UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-NET-000019-FW-000196 SRG-NET-000019-FW-000196 SRG-NET-000019-FW-000196_rule Medium
Description
Nested fragmentation in IPv6 should be dropped by the firewall since internal nodes that process the fragmentation may or may not be equipped to handle this unexpected case. These nodes may crash or behave in some unpredictable manner. Nested fragmentation is a new phenomenon with IPv6. It is not possible in IPv4 because the fragmentation fields are part of the main header and are modified in the event of a secondary fragmentation event. Nested fragmentation is an unnecessary and unwanted IPv6 condition that is not forbidden by the specifications. It occurs when an IP header chain contains more than one Fragmentation Header, implying that a fragment has been fragmented. In the specification, the phrase “IP header chain” rather than “packet” is used, because a tunneled packet has more than one IP header chain and each chain can have a Fragment Header (this case is not nested fragmentation). This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
STIG Date
Firewall Security Requirements Guide 2014-07-07

Details

Check Text ( C-SRG-NET-000019-FW-000196_chk )
Review the configuration of the firewall implementation. If the device is not configured to drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain, this is a finding. Note that this may be a default setting; review the product documentation to verify this capability exists and is enabled.
Fix Text (F-SRG-NET-000019-FW-000196_fix)
Configure the firewall implementation to drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.