Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The firewall implementation must block IPv6 well-known multicast addresses on the ingress and egress inbound filters, (FF00::/8).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000019-FW-000253 | SRG-NET-000019-FW-000253 | SRG-NET-000019-FW-000253_rule | Medium |
| Description |
|---|
| The following well-known multicast addresses are predefined and shall never be assigned to any multicast group. Reserved Multicast Addresses: FF00:0:0:0:0:0:0:0 FF08:0:0:0:0:0:0:0 FF01:0:0:0:0:0:0:0 FF09:0:0:0:0:0:0:0 FF02:0:0:0:0:0:0:0 FF0A:0:0:0:0:0:0:0 FF03:0:0:0:0:0:0:0 FF0B:0:0:0:0:0:0:0 FF04:0:0:0:0:0:0:0 FF0C:0:0:0:0:0:0:0 FF05:0:0:0:0:0:0:0 FF0D:0:0:0:0:0:0:0 FF06:0:0:0:0:0:0:0 FF0E:0:0:0:0:0:0:0 FF07:0:0:0:0:0:0:0 FF0F:0:0:0:0:0:0:0 |
| STIG | Date |
|---|---|
| Firewall Security Requirements Guide | 2014-07-07 |
Details
| Check Text ( C-SRG-NET-000019-FW-000253_chk ) |
|---|
| Review the configuration of the firewall implementation. Verify that ingress and egress filters for IPv6 have been defined to deny the Multicast Source Addresses (FF00::/8). If the ingress and egress filters for IPv6 are not defined to deny the Multicast Source Addresses (FF00::/8) and log all violations, this is a finding. |
| Fix Text (F-SRG-NET-000019-FW-000253_fix) |
|---|
| Configure the firewall implementation ingress and egress filters for IPv6 to deny the Multicast Source Addresses (FF00::/8). |