EvotecIT / Testimo

Testimo is a PowerShell module for running health checks for Active Directory against a bunch of different tests
MIT License
534 stars, 56 forks

MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) #66

Open PrzemyslawKlys opened 4 years ago

PrzemyslawKlys commented 4 years ago

This control determines if Windows will accept source routed packets.

How to Validate

To validate this, go to the registry key (HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters) and look for the value named (DisableIPSourceRouting), check for the modifiers (ErrorNotOk), get the description (The recommended state for this setting is "Highest protection, source routing is completely disabled".), with the priority (Critical), Acceptable Value(s) 2

Remediation Steps

Remediation

The GPO for this setting is located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)

For all profiles, the recommended state for this setting is Highest protection, source routing is completely disabled

NOTE: For "MSS:"-prefixed settings, if they are not visible in the Group Policy Editor, download the Microsoft Security Compliance Manager, run LocalGPO.msi, and then execute the following command to make them available:

cscript.exe LocalGPO.wsf /ConfigureSCE

PrzemyslawKlys commented 4 years ago

If the value for "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" is not set to "Highest protection, source routing is completely disabled", this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE

Subkey: \System\CurrentControlSet\Services\Tcpip6\Parameters\

Value Name: DisableIpSourceRouting

Type: REG_DWORD

Value: 2
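The check described in the two comments above, written out as an added PowerShell example. It is not part of the thread and is not Testimo's own code; the function name Test-IPv6SourceRouting and its parameters are hypothetical. It separates three cases that all count as a finding: the value is missing, it has the wrong type, or it is not 2.

```powershell
# Added example: audit DisableIPSourceRouting (IPv6) against the acceptable value 2.
# Function and parameter names are hypothetical; key, value name, type and
# expected value are the ones quoted in the issue.
function Test-IPv6SourceRouting {
    [CmdletBinding()]
    param(
        # Exposed as a parameter so the check can be pointed at a test key
        [string] $Path     = 'HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters',
        [string] $Name     = 'DisableIPSourceRouting',
        [int]    $Expected = 2
    )

    $result = [ordered]@{
        Path      = $Path
        Name      = $Name
        Expected  = $Expected
        Actual    = $null
        Kind      = $null
        Compliant = $false
        Detail    = ''
    }

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        $result.Detail = 'Registry key not found'
    }
    elseif ($key.GetValueNames() -notcontains $Name) {
        # No value present means the acceptable value 2 is not set: a finding
        $result.Detail = 'Value not set'
    }
    else {
        $result.Actual = $key.GetValue($Name)
        $result.Kind   = $key.GetValueKind($Name)
        if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $result.Detail = "Type is $($result.Kind), expected REG_DWORD"
        }
        elseif ($result.Actual -ne $Expected) {
            $result.Detail = "Value is $($result.Actual), expected $Expected"
        }
        else {
            $result.Compliant = $true
            $result.Detail    = 'Source routing is completely disabled'
        }
    }
    [pscustomobject]$result
}

Test-IPv6SourceRouting | Format-List
```

To audit several machines, the function body can be passed to Invoke-Command and the Compliant property filtered on the returned objects.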

doggonewater672 commented 2 years ago

What would be the impact of this setting if you use a proxy to reroute client traffic to a different route so SDWAN in this case?

PrzemyslawKlys commented 2 years ago

Unfortunately, I don't know. This follows a recommendation from MS.