
The firewall implementation must block IPv6 well-known multicast addresses on the ingress and egress inbound filters, (FF00::/8).


Overview

Finding ID: SRG-NET-000019-FW-000253
Version: SRG-NET-000019-FW-000253
Rule ID: SRG-NET-000019-FW-000253_rule
IA Controls: (none listed)
Severity: Medium

Description
The following well-known multicast addresses are predefined and shall never be assigned to any multicast group.

Reserved Multicast Addresses:
FF00:0:0:0:0:0:0:0
FF01:0:0:0:0:0:0:0
FF02:0:0:0:0:0:0:0
FF03:0:0:0:0:0:0:0
FF04:0:0:0:0:0:0:0
FF05:0:0:0:0:0:0:0
FF06:0:0:0:0:0:0:0
FF07:0:0:0:0:0:0:0
FF08:0:0:0:0:0:0:0
FF09:0:0:0:0:0:0:0
FF0A:0:0:0:0:0:0:0
FF0B:0:0:0:0:0:0:0
FF0C:0:0:0:0:0:0:0
FF0D:0:0:0:0:0:0:0
FF0E:0:0:0:0:0:0:0
FF0F:0:0:0:0:0:0:0

STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000019-FW-000253_chk)
Review the configuration of the firewall implementation. Verify that ingress and egress filters for IPv6 have been defined to deny the Multicast Source Addresses (FF00::/8). If the ingress and egress filters for IPv6 are not defined to deny the Multicast Source Addresses (FF00::/8) and log all violations, this is a finding.
Fix Text (F-SRG-NET-000019-FW-000253_fix)
Configure the firewall implementation ingress and egress filters for IPv6 to deny the Multicast Source Addresses (FF00::/8).
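
Added example (not part of the SRG): one way to automate the check text against an exported rule set. The rule format (dir, action, src, log), the sample rules and the first-match-wins evaluation order are assumptions made for illustration; the firewall's implicit default action is not credited, so an explicit deny with logging is required in each direction.

```python
import ipaddress

MULTICAST = ipaddress.ip_network("ff00::/8")

# Constructed sample rule set in a hypothetical vendor-neutral format.
# Assumption: rules are evaluated top-down and the first match wins.
RULES = [
    {"dir": "ingress", "action": "deny", "src": "ff00::/8", "log": True},
    {"dir": "ingress", "action": "permit", "src": "::/0", "log": False},
    {"dir": "egress", "action": "permit", "src": "2001:db8::/32", "log": False},
    {"dir": "egress", "action": "deny", "src": "ff00::/8", "log": False},
]

def split(piece, net):
    """Return (part of piece matched by net, unmatched remainder)."""
    if piece.subnet_of(net):
        return piece, []
    if net.subnet_of(piece):
        return net, list(piece.address_exclude(net))
    return None, [piece]  # CIDR blocks either nest or are disjoint

def audit(rules, direction):
    """List findings for one direction; an empty list means compliant."""
    findings, uncovered = [], [MULTICAST]
    for n, rule in enumerate(rules, 1):
        net = ipaddress.ip_network(rule["src"])
        if rule["dir"] != direction or net.version != 6:
            continue
        still = []
        for piece in uncovered:
            matched, rest = split(piece, net)
            still.extend(rest)
            if matched is None:
                continue
            if rule["action"] != "deny":
                findings.append(f"rule {n}: permits source {matched}")
            elif not rule["log"]:
                findings.append(f"rule {n}: denies {matched} without logging")
        uncovered = still  # matched space is consumed by the first hit
    findings += [f"no rule denies {p}" for p in uncovered]
    return findings

if __name__ == "__main__":
    for direction in ("ingress", "egress"):
        print(direction, audit(RULES, direction) or "compliant")
```

A broad permit placed ahead of the deny is reported as a finding even when a correct deny rule exists further down, because the multicast source range is already consumed by the earlier match.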