The router must block the undetermined transport packet at the perimeter of an IPv6 enclave.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000202-RTR-000090 | SRG-NET-000202-RTR-000090 | SRG-NET-000202-RTR-000090_rule | Low |
| Description |
|---|
| One of the fragmentation weaknesses known in IPv6 is the undetermined transport packet. This packet contains an undetermined protocol due to fragmentation. Depending on the length of the IPv6 extension header chain, the initial fragment may not contain the layer-four port information of the packet. |
| STIG | Date |
|---|---|
| Router Security Requirements Guide | 2013-07-30 |
Details
| Check Text ( C-SRG-NET-000202-RTR-000090_chk ) |
|---|
| Review the router filter and verify that the router is configured to deny packets with unknown or invalid payloads and log all violations on ingress and egress filters. If the router does not have ingress and egress filters configured to deny packets with unknown or invalid payload, this is a finding. |
| Fix Text (F-SRG-NET-000202-RTR-000090_fix) |
|---|
| Configure the ingress and egress filters to deny packets with unknown or invalid payloads and to log all violations. |