STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021

The Juniper perimeter router must be configured to drop IPv6 packets with a Routing Header type 0, 1, or 3-255.

DISA Rule

SV-233294r639663_rule

Vulnerability Number

V-233294

Group Title

SRG-NET-000364-RTR-000201

Rule Version

JUNI-RT-000382

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Step 1: Configure a filter to block packets with a routing header as shown in the example.

user@R1# edit firewall family inet6
user@R1# edit filter IPV6-INGRESS-FILTER
user@R1# set term ROUTING_HEADER from next-header routing
user@R1# set term ROUTING_HEADER then discard syslog
user@R1# top

Step 2: Apply the filter inbound on all external IPv6-enabled interfaces.

user@R1# edit interfaces ge-0/0/0 unit 0 family inet6
user@R1# set filter input IPV6-INGRESS-FILTER
user@R1# commit

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it is configured to drop IPv6 packets containing a Routing Header of type 0, 1, or 3-255.

Step 1: Verify that all external IPv6-enabled interfaces have an IPv6 filter as shown in the example below.

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet6 {
                filter {
                    input IPV6-INGRESS-FILTER;
                }
                address 2001:1:0:146::1/64;
            }
        }
    }
}

Step 2: Verify that the IPV6 filter blocks all packets with a routing header as shown in the example below.

firewall {
    family inet6 {
        filter IPV6-INGRESS-FILTER {
            term ROUTING_HEADER {
                from {
                    next-header routing;
                }
                then {
                    syslog;
                    discard;
                }
            }
            term ALLOW_TCP_ESTABLISHED {
                from {
                    next-header tcp;
                    tcp-established;
                }
                then accept;
            }
            term DENY_BY_DEFAULT {
                then {
                    syslog;
                    discard;
                }
            }
        }
    }
}

Note: JUNOS currently has no method to match on the routing type field within a routing header, so it cannot single out types 0, 1, and 3-255. Hence, all packets with a routing header must be dropped.

If the router is not configured to drop IPv6 packets containing a Routing Header of type 0, 1, or 3-255, this is a finding.
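To automate Step 1 and Step 2 of this check against saved configuration text, here is an added Python script; it is not part of the STIG or of STIGQter. It parses the curly-brace format shown above, treats every inet6-enabled unit as an external interface (the reviewer narrows that list), and, because Junos evaluates filter terms in order, requires the discarding term to come before any term that could accept a routing-header packet. The embedded sample configuration is constructed, with ge-0/0/1 deliberately left unfiltered to produce a finding.

```python
import re
# Constructed sample modelled on the check's example: ge-0/0/0 is compliant, ge-0/0/1 is unfiltered.
SAMPLE_CONFIG = """
interfaces {
    ge-0/0/0 { unit 0 { family inet6 { filter { input IPV6-INGRESS-FILTER; } address 2001:1:0:146::1/64; } } }
    ge-0/0/1 { unit 0 { family inet6 { address 2001:1:0:147::1/64; } } }
}
firewall { family inet6 { filter IPV6-INGRESS-FILTER {
    term ROUTING_HEADER { from { next-header routing; } then { syslog; discard; } }
    term ALLOW_TCP_ESTABLISHED { from { next-header tcp; tcp-established; } then accept; }
    term DENY_BY_DEFAULT { then { syslog; discard; } }
} } }
"""

def parse(text):
    # Junos curly-brace config -> nested dicts (statement order kept); leaf statements map to None.
    stack = [{}]
    for stmt, delim in re.findall(r"\s*([^{};]*?)\s*([{};])", text):
        if delim == "{":
            stack[-1][stmt] = child = {}
            stack.append(child)
        elif delim == "}":
            stack.pop()
        elif stmt:
            stack[-1][stmt] = None
    return stack[0]

def filter_drops_routing_header(cfg, name):
    # Terms run in order: the first term able to match a routing-header packet must discard it.
    flt = cfg.get("firewall", {}).get("family inet6", {}).get(f"filter {name}") or {}
    for term in (v for k, v in flt.items() if k.startswith("term ")):
        nh = [k for k in (term.get("from") or {}) if k.startswith("next-header ")]
        if nh and "next-header routing" not in nh:
            continue  # matches other next-headers only, so a routing-header packet falls through
        actions = set(term.get("then") or ()) | {k[5:] for k in term if k.startswith("then ")}
        return "discard" in actions  # handles both 'then { ... }' and 'then accept;' forms
    return False  # no explicit term catches routing headers (or the filter does not exist)

def assess(text):
    # Check Step 1 and Step 2 for every inet6-enabled unit; returns [(unit, filter name or None), ...]
    cfg, findings = parse(text), []
    for ifname, iface in cfg.get("interfaces", {}).items():
        for unit, body in (iface or {}).items():
            fam = (body or {}).get("family inet6")
            if fam is None:
                continue  # unit is not IPv6-enabled
            flt = next((k.split()[1] for k in (fam.get("filter") or {}) if k.startswith("input ")), None)
            if not filter_drops_routing_header(cfg, flt):  # None (no input filter) never passes
                findings.append((f"{ifname} {unit}", flt))
    return findings  # empty list means no finding for this requirement
```

Feed it the output of "show configuration interfaces" and "show configuration firewall family inet6" concatenated; a returned tuple with None names a unit that has no inet6 input filter at all.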

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

4032

Comments