The system must ignore IPv6 Internet Control Message Protocol (ICMP ) redirect messages.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-22550 | GEN007860 | SV-35241r1_rule | ECSC-1 | Medium |
| Description |
|---|
| ICMP redirect messages are used by routers to inform hosts of a more direct route existing for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. |
| STIG | Date |
|---|---|
| HP-UX 11.23 Security Technical Implementation Guide | 2015-12-02 |
Details
| Check Text ( C-35088r1_chk ) |
|---|
| Determine if the system blocks inbound IPv6 ICMP redirects. # ipfstat -6 -i Check for a rule such as: block in quick proto icmpv6 from any to any icmpv6-type 137 If a rule blocking inbound IPv6 ICMP redirects does not exist, this is a finding. |
| Fix Text (F-30359r1_fix) |
|---|
| Add an IPF rule to block inbound IPv6 ICMP redirect packets. Edit /etc/opt/ipf/ipf6.conf and add a rule such as: block in quick proto icmpv6 from any to any icmpv6-type 137 Reload the IPF rules. # ipf -6 -Fa -A -f /etc/opt/ipf/ipf6.conf |