The perimeter router must be configured to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with invalid option type values.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000205-RTR-000109	SRG-NET-000205-RTR-000109	SRG-NET-000205-RTR-000109_rule		Medium

Description
These options are intended to be for the Destination Options header only. The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that they cannot recognize and hence could cause a DoS on the target device. In addition, the type, length, value (TLV) formatting provides the ability for headers to be very large.

Description

These options are intended to be for the Destination Options header only. The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that they cannot recognize and hence could cause a DoS on the target device. In addition, the type, length, value (TLV) formatting provides the ability for headers to be very large.

STIG	Date
Router Security Requirements Guide	2013-07-30

Details

Check Text ( C-SRG-NET-000205-RTR-000109_chk )
Review the perimeter router configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address). If filters are not applied to drop all inbound and outbound IPv6 headers containing a Hop-by-Hop header with option type values of 0x04, 0xc9, or 0xc3, this is a finding.

Check Text ( C-SRG-NET-000205-RTR-000109_chk )

Review the perimeter router configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address). If filters are not applied to drop all inbound and outbound IPv6 headers containing a Hop-by-Hop header with option type values of 0x04, 0xc9, or 0xc3, this is a finding.

Fix Text (F-SRG-NET-000205-RTR-000109_fix)
Configure the perimeter router to drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address).