From Perimeter L3 Switch Security Technical Implementation Guide
Part of NSAP address option not filtered
Associated with IA controls: ECSC-1
The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always drop packets with headers that it can’t recognize and hence could cause a DoS on the target device. In addition, the type, length, value (TLV) formatting provides the ability for headers to be very large. According to the DoD IPv6 IA Guidance for MO3, headers which may be valid but serve no intended use should not be allowed into or out of any network (S0-C2-opt-3). This option type from RFC 1888 (OSI NSAPs and IPv6) has been deprecated by RFC 4048.
Review the perimeter router or multi-layer switch configuration and determine if filters are bound to the applicable interfaces to drop all inbound and outbound IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address).
Configure the perimeter router or multi-layer switch to drop all inbound and outbound IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address).
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer