Title

Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages must be filtered to allow hosts to join only those multicast groups that have been approved by the organization. (Cat III impact)

Discussion

Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (e.g., someone doing a file download here or there), whereas multicast can have broader impact on bandwidth consumption resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups that hosts are allowed to join via IGMP (IPv4) or MLD (IPv6).

Check Content

Review the configuration of the DR to verify that it is filtering IGMP or MLD report messages allowing hosts to only join those groups that have been approved by the organization. If the DR is not filtering IGMP or MLD report messages, this is a finding. The following is a PIM sparse mode configuration example filtering specific multicast groups as defined in access-list 11 on the LAN-facing interface. ip multicast-routing ! interface FastEthernet 0/0 description link to core ip address 192.168.123.2 255.255.255.0 ip pim sparse-mode ! interface FastEthernet 0/1 description User LAN ip address 192.168.122.1 255.255.255.0 ip pim sparse-mode ip igmp access-group 11 ! access-list 11 permit 224.10.10.0 0.0.0.255 access-list 11 permit 224.11.11.0 0.0.0.255 access-list 11 permit 224.20.20.0 0.0.0.255

Fix Text

Configure the Designated Router (DR) to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) report messages to allow tenant hosts to join only those multicast groups that have been approved by the organization.

Additional Identifiers

Rule ID: SV-251395r806140_rule

Vulnerability ID: V-251395

Group Title: NET2013

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.