Title

The RUCKUS ICX multicast Rendezvous Pointerface (RP) Router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries. (Cat III impact)

Discussion

MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first step of defense against a denial-of-service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure that router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.

Check Content

View the "show default value" output for the msdp-sa-cache value. If that number is zero, this is a finding.

Fix Text

Configure the "system-max msdp-sa-cache" value to be above zero. (Reboot may be required to take effect.) ICX(config)#system-max msdp-sa-cache 1024

Additional Identifiers

Rule ID: SV-273637r1110898_rule

Vulnerability ID: V-273637

Group Title: SRG-NET-000362-RTR-000120

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.