STIGQter: STIG Summary: HP FlexFabric Switch RTR Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 24 Jul 2020

The HP FlexFabric Switch must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic.

DISA Rule

SV-80629r1_rule

Vulnerability Number

V-66139

Group Title

SRG-NET-000019-RTR-000005

Rule Version

HFFS-RT-000026

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the appropriate boundaries to contain packets addressed within the administratively scoped zone. Defined multicast addresses are FFx4::/16, FFx5::/16, FFx8::/16, and 239.255.0.0/16.

Enable IP multicast globally:
[HP] ipv6 multicast routing

Specify the IPv6 multicast boundary on multicast-enabled interfaces:

[HP] interface gig 0/2
[HP-GigabitEthernet0/2] ipv6 multicast boundary scope 4
[HP-GigabitEthernet0/2] ipv6 multicast boundary scope 5
[HP-GigabitEthernet0/2] ipv6 multicast boundary scope 8

Specify the IPv4 multicast boundary on multicast-enabled interfaces:

[HP-GigabitEthernet0/2] multicast boundary 239.255.0.0 16

Check Contents

Review the multicast topology diagram to determine if there are any documented Admin-Local (FFx4::/16), Site-Local (FFx5::/16), or Organization-Local (FFx8::/16) multicast boundaries for IPv6 traffic or any Local-Scope (239.255.0.0/16) boundaries for IPv4 traffic.

Verify the appropriate boundaries are configured on the applicable multicast-enabled interfaces.

If appropriate multicast scope boundaries have not been configured, this is a finding.

[HP] display current-configuration interface GigabitEthernet 0/2
interface GigabitEthernet0/2
port link-mode route
description OVERSUBSCRIBE
ip address 201.6.36.1 255.255.255.0
multicast boundary 239.255.0.0 16
ipv6 multicast boundary scope 4
ipv6 multicast boundary scope 5
ipv6 multicast boundary scope 8
ipv6 address 2115:C:24::1/120
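
The check above can be run against saved `display current-configuration` output. The following Python is an added example, not part of the STIG or of HP's documentation. It assumes the list of boundary interfaces is taken from the multicast topology diagram and that `#` separates sections in the output; the sample text, including GigabitEthernet0/3, is constructed.

```python
import re

# Boundary commands from the page's Fix Recommendation.
REQUIRED = frozenset({
    "multicast boundary 239.255.0.0 16",
    "ipv6 multicast boundary scope 4",
    "ipv6 multicast boundary scope 5",
    "ipv6 multicast boundary scope 8",
})

# Constructed sample: GigabitEthernet0/2 mirrors the page's output;
# GigabitEthernet0/3 is hypothetical and lacks two of the boundaries.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 multicast boundary 239.255.0.0 16
 ipv6 multicast boundary scope 4
 ipv6 multicast boundary scope 5
 ipv6 multicast boundary scope 8
#
interface GigabitEthernet0/3
 multicast boundary 239.255.0.0 16
 ipv6 multicast boundary scope 5
"""

def parse_interfaces(config):
    """Map each interface name to the set of whitespace-normalized lines under it."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        header = re.fullmatch(r"interface (\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), set())
        elif line == "#":  # assumed section separator in the output
            current = None
        elif current is not None and line:
            current.add(line)
    return interfaces

def audit(config, boundary_interfaces, required=REQUIRED):
    """Return {interface: missing commands}; {} means no finding. An interface
    absent from the config is reported with every required command missing."""
    parsed = parse_interfaces(config)
    findings = {}
    for name in boundary_interfaces:
        missing = sorted(set(required) - parsed.get(name, set()))
        if missing:
            findings[name] = missing
    return findings
```

Pass only the interfaces and scopes the topology diagram documents as boundaries; narrow `required` when a site does not use all four scopes.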

Documentable

False

Severity Override Guidance

Review the multicast topology diagram to determine if there are any documented Admin-Local (FFx4::/16), Site-Local (FFx5::/16), or Organization-Local (FFx8::/16) multicast boundaries for IPv6 traffic or any Local-Scope (239.255.0.0/16) boundaries for IPv4 traffic.

Verify the appropriate boundaries are configured on the applicable multicast-enabled interfaces.

If appropriate multicast scope boundaries have not been configured, this is a finding.

[HP] display current-configuration interface GigabitEthernet 0/2
interface GigabitEthernet0/2
port link-mode route
description OVERSUBSCRIBE
ip address 201.6.36.1 255.255.255.0
multicast boundary 239.255.0.0 16
ipv6 multicast boundary scope 4
ipv6 multicast boundary scope 5
ipv6 multicast boundary scope 8
ipv6 address 2115:C:24::1/120

Check Content Reference

M

Target Key

2979

Comments