
The administrator must ensure that multicast groups used for source specific multicast (SSM) routing are from the specific multicast address space reserved for this purpose.


Overview

Finding ID: V-30585
Version: NET-MCAST-020
Rule ID: SV-40326r1_rule
IA Controls: ECSC-1
Severity: Low
Description
Packet origin is a concern because unauthorized sources could potentially send multicast data to a group, using any source address that is permitted. The unauthorized data could impact the integrity of the nodes receiving the data or could create a DoS condition. A receiver that subscribes to an SSM channel only receives data from the requested source. Since a channel is specific to a source, only that source can transmit on that channel. Hence, the SSM model provides more packet origin protection than ASM. To ensure that the subscriber is joining an authorized or known multicast group and source address pair, it is imperative that the group is from the reserved multicast address space as a first step measure.
STIG: Perimeter L3 Switch Security Technical Implementation Guide - Cisco
Date: 2015-04-06

Details

Check Text ( C-39204r1_chk )
IANA has reserved the address range 232.0.0.0 through 232.255.255.255 for SSM applications and protocols. However, Cisco IOS allows SSM configuration for an arbitrary subset of the IP multicast address range 224.0.0.0 through 239.255.255.255.

If IPv4 or IPv6 multicast routing is enabled, determine if IGMP version 3 or MLD version 2 is enabled for IPv4 and IPv6 respectively. If enabled, then PIM-SSM is also enabled. Hence, you must verify that only the IANA reserved SSM range of addresses is used for this implementation. The SSM address range is 232.0.0.0/8 and FF3x::/32 for IPv4 and IPv6 respectively.

Step 1: Determine if multicast routing is enabled. By default, multicast is disabled globally. The following global configuration commands will enable IPv4 and IPv6 multicast routing:

ip multicast-routing

ipv6 multicast-routing

If multicast routing is not enabled, this vulnerability is not applicable.

Step 2:

IPv4

Check the interfaces connected to multicast subscribers to determine if IGMPv3 is enabled; this is required for subscribers to join a specific source. The IPv4 interface configuration would look like one of the following:

ip igmp version 3
or
ip igmp v3lite

If IGMPv3 is not enabled for IPv4 multicast, this vulnerability is not applicable.

IPv6

MLD is automatically enabled on an interface when IPv6 PIM is enabled on an interface. With IPv6, PIM is enabled by default on all IPv6-enabled interfaces if IPv6 multicast routing is enabled on the router via the global ipv6 multicast-routing command. An interface can be disabled for PIM using the no ipv6 pim interface command. MLD can also be disabled on IPv6 PIM-enabled interfaces with the no ipv6 mld router interface command.

Following is an example of two IPv6-enabled interfaces.

interface FastEthernet0/1
ipv6 address 2001:1:0:146::/64 eui-64

interface FastEthernet0/2
ipv6 enable

MLDv2 is the default with current releases of IOS. In some releases of IOS, the ipv6 mld version command is not available. You can verify the MLD version on an interface via the show ipv6 mld interface command. If MLDv2 is not enabled for IPv6 multicast, this vulnerability is not applicable.

Step 3:

Verify that the appropriate multicast groups are used for SSM.

IPv4

The following configuration will allow all of the multicast groups 232/8 reserved for SSM:

ip pim ssm default

or

The following configuration will only allow the multicast groups in 232.4.0.0/24:

access-list 4 permit 232.4.0.0 0.0.0.255
ip pim ssm range 4

Note: If a range is configured as in the example shown above, ensure that the range is within the IANA reserved range for SSM groups.


IPv6

The following configuration will allow all of the multicast groups FF3x::/32 reserved for SSM where x is any valid scope value:

ipv6 pim ssm default

or

The following configuration will only allow multicast groups with the ff3e::1:0:0/96 range:

ipv6 access-list SSM_RANGE permit any ff3e::1:0:0/96
ipv6 pim ssm range SSM_RANGE
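As an added illustration of the three check steps, the following Python script (written for this page; it is not part of the STIG and not a Cisco tool) audits a constructed IOS running-config excerpt: it confirms that multicast routing is enabled and that IGMPv3 (IPv4) or MLDv2 (IPv6, the IOS default) makes the check applicable, then verifies that any ip pim ssm range or ipv6 pim ssm range ACL only permits groups inside 232.0.0.0/8 or FF3x::/32, accepting the default keyword as compliant. The sample configuration, the ACL names and the report format are assumptions made for the example.

```python
import ipaddress
import re

# IANA reserved SSM group space named in the check text: 232.0.0.0/8 and FF3x::/32
# (one /32 per scope nibble x).
SSM_V4 = [ipaddress.ip_network("232.0.0.0/8")]
SSM_V6 = [ipaddress.ip_network(f"ff3{x:x}::/32") for x in range(16)]

# Constructed sample running-config (not taken from the STIG page). The IPv4 SSM ACL
# sits inside 232/8; the IPv6 SSM ACL has one entry inside FF3x::/32 and one outside it.
SAMPLE_CONFIG = """\
ip multicast-routing
ipv6 multicast-routing
!
interface FastEthernet0/1
 ip igmp version 3
 ipv6 address 2001:1:0:146::/64 eui-64
!
access-list 4 permit 232.4.0.0 0.0.0.255
ip pim ssm range 4
!
ipv6 access-list SSM_RANGE
 permit any ff3e::1:0:0/96
 permit any ff0e::/16
ipv6 pim ssm range SSM_RANGE
"""


def _v4_acl_networks(stripped, acl_id):
    """Standard ACL 'permit A.B.C.D W.X.Y.Z' entries as networks (the wildcard is a hostmask)."""
    pat = re.compile(rf"^access-list {re.escape(acl_id)} permit (\S+)(?: (\S+))?$")
    nets = []
    for s in stripped:
        m = pat.match(s)
        if m:
            addr, wild = m.group(1), m.group(2) or "0.0.0.0"
            # ipaddress accepts hostmask notation; a non-contiguous wildcard raises ValueError
            nets.append(ipaddress.ip_network(f"{addr}/{wild}"))
    return nets


def _v6_acl_networks(lines, acl_name):
    """Destination prefixes permitted by a named IPv6 ACL ('permit [ipv6] any <prefix>')."""
    nets, inside = [], False
    for ln in lines:
        if ln.startswith(f"ipv6 access-list {acl_name}"):
            inside = True
            continue
        if inside and ln.startswith(" "):
            m = re.match(r"^permit (?:ipv6 )?\S+ (\S+/\d+)$", ln.strip())
            if m:
                nets.append(ipaddress.ip_network(m.group(1), strict=False))
        else:
            inside = False
    return nets


def _status(stripped, lines, family, reserved, findings):
    """Step 3 for one address family: the 'default' keyword, or an ACL confined to the reserved space."""
    prefix = "ip pim ssm" if family == "ipv4" else "ipv6 pim ssm"
    for s in stripped:
        if s == f"{prefix} default":
            return "compliant (ssm default)"
        if s.startswith(f"{prefix} range "):
            acl = s.split()[-1]
            nets = (_v4_acl_networks(stripped, acl) if family == "ipv4"
                    else _v6_acl_networks(lines, acl))
            if not nets:
                findings.append(f"{family}: SSM range ACL '{acl}' has no permit entries")
                return "finding"
            bad = [n for n in nets if not any(n.subnet_of(r) for r in reserved)]
            for n in bad:
                findings.append(f"{family}: {n} in ACL '{acl}' is outside the IANA SSM range")
            return "finding" if bad else f"compliant (acl {acl})"
    findings.append(f"{family}: no '{prefix}' statement found; SSM group range not explicitly restricted")
    return "finding"


def audit_ssm_ranges(config_text):
    """Apply the check's three steps to an IOS running-config; returns per-family status and findings."""
    lines = [ln.rstrip() for ln in config_text.splitlines()]
    stripped = [ln.strip() for ln in lines]
    report = {"ipv4": "not applicable", "ipv6": "not applicable", "findings": []}

    # Step 1: multicast routing must be enabled globally, otherwise the check does not apply.
    v4_routing = any(s.startswith("ip multicast-routing") for s in stripped)
    v6_routing = any(s.startswith("ipv6 multicast-routing") for s in stripped)

    # Step 2: IPv4 needs IGMPv3 on a subscriber-facing interface; for IPv6, MLDv2 is the IOS default.
    igmpv3 = any(s in ("ip igmp version 3", "ip igmp v3lite") for s in stripped)
    if v4_routing and igmpv3:
        report["ipv4"] = _status(stripped, lines, "ipv4", SSM_V4, report["findings"])
    if v6_routing:
        report["ipv6"] = _status(stripped, lines, "ipv6", SSM_V6, report["findings"])
    return report


if __name__ == "__main__":
    for key, value in audit_ssm_ranges(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the sample, the IPv4 side is reported compliant (ACL 4 is inside 232/8) while the IPv6 side produces one finding for ff0e::/16, which lies outside FF3x::/32. The script reads a saved copy of show running-config; it deliberately treats a missing ip pim ssm / ipv6 pim ssm statement as something to report rather than as compliance, since the check expects the range to be restricted explicitly.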

Fix Text (F-34303r1_fix)
If IGMP version 3 or MLD version 2 is enabled for IPv4 and IPv6 multicast respectively, then PIM-SSM is also enabled. Hence, you must configure the router so that only the IANA reserved SSM range of addresses can be used for this implementation. The SSM address range is 232.0.0.0/8 and FF3x::/32 for IPv4 and IPv6 respectively.