UCF STIG Viewer Logo

The system must not forward IPv6 source-routed packets.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22553 GEN007920 SV-37618r1_rule ECSC-1 Medium
Description
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.
STIG Date
Red Hat Enterprise Linux 5 Security Technical Implementation Guide 2017-03-01

Details

Check Text ( C-36815r1_chk )
Determine if the system is configured to forward IPv6 source-routed packets.

Procedure:
# egrep "net.ipv6.conf.*forwarding" /etc/sysctl.conf
If there are no entries found or the value of the entries is not = "0", this is a finding.

Fix Text (F-31656r1_fix)
Configure the system to not forward IPv6 source-routed packets.

Procedure:
Edit the /etc/sysctl.conf file to include:
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0

Reload the kernel parameters:
# sysctl -p