The IPv6 Type 0 Routing Header (an extension header) is functionally equivalent to the IPv4 loose source routing option, which is typically blocked for security reasons. The Type 0 Routing Header is dangerous because it allows attackers to spoof source addresses and still receive the response traffic, which would otherwise go to the real owner of the address.
Additionally, a packet with an allowed destination address could pass through a firewall and then, once inside, be bounced to a different (disallowed) node by the Routing Header. If the Type 0 Routing Header must be used, it must be used in conjunction with either the IPsec AH or the IPsec Encapsulating Security Payload (ESP) header. If the firewall cannot distinguish the type field of a routing header, it should be configured to drop all routing headers. Note that Mobile IP is disabled without the Type 2 Routing Header. Although the Type 0 Routing Header has been deprecated by a recent RFC, there may be existing implementations that still recognize it.
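The filtering decision described above, as an added Python example (not code from the original page or from any firewall product): it walks the IPv6 extension header chain and returns a verdict based on the Routing Header's type field. The function name, the `can_read_type` switch and the sample packets are assumptions made for illustration, and the policy shown is the strict one that drops Type 0 even when AH or ESP is present.

```python
import struct

# Extension headers walked here (IANA protocol numbers).
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60

def routing_header_verdict(packet: bytes, can_read_type: bool = True) -> str:
    """Return 'drop' or 'allow' for one raw IPv6 packet.

    Assumed policy: drop Type 0, allow other types such as Type 2 (Mobile IP).
    With can_read_type=False every Routing Header is dropped.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop"  # not a complete IPv6 header
    next_hdr, offset = packet[6], 40
    while next_hdr in (HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS):
        if offset + 8 > len(packet):
            return "drop"  # truncated extension header
        if next_hdr == ROUTING and (not can_read_type or packet[offset + 2] == 0):
            return "drop"
        if next_hdr == FRAGMENT:
            length = 8
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset:
                return "allow"  # later fragment: no more headers to read
        elif next_hdr == AUTH:
            length = (packet[offset + 1] + 2) * 4  # AH counts 4-byte words
        else:
            length = (packet[offset + 1] + 1) * 8  # others count 8-byte units
        if offset + length > len(packet):
            return "drop"  # header claims more bytes than the packet holds
        next_hdr, offset = packet[offset], offset + length
    return "allow"

def ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Constructed sample packet using documentation-prefix addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + src + dst + payload

# Constructed Routing Headers: next header 59 (none), length 2, type, 1 segment left.
HOP = bytes.fromhex("20010db8000000000000000000000003")
RH0 = bytes([59, 2, 0, 1]) + bytes(4) + HOP
RH2 = bytes([59, 2, 2, 1]) + bytes(4) + HOP
PAD = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])  # Destination Options holding one PadN

if __name__ == "__main__":
    for name, pkt in [("RH0", ipv6(ROUTING, RH0)), ("RH2", ipv6(ROUTING, RH2)),
                      ("DestOpts+RH0", ipv6(DEST_OPTS, PAD + RH0))]:
        print(name, routing_header_verdict(pkt))
```

The walk stops at ESP and at non-first fragments, so a filter built this way cannot see a Routing Header placed behind either of them.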