The multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-207111 | SRG-NET-000019-RTR-000005 | SV-207111r604135_rule | CCI-001414 | low |
| Description | ||||
| If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic. Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations. | ||||
| STIG | Date | |||
| Router Security Requirements Guide | 2024-05-28 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-4
1.00
- DISA · 5 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.3
1.00
- DISA · 5 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-001414
1.00
- DISA · 5 · disa_xccdf · related
Details
Check Text (C-207111r604135_chk)
Review the router configuration and verify that admin-scope multicast traffic is blocked at the external edge.
If the router is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.
Fix Text (F-7372r382227_fix)
Step 1: Configure the ACL to deny packets with multicast administratively scoped destination addresses.
Step 2: Apply the multicast boundary at the appropriate interfaces.