SV-216811r531087_rule
V-216811
SRG-NET-000019-RTR-000013
CISC-RT-000830
CAT III
10
Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below denies registration for any multicast group in 239.5.0.0/16 and permits registration only from sources 10.1.2.6 and 10.1.2.7.
RP/0/0/CPU0:R2(config)#ipv4 access-list PIM_REGISTER_FILTER
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any 239.5.0.0 0.0.255.255
RP/0/0/CPU0:R2(config-ipv4-acl)#permit ipv4 host 10.1.2.6 any
RP/0/0/CPU0:R2(config-ipv4-acl)#permit ipv4 host 10.1.2.7 any
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any any
RP/0/0/CPU0:R2(config-ipv4-acl)#exit
RP/0/0/CPU0:R2(config)#router pim
RP/0/0/CPU0:R2(config-pim)#address-family ipv4
RP/0/0/CPU0:R2(config-pim-default-ipv4)#accept-register PIM_REGISTER_FILTER
RP/0/0/CPU0:R2(config-pim-default-ipv4)#end
Verify that the RP router is configured to filter PIM register messages. The example below denies registration for any multicast group in 239.5.0.0/16 and permits registration only from sources 10.1.2.6 and 10.1.2.7.
ipv4 access-list PIM_REGISTER_FILTER
10 deny ipv4 any 239.5.0.0 0.0.255.255
20 permit ipv4 host 10.1.2.6 any
30 permit ipv4 host 10.1.2.7 any
40 deny ipv4 any any
…
…
…
router pim
address-family ipv4
rp-address 2.2.2.2
accept-register PIM_REGISTER_FILTER
If the RP router peering with PIM-SM routers is not configured with a policy to block registration messages for any undesirable multicast groups and sources, this is a finding.
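Added example, not part of the STIG text: a small Python checker that parses a constructed IOS XR running-config excerpt mirroring the check above, finds the ACL bound by accept-register, and evaluates sample (source, group) register messages with first-match ACL semantics (Cisco wildcard masks, implicit final deny). The config text and the register samples are constructed, and the function names are the example's own.

```python
import ipaddress
import re

# Constructed running-config excerpt mirroring the check text (not captured from a device).
RUNNING_CONFIG = """\
ipv4 access-list PIM_REGISTER_FILTER
 10 deny ipv4 any 239.5.0.0 0.0.255.255
 20 permit ipv4 host 10.1.2.6 any
 30 permit ipv4 host 10.1.2.7 any
 40 deny ipv4 any any
router pim
 address-family ipv4
  rp-address 2.2.2.2
  accept-register PIM_REGISTER_FILTER
"""
def _parse_spec(tokens, i):
    """Return ((address, wildcard), next_index) for 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return tuple(int(ipaddress.IPv4Address(x)) for x in tokens[i:i + 2]), i + 2
def parse_acls(config):
    """Map each 'ipv4 access-list' name to its ordered (action, src_spec, dst_spec) entries."""
    acls, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ipv4", "access-list"]:
            current, acls[t[2]] = t[2], []
        elif current and len(t) >= 4 and t[1] in ("permit", "deny"):
            src, i = _parse_spec(t, 3)          # t[0] = sequence number, t[2] = protocol
            dst, _ = _parse_spec(t, i)
            acls[current].append((t[1], src, dst))
        elif not line.startswith(" "):
            current = None                      # an unindented line ends the ACL block
    return acls
def register_filter_name(config):
    """ACL bound with 'accept-register' under router pim, or None when registers are unfiltered."""
    m = re.search(r"^\s*accept-register\s+(\S+)", config, re.MULTILINE)
    return m.group(1) if m else None
def register_allowed(acl, source, group):
    """First-match evaluation of a (source, group) register; every ACL ends in an implicit deny."""
    s, g = int(ipaddress.IPv4Address(source)), int(ipaddress.IPv4Address(group))
    def hit(ip, spec):                          # Cisco wildcard mask: 1 bits are "don't care"
        care = ~spec[1] & 0xFFFFFFFF
        return (ip & care) == (spec[0] & care)
    for action, src, dst in acl:
        if hit(s, src) and hit(g, dst):
            return action == "permit"
    return False
```

A register for 239.5.7.7 from 10.1.2.6 is refused because sequence 10 matches before the per-source permits; moving the group deny below the permits would silently widen what the RP accepts, which is why the check looks at the whole ACL rather than only at the accept-register line.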
V-216811
False
CISC-RT-000830
M
4029