Long Name: The administrator must ensure that multicast routers are configured to establish boundaries for Admin-local or Site-local scope multicast traffic.

From Perimeter Router Security Technical Implementation Guide Juniper

Part of No Admin-local or Site-local boundary

SV-21170r1_rule Long Name: The administrator must ensure that multicast routers are configured to establish boundaries for Admin-local or Site-local scope multicast traffic.

Vulnerability discussion

A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"-that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. As stated in the DoD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces."Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Hence, administrative scoped multicast traffic must not cross the perimeter of the enclave in either direction. Admin-local scope could be used to contain multicast traffic to a portion of an enclave or within a site. This can make it more difficult for a malicious user to access sensitive traffic if the traffic is restricted to links that the user does not have access to. Admin-local scope is encouraged for any multicast traffic within a network that is intended for network management as well as control plane traffic that must reach beyond link-local destinations.

Check content

The following examples will establish a multicast boundary on the interface to ensure that Local-scope IPv4 traffic or Site-local scope IPv6 traffic is not allowed into or out of the administratively scoped multicast region. You can configure multicast scoping with a scope statement or with a scope-policy statement as shown in the examples. Example using the scope statement routing-options { multicast { scope ipv4-administrative-scope { interface [fe-1/1/1 fe-1/1/2]; prefix 239.255.0.0/16; } scope ipv6-administrative-scope { interface [fe-1/1/1 fe-1/1/2]; prefix FF05::/16; } } } Example using the scope-policy statement routing-options { multicast { scope-policy block-admin-scope; } } . . . policy-options { policy-statement block-admin-scope { term reject-i { from { route-filter 239.255.0.0/16 orlonger; route-filter FF08::/16 orlonger; } then reject; } } }

Fix text

Local Scope range is 239.255.0.0/16 and can expand into the reserved ranges 239.254.0.0/16 and 239.253.0.0/16 if 239.255.0.0/16 is exhausted. The scope of IPv6 multicast packets are determined by the scope value where 4 is Admin-local and 5 is Site-local. Configure the necessary boundary to ensure packets addressed to these administratively scoped multicast addresses do not cross the applicable administrative boundaries.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer