STIGQter STIGQter: STIG Summary: Cisco IOS-XE Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco perimeter switch must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.

DISA Rule

SV-237772r648811_rule

Vulnerability Number

V-237772

Group Title

SRG-NET-000364-RTR-000203

Rule Version

CISC-RT-000395

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the switch to drop IPv6 packets containing a Destination Option header with option type values of 0x05 (Switch Alert) or 0xC2 (Jumbo Payload) as shown in the example below.

SW1(config)#ipv6 access-list FILTER_IPV6
SW1(config-ipv6-acl)#deny 60 any any dest-option-type 5 log
SW1(config-ipv6-acl)#deny 60 any any dest-option-type 194 log
SW1(config-ipv6-acl)#permit …



SW1(config-ipv6-acl)#deny ipv6 any any log
SW1(config-ipv6-acl)#exit
SW1(config)#int g1/0
SW1(config-if)#ipv6 traffic-filter FILTER_IPV6
SW1(config-if)#end

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the switch configuration to determine if it is compliant with this requirement.

Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.

interface gigabitethernet1/0
ipv6 address 2001::1:0:22/64
ipv6 traffic-filter FILTER_IPV6 in


Step 2: Verify that the ACL drops IPv6 packets containing a Destination Option header with option type values of 0x05 (Switch Alert) or 0xC2 (Jumbo Payload) as shown in the example below.

ipv6 access-list FILTER_IPV6
deny 60 any any dest-option-type 5 log
deny 60 any any dest-option-type 194 log
permit ipv6 …



deny ipv6 any any log

If the switch is not configured to drop IPv6 packets containing a Destination Option header with option type values of 0x05 (Switch Alert) or 0xC2 (Jumbo Payload), this is a finding.

Vulnerability Number

V-237772

Documentable

False

Rule Version

CISC-RT-000395

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Review the switch configuration to determine if it is compliant with this requirement.

Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface.

interface gigabitethernet1/0
ipv6 address 2001::1:0:22/64
ipv6 traffic-filter FILTER_IPV6 in


Step 2: Verify that the ACL drops IPv6 packets containing a Destination Option header with option type values of 0x05 (Switch Alert) or 0xC2 (Jumbo Payload) as shown in the example below.

ipv6 access-list FILTER_IPV6
deny 60 any any dest-option-type 5 log
deny 60 any any dest-option-type 194 log
permit ipv6 …



deny ipv6 any any log

If the switch is not configured to drop IPv6 packets containing a Destination Option header with option type values of 0x05 (Switch Alert) or 0xC2 (Jumbo Payload), this is a finding.

Check Content Reference

M

Target Key

4074

Comments