Check: RCKS-RTR-000850
RUCKUS ICX Router STIG:
RCKS-RTR-000850
(in version v1 r1)
Title
The RUCKUS ICX perimeter router must be configured to drop IPv6 packets containing a hop-by-hop and destination options header with invalid or undefined option type values. (Cat II impact)
Discussion
These options are intended for the destination options header only. The optional and extensible natures of the IPv6 extension headers require higher scrutiny because many implementations do not always drop packets with headers that cannot be recognized. This could cause a denial of service on the target device. In addition, the type, length, value (TLV) formatting provides the ability for headers to be very large. Satisfies: SRG-NET-000364-RTR-000202, SRG-NET-000364-RTR-000203, SRG-NET-000364-RTR-000204, SRG-NET-000364-RTR-000205, SRG-NET-000364-RTR-000206
Check Content
This requirement is not applicable for the DODIN Backbone.

1. Review the perimeter router configuration to determine whether an ACL is configured to drop IPv6 packets containing hop-by-hop or destination options extension headers.

```
ipv6 access-list BLOCK_OPTIONS
 sequence 10 deny 0 any any log
 sequence 20 deny 60 any any log
 sequence 30 permit ipv6 any any
!
```

2. Verify the ACL has been applied to external interfaces.

```
interface ethernet x/x/x
 ipv6 address x::x/x
 ipv6 access-group BLOCK_OPTIONS in logging enable
```

If the perimeter router is not configured to drop IPv6 packets with hop-by-hop or destination options extension headers, this is a finding.
Fix Text
Configure the router to drop IPv6 packets containing a hop-by-hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address).

1. Create an ACL to drop IPv6 packets with hop-by-hop or Destination Options extension headers.

```
ICX(config)#ipv6 access BLOCK_OPTIONS
ICX(config-ipv6acl-BLOCK_OPTIONS)#deny 0 any any log
ICX(config-ipv6acl-BLOCK_OPTIONS)#deny 60 any any log
ICX(config-ipv6acl-BLOCK_OPTIONS)#permit ipv6 any any
```

2. Apply the ACL to external interfaces of the perimeter router.

```
ICX(config)#interface ethernet x/x/x
ICX(config-if-e1000-x/x/x)#ipv6 access-group BLOCK_OPTIONS in logging enable
```
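The check and fix above can be verified offline against a saved running-config rather than by eye. The following script is an added example, not part of the STIG or of RUCKUS documentation: it parses the ACL and interface sections of a running-config in the format shown in the Check Content, confirms that an IPv6 ACL denies next-header 0 (Hop-by-Hop Options) and 60 (Destination Options) for any/any before a catch-all permit, and confirms that such an ACL is bound inbound on each interface the operator names as external. The sample configuration, the interface names and the list of external interfaces are constructed assumptions.

```python
"""Offline compliance check for the intent of RCKS-RTR-000850.

Added example (not STIG or RUCKUS code). Assumes a running-config whose
IPv6 ACLs and interfaces look like the excerpt in the Check Content;
sub-lines may be indented or not, and '!' or a new top-level block
closes the current one.
"""
import re

# IPv6 next-header values the requirement says must be dropped
HOP_BY_HOP = 0
DEST_OPTIONS = 60

# Constructed sample running-config (not captured from a real device).
# ethernet 1/1/2 deliberately lacks the ACL binding so the check has a finding.
SAMPLE_CONFIG = """
ipv6 access-list BLOCK_OPTIONS
 sequence 10 deny 0 any any log
 sequence 20 deny 60 any any log
 sequence 30 permit ipv6 any any
!
interface ethernet 1/1/1
 ipv6 address 2001:db8::1/64
 ipv6 access-group BLOCK_OPTIONS in logging enable
!
interface ethernet 1/1/2
 ipv6 address 2001:db8:1::1/64
!
"""


def parse_config(config):
    """Return (acls, bindings).

    acls     = {acl_name: [(action, next_header_token, remaining_words), ...]}
    bindings = {interface_name: {(acl_name, direction), ...}}
    """
    acls, bindings = {}, {}
    block_kind, block_name = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                       # block terminator
            block_kind = None
            continue
        m = re.match(r"^ipv6 access(?:-list)? (\S+)$", line)
        if m:                                 # start of an IPv6 ACL block
            block_kind, block_name = "acl", m.group(1)
            acls.setdefault(block_name, [])
            continue
        m = re.match(r"^interface (.+)$", line)
        if m:                                 # start of an interface block
            block_kind, block_name = "iface", m.group(1)
            bindings.setdefault(block_name, set())
            continue
        if block_kind == "acl":
            m = re.match(r"^(?:sequence \d+ )?(deny|permit) (\S+)( .*)?$", line)
            if m:
                acls[block_name].append((m.group(1), m.group(2), (m.group(3) or "").split()))
        elif block_kind == "iface":
            m = re.match(r"^ipv6 access-group (\S+) (in|out)", line)
            if m:
                bindings[block_name].add((m.group(1), m.group(2)))
    return acls, bindings


def acl_drops_option_headers(entries):
    """True when next-header 0 and 60 are both denied any/any before a catch-all permit."""
    denied = set()
    for action, proto, rest in entries:
        is_any_any = rest[:2] == ["any", "any"]
        if action == "deny" and proto.isdigit() and is_any_any:
            denied.add(int(proto))
        elif action == "permit" and proto == "ipv6" and is_any_any:
            break                             # 'permit ipv6 any any' shadows later entries
    return {HOP_BY_HOP, DEST_OPTIONS} <= denied


def check(config, external_interfaces):
    """Evaluate the config; returns (is_compliant, list_of_findings)."""
    acls, bindings = parse_config(config)
    good_acls = {name for name, entries in acls.items() if acl_drops_option_headers(entries)}
    findings = []
    if not good_acls:
        findings.append("no IPv6 ACL denies next-header 0 and 60 for any/any")
    for ifname in external_interfaces:
        bound = bindings.get(ifname, set())
        if not any(acl in good_acls and direction == "in" for acl, direction in bound):
            findings.append(f"{ifname}: no compliant IPv6 ACL applied inbound")
    return not findings, findings


if __name__ == "__main__":
    ok, findings = check(SAMPLE_CONFIG, ["ethernet 1/1/1", "ethernet 1/1/2"])
    print("COMPLIANT" if ok else "FINDING")
    for f in findings:
        print(" -", f)
```

The ordering check matters: an ACL that places `permit ipv6 any any` ahead of the deny entries would pass a naive search for the deny lines but never drop a packet, so the function stops scanning at the first catch-all permit. The list of external interfaces is supplied by the operator because the config itself does not say which interfaces face outward.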
Additional Identifiers
Rule ID: SV-273652r1111072_rule
Vulnerability ID: V-273652
Group Title: SRG-NET-000364-RTR-000202
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002403 | Only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |
Controls
| Number | Title |
|---|---|
| SC-7(11) | Restrict Incoming Communications Traffic |