STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.

DISA Rule

SV-230146r647440_rule

Vulnerability Number

V-230146

Group Title

SRG-NET-000364-RTR-000202

Rule Version

CISC-RT-000394

Severity

CAT II

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

Drop IPv6 packets containing a Hop-by-Hop header as shown in the example below.

R1(config)#ipv6 access-list FILTER_IPV6
R1(config-ipv6-acl)#deny hbh any any dest-option-type 4 log
R1(config-ipv6-acl)#deny hbh any any dest-option-type 195 log
R1(config-ipv6-acl)#deny hbh any any dest-option-type home-address log
R1(config-ipv6-acl)# permit ipv6 …
…
…
…
R1(config-ipv6-acl)#deny ipv6 any any log
R1(config-ipv6-acl)#exit
R1(config)#int g1/0
R1(config-if)#ipv6 traffic-filter FILTER_IPV6
R1(config-if)#end

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it is compliant with this requirement.

Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.

interface gigabitethernet1/0
ipv6 address 2001::1:0:22/64
ipv6 traffic-filter FILTER_IPV6 in

Step 2: Verify that the ACL drops IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address) as shown in the example below.
ipv6 access-list FILTER_IPV6
deny hbh any any dest-option-type 4 log
deny hbh any any dest-option-type 195 log
deny hbh any any dest-option-type home-address log
permit ipv6 …
…
…
…
deny ipv6 any any log

If the router is not configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values, this is a finding.

Vulnerability Number

V-230146

Documentable

False

Rule Version

CISC-RT-000394

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it is compliant with this requirement.

Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.

interface gigabitethernet1/0
ipv6 address 2001::1:0:22/64
ipv6 traffic-filter FILTER_IPV6 in

Step 2: Verify that the ACL drops IPv6 packets containing a Hop-by-Hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address) as shown in the example below.
ipv6 access-list FILTER_IPV6
deny hbh any any dest-option-type 4 log
deny hbh any any dest-option-type 195 log
deny hbh any any dest-option-type home-address log
permit ipv6 …
…
…
…
deny ipv6 any any log

If the router is not configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values, this is a finding.

Check Content Reference

M

Target Key

4028

Comments