UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3255.


Overview

Finding ID Version Rule ID IA Controls Severity
V-220148 SRG-NET-000364-RTR-000201 SV-220148r604135_rule Medium
Description
The routing header can be used maliciously to send a packet through a path where less robust security is in place, rather than through the presumably preferred path of routing protocols. Use of the routing extension header has few legitimate uses other than as implemented by Mobile IPv6. The Type 0 Routing Header (RFC 5095) is dangerous because it allows attackers to spoof source addresses and obtain traffic in response, rather than the real owner of the address. Secondly, a packet with an allowed destination address could be sent through a Firewall using the Routing Header functionality, only to bounce to a different node once inside. The Type 1 Routing Header is defined by a specification called "Nimrod Routing", a discontinued project funded by DARPA. Assuming that most implementations will not recognize the Type 1 Routing Header, it must be dropped. The Type 3–255 Routing Header values in the routing type field are currently undefined and should be dropped inbound and outbound.
STIG Date
Router Security Requirements Guide 2020-12-04

Details

Check Text ( C-21863r457773_chk )
This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it is configured to drop IPv6 packets containing a Routing Header of type 0, 1, or 3–255.

If the router is not configured to drop IPv6 packets containing a Routing Header of type 0, 1, or 3–255, this is a finding.
Fix Text (F-21856r457774_fix)
Configure the router to drop IPv6 packets with Routing Header of type 0, 1, or 3–255.