Title

The system must not accept source-routed IPv4 packets. (Cat II impact)

Discussion

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the handling of source-routed traffic destined to the system itself, not to traffic forwarded by the system to another, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Check Content

Check the system for an IP Filter (IPF) rule blocking incoming source-routed packets. # ipfstat -i Examine the list for rules such as: block in log quick [all] | [from any to any] with opt lsrr block in log quick [all] | [from any to any] with opt ssrr If the listed rules do not block incoming traffic with both lsrr and ssrr options, this is a finding.

Fix Text

Edit /etc/opt/ipf/ipf.conf and add rules to block incoming source-routed packets, such as: block in log quick [all] | [from any to any] with opt lsrr block in log quick [all] | [from any to any] with opt ssrr Reload the IPF rules. # ipf -Fa -A -f /etc/opt/ipf/ipf.conf

Additional Identifiers

Rule ID: SV-29713r2_rule

Vulnerability ID: V-22414

Group Title: GEN003607

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.