An error occurred:

Check: RCKS-RTR-000810

RUCKUS ICX Router STIG: RCKS-RTR-000810 (in version v1 r1)

Title

The RUCKUS ICX multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization. (Cat II impact)

Discussion

Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file download here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.

Check Content

Review the configuration of the DR to verify it is filtering IGMP or MLD report messages, allowing hosts to only join multicast groups from sources that have been approved. Note: This requirement is only applicable to Source Specific Multicast (SSM) implementation. 1. Review the configuration for an ACL that denies unauthorized groups or permits only authorized sources. The example below denies all groups from the 239.8.0.0/16 range and permit from 0.0.0.0/8: ip access-list extended IGMP_JOIN_FILTER sequence 10 deny ip any 239.8.0.0 0.0.255.255 sequence 20 permit ip 0.0.0.0 0.255.255.255 any 2. Verify all host facing interfaces are configured to filter IGMP Membership Report messages (IGMP joins) as shown in the example below: interface ethernet x/x/x ip address x.0.1.2 255.255.255.252 ip pim-sparse ip igmp version 3 ip igmp access-group IGMP_JOIN_FILTER If the DR is not filtering IGMP or MLD report messages, this is a finding.

Fix Text

Configure the DR to filter the IGMP and MLD report messages to allow hosts to join only those multicast groups from sources that have been approved. 1. Configure the Access Control List (ACL) to filter IGMP membership report messages as shown in the example below: ICX(config)#ip access-list ext IGMP_JOIN_FILTER ICX(config-std-ipacl-IGMP_JOIN_FILTER)#deny ip any 239.8.0.0/16 ICX(config-std-ipacl-IGMP_JOIN_FILTER)#permit ip 0.0.0.0/8 any 2. Apply the filter to all nonhost-facing interfaces: ICX(config)interface ethernet 1/2/1 ICX(config-if-e1000-1/2/1)#ip igmp ver 3 ICX(config-if-e1000-1/2/1)#ip addr x.x.x.x/x ICX(config-if-e1000-1/2/1)#ip igmp access-group IGMP_JOIN_FILTER

Additional Identifiers

Rule ID: SV-273648r1111070_rule

Vulnerability ID: V-273648

Group Title: SRG-NET-000364-RTR-000115

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002403

Only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-7(11)

Restrict Incoming Communications Traffic