STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date 24 Jan 2020: The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.

DISA Rule

SV-105981r1_rule

Vulnerability Number

V-96843

Group Title

SRG-NET-000364-RTR-000116

Rule Version

CISC-RT-000900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the interface ACLs to only accept MSDP packets from known MSDP peers.

RP/0/0/CPU0:R2(config)#ipv4 access-list EXTERNAL_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp host x.1.28.2 host x.1.28.8 eq 639
RP/0/0/CPU0:R2(config-ipv4-acl)#deny tcp any host x.1.28.8 eq 639 log
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp host x.1.28.2 host x.1.28.8 eq bgp
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp host x.1.28.2 eq bgp host x.1.28.8
RP/0/0/CPU0:R2(config-ipv4-acl)#permit pim host x.1.28.2 host x.1.28.8
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp any any established



RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any any log

Check Contents

Review the router configuration to determine if there is a receive path or interface filter to only accept MSDP packets from known MSDP peers.

Step 1: Determine which interfaces would be peering MSDP with an external router by the configured peer addresses as shown in the example below.

router msdp
peer x.14.2.1
remote-as nn
!
peer x.15.3.5
remote-as nn
!
!

Step 2: Verify that interfaces used for MSDP peering have an inbound ACL as shown in the example.

interface GigabitEthernet0/0/0/1
ipv4 address x.14.2.2 255.255.255.252
ipv4 access-group EXTERNAL_ACL_INBOUND ingress

Step 3: Verify that the ACL restricts MSDP peering to only known sources.

ipv4 access-list EXTERNAL_ACL_INBOUND
10 permit tcp host x.1.28.2 host x.1.28.8 eq 639
20 deny tcp any host x.1.28.8 eq 639 log
30 permit tcp host x.1.28.2 host x.1.28.8 eq bgp
40 permit tcp host x.1.28.2 eq bgp host x.1.28.8
50 permit pim host x.1.28.2 host x.1.28.8
60 permit tcp any any established



140 deny ipv4 any any log

Note: MSDP connections are via TCP port 639.

If the router is not configured to only accept MSDP packets from known MSDP peers, this is a finding.
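As an added example (not part of the STIG or of STIGQter), the three check steps above applied by script to a saved IOS XR running-config: it collects the MSDP peers, finds the ingress ACL on each interface, and flags any permit of TCP 639 whose source is not a known peer host. The config fragment, addresses and ASN are constructed.

```python
import re

# Constructed IOS XR fragment modelled on the STIG check text; addresses are made up.
SAMPLE_CONFIG = """router msdp
 peer 10.14.2.1
  remote-as 65001
 !
!
interface GigabitEthernet0/0/0/1
 ipv4 address 10.14.2.2 255.255.255.252
 ipv4 access-group EXTERNAL_ACL_INBOUND ingress
!
ipv4 access-list EXTERNAL_ACL_INBOUND
 10 permit tcp host 10.14.2.1 host 10.14.2.2 eq 639
 20 deny tcp any host 10.14.2.2 eq 639 log
 140 deny ipv4 any any log
!
"""

def sections(cfg, header):
    """Yield (header groups..., body) for each column-0 block whose header matches."""
    for m in re.finditer(rf"^{header}\n((?: .*\n)*)", cfg, re.M):
        yield m.groups()

def audit_msdp_acl(cfg):
    """Steps 1-3 of the check; returns a list of findings (empty = compliant)."""
    peers = set()
    for (body,) in sections(cfg, "router msdp"):            # Step 1: known peers
        peers |= set(re.findall(r"^\s+peer (\S+)", body, re.M))
    if not peers:
        return []                                           # no MSDP: not applicable
    acls = {name: body.split("\n") for name, body in sections(cfg, r"ipv4 access-list (\S+)")}
    ingress = {}
    for intf, body in sections(cfg, r"interface (\S+)"):    # Step 2: ingress ACL
        m = re.search(r"ipv4 access-group (\S+) ingress", body)
        if m:
            ingress[intf] = m.group(1)
    findings = [] if ingress else ["no interface applies an ingress ACL"]
    for intf, name in ingress.items():                      # Step 3: ACL content
        for rule in acls.get(name, []):
            tok = rule.split()
            if tok and tok[0].isdigit():
                tok = tok[1:]                               # drop sequence number
            if not tok or tok[0] != "permit" or "639" not in tok:
                continue                                    # only MSDP permits matter
            src = tok[3] if tok[2] == "host" else tok[2]    # host X, any, or prefix
            if src not in peers:
                findings.append(f"{intf}/{name}: permits TCP 639 from {src}")
    return findings
```

An empty list means the MSDP permits are restricted to configured peers; a config without `router msdp` is reported as compliant because the requirement does not apply.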

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

3481

Comments