Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-216721 | CISC-RT-000830 | SV-216721r531086_rule | Low |
Description |
---|
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial of service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources. |
STIG | Date |
---|---|
Cisco IOS XE Router RTR Security Technical Implementation Guide | 2021-09-16 |
Check Text ( C-17954r288105_chk ) |
---|
Verify that the RP router is configured to filter PIM register messages. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. ip pim rp-address 10.1.12.3 ip pim accept-register list PIM_REGISTER_FILTER … … … ip access-list extended PIM_REGISTER_FILTER deny ip any 239.5.0.0 0.0.255.255 permit ip host 10.1.2.6 any permit ip host 10.1.2.7 any deny ip any any If the RP router peering with PIM-SM routers is not configured with a policy to block registration messages for any undesirable multicast groups and sources, this is a finding. |
Fix Text (F-17952r288106_fix) |
---|
Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. R2(config)#ip access-list extended PIM_REGISTER_FILTER R2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255 R2(config-ext-nacl)#permit ip host 10.1.2.6 any R2(config-ext-nacl)#permit ip host 10.1.2.7 any R2(config-ext-nacl)#deny ip any any R2(config-ext-nacl)#exit R2(config)#ip pim accept-register list PIM_REGISTER_FILTER R2(config)#end |