CISC-RT-000393 - The Cisco perimeter switch must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255.

Information

The routing header can be used maliciously to send a packet through a path where less robust security is in place, rather than through the presumably preferred path of routing protocols. Use of the routing extension header has few legitimate uses other than as implemented by Mobile IPv6.

The Type 0 Routing Header (RFC 5095) is dangerous because it allows attackers to spoof source addresses and obtain traffic in response, rather than the real owner of the address. Secondly, a packet with an allowed destination address could be sent through a Firewall using the Routing Header functionality, only to bounce to a different node once inside. The Type 1 Routing Header is defined by a specification called 'Nimrod Routing', a discontinued project funded by DARPA. Assuming that most implementations will not recognize the Type 1 Routing Header, it must be dropped. The Type 3-255 Routing Header values in the routing type field are currently undefined and should be dropped inbound and outbound.

Solution

Configure the switch to drop IPv6 packets with Routing Header of type 0, 1, or 3-255 as shown in the example below.
SW1(config)#ipv6 access-list FILTER_IPV6
SW1(config-ipv6-acl)#permit ipv6 any host 2001:DB8::0:1:1:1234 routing-type 2
SW1(config-ipv6-acl)#deny ipv6 any any routing log
SW1(config-ipv6-acl)#permit ...
...
...
...
SW1(config-ipv6-acl)#deny ipv6 any any log
SW1(config-ipv6-acl)#exit
SW1(config)#int g1/0
SW1(config-if)#ipv6 traffic-filter FILTER_IPV6

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Switch_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11), CAT|II, CCI|CCI-002403, Rule-ID|SV-237764r856665_rule, STIG-ID|CISC-RT-000393, Vuln-ID|V-237764

Plugin: Cisco

Control ID: 8109e8f10b94f8b04d35c7118632ce33fc8c9891c99808bf6de1877ab012eee6