GEN007920 - The system must not forward IPv6 source-routed packets.

Information

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Solution

Configure the system so it does not forward IPv6 source-routed packets.
# /usr/sbin/no -p -o ip6srcrouteforward=0

See Also

https://iasecontent.disa.mil/stigs/zip/U_AIX_6-1_V1R14_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|II, CCI|CCI-001551, Group-ID|V-22553, Rule-ID|SV-38827r1_rule, STIG-ID|GEN007920, Vuln-ID|V-22553

Plugin: Unix

Control ID: 5ee8f89c4cd12579af02b7cd9f0daba7507f4dc90c90d5e42f62f86bcc272742