STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.

DISA Rule

SV-216730r531086_rule

Vulnerability Number

V-216730

Group Title

SRG-NET-000018-RTR-000007

Rule Version

CISC-RT-000920

Severity

CAT III

CCI(s)

CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Weight

Fix Recommendation

Configure the MSDP router to filter received source-active multicast advertisements for any undesirable multicast groups and sources as shown in the example below:

R8(config)#ip access-list extended INBOUND_MSDP_SA_FILTER
R8(config-ext-nacl)#deny ip any host 224.0.1.3 ! Rwhod
R8(config-ext-nacl)#deny ip any host 224.0.1.24 ! Microsoft-ds
R8(config-ext-nacl)#deny ip any host 224.0.1.22 ! SVRLOC
R8(config-ext-nacl)#deny ip any host 224.0.1.2 ! SGI-Dogfight
R8(config-ext-nacl)#deny ip any host 224.0.1.35 ! SVRLOC-DA
R8(config-ext-nacl)#deny ip any host 224.0.1.60 ! hp-device-disc
R8(config-ext-nacl)#deny ip any host 224.0.1.39 ! Auto-RP
R8(config-ext-nacl)#deny ip any host 224.0.1.40 ! Auto-RP
R8(config-ext-nacl)#deny ip any 232.0.0.0 0.255.255.255 ! SSM range
R8(config-ext-nacl)#deny ip any 239.0.0.0 0.255.255.255 ! Admin scoped range
R8(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any ! RFC 1918 address range
R8(config-ext-nacl)#deny ip 127.0.0.0 0.255.255.255 any ! RFC 1918 address range
R8(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any ! RFC 1918 address range
R8(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any ! RFC 1918 address range
R8(config-ext-nacl)#permit ip any any
R8(config-ext-nacl)#exit
R8(config)#ip msdp sa-filter in x.1.28.2 list INBOUND_MSDP_SA_FILTER

Check Contents

Review the router configuration to determine if there is import policy to block source-active multicast advertisements for any undesirable multicast groups, as well as any (S, G) states with undesirable source addresses.

Step 1: Verify that an inbound source-active filter is bound to each MSDP peer.

ip msdp peer x.1.28.2 remote-as 2
ip msdp sa-filter in x.1.28.2 list INBOUND_MSDP_SA_FILTER

Step 2: Review the access lists referenced by the source-active filter to verify that undesirable multicast groups, auto-RP, single source multicast (SSM) groups, and advertisements from undesirable sources are blocked.

ip access-list extended INBOUND_MSDP_SA_FILTER
deny ip any host 224.0.1.3
deny ip any host 224.0.1.24
deny ip any host 224.0.1.22
deny ip any host 224.0.1.2
deny ip any host 224.0.1.35
deny ip any host 224.0.1.60
deny ip any host 224.0.1.39
deny ip any host 224.0.1.40
deny ip any 232.0.0.0 0.255.255.255
deny ip any 239.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any

If the router is not configured with an import policy to filter undesirable SA multicast advertisements, this is a finding.

The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments