
The system administrator will ensure the undetermined transport packet is blocked at the perimeter in an IPv6 enclave by the router.


Overview

Finding ID: V-14683
Version: NET-IPV6-006
Rule ID: SV-15361r1_rule
IA Controls: (none listed)
Severity: Medium
Description
One of the known IPv6 fragmentation weaknesses is the undetermined transport packet: a packet whose transport protocol cannot be determined because of fragmentation. Depending on the length of the IPv6 extension header chain, the initial fragment may not contain the packet's layer four port information.
STIG: Perimeter Router Security Technical Implementation Guide
Date: 2018-11-28

Details

Check Text (C-12829r1_chk)
Review the firewall filter or have the SA provide the router filter mitigating the vulnerability.

IOS Procedure: Verify that an ACL for IPv6 has been defined to deny packets with unknown or invalid payload, and log all violations. The ACL should be defined on the ingress and egress filters and should look as shown in the following example:

ipv6 access-list inbound-to-enclave
remark prohibit unknown protocols
deny ipv6 any any undetermined-trans log
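
The following script is an added example of how an assessor could automate this check against an exported running configuration; it is not part of the STIG or of any vendor tooling. It assumes the IOS-style syntax shown above (an `ipv6 access-list` block with a `deny ipv6 any any undetermined-trans[port] log` entry, applied to an interface with `ipv6 traffic-filter NAME in|out`), takes the perimeter interface names as input, and works only on configuration text, not on live device behaviour. The sample configuration embedded in it is constructed for illustration and deliberately leaves the undetermined-transport deny out of the egress filter so the finding logic has something to report.

```python
"""Audit an IOS-style configuration for NET-IPV6-006 (added example, not STIG tooling)."""
import re

# Constructed sample running-config excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
ipv6 access-list inbound-to-enclave
 remark prohibit unknown protocols
 deny ipv6 any any undetermined-transport log
 permit ipv6 any any
!
ipv6 access-list outbound-from-enclave
 remark egress filter, missing the undetermined-transport deny on purpose
 permit ipv6 any any
!
interface GigabitEthernet0/0
 description constructed external perimeter link
 ipv6 traffic-filter inbound-to-enclave in
 ipv6 traffic-filter outbound-from-enclave out
!
"""

ACL_HEADER = re.compile(r"^ipv6 access-list (\S+)\s*$")
INTERFACE = re.compile(r"^interface (\S+)\s*$")
TRAFFIC_FILTER = re.compile(r"^\s*ipv6 traffic-filter (\S+) (in|out)\s*$")
# IOS accepts abbreviated keywords, so accept "undetermined-trans" and longer.
# Group 1 captures the optional "log" keyword, which the check text requires.
UNDET_DENY = re.compile(r"^\s*deny ipv6 any any undetermined-trans\w*(\s+log)?\s*$")


def parse_config(text):
    """Return (acls, filters): ACL name -> list of entry lines, and
    interface name -> {direction: ACL name} for applied traffic-filters."""
    acls, filters = {}, {}
    current_acl = current_if = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":        # "!" ends a config block in IOS
            current_acl = current_if = None
            continue
        m = ACL_HEADER.match(line)
        if m:
            current_acl, current_if = m.group(1), None
            acls[current_acl] = []
            continue
        m = INTERFACE.match(line)
        if m:
            current_if, current_acl = m.group(1), None
            filters[current_if] = {}
            continue
        if current_acl is not None:
            acls[current_acl].append(line.strip())
        elif current_if is not None:
            m = TRAFFIC_FILTER.match(line)
            if m:
                filters[current_if][m.group(2)] = m.group(1)
    return acls, filters


def acl_blocks_undetermined(entries):
    """True only if a logged deny for undetermined-transport appears before
    any permit-all entry; ACLs match first-hit, so a permit-all placed
    earlier would shadow the deny."""
    for entry in entries:
        m = UNDET_DENY.match(entry)
        if m:
            return m.group(1) is not None   # deny found; compliant only if logged
        if entry.startswith("permit ipv6 any any"):
            return False                    # shadowed: deny can never be hit
    return False


def audit(text, perimeter_interfaces):
    """Return a list of findings for the named perimeter interfaces;
    an empty list means both ingress and egress filters satisfy the check."""
    acls, filters = parse_config(text)
    findings = []
    for ifname in perimeter_interfaces:
        applied = filters.get(ifname, {})
        for direction in ("in", "out"):
            acl = applied.get(direction)
            if acl is None:
                findings.append(f"{ifname}: no ipv6 traffic-filter applied {direction}")
            elif acl not in acls:
                findings.append(f"{ifname}: {direction} filter {acl} is not defined")
            elif not acl_blocks_undetermined(acls[acl]):
                findings.append(f"{ifname}: {direction} filter {acl} lacks a logged "
                                f"deny for undetermined-transport")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["GigabitEthernet0/0"]):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports one finding for the egress filter on GigabitEthernet0/0; the ingress filter passes because its deny carries the `log` keyword and precedes the permit-all. A deny without `log`, or a deny placed after `permit ipv6 any any`, is reported as non-compliant, which mirrors the two ways the configuration shown above most commonly drifts.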

Fix Text (F-14150r1_fix)
Ensure the undetermined transport command is implemented.