UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must drop IPv6 drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, cannot be determined.


Overview

Finding ID Version Rule ID IA Controls Severity
V-37365 SRG-NET-999999-FW-000195 SV-49126r1_rule Medium
Description
Drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, to include protocol/port values, cannot be determined. A firewall must be able to properly enforce its filtering policy upon fragmented packets. This requires that the firewall be able to find the complete set of header data, including extension headers and the upper layer protocol/port values. It also requires that the packet not be susceptible to fragment overlap attacks. Fragment overlaps are a more serious problem in IPv6 than in IPv4 because the presence of extension headers can push the upper layer protocol/port information outward (toward packet boundaries) making it much harder to protect. How a firewall achieves these requirements is not important as long as both aspects are met. The wording "drop at least one fragment" is a statement of the bare minimum action to secure a packet, and is chosen to allow firewall venders flexibility in achieving it.
STIG Date
Firewall Security Requirements Guide 2013-04-24

Details

Check Text ( C-45612r1_chk )
Verify the firewall implementation is configured to drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, to include protocol/port values, cannot be determined.

If the firewall implementation does not drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, cannot be determined.
Fix Text (F-42290r1_fix)
Configure the firewall implementation to drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering, cannot be determined.