Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-30585 | NET-MCAST-020 | SV-40327r1_rule | ECSC-1 | Low |
Description |
---|
Packet origin is a concern because unauthorized sources could potentially send multicast data to a group, using any source address that is permitted. The unauthorized data could impact the integrity of the nodes receiving the data or could create a DoS condition. A receiver that subscribes to an SSM channel only receives data from the requested source. Since a channel is specific to a source, only that source can transmit on that channel. Hence, the SSM model provides more packet origin protection than ASM. To ensure that the subscriber is joining an authorized or known multicast group and source address pair, it is imperative that the group is from the reserved multicast address space as a first step measure. |
STIG | Date |
---|---|
Infrastructure Router Security Technical Implementation Guide Juniper | 2015-09-21 |
Check Text ( C-39206r1_chk ) |
---|
IANA has reserved the address range 232.0.0.0 through 232.255.255.255 for SSM applications and protocols. However, Cisco IOS allows SSM configuration for an arbitrary subset of the IP multicast address range 224.0.0.0 through 239.255.255.255. If IPv4 or IPv6 multicast routing is enabled, determine if IGMP version 3 or MLD version 2 is enabled for IPv4 and IPv6 respectively. If enabled, then PIM-SSM is also enabled. Hence, you must verify that only the IANA reserved SSM range of addresses is used for this implementation. The SSM address range is 232.0.0.0/8 and FF3x::/32 for IPv4 and IPv6 respectively. |

Step 1: Determine if multicast routing is enabled:

```
routing-options {
    multicast {
        …
    }
}
```

Step 2: Determine whether source-specific joins are enabled for each address family.

IPv4: Determine if IGMPv3 is enabled. This is required for subscribers to join a specific source. The configuration would look similar to the following:

```
protocols {
    …
    igmp {
        interface all {
            mode sparse;
            version 3;        /* IGMPv3 lets subscribers join a specific (source, group) channel */
        }
        interface fxp0.0 {
            disable;
        }
        interface fe-1/1/1 {
            disable;
        }
    }
}
```

If IGMPv3 is not enabled for IPv4 multicast, this vulnerability is not applicable.

IPv6: Determine if MLDv2 is enabled. This is required for subscribers to join a specific source. The configuration would look similar to the following:

```
protocols {
    …
    mld {
        interface all {
            mode sparse;
            version 2;        /* MLDv2 lets subscribers join a specific (source, group) channel */
        }
        interface fxp0.0 {
            disable;
        }
        interface fe-1/1/1 {
            disable;
        }
    }
}
```

If MLDv2 is not enabled for IPv6 multicast, this vulnerability is not applicable.

Step 3: Verify that the appropriate multicast groups are used for SSM. By default, the SSM group multicast address is limited to the IPv4 address block 232/8 and the IPv6 address block FF3x::/32, where x is any valid scope value. However, you can extend SSM operations into another range by including a list of addresses with the [edit routing-options multicast ssm-groups] statement. If configured as in the examples shown below, ensure that the range is within the IANA reserved range for SSM groups.

IPv4:

```
routing-options {
    multicast {
        ssm-groups {
            232.4.0.0/24;
        }
        …
    }
}
```

IPv6:

```
routing-options {
    multicast {
        ssm-groups {
            ff3e::1:0:0/96;
        }
        …
    }
}
```
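The check above can be automated against a saved configuration. The following Python script is an added example (not DISA or Juniper tooling): it parses a Junos brace-style snippet, reports whether IGMPv3 and MLDv2 are enabled, and lists any [edit routing-options multicast ssm-groups] entry that falls outside 232.0.0.0/8 or FF3x::/32; the configuration text and function names are constructed for this demonstration.

```python
import ipaddress
import re

IANA_SSM_V4 = ipaddress.IPv4Network("232.0.0.0/8")
# Constructed sample config (not from the STIG): one ssm-groups entry is outside the IANA range.
SAMPLE_CONFIG = """
routing-options {
    multicast { ssm-groups { 232.4.0.0/24; ff3e::1:0:0/96; 239.1.0.0/16; } }
}
protocols {
    igmp { interface all { mode sparse; version 3; } }
    mld { interface all { mode sparse; version 2; } }
}
"""

def parse(config):
    """Walk a Junos brace-style config; return (hierarchy path, statement) leaf pairs."""
    stack, words, leaves = [], [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", config):
        if tok == "{":                       # open a block named by the pending words
            stack.append(" ".join(words)); words = []
        elif tok == "}":                     # close the innermost block
            stack.pop(); words = []
        elif tok == ";":                     # terminal statement at the current path
            leaves.append((tuple(stack), tuple(words))); words = []
        else:
            words.append(tok)
    return leaves

def ssm_enabled(config):
    """Return (igmpv3, mldv2): PIM-SSM is implied when either is configured."""
    leaves = parse(config)
    v4 = any(p[:2] == ("protocols", "igmp") and s == ("version", "3") for p, s in leaves)
    v6 = any(p[:2] == ("protocols", "mld") and s == ("version", "2") for p, s in leaves)
    return v4, v6

def in_iana_ssm_range(prefix):
    """True if prefix is inside 232.0.0.0/8 (IPv4) or FF3x::/32 (IPv6, x = any scope)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 4:
        return net.subnet_of(IANA_SSM_V4)
    top = int(net.network_address) >> 96    # first 32 bits must be ff3x:0000
    return net.prefixlen >= 32 and (top >> 20) == 0xff3 and (top & 0xFFFF) == 0

def noncompliant_ssm_groups(config):
    """List [edit routing-options multicast ssm-groups] entries outside the IANA SSM space."""
    groups = [s[0] for p, s in parse(config)
              if p == ("routing-options", "multicast", "ssm-groups")]
    return [g for g in groups if not in_iana_ssm_range(g)]
```

Feed it the output of `show configuration` for the real device; a non-empty result from `noncompliant_ssm_groups` is a finding only when `ssm_enabled` reports IGMPv3 or MLDv2 as enabled.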
Fix Text (F-34303r1_fix) |
---|
If IGMP version 3 or MLD version 2 is enabled for IPv4 and IPv6 multicast respectively, then PIM-SSM is also enabled. Hence, you must configure the router so that only the IANA reserved SSM range of addresses can be used for this implementation. The SSM address range is 232.0.0.0/8 and FF3x::/32 for IPv4 and IPv6 respectively. |