| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000019-FW-000193 | SRG-NET-000019-FW-000193 | SRG-NET-000019-FW-000193_rule | | Medium |
| Description |
|---|
| The IPv6 Type 0 Routing Header (an extension header) is functionally equivalent to the IPv4 loose source routing option, which is typically blocked for security reasons. The Type 0 Routing Header is dangerous for two reasons. First, it allows an attacker to spoof a source address and still receive the response traffic, rather than that traffic going to the real owner of the address. Second, a packet addressed to an allowed destination could be passed through a firewall only to be bounced, using the Routing Header, to a different (disallowed) node once inside. The IPv6 Type 0 Routing Header has been deprecated by IETF RFC 5095 and should not be used, but existing implementations may still recognize and process it. If the firewall cannot distinguish the Type field of a routing header, it should be configured to drop all routing headers. Note that Mobile IPv6 at one time used the Type 0 Routing Header; it has since been changed to use the Type 2 Routing Header. |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2014-07-07 |
| Check Text (C-SRG-NET-000019-FW-000193_chk) |
|---|
| Review the configuration of the firewall implementation. If the device is not configured to drop all inbound IPv6 packets with a Type 0 Routing Header, this is a finding. Note that this may be a default setting; review the product documentation to verify that this capability exists and is enabled. |
| Fix Text (F-SRG-NET-000019-FW-000193_fix) |
|---|
| Configure the firewall implementation to drop all inbound IPv6 packets with a Type 0 Routing Header. |
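As an added illustration, not part of the STIG itself, the following Python walks an IPv6 extension header chain, reads the Routing Type field of any routing header it finds, and applies the policy from the Description and Fix Text: drop Type 0, and in a strict mode for devices that cannot distinguish the Type field, drop every routing header. The sample packets, addresses (2001:db8::/32 documentation prefix) and function names are constructed for this example; the ICMPv6 checksum is left zero because it plays no part in the header walk.

```python
import struct

# IPv6 Next Header values (IANA) for the extension headers a filter must walk through.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
ICMPV6 = 58

def routing_header_types(packet: bytes) -> list:
    """Walk the extension header chain and return every Routing Type value found."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, found = packet[6], 40, []
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(packet):  # every extension header is at least 8 octets
            raise ValueError("truncated extension header")
        if next_hdr == FRAGMENT:      # fixed 8 octets, no length field
            hdr_len = 8
        elif next_hdr == AH:          # AH length is in 4-octet units minus 2
            hdr_len = (packet[offset + 1] + 2) * 4
        else:                         # length in 8-octet units, not counting the first 8
            hdr_len = (packet[offset + 1] + 1) * 8
        if next_hdr == ROUTING:
            found.append(packet[offset + 2])  # Routing Type field, 0 = deprecated RH0
        next_hdr = packet[offset]
        offset += hdr_len
    return found

def should_drop(packet: bytes, strict: bool = False) -> bool:
    """Drop packets with a Type 0 Routing Header; strict=True drops every routing header."""
    types = routing_header_types(packet)
    return bool(types) if strict else 0 in types

# Constructed sample packets; addresses use the 2001:db8::/32 documentation prefix.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")    # allowed by firewall policy
INSIDE = bytes.fromhex("20010db8000000000000000000000099")  # node RH0 would bounce to

def ipv6(next_hdr: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + SRC + DST + payload

def routing_hdr(rt_type: int, next_hdr: int, addrs: list) -> bytes:
    # Hdr Ext Len counts 8-octet units after the first 8; each 16-octet address is 2 units.
    return bytes([next_hdr, 2 * len(addrs), rt_type, len(addrs)]) + b"\0" * 4 + b"".join(addrs)

echo = bytes([128, 0, 0, 0, 0, 1, 0, 1])  # ICMPv6 echo request, checksum left zero
RH0_PACKET = ipv6(ROUTING, routing_hdr(0, ICMPV6, [INSIDE]) + echo)  # deprecated Type 0
RH2_PACKET = ipv6(ROUTING, routing_hdr(2, ICMPV6, [INSIDE]) + echo)  # Mobile IPv6 Type 2
PLAIN_PACKET = ipv6(ICMPV6, echo)
```

`should_drop(RH0_PACKET)` returns True while the Type 2 and plain packets are accepted; with `strict=True` the Type 2 packet is dropped as well.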