
The firewall implementation must drop all inbound IPv6 packets with a Type 1 or Types 3 through 255 Routing Header.


Overview

Finding ID: SRG-NET-000019-FW-000250
Version: SRG-NET-000019-FW-000250
Rule ID: SRG-NET-000019-FW-000250_rule
IA Controls:
Severity: Medium
Description
The Type 1 Routing Header is defined by an abandoned specification called "Nimrod Routing". Devices may not recognize the Type 1 Routing Header, so packets with this header must be dropped. IETF standards explicitly require nodes to reject invalid or deprecated options. In the case of Routing Headers, however, under certain conditions the specification allows a node to ignore the Routing Header and proceed to the next header in the packet [RFC 2460, section 4.4 paragraph 2]. This allows a spurious data channel of arbitrary size and must not be allowed. The Types 3 through 255 values in the routing type field are currently undefined, and packets carrying them should also be dropped, both inbound and outbound. The Routing Header is identified by a Next Header value of 43 (0x2B). To drop all types, including Type 2 Mobile IPv6 (MIPv6), a filter can be defined to drop every packet carrying Routing Header 43 (0x2B). If MIPv6 is required, a permit statement will be needed for Routing Header 43 (0x2B) Type 2, followed by a drop of the remaining Routing Header 43 (0x2B) packets.
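As an added illustration, not part of the DISA text and not any vendor's filter syntax, the following Python walks an IPv6 extension-header chain to locate Routing Header 43, reads the Routing Type and Segments Left fields, and applies the two filter designs described above: drop all Routing Header 43 packets, or permit Type 2 (MIPv6) and drop the remaining types. The sample packets, the 2001:db8:: addresses and all function names are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# IPv6 Next Header values used when walking the extension-header chain
# (IANA protocol numbers; 43 is the Routing Header named in the requirement).
NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_ICMPV6, NH_NONE, NH_DSTOPTS = 0, 43, 44, 51, 58, 59, 60
IPV6_HDR_LEN = 40


@dataclass
class RoutingHeader:
    routing_type: int   # Routing Type field (byte 2 of the extension header)
    segments_left: int  # Segments Left field (byte 3); 0 means the receiver skips this header
    length: int         # total size of the Routing Header in bytes


def _need(pkt: bytes, off: int, n: int) -> None:
    if off + n > len(pkt):
        raise ValueError(f"truncated packet: need {n} bytes at offset {off}")


def find_routing_header(pkt: bytes) -> Optional[RoutingHeader]:
    """Walk the IPv6 extension-header chain; return the first Routing Header (43) or None."""
    _need(pkt, 0, IPV6_HDR_LEN)
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    while True:
        if nh == NH_ROUTING:
            _need(pkt, off, 4)
            total = (pkt[off + 1] + 1) * 8           # Hdr Ext Len excludes the first 8 octets
            return RoutingHeader(pkt[off + 2], pkt[off + 3], total)
        if nh in (NH_HOPOPT, NH_DSTOPTS):
            _need(pkt, off, 2)
            ext_len = (pkt[off + 1] + 1) * 8
        elif nh == NH_FRAGMENT:
            ext_len = 8                              # fixed-size header
        elif nh == NH_AH:
            _need(pkt, off, 2)
            ext_len = (pkt[off + 1] + 2) * 4         # AH length is in 4-octet units minus 2
        else:
            return None                              # upper-layer header or No Next Header reached
        _need(pkt, off, ext_len)
        nh, off = pkt[off], off + ext_len


def routing_header_verdict(pkt: bytes, mipv6_required: bool = False) -> Tuple[str, str]:
    """Apply the two filter designs from the requirement text.

    mipv6_required=False: drop every packet carrying Routing Header 43 (all types).
    mipv6_required=True : permit Routing Header 43 Type 2 only and drop the remaining
                          types, which covers Type 1 and Types 3 through 255.
    """
    rh = find_routing_header(pkt)
    if rh is None:
        return "PERMIT", "no Routing Header present"
    if mipv6_required and rh.routing_type == 2:
        return "PERMIT", "Routing Header 43 Type 2 (MIPv6) explicitly permitted"
    return "DROP", f"Routing Header 43 Type {rh.routing_type}, Segments Left {rh.segments_left}"


# --- constructed sample packets (addresses from the 2001:db8::/32 documentation prefix) ---
SRC = bytes.fromhex("20010db8") + bytes(11) + b"\x01"
DST = bytes.fromhex("20010db8") + bytes(11) + b"\x02"


def build_ipv6(first_nh: int, rest: bytes) -> bytes:
    # Version 6, traffic class/flow label 0, Payload Length, Next Header, Hop Limit 64
    return struct.pack("!IHBB", 6 << 28, len(rest), first_nh, 64) + SRC + DST + rest


def routing_header(routing_type: int, segments_left: int,
                   next_header: int = NH_NONE, data: bytes = b"") -> bytes:
    assert len(data) % 8 == 0, "type-specific data must be a multiple of 8 octets"
    return bytes([next_header, len(data) // 8, routing_type, segments_left]) + bytes(4) + data


def hop_by_hop(next_header: int) -> bytes:
    # minimal 8-octet Hop-by-Hop header padded with one PadN option (type 1, length 4)
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


PKT_TYPE1 = build_ipv6(NH_HOPOPT, hop_by_hop(NH_ROUTING) + routing_header(1, 0))  # Nimrod type behind a Hop-by-Hop header
PKT_TYPE2 = build_ipv6(NH_ROUTING, routing_header(2, 1, data=bytes(16)))          # MIPv6 with a 16-byte home address
PKT_TYPE200 = build_ipv6(NH_ROUTING, routing_header(200, 3))                      # undefined routing type
PKT_PLAIN = build_ipv6(NH_ICMPV6, bytes([128, 0, 0, 0, 0, 0, 0, 0]))             # no Routing Header at all

if __name__ == "__main__":
    for name, pkt in [("type1", PKT_TYPE1), ("type2", PKT_TYPE2), ("type200", PKT_TYPE200), ("plain", PKT_PLAIN)]:
        for mipv6 in (False, True):
            verdict, why = routing_header_verdict(pkt, mipv6)
            print(f"{name:8} mipv6_required={mipv6!s:5} -> {verdict}: {why}")
```

The walk stops at the first upper-layer header, so a Routing Header hidden behind Hop-by-Hop, Destination Options, Fragment or AH headers is still found; a truncated chain raises rather than silently permitting, which is the behaviour a filter on an external interface should have.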
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000019-FW-000250_chk)
Review the router configuration and verify that a filter for IPv6 traffic has been defined to deny packets that include a Routing Header of Types 1 and 3 through 255 on all external interfaces. If the external interfaces do not have a filter defined that denies packets that include a Routing Header of Types 1 or 3 through 255, this is a finding.
Fix Text (F-SRG-NET-000019-FW-000250_fix)
Configure filters so that IPv6 traffic with Routing Header Type 1 or Types 3 through 255 is dropped by all external router interfaces.