STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.

DISA Rule

SV-230154r538603_rule

Vulnerability Number

V-230154

Group Title

SRG-NET-000364-RTR-000204

Rule Version

CISC-RT-000396

Severity

CAT II

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

Configure the router to drop IPv6 packets containing an option type values of 0x8A (Endpoint Identification) regardless of whether it appears in a Hop-by-Hop or Destination Option header as shown in the example below.

RP/0/0/CPU0:R3(config)# ipv6 access-list FILTER_IPV6
RP/0/0/CPU0:R3(config-ipv6-acl)# deny any any dest-option-type 138 log
RP/0/0/CPU0:R3(config-ipv6-acl)# permit ipv6 …
…
…
…
RP/0/0/CPU0:R3(config-ipv6-acl)# deny ipv6 any any log
RP/0/0/CPU0:R3(config-ipv6-acl)# exit
RP/0/0/CPU0:R3(config)# interface gigabitethernet 0/2/0/2
RP/0/0/CPU0:R3(config-if)# ipv6 access-group FILTER_IPV6 ingress
RP/0/0/CPU0:R3(config-if)# end

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it is compliant with this requirement.

Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.

interface interface gigabitethernet 0/2/0/2
ipv6 address 2001::1:0:22/64
ipv6 access-group FILTER_IPV6 ingress

Step 2: Verify that the ACL drops IPv6 packets containing an extension header with the Endpoint Identification option as shown in the example below.

ipv6 access-list FILTER_IPV6
10 deny any any dest-option-type 138 log
20 permit ipv6 …
…
…
…
90 deny ipv6 any any log

If the router is not configured to drop IPv6 packets containing an extension header with the Endpoint Identification option, this is a finding.

Vulnerability Number

V-230154

Documentable

False

Rule Version

CISC-RT-000396

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it is compliant with this requirement.

Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.

interface interface gigabitethernet 0/2/0/2
ipv6 address 2001::1:0:22/64
ipv6 access-group FILTER_IPV6 ingress

Step 2: Verify that the ACL drops IPv6 packets containing an extension header with the Endpoint Identification option as shown in the example below.

ipv6 access-list FILTER_IPV6
10 deny any any dest-option-type 138 log
20 permit ipv6 …
…
…
…
90 deny ipv6 any any log

If the router is not configured to drop IPv6 packets containing an extension header with the Endpoint Identification option, this is a finding.

Check Content Reference

M

Target Key

4029

Comments