Check: SRG-NET-000364-RTR-000116
Router SRG:
SRG-NET-000364-RTR-000116
(in versions v4 r3 through v4 r1)
Title
The Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers. (Cat II impact)
Discussion
MSDP peering with customer network routers presents additional risks to the DISN Core, whether from a rogue or misconfigured MSDP-enabled router. To guard against an attack from malicious MSDP traffic, the receive path or interface filter for all MSDP-enabled RP routers must be configured to only accept MSDP packets from known MSDP peers.
Check Content
Review the router configuration to determine if there is a receive path or interface filter to only accept MSDP packets from known MSDP peers. If the router is not configured to only accept MSDP packets from known MSDP peers, this is a finding.
Fix Text
Ensure the receive path or interface filter for all MSDP routers only accepts MSDP packets from known MSDP peers.
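The following Python script is an added example, not part of the SRG text: it performs the review described under Check Content on an IOS-style configuration and embeds, as its compliant sample, one form the fix can take. It reads the known peers from `ip msdp peer` statements, parses the extended ACLs applied inbound on each interface, and reports an interface as a finding when TCP port 639 (the MSDP port, per RFC 3618) from a non-peer source would be permitted under first-match evaluation. Cisco IOS syntax, the ACL and interface names, and every address are assumptions constructed for illustration; receive-path ACLs and other vendors' syntax are not modelled.

```python
"""Audit an IOS-style router config against SRG-NET-000364-RTR-000116 (added example,
not part of the SRG text). Assumes Cisco IOS-style syntax ('ip msdp peer ADDR', named
extended ACLs, 'ip access-group NAME in') and MSDP on TCP 639 (RFC 3618); samples are constructed."""
import re
from typing import Dict, List, Optional, Set
MSDP_PORT = "639"

# Constructed sample showing the shape of a compliant fix: MSDP only from the known peer
COMPLIANT = """\
ip msdp peer 192.0.2.10 connect-source Loopback0
!
ip access-list extended MSDP-PEERS-IN
 remark MSDP (TCP 639) only from known MSDP peers; other traffic unchanged
 permit tcp host 192.0.2.10 any eq 639
 permit tcp host 192.0.2.10 eq 639 any
 deny tcp any any eq 639 log
 deny tcp any eq 639 any log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group MSDP-PEERS-IN in
"""

# Constructed sample: a permissive ACL on one interface, no filter at all on the other
NONCOMPLIANT = """\
ip msdp peer 192.0.2.10 connect-source Loopback0
!
ip access-list extended PERMISSIVE
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group PERMISSIVE in
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
"""

def _blocks(config: str, header: str) -> Dict[str, List[str]]:
    """Indented lines under each '<header> NAME' line, keyed by NAME (remarks dropped)."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = re.match(rf"^{header} (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current and line.startswith(" "):
            if not line.strip().startswith("remark"):
                blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks

def _addr(t: List[str], i: int):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2

def parse_entry(entry: str) -> dict:
    # 'permit|deny PROTO SRC [eq PORT] DST [eq PORT] ...' -> fields; trailing 'log' is ignored
    t = entry.split()
    src, i = _addr(t, 2)
    sport = dport = None
    if i < len(t) and t[i] == "eq":
        sport, i = t[i + 1], i + 2
    dst, i = _addr(t, i)
    if i < len(t) and t[i] == "eq":
        dport = t[i + 1]
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport, "dst": dst, "dport": dport}

def acl_permits_unknown_msdp(entries: List[str], peers: Set[str]) -> bool:
    """First-match evaluation: would TCP/639 from a non-peer source be permitted?
    Both packet shapes are tried because either MSDP peer may open the session.
    Destination addresses are not modelled; the ACL is taken to guard the router itself."""
    # an entry without 'eq' matches any port; pkt_port None stands for an ephemeral port
    port_ok = lambda entry_port, pkt_port: entry_port is None or entry_port == pkt_port
    for sport, dport in ((None, MSDP_PORT), (MSDP_PORT, None)):
        for e in map(parse_entry, entries):
            if e["proto"] not in ("ip", "tcp") or e["src"] in peers:
                continue  # other protocol, or an entry only a known peer can match
            # 'any', a wildcard range, or an unlisted host may all match an unknown source
            if port_ok(e["sport"], sport) and port_ok(e["dport"], dport):
                if e["action"] == "permit":
                    return True
                break  # an explicit deny matched first; try the other packet shape
        # reaching the end of the list is the implicit deny
    return False

def audit(config: str) -> List[str]:
    """One finding per interface whose inbound filter fails the check; [] means compliant."""
    peers = set(re.findall(r"^ip msdp peer (\S+)", config, flags=re.M))
    acls = _blocks(config, "ip access-list extended")
    findings = []
    for intf, lines in _blocks(config, "interface").items():
        applied = [ln.split()[2] for ln in lines if re.match(r"ip access-group \S+ in$", ln)]
        if not applied:
            findings.append(f"{intf}: no inbound filter, MSDP accepted from any source")
        elif acl_permits_unknown_msdp(acls.get(applied[0], []), peers):
            findings.append(f"{intf}: ACL {applied[0]} permits MSDP (TCP {MSDP_PORT}) from non-peer sources")
    return findings
```

Running `audit(COMPLIANT)` returns an empty list, while `audit(NONCOMPLIANT)` reports both interfaces: one because the permissive ACL reaches `permit ip any any` before any deny for port 639, the other because no inbound filter is applied. The evaluation is deliberately conservative: a wildcard range or a host that is not an `ip msdp peer` counts as an unknown source, so a filter that is merely narrower than `any` still produces a finding.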
Additional Identifiers
Rule ID: SV-207170r856654_rule
Vulnerability ID: V-207170
Group Title: SRG-NET-000364
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002403 | The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. |
Controls
Number | Title |
---|---|
SC-7 (11) | Restrict Incoming Communications Traffic |