GEN007920 - The system must not forward IPv6 source-routed packets - 'net.ipv6.conf.all.forwarding'

Information

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Solution

Configure the system to not forward IPv6 source-routed packets.

Procedure:
Edit the /etc/sysctl.conf file to include:
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0

Reload the kernel parameters:
# sysctl -p

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_5_V2R1_STIG.zip

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-4, 800-53|CM-6d., 800-53|CM-7b., CAT|II, CCI|CCI-000382, CCI|CCI-001503, CCI|CCI-001551, Rule-ID|SV-218688r603259_rule, STIG-ID|GEN007920, STIG-Legacy|SV-63393, STIG-Legacy|V-22553, Vuln-ID|V-218688

Plugin: Unix

Control ID: 3ce2d17bcbd16d0cc756715d1bdfdcfa87ae17b8ef204297c4c32510bc27a3a4