Check: NET2015
Network Infrastructure Policy STIG: NET2015
(in versions v10 r6 through v9 r2)
Title
The number of source-group (SG) states must be limited within the multicast topology where Any Source Multicast (ASM) is deployed. (Cat II impact)
Discussion
Any Source Multicast (ASM) can have many sources for the same groups (many-to-many). For many receivers, the path via the Rendezvous Point (RP) may not be ideal compared with the shortest path from the source to the receiver. By default, the last-hop router will initiate a switch from the shared tree to a source-specific shortest-path tree (SPT) to obtain lower latencies. This is accomplished by the last-hop router sending an (S, G) PIM Join towards S (the source). When the last-hop router begins to receive traffic for the group from the source via the SPT, it will send a PIM Prune message to the RP for the (S, G). The RP will then send a Prune message towards the source. The SPT switchover becomes a scaling issue for large multicast topologies that have many receivers and many sources for many groups because (S, G) entries require more memory than (*, G). Hence, it is imperative to minimize the amount of (S, G) state to be maintained by increasing the threshold that determines when the SPT switchover occurs.
Check Content
Review the multicast last-hop router configuration to verify that the SPT switchover threshold is increased (default is 0) or set to infinity (never switch over). The following is a PIM sparse mode last-hop router configuration example that will disable the SPT switchover for all multicast groups:

  ip multicast-routing
  ip pim spt-threshold infinity

If any multicast router is not configured to increase the SPT threshold or set it to infinity to minimize (S, G) state, this is a finding.
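As an added example (not part of the STIG text or any vendor tool), the following Python script automates this check over Cisco IOS-style running-config text. It requires `ip multicast-routing` to be present for the rule to apply, then looks for `ip pim spt-threshold {kbps | infinity} [group-list <acl>]` and reports a pass only when a global (non-group-list) statement raises the threshold above 0. The sample configurations are constructed for illustration; the interpretation that a threshold raised only via `group-list` is still a finding (because groups the ACL does not match keep the default of 0) is this example's reading of the rule, not wording from the STIG.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Cisco IOS syntax: ip pim spt-threshold {kbps | infinity} [group-list <acl>]
SPT_RE = re.compile(
    r"^\s*ip pim spt-threshold\s+(?P<value>infinity|\d+)"
    r"(?:\s+group-list\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
# The rule only applies where multicast routing is enabled.
MCAST_RE = re.compile(r"^\s*ip multicast-routing\b", re.IGNORECASE)


@dataclass
class SptResult:
    status: str   # "pass", "finding", or "not_applicable"
    detail: str


def check_spt_threshold(config: str) -> SptResult:
    """Evaluate NET2015 against one device's running-config text."""
    lines = config.splitlines()
    if not any(MCAST_RE.match(line) for line in lines):
        return SptResult("not_applicable", "ip multicast-routing is not enabled")

    global_ok = False
    scoped: List[Tuple[str, str]] = []   # (acl, value) for group-list statements
    zero: List[str] = []                 # explicit global threshold of 0

    for line in lines:
        m = SPT_RE.match(line)
        if not m:
            continue
        value, acl = m.group("value").lower(), m.group("acl")
        raised = value == "infinity" or int(value) > 0
        if acl:
            scoped.append((acl, value))
        elif raised:
            global_ok = True
        else:
            zero.append(line.strip())

    if global_ok:
        return SptResult("pass", "global SPT threshold raised above the default of 0")
    if scoped:
        acls = ", ".join(sorted({acl for acl, _ in scoped}))
        return SptResult(
            "finding",
            f"SPT threshold raised only for groups matched by group-list {acls}; "
            "all other groups keep the default threshold of 0",
        )
    if zero:
        return SptResult("finding", "SPT threshold explicitly set to 0: " + "; ".join(zero))
    return SptResult("finding", "no ip pim spt-threshold statement; default threshold of 0 applies")


# Constructed sample configurations (not from any real device).
CONFIG_COMPLIANT = """hostname lasthop-rtr
ip multicast-routing
ip pim spt-threshold infinity
interface GigabitEthernet0/0
 ip pim sparse-mode
"""

CONFIG_DEFAULT = """hostname lasthop-rtr
ip multicast-routing
interface GigabitEthernet0/0
 ip pim sparse-mode
"""

CONFIG_SCOPED = """hostname lasthop-rtr
ip multicast-routing
ip pim spt-threshold infinity group-list 10
access-list 10 permit 239.1.1.0 0.0.0.255
"""

CONFIG_NO_MCAST = """hostname edge-rtr
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

if __name__ == "__main__":
    for name, cfg in [("compliant", CONFIG_COMPLIANT), ("default", CONFIG_DEFAULT),
                      ("scoped", CONFIG_SCOPED), ("no-mcast", CONFIG_NO_MCAST)]:
        r = check_spt_threshold(cfg)
        print(f"{name:10s} {r.status:15s} {r.detail}")
```

Running the script prints one line per sample configuration; in practice you would feed it `show running-config` output saved per device and treat every `finding` status as a NET2015 hit to remediate with the Fix Text above.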
Fix Text
Configure the multicast router to increase the SPT threshold or set it to infinity to minimize (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
Additional Identifiers
Rule ID: SV-251397r853658_rule
Vulnerability ID: V-251397
Group Title: NET2015
CCIs
Number | Definition
---|---
CCI-001095 | The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
CCI-002385 | The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.
CCI-002415 | The organization employs boundary protection mechanisms to separate organization-defined information system components supporting organization-defined missions and/or business functions.