
The firewall implementation must drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.


Overview

Finding ID: V-37366
Version: SRG-NET-999999-FW-000196
Rule ID: SV-49127r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Nested fragmentation is an unnecessary and unwanted IPv6 condition that is not forbidden by the specifications. It occurs when an IP header chain contains more than one Fragmentation Header, implying that a fragment has been fragmented. In the specification, the phrase "IP header chain" rather than "packet" is used, because a tunneled packet has more than one IP header chain and each chain can have a Fragmentation Header (this case is not nested fragmentation). Nested fragmentation is a new phenomenon with IPv6. It is not possible in IPv4, because the fragmentation fields are part of the main header and are modified in the event of a secondary fragmentation event. Nested fragmentation in IPv6 should be dropped by firewalls since internal nodes that process the fragmentation may or may not be equipped to handle this unexpected case. These nodes may crash or behave in some unpredictable manner.
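As an added illustration (not part of the STIG text or any vendor's firewall code), the following Python walks an IPv6 extension-header chain, counts Fragment Headers per chain, and starts a new count when it meets an encapsulated IPv6 header (next header 41), so a tunneled packet whose outer and inner chains each carry one Fragment Header is not mistaken for nested fragmentation. The packets are constructed inline with zeroed addresses; the choice to treat a truncated or non-IPv6 chain as a drop is an assumption of this example, not something the requirement states.

```python
import struct

IPV6_HEADER_LEN = 40
# Next-header values from the IPv6 specifications.
NH_HOPOPTS, NH_IPV6, NH_ROUTING, NH_FRAGMENT = 0, 41, 43, 44
NH_ESP, NH_AH, NH_NONE, NH_DSTOPTS = 50, 51, 59, 60
# Extension headers that continue the chain and carry a next-header byte.
CHAINED = {NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS}


def walk_chain(pkt, offset):
    """Walk one IP header chain starting at `offset`.

    Returns (fragment_header_count, offset_after_chain, final_next_header).
    Raises ValueError on a truncated or non-IPv6 chain.
    """
    if len(pkt) < offset + IPV6_HEADER_LEN or (pkt[offset] >> 4) != 6:
        raise ValueError("not a complete IPv6 header")
    nh = pkt[offset + 6]            # Next Header field of the fixed header
    pos = offset + IPV6_HEADER_LEN
    count = 0
    while nh in CHAINED:
        if len(pkt) < pos + 2:
            raise ValueError("truncated extension header")
        if nh == NH_FRAGMENT:
            count += 1
            hlen = 8                 # Fragment Header is a fixed 8 octets
        elif nh == NH_AH:
            hlen = (pkt[pos + 1] + 2) * 4   # AH length is in 4-octet units
        else:
            hlen = (pkt[pos + 1] + 1) * 8   # other headers: 8-octet units
        if len(pkt) < pos + hlen:
            raise ValueError("truncated extension header")
        nh = pkt[pos]                # next-header byte of this extension header
        pos += hlen
    return count, pos, nh


def fragment_headers_per_chain(pkt):
    """Count Fragment Headers in each IP header chain of the packet.

    An inner IPv6 header (next header 41) starts a new chain, so
    tunneling is reported as separate counts rather than as nesting.
    """
    counts, offset = [], 0
    while True:
        count, pos, nh = walk_chain(pkt, offset)
        counts.append(count)
        if nh != NH_IPV6:
            return counts
        offset = pos


def should_drop(pkt):
    """Policy from the requirement: drop when any single chain has >1 Fragment Header.

    Dropping malformed packets as well is an assumption of this example.
    """
    try:
        counts = fragment_headers_per_chain(pkt)
    except ValueError:
        return True
    return any(c > 1 for c in counts)


# --- constructed sample packets (addresses zeroed, payloads empty) ---
def ipv6_header(next_header, payload_len):
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len,
                       next_header, 64, bytes(16), bytes(16))


def fragment_header(next_header, offset=0, more=1, ident=0x1234):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, ident)


def dest_options(next_header):
    # 8-octet Destination Options header padded with one PadN option.
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


SINGLE_FRAGMENT = ipv6_header(NH_FRAGMENT, 8) + fragment_header(NH_NONE)
NESTED = (ipv6_header(NH_FRAGMENT, 16)
          + fragment_header(NH_FRAGMENT) + fragment_header(NH_NONE))
NESTED_WITH_OPTIONS = (ipv6_header(NH_DSTOPTS, 32)
                       + dest_options(NH_FRAGMENT) + fragment_header(NH_DSTOPTS)
                       + dest_options(NH_FRAGMENT) + fragment_header(NH_NONE))
TUNNELED = (ipv6_header(NH_FRAGMENT, 56) + fragment_header(NH_IPV6)
            + ipv6_header(NH_FRAGMENT, 8) + fragment_header(NH_NONE))

if __name__ == "__main__":
    for name, pkt in [("single", SINGLE_FRAGMENT), ("nested", NESTED),
                      ("nested+opts", NESTED_WITH_OPTIONS), ("tunneled", TUNNELED)]:
        print(name, fragment_headers_per_chain(pkt), "drop" if should_drop(pkt) else "pass")
```

The tunneled case is the one worth checking in any real implementation: a filter that counts Fragment Headers across the whole packet rather than per chain will drop legitimate IPv6-in-IPv6 traffic, while one that only inspects the outer chain misses nesting inside the tunnel.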
STIG Date
Firewall Security Requirements Guide 2013-04-24

Details

Check Text ( C-45613r1_chk )
Verify the firewall implementation is configured to drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.

If the firewall implementation does not drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.
Fix Text (F-42291r1_fix)
Configure the firewall implementation to drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.