Title

The system must not forward IPv4 source-routed packets. (Cat II impact)

Discussion

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Check Content

Determine if the system is configured to forward source-routed IP packets. # ndd -get /dev/ip ip_forward_src_routed If the returned value is not 0, then this feature is enabled, this is a finding.

Fix Text

Disable the IP source-routed forwarding feature. # ndd -set /dev/ip ip_forward_src_routed 0 Edit /etc/rc.config.d/nddconf and add/set: TRANSPORT_NAME[x] = ip NDD_NAME[x] = ip_forward_src_routed NDD_VALUE[x] = 0

Additional Identifiers

Rule ID: SV-38259r1_rule

Vulnerability ID: V-12002

Group Title: GEN003600

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.