UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The administrator must ensure that multicast groups used for source specific multicast (SSM) routing are from the specific multicast address space reserved for this purpose.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30585 NET-MCAST-020 SV-40325r1_rule ECSC-1 Low
Description
Packet origin is a concern because unauthorized sources could potentially send multicast data to a group, using any source address that is permitted. The unauthorized data could impact the integrity of the nodes receiving the data or could create a DoS condition. A receiver that subscribes to an SSM channel only receives data from the requested source. Since a channel is specific to a source, only that source can transmit on that channel. Hence, the SSM model provides more packet origin protection than ASM. To ensure that the subscriber is joining an authorized or known multicast group and source address pair, it is imperative that the group is from the reserved multicast address space as a first step measure.
STIG Date
Perimeter L3 Switch Security Technical Implementation Guide 2015-04-06

Details

Check Text ( C-39203r1_chk )
IANA has reserved the address range 232.0.0.0 through 232.255.255.255 for SSM applications and protocols. However, Cisco IOS allows SSM configuration for an arbitrary subset of the IP multicast address range 224.0.0.0 through 239.255.255.255.

If IPv4 or IPv6 multicast routing is enabled, determine if gimp version 3 or MLD version 2 is enabled for IPv4 and IPv6 respectively. If enabled, then PIM-SSM is also enabled. Hence, you must verify that only the IANA reserved SSM range of addresses is used for this implementation. The SSM address range is 232.0.0.0/8 and FF3x::/32 for IPv4 and IPv6 respectively.
Fix Text (F-34303r1_fix)
If IGMP version 3 or MLD version 2 is enabled for IPv4 and IPv6 multicast respectively, then PIM-SSM is also enabled. Hence, you must configure the router so that only the IANA reserved SSM range of addresses can be used for this implementation. The SSM address range is 232.0.0.0/8 and FF3x::/32 for IPv4 and IPv6 respectively.