An error occurred:

Check: JUEX-RT-000810

Juniper EX Series Switches Router STIG: JUEX-RT-000810 (in versions v1 r3 through v1 r1)

Title

The Juniper perimeter router must be configured to drop fragmented IPv6 packets where the first fragment does not include the entire IPv6 header chain. (Cat II impact)

Discussion

One of the fragmentation weaknesses known in IPv6 is the "undetermined transport" packet, which is the first fragment where the entire IPv6 header chain is not included. Fragmenting IPv6 datagrams and not including the upper-layer header makes it difficult to identify the traffic. RFC7112 and RFC8200 require the entire IPv6 header chain be present in the first fragment and defines the header chain as: "The IPv6 Header Chain contains an initial IPv6 header, zero or more IPv6 Extension Headers, and optionally, a single upper-layer header. If an upper-layer header is present, it terminates the header chain; otherwise, the "No Next Header" value (Next Header = 59) terminates it." Both RFCs consider a second IPv6 header and an ESP header as "upper-layer headers" when determining where the IPv6 header chain terminates.

Check Content

This requirement is not applicable for the DODIN Backbone. There is no check for dropping RFC 7112 nonconformant fragmented IPv6 packets because Juniper EX switches drop these packets without offering or requiring a configurable option in the CLI. Review the router configuration to determine if it is configured to drop fragmented transit IPv6 traffic. [edit firewall family inet6] filter <filter name> { term <name> { from { next-header fragment; } then { syslog; discard; } } } Note: Some platforms also support "is-fragment" or "fragment-flags is-fragment" in addition to "next-header fragment" as shown in the example. If the router is not configured to drop first-fragment IPv6 packets without the entire header chain, this is a finding.

Fix Text

Configure the router to drop first-fragment IPv6 packets without the entire header chain. There is no configurable CLI option to prevent EX devices from dropping nonconformant fragmented IPv6 packets destined to the device. Configure the router to drop fragmented transit IPv6 packets. set firewall family inet6 filter <name> term <name> from next-header fragment set firewall family inet6 filter <name> term <name> then syslog set firewall family inet6 filter <name> term <name> then discard

Additional Identifiers

Rule ID: SV-254053r844192_rule

Vulnerability ID: V-254053

Group Title: SRG-NET-000364-RTR-000200

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002373

The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
CCI-002403

The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
RA-5 (3)

Breadth / Depth Of Coverage
SC-7 (11)

Restrict Incoming Communications Traffic