The RUCKUS ICX router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-273632 | RCKS-RTR-000650 | SV-273632r1110938_rule | Medium |
| Description |
| The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis. |
| STIG | Date |
| RUCKUS ICX Router Security Technical Implementation Guide | 2025-06-03 |
Details
| Check Text (C-77723r1110784_chk) |
| Review configuration to determine whether outgoing ICMP mask replies are blocked on external interfaces. enable egress-acl-on-cpu-traffic ip access-list extended BLOCK_ICMP_OUT sequence 10 deny icmp any any unreachable sequence 20 deny icmp any any mask-reply sequence 30 permit ip any any interface ethernet 1/1/1 ip address x.0.1.2 255.255.255.252 ip access-group BLOCK_ICMP_OUT out ! If outgoing ICMP mask replies are not blocked on external interfaces, this is a finding. |
| Fix Text (F-77628r1110785_fix) |
| Configure ACL to block ICMP mask replies. ICX(config)#enable egress-acl-on-cpu-traffic ICX(config)#ip access ext BLOCK_ICMP_OUT ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#deny icmp any any unreachable ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#deny icmp any any mask-reply ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#permit ip any any Apply ACL to external interface. ICX(config)#interface ethernet 1/1/1 ICX(config-if-e1000-1/1/1)#ip access-group BLOCK_ICMP_OUT out |