
The firewall implementation must ensure the IPv6 Jumbo Payload hop-by-hop header is blocked.


Overview

Finding ID   Version                     Rule ID           IA Controls   Severity
V-37369      SRG-NET-999999-FW-000199    SV-49130r1_rule                 Medium
Description
The IPv6 Jumbo Payload option (a Hop-by-Hop option, type 0xC2, defined in RFC 2675) allows an IPv6 packet to carry a payload larger than 65,535 bytes, the maximum that the 16-bit Payload Length field of the base header can express. This feature is only useful on very specialized high-performance systems (e.g., supercomputers). Commonplace link layer technologies do not support these payload sizes, and special link layer designs would be necessary. This header should be dropped unless the system is specifically designed to use very large payloads, since otherwise it only serves as an opportunity to break implementations.
STIG                                    Date
Firewall Security Requirements Guide    2013-04-24

Details

Check Text (C-45616r1_chk)
If the system is specifically designed to use very large payloads and its use is documented in architecture design documents, this is not a finding.

Verify the firewall drops all inbound and/or outbound IPv6 packets containing a hop-by-hop option of option type 0xC2.

If the firewall implementation does not ensure the IPv6 Jumbo Payload hop-by-hop header is blocked, this is a finding.

Fix Text (F-42294r1_fix)
Configure the firewall to drop all inbound and outbound IPv6 packets containing a hop-by-hop option of option type 0xC2.
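The check above is expressed in terms of a Hop-by-Hop option type, so a firewall that implements it has to walk the Hop-by-Hop Options extension header rather than just match on the Next Header value. The following is an added example, not part of the STIG or of any vendor's firewall code: a small Python parser that walks the option TLVs of an IPv6 packet, returns the option types it finds, and yields a DROP verdict whenever option type 0xC2 is present. It fails closed (DROP) on a packet it cannot parse, which is the behaviour a practitioner would want at a boundary device. The packets, addresses and the `build_ipv6` helper are constructed for this example; they are not captures.

```python
"""Added example: drop IPv6 packets carrying the Jumbo Payload option (0xC2).

Not from the STIG. Walks the Hop-by-Hop Options header per RFC 8200 section
4.3 (TLV options, Pad1 has no length byte, PadN does) and flags the Jumbo
Payload option defined in RFC 2675. All packet bytes below are constructed.
"""
import struct
from typing import List, Optional

IPV6_HDR_LEN = 40
NEXT_HDR_HOPOPT = 0        # Hop-by-Hop Options extension header
NEXT_HDR_NONE = 59         # No Next Header (used to end the sample packets)
OPT_PAD1 = 0x00            # one-byte padding, no length field
OPT_PADN = 0x01            # multi-byte padding, has a length field
OPT_ROUTER_ALERT = 0x05    # RFC 2711, used here as a benign option
OPT_JUMBO_PAYLOAD = 0xC2   # Jumbo Payload, RFC 2675 (the option this STIG blocks)


def hop_by_hop_option_types(packet: bytes) -> List[int]:
    """Return the option types present in the Hop-by-Hop header (empty if none).

    Raises ValueError on a truncated or inconsistent packet so the caller can
    fail closed; a firewall should not forward what it cannot fully parse.
    """
    if len(packet) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 base header")
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if packet[6] != NEXT_HDR_HOPOPT:
        # RFC 8200: if Hop-by-Hop is present it must immediately follow the
        # base header, so any other Next Header means there is none.
        return []
    off = IPV6_HDR_LEN
    if len(packet) < off + 2:
        raise ValueError("truncated Hop-by-Hop header")
    hdr_ext_len = packet[off + 1]
    end = off + (hdr_ext_len + 1) * 8     # Hdr Ext Len excludes the first 8 octets
    if len(packet) < end:
        raise ValueError("Hop-by-Hop header longer than packet")
    types = []
    pos = off + 2                         # skip Next Header and Hdr Ext Len
    while pos < end:
        opt_type = packet[pos]
        if opt_type == OPT_PAD1:          # Pad1 is a single byte with no length
            pos += 1
            continue
        if pos + 1 >= end:
            raise ValueError("option TLV truncated")
        opt_len = packet[pos + 1]
        if pos + 2 + opt_len > end:
            raise ValueError("option data runs past Hop-by-Hop header")
        types.append(opt_type)
        pos += 2 + opt_len
    return types


def has_jumbo_payload_option(packet: bytes) -> bool:
    return OPT_JUMBO_PAYLOAD in hop_by_hop_option_types(packet)


def firewall_verdict(packet: bytes) -> str:
    """The STIG rule: DROP if the Jumbo Payload option is present; DROP on parse failure."""
    try:
        return "DROP" if has_jumbo_payload_option(packet) else "ACCEPT"
    except ValueError:
        return "DROP"


def build_ipv6(next_header: int, payload: bytes, payload_length: Optional[int] = None) -> bytes:
    """Constructed helper: base header with documentation-prefix addresses plus payload."""
    if payload_length is None:
        payload_length = len(payload)
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    base = struct.pack("!IHBB", 0x60000000, payload_length, next_header, 64) + src + dst
    return base + payload


# Constructed sample packets. Jumbo Payload: option at offset 2 of the header
# (the 4n+2 alignment RFC 2675 requires), 4-byte jumbo length, and, per RFC
# 2675, a base-header Payload Length of zero.
JUMBO_HBH = bytes([NEXT_HDR_NONE, 0, OPT_JUMBO_PAYLOAD, 4]) + struct.pack("!I", 100_000)
JUMBO_PACKET = build_ipv6(NEXT_HDR_HOPOPT, JUMBO_HBH, payload_length=0)
# Benign Hop-by-Hop header: Router Alert (value 0) padded to 8 octets with PadN.
ROUTER_ALERT_HBH = bytes([NEXT_HDR_NONE, 0, OPT_ROUTER_ALERT, 2, 0, 0, OPT_PADN, 0])
ROUTER_ALERT_PACKET = build_ipv6(NEXT_HDR_HOPOPT, ROUTER_ALERT_HBH)
# No extension headers at all.
PLAIN_PACKET = build_ipv6(NEXT_HDR_NONE, b"")
# Hdr Ext Len claims 16 octets but only 8 are present: must be dropped, not forwarded.
TRUNCATED_PACKET = build_ipv6(NEXT_HDR_HOPOPT, bytes([NEXT_HDR_NONE, 1]) + JUMBO_HBH[2:], payload_length=0)

if __name__ == "__main__":
    for name, pkt in [("jumbo", JUMBO_PACKET), ("router-alert", ROUTER_ALERT_PACKET),
                      ("plain", PLAIN_PACKET), ("truncated", TRUNCATED_PACKET)]:
        print(f"{name:12s} {firewall_verdict(pkt)}")
```

The walker deliberately stops at the Hop-by-Hop header: that header can only be the first extension header, so a Jumbo Payload option anywhere else is itself malformed. On a Linux host firewall the same match is available without custom parsing through the ip6tables `hbh` extension, e.g. `ip6tables -A FORWARD -m hbh --hbh-opts 194 -j DROP` (194 is 0xC2); that rule is given here as an illustration of the fix, not as text from the STIG.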