The administrator must ensure that multicast groups used for source specific multicast (SSM) routing are from the specific multicast address space reserved for this purpose.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-30585	NET-MCAST-020	SV-40325r1_rule		Low

Description
Packet origin is a concern because unauthorized sources could potentially send multicast data to a group, using any source address that is permitted. The unauthorized data could impact the integrity of the nodes receiving the data or could create a DoS condition. A receiver that subscribes to an SSM channel only receives data from the requested source. Since a channel is specific to a source, only that source can transmit on that channel. Hence, the SSM model provides more packet origin protection than ASM. To ensure that the subscriber is joining an authorized or known multicast group and source address pair, it is imperative that the group is from the reserved multicast address space as a first step measure.

Description

Packet origin is a concern because unauthorized sources could potentially send multicast data to a group, using any source address that is permitted. The unauthorized data could impact the integrity of the nodes receiving the data or could create a DoS condition. A receiver that subscribes to an SSM channel only receives data from the requested source. Since a channel is specific to a source, only that source can transmit on that channel. Hence, the SSM model provides more packet origin protection than ASM. To ensure that the subscriber is joining an authorized or known multicast group and source address pair, it is imperative that the group is from the reserved multicast address space as a first step measure.

STIG	Date
Perimeter L3 Switch Security Technical Implementation Guide	2016-12-22

Details

Check Text ( C-39203r1_chk )
IANA has reserved the address range 232.0.0.0 through 232.255.255.255 for SSM applications and protocols. However, Cisco IOS allows SSM configuration for an arbitrary subset of the IP multicast address range 224.0.0.0 through 239.255.255.255. If IPv4 or IPv6 multicast routing is enabled, determine if gimp version 3 or MLD version 2 is enabled for IPv4 and IPv6 respectively. If enabled, then PIM-SSM is also enabled. Hence, you must verify that only the IANA reserved SSM range of addresses is used for this implementation. The SSM address range is 232.0.0.0/8 and FF3x::/32 for IPv4 and IPv6 respectively.

Check Text ( C-39203r1_chk )

IANA has reserved the address range 232.0.0.0 through 232.255.255.255 for SSM applications and protocols. However, Cisco IOS allows SSM configuration for an arbitrary subset of the IP multicast address range 224.0.0.0 through 239.255.255.255.

If IPv4 or IPv6 multicast routing is enabled, determine if gimp version 3 or MLD version 2 is enabled for IPv4 and IPv6 respectively. If enabled, then PIM-SSM is also enabled. Hence, you must verify that only the IANA reserved SSM range of addresses is used for this implementation. The SSM address range is 232.0.0.0/8 and FF3x::/32 for IPv4 and IPv6 respectively.

Fix Text (F-34303r1_fix)
If IGMP version 3 or MLD version 2 is enabled for IPv4 and IPv6 multicast respectively, then PIM-SSM is also enabled. Hence, you must configure the router so that only the IANA reserved SSM range of addresses can be used for this implementation. The SSM address range is 232.0.0.0/8 and FF3x::/32 for IPv4 and IPv6 respectively.