Title

The Multicast Source Discovery Protocol (MSDP) Cisco ACI must be configured to authenticate all received MSDP packets. (Cat II impact)

Discussion

MSDP peering with customer network routers presents additional risks to the core, whether from a rogue or misconfigured MSDP-enabled router. MSDP password authentication is used to validate each segment sent on the TCP connection between MSDP peers, protecting the MSDP session against the threat of spoofed packets being injected into the TCP connection stream.

Check Content

Review the Management Access configuration to determine if received MSDP packets are authenticated: 1. Navigate to Fabric >> Fabric Policies >> Policies >> Pod >> Management Access. 2. Verify the option for "Strict Security on APIC OOB Subnet" is selected. If the router does not require MSDP authentication, this is a finding.

Fix Text

Enable the "Strict Security on APIC OOB Subnet" option within the Management Access settings on the APIC: 1. On the APIC GUI, navigate to Fabric >> Fabric Policies >> Policies >> Pod >> Management Access to find the relevant settings. 2. Select "Strict Security on APIC OOB Subnet".

Additional Identifiers

Rule ID: SV-272085r1064589_rule

Vulnerability ID: V-272085

Group Title: SRG-NET-000343-RTR-000002

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.