The firewall implementation must drop all inbound IPv6 packets containing undefined header extensions/protocol values.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-37364 | SRG-NET-999999-FW-000194 | SV-49125r1_rule | Medium |
| Description |
|---|
| Undefined IPv6 header extensions means that the Next Header type is not registered with Internet Assigned Numbers Authority (IANA). The header extension is the same as the protocol value, and should be dropped. Drop all undefined extension headers/protocol values. The security policy would be subverted if these packets were allowed to pass through a firewall. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2013-04-24 |
Details
| Check Text ( C-45611r1_chk ) |
|---|
| Verify the firewall implementation is configured to drop all inbound IPv6 packets containing undefined header extensions/protocol values. If the firewall implementation does not drop all inbound IPv6 packets containing undefined header extensions/protocol values |
| Fix Text (F-42289r1_fix) |
|---|
| Configure the firewall implementation to drop all inbound IPv6 packets containing undefined header extensions/protocol values |