UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must drop IPv6 drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.


Overview

Finding ID Version Rule ID IA Controls Severity
V-37366 SRG-NET-999999-FW-000196 SV-49127r1_rule Medium
Description
Nested fragmentation is an unnecessary and unwanted IPv6 condition that is not forbidden by the specifications. It occurs when an IP header chain contains more than one Fragmentation Header, implying that a fragment has been fragmented. In the specification, the phrase "IP header chain" rather than "packet" is used, because a tunneled packet has more than one IP header chain and each chain can have a Fragmentation Header (this case is not nested fragmentation). Nested fragmentation is a new phenomenon with IPv6. It is not possible in IPv4, because the fragmentation fields are part of the main header and are modified in the event of a secondary fragmentation event. Nested fragmentation in IPv6 should be dropped by firewalls since internal nodes that process the fragmentation may or may not be equipped to handle this unexpected case. These nodes may crash or behave in some unpredictable manner.
STIG Date
Firewall Security Requirements Guide 2013-04-24

Details

Check Text ( C-45613r1_chk )
Verify the firewall implementation is configured to drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.

If the firewall implementation does not drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.
Fix Text (F-42291r1_fix)
Configure the firewall implementation to drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.