The firewall implementation must drop IPv6 drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, cannot be determined.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-37365	SRG-NET-999999-FW-000195	SV-49126r1_rule		Medium

Description
Drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, to include protocol/port values, cannot be determined. A firewall must be able to properly enforce its filtering policy upon fragmented packets. This requires that the firewall be able to find the complete set of header data, including extension headers and the upper layer protocol/port values. It also requires that the packet not be susceptible to fragment overlap attacks. Fragment overlaps are a more serious problem in IPv6 than in IPv4 because the presence of extension headers can push the upper layer protocol/port information outward (toward packet boundaries) making it much harder to protect. How a firewall achieves these requirements is not important as long as both aspects are met. The wording "drop at least one fragment" is a statement of the bare minimum action to secure a packet, and is chosen to allow firewall venders flexibility in achieving it.

Description

Drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, to include protocol/port values, cannot be determined. A firewall must be able to properly enforce its filtering policy upon fragmented packets. This requires that the firewall be able to find the complete set of header data, including extension headers and the upper layer protocol/port values. It also requires that the packet not be susceptible to fragment overlap attacks. Fragment overlaps are a more serious problem in IPv6 than in IPv4 because the presence of extension headers can push the upper layer protocol/port information outward (toward packet boundaries) making it much harder to protect. How a firewall achieves these requirements is not important as long as both aspects are met. The wording "drop at least one fragment" is a statement of the bare minimum action to secure a packet, and is chosen to allow firewall venders flexibility in achieving it.

STIG	Date
Firewall Security Requirements Guide	2013-04-24

Details

Check Text ( C-45612r1_chk )
Verify the firewall implementation is configured to drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, to include protocol/port values, cannot be determined. If the firewall implementation does not drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, cannot be determined.

Fix Text (F-42290r1_fix)
Configure the firewall implementation to drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, cannot be determined.