NET-IPV6-062 - Endpoint Identification option not filtered - Outbound ACL

Information

The administrator must ensure the perimeter router is configured to drop all inbound and outbound IPv6 packets containing an extension header with the Endpoint Identification option.

The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that it can't recognize and hence could cause a DoS on the target device. In addition, the type, length, value (TLV) formatting provides the ability for headers to be very large. According to the DoD IPv6 IA Guidance for MO3, headers which may be valid but serve no intended use should not be allowed into or out of any network (S0-C2-opt-3). This option type is associated with the Nimrod Routing system and has no defining RFC document.

Review the perimeter router or multi-layer switch configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing an option type values of 0x8A (Endpoint Identification) regardless of whether it appears in a Hop-by-Hop or Destination Option header.

NOTE: Change 'IPV6_EGRESS_ACL' to the access control list for IPv6 inbound connection filtering and verify the ACL is applied to the proper interface.

Solution

Configure the perimeter router or multi-layer switch to drop all inbound and outbound IPv6 packets containing an option type values of 0x8A (Endpoint Identification) regardless of whether it appears in a Hop-by-Hop or Destination Option header

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CAT|II, Rule-ID|SV-40432r1_rule, STIG-ID|NET-IPV6-062, Vuln-ID|V-30646

Plugin: Cisco

Control ID: 09b2942fbc0b46437825f88cb94f0d49927ce92fc7e435dacd93e59363c46f2d