The perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-220152 | SRG-NET-000364-RTR-000205 | SV-220152r604135_rule | Medium |
| Description |
|---|
| The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that it cannot recognize, and hence could cause a Denial-of-Service on the target device. In addition, the type, length, value (TLV) formatting provides the ability for headers to be very large. This option type from RFC 1888 (OSI NSAPs and IPv6) has been deprecated by RFC 4048. |
| STIG | Date |
|---|---|
| Router Security Requirements Guide | 2021-03-16 |
Details
| Check Text ( C-21867r457785_chk ) |
|---|
| This requirement is not applicable for the DODIN Backbone. Review the router configuration and determine if filters are bound to the applicable interfaces to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address). Note: Because Hop-by-Hop and destination options have the same header format, they are combined under the dest-option-type keyword. According to Cisco, since Hop-by-Hop and Destination Option headers have non-overlapping types, dest-option-type to match either can be used. The Hop-by-Hop and Destination Option headers can be filtered via protocol 0 and 60 respectively. If the router is not configured to drop IPv6 packets containing the NSAP address option within Destination Option header, this is a finding. |
| Fix Text (F-21860r457786_fix) |
|---|
| Configure the router to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address). |