The network element must be configured so that ICMPv6 unreachable notifications and redirects are disabled on all external facing interfaces.

From Perimeter Router Security Technical Implementation Guide Juniper

Part of: ICMPv6 unreachable notifications and redirects must be disabled

SV-16478r2_rule The network element must be configured so that ICMPv6 unreachable notifications and redirects are disabled on all external facing interfaces.

Vulnerability discussion

The Internet Control Message Protocol version 6 (ICMPv6) supports IPv6 traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMPv6 messages under a wide variety of conditions. Two ICMPv6 message types are commonly used by attackers for network mapping and diagnosis: Host Unreachable and Redirect.

Check content

Review the active configuration to determine whether controls have been defined to ensure the router has ICMPv6 unreachables and redirects disabled on all external interfaces.

ICMP Unreachable

1. Protocol Unreachable

The filter used for the routing engine must be configured to silently discard any packets it does not recognize or want. The following is an example:

    [edit interfaces]
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-routing-engine;
                }
                address 192.168.1.2/32;
            }
        }
    }

    [edit firewall]
    family inet {
        filter protect-routing-engine {
            term 1 {
                ...
            }
            term default-action {
                then {
                    syslog;
                    discard;
                }
            }
        }
    }

2. Host Unreachable

The only method to prevent a Juniper router from sending a Host Unreachable message back to the originator, when it receives a packet with a destination address that is not found in its forwarding table, is to define a default route to the discard interface. The filter applied to this interface then silently discards the packets.

    [edit interfaces]
    dsc {
        unit 0 {
            family inet {
                filter {
                    input log-discard;
                }
                address 10.1.1.1/32 {
                    destination 10.1.1.2;
                }
            }
        }
    }

    [edit firewall]
    family inet {
        filter log-discard {
            term one {
                then {
                    syslog;
                    discard;
                }
            }
        }
    }

    [edit routing-options]
    static {
        route 0.0.0.0/0 next-hop 10.1.1.2;
    }

3. Aggregate and black hole routes

A Juniper router will also send ICMP unreachable messages for packets whose destination address matches an aggregate route or a black hole route.

a. Checking aggregate routes

By default, when aggregate routes are installed in a Juniper routing table, the next hop is configured as a reject route. Hence the packet is dropped and an ICMP unreachable message is sent to the packet's originator if the aggregate route itself is the result of a routing table longest-match lookup, or if a packet with a more specific destination under the advertised summary route does not match a more specific (contributing) route.

These packets can be quietly dropped by specifying discard for an individual route in the route part of the aggregate statement, or specifying reject when you configure the defaults for aggregate routes.

    [edit routing-options]
    aggregate {
        route 192.168.0.0/17 discard;
    }

or

    [edit routing-options]
    aggregate {
        defaults {
            active;
            discard;
            community 2:333;
        }
    }

Note: You can also issue the operational command show route protocol aggregate to determine whether the discard or reject option is used.

b. Checking black hole routes

    [edit routing-options]
    static {
        route 0.0.0.0/8 discard;
        route 1.0.0.0/8 discard;
        route 5.0.0.0/8 discard;
        ...
    }

ICMP Redirects

Under the [edit system] hierarchy, enter a show command to verify that the no-redirects statement is present on all Juniper routers. This restriction can also be enforced by including the no-redirects statement under each active interface.

    [edit system]
    no-redirects;

or

    [edit interfaces]
    fe-2/0/1 {
        description "NIPRNet link";
        unit 0 {
            family inet {
                no-redirects;
                filter {
                    input ingress-filter;
                }
                address 121.70.11.68/29;
            }
        }
    }

ICMP Mask Reply

JUNOS has no option to suppress replies to an ICMP Mask Request message. Consequently, to ensure that the router does not send any ICMP Mask Reply messages in response to a mask request, include a term in the routing engine firewall filter that drops any mask requests sent to it.

    [edit interfaces]
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-routing-engine;
                }
                address 192.168.1.2/32;
            }
        }
    }

    [edit firewall]
    family inet {
        filter protect-routing-engine {
            term icmp-mask-request {
                from {
                    protocol icmp;
                    icmp-type mask-request;
                }
                then {
                    log;
                    discard;
                }
            }
        }
    }
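As an added example (not part of the STIG or of any Juniper tooling), the following Python script audits a saved Junos configuration for the no-redirects check described above, accepting either the global [edit system] statement or a per-interface statement; it also inspects family inet6, which the rule title covers although the STIG's sample configuration shows family inet only. The configuration text, interface names and addresses are constructed for the example.

```python
import re

# Constructed Junos-style configuration; fe-2/0/1 lacks no-redirects under family inet.
SAMPLE_CONFIG = """
system { host-name edge1; }
interfaces {
    fe-2/0/1 { description "external link"; unit 0 {
        family inet { filter { input ingress-filter; } address 192.0.2.1/30; }
        family inet6 { no-redirects; address 2001:db8::1/64; } } }
    fe-2/0/2 { unit 0 { family inet { no-redirects; address 192.0.2.5/30; }
        family inet6 { no-redirects; address 2001:db8:1::1/64; } } }
}
"""

def parse_junos(text: str) -> dict:
    """Parse curly-brace Junos configuration into nested dicts; leaf statements map to None."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)
    stack, words = [{}], []
    for tok in tokens:
        if tok == "{":                      # open a hierarchy level keyed by the preceding words
            key = " ".join(words)
            child = stack[-1].get(key) or {}
            stack[-1][key] = child
            stack.append(child)
            words = []
        elif tok == ";":                    # leaf statement, e.g. "no-redirects;"
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return stack[0]

def audit_redirects(config_text: str, external_ifaces: list) -> list:
    """Return one finding per external interface family that can still emit ICMP redirects."""
    cfg = parse_junos(config_text)
    if "no-redirects" in (cfg.get("system") or {}):
        return []                           # [edit system] no-redirects covers every interface
    findings = []
    ifaces = cfg.get("interfaces") or {}
    for name in external_ifaces:
        units = {k: v for k, v in (ifaces.get(name) or {}).items() if k.startswith("unit ")}
        if not units:
            findings.append(f"{name}: not configured")
        for unit, body in units.items():
            for fam in ("family inet", "family inet6"):
                if fam in (body or {}) and "no-redirects" not in (body[fam] or {}):
                    findings.append(f"{name} {unit} {fam}: no-redirects missing")
    return findings
```

Run audit_redirects() against the text of show configuration (saved from the router) with the list of external-facing interfaces; an empty list means the redirect check passes.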

Fix text

The network element configuration must be changed to ensure ICMPv6 unreachables and redirects are disabled at all external interfaces.
