The network device must not accept any outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF) Strict mode or via egress ACL.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3164 | NET0950 | SV-3164r2_rule | ECSC-1 | High |
| Description |
|---|
| When Unicast Reverse Path Forwarding (uRPF) provides an IP address spoof protection capability. When uRPF is enabled in strict mode, the packet must be received on the interface that the router would use to forward the return packet. |
| STIG | Date |
|---|---|
| Perimeter L3 Switch Security Technical Implementation Guide | 2018-11-27 |
Details
| Check Text ( C-3602r3_chk ) |
|---|
| Review the device configuration and validate uRPF or an egress ACL has been configured on all internal interfaces. |
| Fix Text (F-3189r5_fix) |
|---|
| Configure the network device from accepting any outbound IP packet that contains an illegitimate address in the source address field by enabling uRPF Strict mode or via egress ACL. |