
The router must block IPv6 well-known multicast addresses on the ingress and egress inbound filters, (FF00::/8).


Overview

Finding ID: SRG-NET-000205-RTR-000106
Version: SRG-NET-000205-RTR-000106
Rule ID: SRG-NET-000205-RTR-000106_rule
IA Controls:
Severity: Medium
Description
The following well-known multicast addresses are predefined and shall never be assigned to any multicast group.

Reserved Multicast Addresses:

FF00:0:0:0:0:0:0:0    FF08:0:0:0:0:0:0:0
FF01:0:0:0:0:0:0:0    FF09:0:0:0:0:0:0:0
FF02:0:0:0:0:0:0:0    FF0A:0:0:0:0:0:0:0
FF03:0:0:0:0:0:0:0    FF0B:0:0:0:0:0:0:0
FF04:0:0:0:0:0:0:0    FF0C:0:0:0:0:0:0:0
FF05:0:0:0:0:0:0:0    FF0D:0:0:0:0:0:0:0
FF06:0:0:0:0:0:0:0    FF0E:0:0:0:0:0:0:0
FF07:0:0:0:0:0:0:0    FF0F:0:0:0:0:0:0:0
STIG Date
Router Security Requirements Guide 2013-07-30

Details

Check Text ( C-SRG-NET-000205-RTR-000106_chk )
Review the perimeter router configuration to verify filters are in place to restrict the IPv6 addresses. Verify that ingress and egress filters for IPv6 have been defined to deny the Multicast Source Addresses (FF00::/8), and log all violations. If the ingress and egress filters for IPv6 are not defined to deny the Multicast Source Addresses (FF00::/8), and log all violations, this is a finding.
Fix Text (F-SRG-NET-000205-RTR-000106_fix)
Configure the perimeter router ingress and egress filters for IPv6 to deny the Multicast Source Addresses (FF00::/8), and log all violations.
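
One way to automate the check text, as an added example that is not part of the SRG: a Python audit that reports every interface direction lacking a filter that denies and logs FF00::/8 as a source. The SRG is vendor-neutral; Cisco IOS-style `ipv6 access-list` / `ipv6 traffic-filter` syntax without sequence numbers is assumed, every interface in the file is treated as a perimeter interface, and the ACL names, interface names and sample configuration are constructed.

```python
import ipaddress
import re

MCAST = ipaddress.ip_network("ff00::/8")
SAMPLE = """\
ipv6 access-list EDGE-IN
 deny ipv6 FF00::/8 any log
ipv6 access-list EDGE-OUT
 permit ipv6 any any
 deny ipv6 FF00::/8 any log
interface GigabitEthernet0/0
 ipv6 traffic-filter EDGE-IN in
 ipv6 traffic-filter EDGE-OUT out
interface GigabitEthernet0/1
 ipv6 traffic-filter EDGE-IN in
"""  # constructed config, not taken from any real device

def parse(config):  # ACL name -> entries, interface -> {"in"/"out": ACL name}
    acls, bindings, acl, iface = {}, {}, None, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # a top-level command closes the open block
            acl = iface = None
        line = raw.strip()
        if m := re.match(r"ipv6 access-list (\S+)", line):
            acl = acls.setdefault(m[1], [])
        elif m := re.match(r"interface (\S+)", line):
            iface = bindings.setdefault(m[1], {})
        elif acl is not None:
            acl.append(line.split())
        elif iface is not None and (m := re.match(r"ipv6 traffic-filter (\S+) (in|out)", line)):
            iface[m[2]] = m[1]
    return acls, bindings

def denies_mcast_source(entries):
    # First matching entry wins: a covering "deny ... log" must precede any permit.
    for t in entries:
        if len(t) < 3 or t[0] not in ("permit", "deny"):
            continue
        src = t[3] if t[2] == "host" else t[2]
        net = ipaddress.ip_network("::/0" if src == "any" else src, strict=False)
        if t[:2] == ["deny", "ipv6"] and MCAST.subnet_of(net):
            return "log" in t
        if t[0] == "permit" and net.overlaps(MCAST):
            return False
    return False  # no explicit deny-and-log entry covering FF00::/8 was found

def audit(config):  # (interface, direction) pairs that fail the check text
    acls, bindings = parse(config)
    return [(ifc, d) for ifc, dirs in bindings.items() for d in ("in", "out")
            if not denies_mcast_source(acls.get(dirs.get(d), []))]
```

On the constructed sample, `audit(SAMPLE)` flags GigabitEthernet0/0 outbound, where a broader permit precedes the deny, and GigabitEthernet0/1 outbound, where no filter is applied.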