UCF STIG Viewer Logo

Protocol Independent Multicast (PIM) must be disabled on all router interfaces that are not required to support multicast routing.


Overview

Finding ID Version Rule ID IA Controls Severity
V-66365 NET2006 SV-80855r1_rule Medium
Description
PIM is a routing protocol that is used by the IP core for forwarding multicast traffic. PIM operates independent of any particular IP routing protocol but makes use of the IP unicast routing table--PIM does not keep a separate multicast routing table. The multicast tree is built by first allowing a flood of traffic from the source to every dense mode router in the network. For a brief time, unnecessary traffic is allowed. As each router receives traffic for the group, it will decide whether it has active recipients wanting to receive the multicast data. If so, the router will let the flow continue. If no hosts have registered for the multicast group, the router sends a prune message to its neighbor toward the source. That branch of the tree is then pruned off so that the unnecessary traffic does not continue. Dense mode is viewed as a "flood and prune" implementation. With PIM Sparse Mode (PIM-SM), the multicast tree is not extended to a router unless a local host has already joined the group. The multicast tree is built by beginning with group members at the end leaf nodes and extending back toward a central root point--the tree is built from the bottom up. In either case, if an interface is not going to be supporting any of the multicast traffic--that is, join a multicast tree, PIM should be disabled.
STIG Date
Network Infrastructure Policy Security Technical Implementation Guide 2017-12-07

Details

Check Text ( C-67011r1_chk )
By default, multicast is disabled globally as well as on all interfaces. Multicast routing is enabled on a router with the global command ip multicast-routing. PIM is enabled on an interface with either of the following commands: ip pim sparse-mode, ip pim dense-mode, ip pim sparse-dense-mode. If the global command ip multicast-routing is defined, review all interface configurations and verify that only the required interfaces are enabled for PIM. The following is a sample configuration with multicast routing enabled and PIM enabled on an interface.

ip multicast-routing
!
interface FastEthernet0/0
ip pim sparse-mode

If PIM is not disabled on interfaces that are not supporting multicast, this is a finding.
Fix Text (F-72441r1_fix)
The router administrator will disable PIM on all router interfaces that are not required to support multicast routing.