STIGQter: STIG Summary: Router Security Requirements Guide Version: 4 Release: 2 Benchmark Date: 23 Apr 2021:

The Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.

DISA Rule

SV-207104r604135_rule

Vulnerability Number

V-207104

Group Title

SRG-NET-000018

Rule Version

SRG-NET-000018-RTR-000008

Severity

CAT III

CCI(s)

CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Weight

Fix Recommendation

Ensure an export policy is implemented on all MSDP routers to avoid global visibility of local multicast (S, G) states.

Check Contents

Review the router configuration to determine if there is export policy to block local source-active multicast advertisements.

Verify that an outbound source-active filter is bound to each MSDP peer.

Review the access lists referenced by the source-active filters and verify that MSDP source-active messages being sent to MSDP peers do not leak advertisements that are local.

If the router is not configured with an export policy to block local source-active multicast advertisements, this is a finding.

The Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments