The RUCKUS ICX perimeter router must be configured to drop IPv6 packets containing a hop-by-hop and destination options header with invalid or undefined option type values.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
V-273652 | RCKS-RTR-000850 | SV-273652r1111072_rule | | Medium |
Description |
The option types named in the fix (Tunnel Encapsulation Limit, Home Address, NSAP Address) are defined for the Destination Options header only; a Hop-by-Hop Options header carrying them is invalid. The optional and extensible nature of the IPv6 extension headers requires higher scrutiny because many implementations do not reliably drop packets with headers or options they cannot recognize, and processing them can cause a denial of service on the target device. In addition, the type, length, value (TLV) encoding allows these headers to be very large. Satisfies: SRG-NET-000364-RTR-000202, SRG-NET-000364-RTR-000203, SRG-NET-000364-RTR-000204, SRG-NET-000364-RTR-000205, SRG-NET-000364-RTR-000206 |
STIG | Date |
RUCKUS ICX Router Security Technical Implementation Guide | 2025-06-03 |
Details
Check Text (C-77743r1109976_chk) |
This requirement is not applicable for the DODIN Backbone.

Review the perimeter router configuration to determine whether an ACL is configured to drop IPv6 packets containing hop-by-hop or destination options extension headers.

1. Verify that an IPv6 ACL denies next-header value 0 (Hop-by-Hop Options) and next-header value 60 (Destination Options) ahead of its final permit entry:

   ipv6 access-list BLOCK_OPTIONS
    sequence 10 deny 0 any any log
    sequence 20 deny 60 any any log
    sequence 30 permit ipv6 any any
   !

2. Verify the ACL has been applied inbound on the external interfaces:

   interface ethernet x/x/x
    ipv6 address x::x/x
    ipv6 access-group BLOCK_OPTIONS in logging enable

If the perimeter router is not configured to drop IPv6 packets with hop-by-hop or destination options extension headers, this is a finding. |
Fix Text (F-77648r1111071_fix) |
Configure the router to drop IPv6 packets containing a hop-by-hop header with option type values of 0x04 (Tunnel Encapsulation Limit), 0xC9 (Home Address Destination), or 0xC3 (NSAP Address). The ICX ACL below matches on the IPv6 next-header value (0 for Hop-by-Hop Options, 60 for Destination Options), so it drops every packet carrying either extension header rather than inspecting individual option types; the deny entries must precede the permit, and the explicit permit ipv6 any any is required because the ACL otherwise ends with an implicit deny.

1. Create an ACL to drop IPv6 packets with hop-by-hop or Destination Options extension headers:

   ICX(config)#ipv6 access-list BLOCK_OPTIONS
   ICX(config-ipv6acl-BLOCK_OPTIONS)#deny 0 any any log
   ICX(config-ipv6acl-BLOCK_OPTIONS)#deny 60 any any log
   ICX(config-ipv6acl-BLOCK_OPTIONS)#permit ipv6 any any

2. Apply the ACL inbound to each external interface of the perimeter router:

   ICX(config)#interface ethernet x/x/x
   ICX(config-if-e1000-x/x/x)#ipv6 access-group BLOCK_OPTIONS in logging enable |
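The following script is an added example, not part of the STIG or of RUCKUS documentation. It automates the two conditions in the Check Text against a saved running-config: an IPv6 ACL must deny next-header 0 and next-header 60 before any permit entry, and that ACL must be bound inbound on every interface the auditor designates as external. The sample configurations, the interface name ethernet 1/1/1 and the 2001:db8:: address are constructed for the example.

```python
"""Audit a RUCKUS ICX running-config against RCKS-RTR-000850.

Added example, not STIG or vendor code. The configs, interface names and
addresses embedded below are constructed test data.
"""
import re
from dataclasses import dataclass, field

HOP_BY_HOP = "0"      # IPv6 next-header value for Hop-by-Hop Options (RFC 8200)
DEST_OPTIONS = "60"   # IPv6 next-header value for Destination Options (RFC 8200)

# "sequence 10 deny 0 any any log" or "deny 0 any any log" -> (action, protocol)
ENTRY_RE = re.compile(r"^(?:sequence\s+\d+\s+)?(deny|permit)\s+(\S+)")
# "ipv6 access-group BLOCK_OPTIONS in logging enable" -> ACL name bound inbound
BIND_RE = re.compile(r"^ipv6 access-group (\S+) in\b")


@dataclass
class AclResult:
    name: str
    denies_hbh: bool = False
    denies_dst_opts: bool = False
    shadowed: bool = False                 # a permit appears before one of the denies
    not_bound_inbound: list = field(default_factory=list)

    def compliant(self) -> bool:
        return (self.denies_hbh and self.denies_dst_opts
                and not self.shadowed and not self.not_bound_inbound)


def _stanzas(config: str):
    """Yield (header, [body lines]) for each top-level stanza; '!' or blank ends one."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            if header is not None:
                yield header, body
            header, body = None, []
        elif raw[0].isspace():
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit(config: str, external_ifaces: list) -> dict:
    """Return {acl_name: AclResult} for every ipv6 access-list in the config."""
    results, inbound = {}, {}
    for header, body in _stanzas(config):
        if header.startswith("ipv6 access-list "):
            res = AclResult(name=header.split()[-1])
            seen_permit = False
            for entry in body:
                m = ENTRY_RE.match(entry)
                if not m:
                    continue
                action, proto = m.groups()
                if action == "permit":
                    seen_permit = True
                    continue
                if proto == HOP_BY_HOP:
                    res.denies_hbh = True
                elif proto == DEST_OPTIONS:
                    res.denies_dst_opts = True
                else:
                    continue
                # Conservative: any permit ahead of a required deny is flagged as shadowing it.
                res.shadowed |= seen_permit
            results[res.name] = res
        elif header.startswith("interface "):
            iface = header[len("interface "):]
            bound = set()
            for entry in body:
                m = BIND_RE.match(entry)
                if m:
                    bound.add(m.group(1))
            inbound[iface] = bound
    for res in results.values():
        res.not_bound_inbound = [i for i in external_ifaces
                                 if res.name not in inbound.get(i, set())]
    return results


def is_compliant(config: str, external_ifaces: list) -> bool:
    """True if some ACL meets every condition on every listed external interface."""
    return any(r.compliant() for r in audit(config, external_ifaces).values())


# Constructed sample configs (not from a real device).
COMPLIANT_CFG = """\
ipv6 access-list BLOCK_OPTIONS
 sequence 10 deny 0 any any log
 sequence 20 deny 60 any any log
 sequence 30 permit ipv6 any any
!
interface ethernet 1/1/1
 ipv6 address 2001:db8::1/64
 ipv6 access-group BLOCK_OPTIONS in logging enable
!
"""

NONCOMPLIANT_CFG = """\
ipv6 access-list BLOCK_OPTIONS
 sequence 10 deny 0 any any log
 sequence 30 permit ipv6 any any
!
interface ethernet 1/1/1
 ipv6 address 2001:db8::1/64
!
"""

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CFG), ("noncompliant", NONCOMPLIANT_CFG)):
        for name, r in audit(cfg, ["ethernet 1/1/1"]).items():
            print(label, name, "OK" if r.compliant() else "FINDING", r)
```

Run it against the output of show running-config, passing the list of external interfaces; any ACL reported as a finding shows which of the three conditions (missing deny 0, missing deny 60, permit shadowing, or no inbound binding) failed.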