An error occurred:

Check: RCKS-RTR-000070

RUCKUS ICX Router STIG: RCKS-RTR-000070 (in version v1 r1)

Title

The RUCKUS ICX Multicast Source Discovery Protocol router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources. (Cat III impact)

Discussion

The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources used by Protocol Independent Multicast (PIM) routers to perform RPF checks and build multicast distribution trees. MSDP is a mechanism used to connect multiple PIM sparse-mode domains, allowing RPs from different domains to share information about active sources. When RPs in peering multicast domains hear about active sources, they can pass on that information to their local receivers, thereby allowing multicast data to be forwarded between the domains. Configuring an import policy to block multicast advertisements for reserved, Martian, single-source multicast, and any other undesirable multicast groups, as well as any source-group (S, G) states with Bogon source addresses, would assist in avoiding unwanted multicast traffic from traversing the core.

Check Content

Check for SA filter on MSDP peer: ICX# show msdp peer x.x.x.x | include Input Input SA Filter:Applicable Input (S,G) route-map:MSDP_SA_filter Input RP route-map:None If any configured MSDP peer is not configured to filter undesirable multicast groups and sources, this is a finding.

Fix Text

Create access-list to filter source-active multicast advertisements for any undesirable multicast groups and sources: ip access-list extended in_MSDP_SA_filter sequence 10 deny ip any host 224.0.1.3 sequence 20 deny ip any host 224.0.1.24 sequence 30 deny ip any host 224.0.1.22 sequence 40 deny ip any host 224.0.1.2 sequence 50 deny ip any host 224.0.1.35 sequence 60 deny ip any host 224.0.1.60 sequence 70 deny ip any host 224.0.1.39 sequence 80 deny ip any host 224.0.1.40 sequence 90 deny ip any 232.0.0.0 0.255.255.255 sequence 100 deny ip any 239.0.0.0 0.255.255.255 sequence 110 deny ip 10.0.0.0 0.255.255.255 any sequence 120 deny ip 127.0.0.0 0.255.255.255 any sequence 130 deny ip 172.16.0.0 0.15.255.255 any sequence 140 deny ip 192.168.0.0 0.0.255.255 any sequence 150 permit ip any any route-map MSDP_SA_filter permit 10 match ip address in_MSDP_SA_filter router msdp msdp-peer x.x.x.x sa-filter in x.x.x.x route-map MSDP_SA_filter !

Additional Identifiers

Rule ID: SV-273575r1110884_rule

Vulnerability ID: V-273575

Group Title: SRG-NET-000018-RTR-000007

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001368

Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement