UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.


Overview

Finding ID Version Rule ID IA Controls Severity
V-220152 SRG-NET-000364-RTR-000205 SV-220152r604135_rule Medium
Description
The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that it cannot recognize, and hence could cause a Denial-of-Service on the target device. In addition, the type, length, value (TLV) formatting provides the ability for headers to be very large. This option type from RFC 1888 (OSI NSAPs and IPv6) has been deprecated by RFC 4048.
STIG Date
Router Security Requirements Guide 2021-03-16

Details

Check Text ( C-21867r457785_chk )
This requirement is not applicable for the DODIN Backbone.

Review the router configuration and determine if filters are bound to the applicable interfaces to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address).


Note: Because Hop-by-Hop and destination options have the same header format, they are combined under the dest-option-type keyword. According to Cisco, since Hop-by-Hop and Destination Option headers have non-overlapping types, dest-option-type to match either can be used. The Hop-by-Hop and Destination Option headers can be filtered via protocol 0 and 60 respectively.

If the router is not configured to drop IPv6 packets containing the NSAP address option within Destination Option header, this is a finding.
Fix Text (F-21860r457786_fix)
Configure the router to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address).