
The router must establish boundaries for Admin-local or Site-local scope multicast traffic.


Overview

Finding ID: SRG-NET-000019-RTR-000005
Version: SRG-NET-000019-RTR-000005
Rule ID: SRG-NET-000019-RTR-000005_rule
IA Controls: (none listed)
Severity: Medium
Description
A scope zone is an instance of a connected region for a given scope. Zones of the same scope cannot overlap, while zones of a smaller scope fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007, IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective". That is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. Administratively scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Hence, administratively scoped multicast traffic must not cross the enclave perimeter in either direction. The use of an Admin-local scope can contain multicast traffic to a portion of an enclave or within a site. This makes it more difficult for a malicious user to access sensitive traffic, because the traffic is restricted to links to which the user does not have access. Admin-local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations.
STIG: Router Security Requirements Guide
Date: 2013-07-30

Details

Check Text ( C-SRG-NET-000019-RTR-000005_chk )
Review the multicast topology diagram to determine whether any Admin-local (FFx4::/16), Site-local (FFx5::/16), or Organization-local (FFx8::/16) multicast boundaries for IPv6 traffic, or any Local-scope (239.255.0.0/16) boundaries for IPv4 traffic, are documented. Verify that the appropriate boundaries are configured on the applicable multicast-enabled interfaces. If the appropriate boundaries are not configured on the applicable multicast-enabled interfaces, this is a finding.
Fix Text (F-SRG-NET-000019-RTR-000005_fix)
Configure the necessary boundaries to contain packets addressed within the administratively scoped zone. The defined multicast address ranges are: FFx4::/16, FFx5::/16, FFx8::/16, and 239.255.0.0/16.
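As an added illustration that is not part of the STIG, the following Python check classifies group addresses by the administratively scoped ranges named above (the "x" in FFx4::/16 is the IPv6 flags nibble, so only the scope nibble is compared) and flags flows leaving an interface that has no matching boundary configured. The interface names and flows are constructed sample data.

```python
import ipaddress

# IPv6 administratively scoped ranges from the check text. The scope is the
# low nibble of the second address byte (RFC 4291); the flags nibble is ignored.
ADMIN_SCOPED_IPV6_SCOPES = {
    0x4: "Admin-local (FFx4::/16)",
    0x5: "Site-local (FFx5::/16)",
    0x8: "Organization-local (FFx8::/16)",
}
# IPv4 administratively scoped block from the check text.
IPV4_LOCAL_SCOPE = ipaddress.ip_network("239.255.0.0/16")


def ipv6_multicast_scope(addr):
    """Return the 4-bit scope of an IPv6 multicast address, or None if not multicast."""
    a = ipaddress.ip_address(addr)
    if a.version != 6 or not a.is_multicast:
        return None
    return a.packed[1] & 0x0F


def boundary_scope_label(addr):
    """Name the administratively scoped zone a group belongs to, or None if the
    address is outside the ranges this requirement covers (e.g. global scope)."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return "Local-scope (239.255.0.0/16)" if a in IPV4_LOCAL_SCOPE else None
    return ADMIN_SCOPED_IPV6_SCOPES.get(ipv6_multicast_scope(str(a)))


def audit_boundaries(interfaces, flows):
    """interfaces: {name: set of scope labels with a boundary configured there}.
    flows: (interface, group) pairs seen leaving the enclave on that interface.
    Returns flows that should be contained but have no matching boundary."""
    findings = []
    for ifname, group in flows:
        label = boundary_scope_label(group)
        if label is not None and label not in interfaces.get(ifname, set()):
            findings.append((ifname, group, label))
    return findings


# Constructed sample: hypothetical perimeter interfaces and observed groups.
SAMPLE_INTERFACES = {
    "Gi0/0": set(ADMIN_SCOPED_IPV6_SCOPES.values()) | {"Local-scope (239.255.0.0/16)"},
    "Gi0/1": {"Admin-local (FFx4::/16)"},  # site/org-local and IPv4 boundaries missing
}
SAMPLE_FLOWS = [
    ("Gi0/0", "ff14::1"),      # admin-local, boundary present: no finding
    ("Gi0/1", "ff15::1"),      # site-local, no boundary: finding
    ("Gi0/1", "ff0e::1"),      # global scope: not covered by this requirement
    ("Gi0/1", "239.255.1.1"),  # IPv4 local scope, no boundary: finding
    ("Gi0/1", "224.0.0.5"),    # IPv4 link-local (OSPF): not covered
]


def sample_findings():
    return audit_boundaries(SAMPLE_INTERFACES, SAMPLE_FLOWS)
```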