
The network element must be configured so that ICMPv6 unreachable notifications and redirects are disabled on all external facing interfaces.


Overview

Finding ID: V-14670
Version: NET-IPV6-016
Rule ID: SV-16478r2_rule
IA Controls:
Severity: Medium
Description
The Internet Control Message Protocol version 6 (ICMPv6) supports IPv6 traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMPv6 messages under a wide variety of conditions. Two ICMPv6 message types are commonly used by attackers for network mapping and diagnosis: Host Unreachable and Redirect.
STIG: Perimeter Router Security Technical Implementation Guide Juniper
Date: 2018-11-28

Details

Check Text (C-39589r1_chk)
Review the active configuration to determine whether controls have been defined to ensure the router has ICMPv6 unreachables and redirects disabled on all external interfaces.

ICMP Unreachable
1. Protocol Unreachable

The filter applied to the routing engine must be configured to silently discard any packets it does not recognize or want. The following is an example:
[edit interfaces]
lo0 {
    unit 0 {
        family inet {
            filter {
                input protect-routing-engine;
            }
            address 192.168.1.2/32;
        }
    }
}

[edit firewall]
family inet {
    filter protect-routing-engine {
        term 1 {
            .
            .
            .
        term default-action {
            then {
                syslog;
                discard;
            }
        }
    }
}
2. Host Unreachable
The only method to prevent a Juniper router from sending a Host Unreachable message back to the originator when it receives a packet whose destination address is not found in its forwarding table is to define a default route to the discard interface. The filter applied to this interface then silently discards the packets.

[edit interfaces]
dsc {
    unit 0 {
        family inet {
            filter {
                input log-discard;
            }
            address 10.1.1.1/32 {
                destination 10.1.1.2;
            }
        }
    }
}

[edit firewall]
family inet {
    filter log-discard {
        term one {
            then {
                syslog;
                discard;
            }
        }
    }
}

[edit routing-options]
static {
    route 0.0.0.0/0 next-hop 10.1.1.2;
}
3. Aggregate and black hole routes

A Juniper router will also send ICMP unreachable messages for packets whose destination address matches an aggregate route or a black hole route.

a. Checking aggregate routes

By default, when aggregate routes are installed in a Juniper routing table, the next hop is configured as a reject route. Hence the packet is dropped and an ICMP unreachable message is sent to the packet's originator whenever the aggregate route itself is the result of the longest-match lookup, that is, when a packet with a destination under the advertised summary route does not match any more specific (contributing) route. These packets can be quietly dropped by specifying discard for an individual route in the route part of the aggregate statement, or by specifying discard when you configure the defaults for aggregate routes.

[edit routing-options]
aggregate {
    route 192.168.0.0/17 discard;
}

or

[edit routing-options]
aggregate {
    defaults {
        active;
        discard;
        community 2:333;
    }
}
Note: You can also issue the operational command show route protocol aggregate to determine whether the discard or reject option is in use.

b. Checking black hole routes

[edit routing-options]
static {
    route 0.0.0.0/8 discard;
    route 1.0.0.0/8 discard;
    route 5.0.0.0/8 discard;
    .
ICMP Redirects
Under the [edit system] hierarchy, enter a show command to verify that the no-redirects statement is present on all Juniper routers. Alternatively, this restriction can be enforced by including the no-redirects statement under each active interface.

[edit system]
no-redirects;

or

[edit interfaces]
fe-2/0/1 {
    description "NIPRNet link";
    unit 0 {
        family inet {
            no-redirects;
            filter {
                input ingress-filter;
            }
            address 121.70.11.68/29;
        }
    }
}
ICMP Mask Reply
JUNOS has no option to suppress replies to ICMP Mask Request messages. Consequently, to ensure that the router does not send any ICMP Mask Reply messages in response to a mask request, include a term in the routing-engine firewall filter that drops any mask requests sent to it.

[edit interfaces]
lo0 {
    unit 0 {
        family inet {
            filter {
                input protect-routing-engine;
            }
            address 192.168.1.2/32;
        }
    }
}

[edit firewall]
family inet {
    filter protect-routing-engine {
        term icmp-mask-request {
            from {
                protocol icmp;
                icmp-type mask-request;
            }
            then {
                log;
                discard;
            }
        }
    }
}
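The items above (the catch-all discard term in the routing-engine filter, the default route to the discard interface, aggregate routes left on the reject next hop, no-redirects at the system or interface level, and the mask-request term) can be checked mechanically against a saved configuration. The script below is an added example written for this page; it is not Juniper's code and not part of the STIG. It parses Junos brace-form configuration (the form printed by show configuration, not set form) into nested dictionaries and runs one check per item. The filter name protect-routing-engine and the dsc interface follow the page; the sample configuration is constructed; the family inet6 lookup in the redirect check is an assumption that the inet6 hierarchy accepts no-redirects the same way the family inet examples on this page do. Note that all of the page's own examples are family inet.

```python
# Added example, not Juniper's code: parse Junos brace-form config and check the controls in this STIG.
import re

def parse_junos(text: str) -> dict:
    """Nested dicts from 'name { ... }' blocks and 'statement;' leaves (comments not handled)."""
    root: dict = {}
    stack = [root]
    for m in re.finditer(r"([^{};]*)([{};])", text):
        content, term = " ".join(m.group(1).split()), m.group(2)
        if term == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif term == "{":
            stack.append(stack[-1].setdefault(content, {}))  # reopening a block merges into it
        else:
            stack[-1][content] = {}
    return root

def _get(node: dict, *path: str) -> dict:
    for key in path:
        node = node.get(key, {})
    return node

def interfaces_missing_no_redirects(cfg: dict, skip=("lo0", "dsc")) -> list:
    """ICMP Redirects: units whose inet/inet6 family lacks no-redirects (inet6 assumed to mirror inet)."""
    missing = []
    for ifname, iface in _get(cfg, "interfaces").items():
        for unit, body in iface.items():
            for fam in ("family inet", "family inet6"):
                if ifname not in skip and fam in body and "no-redirects" not in body[fam]:
                    missing.append(f"{ifname} {unit} {fam}")
    return missing

def _terms(cfg: dict, name: str) -> list:
    flt = _get(cfg, "firewall", "family inet", f"filter {name}")
    return [v for k, v in flt.items() if k.startswith("term ")]

def final_term_discards(cfg: dict, name: str) -> bool:
    """Item 1: the filter's last term has no 'from' (matches everything) and discards."""
    terms = _terms(cfg, name)
    return bool(terms) and "from" not in terms[-1] and "discard" in terms[-1].get("then", {})

def mask_request_dropped(cfg: dict, name: str) -> bool:
    """ICMP Mask Reply: some term discards ICMP mask-request aimed at the routing engine."""
    return any({"protocol icmp", "icmp-type mask-request"} <= set(t.get("from", {}))
               and "discard" in t.get("then", {}) for t in _terms(cfg, name))

def default_route_discarded(cfg: dict) -> bool:
    """Item 2: 0.0.0.0/0 points at a dsc interface peer address (or at the discard next hop)."""
    hops = {leaf.split()[1] for unit in _get(cfg, "interfaces", "dsc").values()
            for key, addr in unit.get("family inet", {}).items() if key.startswith("address ")
            for leaf in addr if leaf.startswith("destination ")}
    for stmt in _get(cfg, "routing-options", "static"):
        words = stmt.split()
        if words[:2] == ["route", "0.0.0.0/0"]:
            nh = words[words.index("next-hop") + 1] if "next-hop" in words[:-1] else None
            if "discard" in words or nh in hops:
                return True
    return False

def aggregates_sending_unreachables(cfg: dict) -> list:
    """Item 3a: aggregate routes left on the reject next hop, which answers with unreachables."""
    agg = _get(cfg, "routing-options", "aggregate")
    default_discard = "discard" in agg.get("defaults", {})
    noisy = []
    for stmt, body in agg.items():
        if stmt.startswith("route "):
            words = stmt.split()
            opts = set(words[2:]) | set(body)  # 'route X discard;' or 'route X { discard; }'
            if "reject" in opts or ("discard" not in opts and not default_discard):
                noisy.append(words[1])
    return noisy

def run_checks(text: str, re_filter: str = "protect-routing-engine") -> dict:
    cfg = parse_junos(text)
    missing = interfaces_missing_no_redirects(cfg)
    return {"redirects_disabled": "no-redirects" in _get(cfg, "system") or not missing,
            "interfaces_missing_no_redirects": missing,
            "re_filter_final_discard": final_term_discards(cfg, re_filter),
            "mask_request_dropped": mask_request_dropped(cfg, re_filter),
            "default_route_discarded": default_route_discarded(cfg),
            "aggregates_sending_unreachables": aggregates_sending_unreachables(cfg)}

# Constructed sample, not from a real device: one external unit still allows redirects
# and one aggregate route still uses the default reject next hop.
SAMPLE_CONFIG = """interfaces {
    dsc { unit 0 { family inet { address 10.1.1.1/32 { destination 10.1.1.2; } } } }
    fe-2/0/1 { unit 0 { family inet { no-redirects; address 203.0.113.68/29; } } }
    ge-0/0/1 { unit 0 { family inet { address 203.0.113.130/30; } } }
}
firewall { family inet { filter protect-routing-engine {
    term icmp-mask-request { from { protocol icmp; icmp-type mask-request; } then { log; discard; } }
    term default-action { then { syslog; discard; } }
} } }
routing-options {
    static { route 0.0.0.0/0 next-hop 10.1.1.2; route 10.0.0.0/8 discard; }
    aggregate { route 192.168.0.0/17 discard; route 172.16.0.0/12; }
}"""
```

Running run_checks(SAMPLE_CONFIG) reports the two findings (ge-0/0/1 unit 0 without no-redirects, and 172.16.0.0/12 still rejecting) while the routing-engine filter, default route and mask-request term pass. Because reopened blocks merge, appending a system { no-redirects; } block or an aggregate defaults { discard; } block to the text clears the corresponding finding, which is a convenient way to confirm a proposed fix before committing it.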
Fix Text (F-14131r1_fix)
The network element configuration must be changed to ensure ICMPv6 unreachables and redirects are disabled at all external interfaces.