Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-30657 | NET-IPV6-064 | SV-40447r1_rule | Medium |
Description |
---|
The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that it can’t recognize and hence could cause a DoS on the target device. In addition, the type, length, value (TLV) formatting provides the ability for headers to be very large. According to the DoD IPv6 IA Guidance for MO3, extension headers with an unknown option type value should not be allowed into or out of any network (S0-C2-opt-3). |
STIG | Date |
---|---|
Perimeter Router Security Technical Implementation Guide | 2018-08-23 |
Check Text ( C-39280r1_chk ) |
---|
Review the perimeter router or multi-layer switch configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing an undefined option type value regardless of whether they appear in a Hop-by-Hop or Destination Option header. Undefined values are 0x02, 0x03, 0x06 through 0x89 inclusive, 0x8B through 0xC1 inclusive, 0xC4 through 0xC8 inclusive, and anything greater than 0xC9. |
Fix Text (F-34387r1_fix) |
---|
Configure the perimeter router or multi-layer switch to drop all inbound and outbound IPv6 packets containing an undefined option type value regardless of whether they appear in a Hop-by-Hop or Destination Option header. Undefined values are 0x02, 0x03, 0x06 through 0x89 inclusive, 0x8B through 0xC1 inclusive, 0xC4 through 0xC8 inclusive, and anything greater than 0xC9. |