
The firewall implementation must drop fragmented IPv6 packets when any fragment overlaps another.


Overview

Finding ID: SRG-NET-000019-FW-000195
Version: SRG-NET-000019-FW-000195
Rule ID: SRG-NET-000019-FW-000195_rule
IA Controls:
Severity: Medium
Description
Fragmented packets can be used to "fool" a firewall into allowing otherwise prohibited traffic. A firewall must be able to properly enforce its filtering policy upon fragmented packets. This requires that the firewall be able to find the complete set of header data, including extension headers and the upper layer protocol/port values. It also requires that the packet not be susceptible to fragment overlap attacks. Fragment overlaps are a more serious problem in IPv6 than in IPv4 because the presence of extension headers can push the upper layer protocol/port information outward (toward packet boundaries), making it much harder to protect.

RFC 5722 has expressly forbidden overlapping fragments in IPv6. When reassembling an IPv6 datagram, if one or more of its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments, including those not yet received) must be silently discarded. Alternately, the firewall implementation can drop at least one fragment of a fragmented packet; this is a bare minimum action to secure a packet, and is chosen to allow firewall vendors flexibility in achieving it. Note that this latter option is not compliant with RFC 5722, so it is not the preferred option.

This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
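The RFC 5722 behaviour the description calls for (discard the whole datagram, including fragments that arrive later, as soon as any overlap is seen) is easy to state but easy to get subtly wrong, so the following is an added illustration of it and is not code from the SRG or from any firewall product. It models a fragment as its Identification value, its Fragment Offset in 8-octet units, its payload length and its M flag (a simplified view of the IPv6 Fragment header), and the reassembly state, the `Fragment` and `Reassembler` names, and the constructed sample fragments are all assumptions for the example.

```python
"""RFC 5722-style overlap handling for IPv6 fragments (added example, not SRG code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """Simplified IPv6 Fragment header fields (assumed model for this example)."""
    ident: int     # Identification field shared by all fragments of one datagram
    offset: int    # Fragment Offset in 8-octet units, as carried on the wire
    length: int    # octets of upper-layer payload carried in this fragment
    more: bool     # M flag: True when more fragments follow


def overlaps(a: Fragment, b: Fragment) -> bool:
    """True when the byte ranges of two fragments intersect (RFC 5722 forbids this)."""
    a_start, a_end = a.offset * 8, a.offset * 8 + a.length
    b_start, b_end = b.offset * 8, b.offset * 8 + b.length
    return a_start < b_end and b_start < a_end


class Reassembler:
    """Per-datagram reassembly state keyed by Identification.

    Timers, source/destination keying and size limits that a real stack needs
    are omitted; only the overlap decision is modelled.
    """

    def __init__(self) -> None:
        self._pending: dict[int, list[Fragment]] = {}
        self._discarded: set[int] = set()   # datagrams already poisoned by an overlap

    def accept(self, frag: Fragment) -> str:
        """Classify one arriving fragment as 'queued', 'complete' or 'discard'."""
        if frag.ident in self._discarded:
            # RFC 5722: fragments not yet received at discard time are dropped too
            return "discard"
        queued = self._pending.setdefault(frag.ident, [])
        if any(overlaps(frag, q) for q in queued):
            # Silently discard the whole datagram, not just the offending fragment
            del self._pending[frag.ident]
            self._discarded.add(frag.ident)
            return "discard"
        queued.append(frag)
        if self._is_complete(queued):
            del self._pending[frag.ident]
            return "complete"
        return "queued"

    @staticmethod
    def _is_complete(frags: list[Fragment]) -> bool:
        """Complete when fragments tile [0, end) with no gaps and the last has M=0."""
        ordered = sorted(frags, key=lambda f: f.offset)
        if ordered[-1].more:
            return False
        expected = 0
        for f in ordered:
            if f.offset * 8 != expected:
                return False
            expected += f.length
        return True


def demo() -> dict[str, list[str]]:
    """Run two constructed fragment sequences: one clean, one with an overlap."""
    r = Reassembler()
    # Constructed sample: a 1332-octet payload split into 1232 + 100 octets (1232 = 154 * 8)
    clean = [Fragment(1, 0, 1232, True), Fragment(1, 154, 100, False)]
    # Constructed sample: second fragment claims offset 800, inside the first fragment's range
    overlap = [Fragment(2, 0, 1232, True), Fragment(2, 100, 200, True),
               Fragment(2, 154, 100, False)]
    return {
        "clean": [r.accept(f) for f in clean],
        "overlap": [r.accept(f) for f in overlap],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The second sequence shows the point of the rule: once the overlapping fragment is seen, the datagram identified by Identification 2 is poisoned, so the final, otherwise well-formed fragment is also dropped rather than being reassembled with whichever copy of the overlapping bytes a different stack might prefer. A real implementation must additionally age out the discarded-identification state and key it on the address pair, or the table grows without bound.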
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text ( C-SRG-NET-000019-FW-000195_chk )
Review the configuration of the firewall implementation. The firewall implementation must either drop fragmented IPv6 packets (and all fragments thereof) when any fragment overlaps another or drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering to include protocol/port values cannot be determined. If it does not, this is a finding. Note that this may be a default setting; review the product documentation to verify this capability exists and is enabled.
Fix Text (F-SRG-NET-000019-FW-000195_fix)
Configure the firewall implementation to either drop fragmented IPv6 packets (and all fragments thereof) when any fragment overlaps another or drop at least one fragment of any inbound fragmented packet for which the complete data set for filtering to include protocol/port values cannot be determined.