
The firewall implementation must drop all inbound IPv6 packets containing undefined header extensions/protocol values.


Overview

Finding ID: SRG-NET-000019-FW-000194
Version: SRG-NET-000019-FW-000194
Rule ID: SRG-NET-000019-FW-000194_rule
IA Controls: (none listed)
Severity: Medium
Description
Undefined header extensions may cause equipment to behave erratically or even crash. Various IPv6 extension headers have been standardized since the IPv6 standard was first published, and a process exists by which developers can register new extension headers with the Internet Engineering Task Force (IETF). The phrase "undefined IPv6 header extensions" means that the Next Header type is not registered with IANA. Because these header extensions are not recognized, intermediate equipment (such as firewalls, proxies, and load balancers) may not process them and may even be adversely affected by trying. Therefore, the firewall implementation must drop all packets carrying undefined extension headers/protocol values. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000019-FW-000194_chk)
Review the configuration of the firewall implementation. If the device is not configured to drop all inbound IPv6 packets containing undefined header extensions/protocol values, this is a finding. Note that this may be a default setting; review the product documentation to verify this capability exists and is enabled.
Fix Text (F-SRG-NET-000019-FW-000194_fix)
Configure the firewall implementation to drop all inbound IPv6 packets containing undefined header extensions/protocol values.
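The following is an added example, not DISA's text or any firewall vendor's code, that models the behaviour this requirement asks for: it walks the IPv6 extension-header chain of a packet, checks every Next Header value against the IANA Protocol Numbers registry, and returns a drop verdict for any value that is unassigned or reserved (and, by default, for the experimental values 253 and 254). It also fails closed on a truncated chain, since a firewall that cannot finish parsing the chain cannot know what protocol follows. The registry ranges are hard-coded as an assumption reflecting the registry at the time of writing (0-145 assigned, 146-252 unassigned, 253-254 experimental, 255 reserved); a real implementation would load the current registry. The sample packets are constructed inline and are not traffic captured from any system.

```python
"""Model of the "drop undefined IPv6 Next Header values" check (added example)."""
import struct

# Extension headers that carry their own Next Header field and can be chained
# (values from the IANA Protocol Numbers registry).
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
MOBILITY, HIP, SHIM6, NO_NEXT_HEADER = 135, 139, 140, 59
# Headers laid out as: Next Header (1 octet), Hdr Ext Len (1 octet, in 8-octet
# units not counting the first 8), then options.
OPTIONS_STYLE = {HOP_BY_HOP, ROUTING, DEST_OPTS, MOBILITY, HIP, SHIM6}


def is_undefined(next_header: int, allow_experimental: bool = False) -> bool:
    """True if the value is not registered with IANA.

    Assumption (registry snapshot): 0-145 assigned, 146-252 unassigned,
    253-254 experimental, 255 reserved.  Load the live registry in production.
    """
    if 146 <= next_header <= 252 or next_header == 255:
        return True
    if next_header in (253, 254):
        return not allow_experimental
    return False


def walk_chain(packet: bytes):
    """Yield (next_header_value, offset) for each header position in the chain.

    Raises ValueError on anything that cannot be parsed, so callers can fail
    closed instead of forwarding a packet whose upper layer is unknown.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack_from("!H", packet, 4)[0]
    end = min(len(packet), 40 + payload_len)
    nh, offset = packet[6], 40           # base header's Next Header field
    while True:
        yield nh, offset
        if nh in OPTIONS_STYLE:
            if offset + 2 > end:
                raise ValueError("truncated extension header")
            hdr_len = (packet[offset + 1] + 1) * 8
        elif nh == FRAGMENT:             # fixed 8-octet header
            hdr_len = 8
        elif nh == AH:                   # Payload Len is in 32-bit words minus 2
            if offset + 2 > end:
                raise ValueError("truncated AH")
            hdr_len = (packet[offset + 1] + 2) * 4
        else:
            return                       # upper layer, ESP (opaque), 59, or undefined
        if offset + hdr_len > end:
            raise ValueError("truncated extension header")
        nh = packet[offset]              # Next Header of the header just parsed
        offset += hdr_len


def firewall_verdict(packet: bytes, allow_experimental: bool = False) -> str:
    """Return 'ACCEPT' or a 'DROP: ...' reason for one inbound IPv6 packet."""
    try:
        for nh, _ in walk_chain(packet):
            if is_undefined(nh, allow_experimental):
                return f"DROP: undefined Next Header {nh}"
    except ValueError as exc:
        return f"DROP: malformed ({exc})"
    return "ACCEPT"


def ipv6(payload: bytes, next_header: int) -> bytes:
    """Build a minimal IPv6 base header (constructed test data, all-zero addresses)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + bytes(16) + bytes(16) + payload


UDP_STUB = bytes(8)                                  # placeholder UDP header
HBH_TO_UDP = bytes([17, 0, 1, 4, 0, 0, 0, 0])         # Hop-by-Hop -> UDP, PadN option
HBH_TO_UNDEFINED = bytes([200, 0, 1, 4, 0, 0, 0, 0])  # Hop-by-Hop -> protocol 200
HBH_TRUNCATED = bytes([17, 5, 1, 4, 0, 0, 0, 0])      # claims 48 octets, only 8 present

PACKETS = {
    "udp": ipv6(UDP_STUB, 17),
    "hbh_udp": ipv6(HBH_TO_UDP + UDP_STUB, HOP_BY_HOP),
    "hbh_undefined": ipv6(HBH_TO_UNDEFINED, HOP_BY_HOP),
    "reserved_255": ipv6(UDP_STUB, 255),
    "experimental": ipv6(UDP_STUB, 253),
    "truncated": ipv6(HBH_TRUNCATED, HOP_BY_HOP),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:14s} {firewall_verdict(pkt)}")
```

Note the two policy knobs a reviewer should ask about when verifying the check text: whether experimental values 253/254 are dropped (this model drops them unless `allow_experimental` is set), and whether a chain the device cannot finish parsing is dropped rather than forwarded. ESP is treated as opaque because the headers after it are encrypted.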