UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The administrator must ensure the perimeter router is configured to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with invalid option type values.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30594 NET-IPV6-060 SV-40342r1_rule Medium
Description
These options are intended to be for the Destination Options header only. The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that it can’t recognize and hence could cause a DoS on the target device. In addition, the type, length, value (TLV) formatting provides the ability for headers to be very large. According to the DoD IPv6 IA Guidance for MO3, headers which may be valid but serve no intended use should not be allowed into or out of any network (S0-C2-opt-3).
STIG Date
Perimeter L3 Switch Security Technical Implementation Guide 2017-06-27

Details

Check Text ( C-39217r1_chk )
Review the perimeter router or multi-layer switch configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address).

Fix Text (F-34316r1_fix)
Configure the perimeter router or multi-layer switch to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address).