An error occurred:

Check: RCKS-RTR-000130

RUCKUS ICX Router STIG: RCKS-RTR-000130 (in version v1 r1)

Title

The RUCKUS ICX multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. (Cat II impact)

Discussion

If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security. A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. As stated in the DOD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces." Therefore, it is imperative that the network engineers have documented their multicast topology and know which interfaces are enabled for multicast. Once this is done, the zones can be scoped as required.

Check Content

Review the network's multicast topology diagram and examine the running configuration to determine whether PIM has been enabled on any unnecessary ports (disabled by default). interface ethernet 1/1/3 ip address x.95.5.1/24 ip pim-sparse If PIM is enabled on unnecessary interfaces, this is a finding.

Fix Text

Disable PIM on unnecessary ports: ICX(config)# interface ethernet 1/1/1 ICX(config-if-e1000-1/1/1)# no ip pim-sparse

Additional Identifiers

Rule ID: SV-273581r1110911_rule

Vulnerability ID: V-273581

Group Title: SRG-NET-000019-RTR-000003

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001414

Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement