The Juniper perimeter router must be configured to drop fragmented IPv6 packets where the first fragment does not include the entire IPv6 header chain.

Description

<VulnDiscussion>One of the fragmentation weaknesses known in IPv6 is the "undetermined transport" packet, which is the first fragment where the entire IPv6 header chain is not included. Fragmenting IPv6 datagrams and not including the upper-layer header makes it difficult to identify the traffic. RFC7112 and RFC8200 require the entire IPv6 header chain be present in the first fragment and defines the header chain as: "The IPv6 Header Chain contains an initial IPv6 header, zero or more IPv6 Extension Headers, and optionally, a single upper-layer header. If an upper-layer header is present, it terminates the header chain; otherwise, the "No Next Header" value (Next Header = 59) terminates it." Both RFCs consider a second IPv6 header and an ESP header as "upper-layer headers" when determining where the IPv6 header chain terminates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>