UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must be configured to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with invalid option type values.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-NET-000019-FW-000251 SRG-NET-000019-FW-000251 SRG-NET-000019-FW-000251_rule Medium
Description
These options are intended to be for the Destination Options header only. The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that they cannot recognize and hence could cause a DoS on the target device. In addition, the type, length, value (TLV) formatting provides the ability for headers to be very large.
STIG Date
Firewall Security Requirements Guide 2014-07-07

Details

Check Text ( C-SRG-NET-000019-FW-000251_chk )
Review the firewall implementation configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address). If filters are not applied to drop all inbound and outbound IPv6 headers containing a Hop-by-Hop header with option type values of 0x04, 0xC9, or 0xC3, this is a finding.
Fix Text (F-SRG-NET-000019-FW-000251_fix)
Configure the firewall implementation to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address).