The multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.

From Router Security Requirements Guide

Part of SRG-NET-000019-RTR-000005

Associated with: CCI-001414

SV-69983r2_rule The multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.

Vulnerability discussion

If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel.Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic.Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations.

Check content

Review the multicast topology diagram to determine if there are any documented Admin-Local (FFx4::/16), Site-Local (FFx5::/16), or Organization-Local (FFx8::/16) multicast boundaries for IPv6 traffic or any Local-Scope (239.255.0.0/16) boundaries for IPv4 traffic. Verify the appropriate boundaries are configured on the applicable multicast-enabled interfaces. If the appropriate boundaries are not configured on applicable multicast-enabled interfaces, this is a finding.

Fix text

Configure the appropriate boundaries to contain packets addressed within the administratively scoped zone. Defined multicast addresses are FFx4::/16, FFx5::/16, FFx8::/16, and 239.255.0.0/16.

Pro Tips

Powered by sagemincer