guidance cannot be implemented.
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text (C-45609r1_chk)
Verify the firewall implementation is configured to drop all inbound IPv6 packets for which the layer 4 protocol and ports (if applicable) cannot be detected.

If the firewall implementation does not drop packets for which the layer 4 protocol and ports cannot be detected, this is a finding.
Fix Text (F-42287r1_fix)
Configure the firewall implementation to drop IPv6 packets for which the layer 4 protocol and ports cannot be detected.
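The check the Description and Fix Text call for, written out as an added example (not part of the SRG and not any vendor's firewall code): a bounded walk of the IPv6 extension-header chain that returns "drop" whenever the layer 4 protocol and ports cannot be reached, whether because the chain exceeds a resource cap, a header is truncated, a fragment does not carry the upper-layer header, or the final Next Header is not a recognised layer 4 protocol. The cap of 8 headers and the packet builder are assumptions made for the example; the sample packets are constructed, not captured.

```python
import struct

# Next Header values that chain to a further header (RFC 8200, RFC 4302 for AH)
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Dest Opts"}
L4_PROTOCOLS = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
MAX_EXT_HEADERS = 8  # policy limit; an assumption for this example, not a STIG value

def classify_ipv6(pkt, max_ext=MAX_EXT_HEADERS):
    """Walk the extension-header chain and return (verdict, reason, ports)."""
    if len(pkt) < 40:
        return ("drop", "truncated base header", None)
    nh, off, count = pkt[6], 40, 0
    while nh in EXT_HEADERS:
        count += 1
        if count > max_ext:  # resource cap: give up instead of walking indefinitely
            return ("drop", "too many extension headers", None)
        if off + 8 > len(pkt):  # every extension header is at least 8 octets
            return ("drop", "truncated extension header", None)
        if nh == 44:  # Fragment: fixed 8 octets; only the first fragment carries L4
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return ("drop", "non-initial fragment, layer 4 not present", None)
            hdr_len = 8
        elif nh == 51:  # AH: Payload Len counts 32-bit words minus 2
            hdr_len = (pkt[off + 1] + 2) * 4
        else:  # Hop-by-Hop, Routing, Dest Opts: Hdr Ext Len in 8-octet units minus 1
            hdr_len = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hdr_len
    if nh not in L4_PROTOCOLS:
        return ("drop", f"layer 4 protocol {nh} not recognised", None)
    if off + 4 > len(pkt):
        return ("drop", "layer 4 header not reachable", None)
    ports = struct.unpack("!HH", pkt[off:off + 4]) if nh != 58 else None
    return ("pass", L4_PROTOCOLS[nh], ports)

def build_packet(ext_types, l4_nh, l4_bytes):
    """Constructed test packet: base header, minimal 8-octet option headers
    (Hop-by-Hop/Dest Opts holding one PadN option), then the L4 bytes."""
    chain = ext_types + [l4_nh]
    exts = b"".join(bytes([chain[i + 1], 0, 1, 4, 0, 0, 0, 0]) for i in range(len(ext_types)))
    base = struct.pack("!IHBB", 0x60000000, len(exts) + len(l4_bytes), chain[0], 64) + bytes(32)
    return base + exts + l4_bytes

if __name__ == "__main__":
    tcp = struct.pack("!HH", 443, 51000) + bytes(16)          # TCP header; only ports matter here
    print(classify_ipv6(build_packet([60], 6, tcp)))          # ('pass', 'TCP', (443, 51000))
    print(classify_ipv6(build_packet([60] * 9, 6, tcp)))      # drop: too many extension headers
    print(classify_ipv6(build_packet([60], 6, tcp[:2])))      # drop: layer 4 header not reachable
```

A real firewall does the same walk in its fast path; the point of the rule is that the "cannot locate layer 4" outcome must map to drop rather than to a default-allow.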