The system must not accept source-routed IPv4 packets.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22414	GEN003607	SV-29711r1_rule	ECSC-1	Medium

Description
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Description

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv4 forwarding is enabled and the system is functioning as a router.

STIG	Date
Solaris 10 X86 Security Technical Implementation Guide	2014-06-27

Details

Check Text ( None )
None

Fix Text (F-26888r1_fix)
Edit /etc/ipf/ipf.conf and add rules to block incoming source-routed packets, such as: block in log quick all with opt lsrr block in log quick all with opt ssrr Reload the IPF rules. Procedure: # ipf -Fa -A -f /etc/ipf/ipf.conf