Check: CACI-RT-000013
Cisco ACI Router STIG:
CACI-RT-000013
(in version v1 r0.1)
Title
The Cisco ACI multicast rendezvous point (RP) must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the designated router (DR) for any undesirable multicast groups and sources. (Cat III impact)
Discussion
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that Register messages are accepted only for authorized multicast groups and sources. Route maps can also control how RP information is distributed throughout the network: specify the BSRs or mapping agents to be listened to on each client router, and the list of candidates to be advertised (listened to) on each BSR and mapping agent, to ensure that what is advertised is what is expected.
Check Content
View the configuration to check for PIM compliance.

APIC1(config)#show running-configuration pim

Example:

ip access-list extended PIM_REGISTER_FILTER
 deny ip any 232.0.0.0 0.255.255.255
 permit ip host 10.1.2.6 any
 permit ip host 10.1.2.7 any
 deny ip any any
ip pim accept-register list PIM_REGISTER_FILTER

If the RP router peering with PIM-SM routers is not configured with a policy to block registration messages for any undesirable multicast groups and sources, this is a finding.
Fix Text
Configure an access list on the rendezvous point (RP) to explicitly deny PIM Register messages originating from specific source-group combinations, effectively blocking the propagation of those multicast streams across the network. Access this configuration through the APIC's CLI using the "accept-register" command with the desired access list applied to the RP. Specify group or group and source addresses with the match ip multicast command.

Perform the following for each interface that uses IP multicast:

1. Create an extended access list with the desired filter criteria.

   # ip access-list extended <access-list-name>
   permit ip <source-ip> <multicast-group> <optional: protocol and port>
   ... (add other allowed source-group combinations)
   deny ip any <undesirable-multicast-group>

2. Access the PIM configuration mode on the RP.

   APIC1 (config-if)# ip pim sparse-mode

3. Apply the access list.

   # accept-register <access-list-name>
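As an added illustration (not part of the STIG), the following Python models how the RP evaluates a Register for a given (source, group) pair against an extended ACL of the form shown in the Check Content (ordered first match, Cisco wildcard masks, implicit deny), and flags the CACI-RT-000013 finding when no accept-register filter is bound. The sample configuration is constructed from the page's example; in practice you would feed it the output of "show running-configuration pim".

```python
import ipaddress
import re

# Constructed sample, modelled on the Check Content example on this page.
SAMPLE_CONFIG = """
ip access-list extended PIM_REGISTER_FILTER
 deny ip any 232.0.0.0 0.255.255.255
 permit ip host 10.1.2.6 any
 permit ip host 10.1.2.7 any
 deny ip any any
ip pim accept-register list PIM_REGISTER_FILTER
"""

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard mask: 0 bits must match, so invert it to obtain a netmask.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(config, name):
    """Return the ordered (action, source_net, group_net) entries of extended ACL `name`."""
    entries, current = [], None
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
        elif current == name and len(tokens) >= 4 and tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            src, rest = _parse_addr(tokens[2:])
            grp, _ = _parse_addr(rest)
            entries.append((tokens[0], src, grp))
    return entries

def register_accepted(acl, source, group):
    """First matching entry decides; an IOS-style ACL ends with an implicit deny."""
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    return next((action == "permit" for action, sn, gn in acl if s in sn and g in gn), False)

def accept_register_list(config):
    """Name of the ACL bound with 'ip pim accept-register list', or None if the RP has no filter."""
    m = re.search(r"^\s*ip pim accept-register list (\S+)\s*$", config, re.MULTILINE)
    return m.group(1) if m else None

def is_finding(config):
    """CACI-RT-000013: a finding unless the RP applies an accept-register ACL that has entries."""
    return (name := accept_register_list(config)) is None or not parse_acl(config, name)
```

With the sample, a Register from 10.1.2.6 for 239.1.1.1 is accepted, one for the SSM range 232.0.0.0/8 is rejected by the first entry, and any other source is caught by the explicit deny.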
Additional Identifiers
Rule ID: SV-272073r1064583_rule
Vulnerability ID: V-272073
Group Title: SRG-NET-000019-RTR-000013
Expert Comments
CCIs
Number | Definition
---|---
CCI-001414 | Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies.
Controls
Number | Title
---|---
AC-4 | Information Flow Enforcement