
The firewall implementation must drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.


Overview

Finding ID: SRG-NET-000019-FW-000196
Version: SRG-NET-000019-FW-000196
Rule ID: SRG-NET-000019-FW-000196_rule
IA Controls: none listed
Severity: Medium
Description
Nested fragmentation in IPv6 should be dropped by the firewall since internal nodes that process the fragmentation may or may not be equipped to handle this unexpected case. These nodes may crash or behave in some unpredictable manner. Nested fragmentation is a new phenomenon with IPv6. It is not possible in IPv4 because the fragmentation fields are part of the main header and are modified in the event of a secondary fragmentation event. Nested fragmentation is an unnecessary and unwanted IPv6 condition that is not forbidden by the specifications. It occurs when an IP header chain contains more than one Fragmentation Header, implying that a fragment has been fragmented. In the specification, the phrase “IP header chain” rather than “packet” is used, because a tunneled packet has more than one IP header chain and each chain can have a Fragment Header (this case is not nested fragmentation). This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000019-FW-000196_chk)
Review the configuration of the firewall implementation. If the device is not configured to drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain, this is a finding. Note that this may be a default setting; review the product documentation to verify this capability exists and is enabled.
Fix Text (F-SRG-NET-000019-FW-000196_fix)
Configure the firewall implementation to drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain.
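As an added illustration of the condition the Description defines and the Check Text asks a firewall to enforce (this is not code from the SRG or from any vendor's firewall), the following Python walks the outermost IPv6 header chain, counts Fragment Headers, and treats an encapsulated IPv6 header as the end of that chain, so a tunneled packet's own Fragment Header is not mistaken for nesting. Header numbers are the IANA Next Header values (Fragment = 44, IPv6 encapsulation = 41); the packets it inspects are constructed inline by the `build_ipv6` helper.

```python
import struct

# IANA Next Header values for the IPv6 extension headers handled here (RFC 8200)
VARIABLE_LEN = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options
IPV6_ENCAP = 41              # an encapsulated IPv6 header, i.e. a tunnel
FRAGMENT = 44                # the Fragment Header, always 8 octets
NO_NEXT = 59                 # end of chain, no upper-layer payload

def count_fragment_headers(pkt: bytes) -> int:
    """Number of Fragment Headers in the outermost IPv6 header chain only.
    An encapsulated IPv6 header (Next Header 41) ends that chain, so a tunneled
    inner packet's own Fragment Header is not counted: that is not nesting."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, count = pkt[6], 40, 0
    while off + 8 <= len(pkt):          # every extension header is >= 8 octets
        if nxt == FRAGMENT:
            count += 1
            nxt, off = pkt[off], off + 8
        elif nxt in VARIABLE_LEN:
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            break   # upper-layer protocol, ESP, encapsulated IPv6, or unknown
    return count

def is_nested_fragmentation(pkt: bytes) -> bool:
    """The requirement's drop condition: more than one Fragment Header in a chain."""
    return count_fragment_headers(pkt) > 1

def build_ipv6(chain: list) -> bytes:
    """Constructed test packet: fixed header plus the given extension headers.
    Elements are Next Header numbers, or a bytes object for an encapsulated
    IPv6 packet (placed last, Next Header 41); addresses and options are filler."""
    types = [IPV6_ENCAP if isinstance(h, bytes) else h for h in chain] + [NO_NEXT]
    body = b""
    for i, h in enumerate(chain):
        nxt = types[i + 1]
        if isinstance(h, bytes):
            body += h                                        # inner packet
        elif h == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, 0, 0x1234)  # offset 0, id
        else:
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])         # 8 octets, PadN
    fixed = struct.pack("!IHBB", 0x60000000, len(body), types[0], 64) + bytes(32)
    return fixed + body
```

A single fragmented packet, or a fragmented packet carried inside a tunnel whose outer packet is itself fragmented, is accepted; only a chain with two Fragment Headers of its own triggers the drop condition.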