UCF STIG Viewer Logo

Long Name: The administrator must ensure that multicast routers are configured to establish boundaries for Admin-local or Site-local scope multicast traffic.


Overview

Finding ID Version Rule ID IA Controls Severity
V-19189 NET-MCAST-010 SV-21170r1_rule Low
Description
A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"-that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. As stated in the DoD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces." Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Hence, administrative scoped multicast traffic must not cross the perimeter of the enclave in either direction. Admin-local scope could be used to contain multicast traffic to a portion of an enclave or within a site. This can make it more difficult for a malicious user to access sensitive traffic if the traffic is restricted to links that the user does not have access to. Admin-local scope is encouraged for any multicast traffic within a network that is intended for network management as well as control plane traffic that must reach beyond link-local destinations.
STIG Date
Infrastructure Router Security Technical Implementation Guide Juniper 2018-11-27

Details

Check Text ( C-23288r1_chk )
The following examples will establish a multicast boundary on the interface to ensure that Local-scope IPv4 traffic or Site-local scope IPv6 traffic is not allowed into or out of the administratively scoped multicast region. You can configure multicast scoping with a scope statement or with a scope-policy statement as shown in the examples.

Example using the scope statement

routing-options {
multicast {
scope ipv4-administrative-scope {
interface [fe-1/1/1 fe-1/1/2];
prefix 239.255.0.0/16;
}
scope ipv6-administrative-scope {
interface [fe-1/1/1 fe-1/1/2];
prefix FF05::/16;
}
}
}


Example using the scope-policy statement

routing-options {
multicast {
scope-policy block-admin-scope;
}
}
.
.
.
policy-options {
policy-statement block-admin-scope {
term reject-i {
from {
route-filter 239.255.0.0/16 orlonger;
route-filter FF08::/16 orlonger;
}
then reject;
}
}
}
Fix Text (F-19813r1_fix)
Local Scope range is 239.255.0.0/16 and can expand into the reserved ranges 239.254.0.0/16 and 239.253.0.0/16 if 239.255.0.0/16 is exhausted. The scope of IPv6 multicast packets are determined by the scope value where 4 is Admin-local and 5 is Site-local. Configure the necessary boundary to ensure packets addressed to these administratively scoped multicast addresses do not cross the applicable administrative boundaries.