STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.

DISA Rule

SV-216820r531087_rule

Vulnerability Number

V-216820

Group Title

SRG-NET-000018-RTR-000007

Rule Version

CISC-RT-000920

Severity

CAT III

CCI(s)

CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Weight

Fix Recommendation

Configure the MSDP router to filter received source-active multicast advertisements for any undesirable multicast groups and sources as shown in the example below.

RP/0/0/CPU0:R2(config)#ipv4 access-list INBOUND_MSDP_SA_FILTER
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip any host 224.0.1.3
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.24
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.22
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.2
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.35
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.60
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.39
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any host 224.0.1.40
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any 232.0.0.0 0.255.255.255
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 any 239.0.0.0 0.255.255.255
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 10.0.0.0 0.255.255.255 any
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 127.0.0.0 0.255.255.255 any
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 172.16.0.0 0.15.255.255 any
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ipv4 192.168.0.0 0.0.255.255 any
RP/0/0/CPU0:R2(config-ipv4-acl)#permit ipv4 any any
RP/0/0/CPU0:R2(config-ipv4-acl)#exit
RP/0/0/CPU0:R2(config)#router msdp
RP/0/0/CPU0:R2(config-msdp)#sa-filter in list INBOUND_MSDP_SA_FILTER
RP/0/0/CPU0:R2(config-msdp)#end

Check Contents

Review the router configuration to determine if there is import policy to block source-active multicast advertisements for any undesirable multicast groups, as well as any (S, G) states with undesirable source addresses.

Step 1: Verify that an inbound source-active filter is bound to each MSDP peer.

router msdp
sa-filter in list INBOUND_MSDP_SA_FILTER

Step 2: Review the access lists referenced by the source-active filter to verify that undesirable multicast groups, auto-RP, single source multicast (SSM) groups, and advertisements from undesirable sources are blocked.

ipv4 access-list INBOUND_MSDP_SA_FILTER
10 deny ipv4 any host 224.0.1.3
20 deny ipv4 any host 224.0.1.24
30 deny ipv4 any host 224.0.1.22
40 deny ipv4 any host 224.0.1.2
50 deny ipv4 any host 224.0.1.35
60 deny ipv4 any host 224.0.1.60
70 deny ipv4 any host 224.0.1.39
80 deny ipv4 any host 224.0.1.40
90 deny ipv4 any 232.0.0.0 0.255.255.255
100 deny ipv4 any 239.0.0.0 0.255.255.255
110 deny ipv4 10.0.0.0 0.255.255.255 any
120 deny ipv4 127.0.0.0 0.255.255.255 any
130 deny ipv4 172.16.0.0 0.15.255.255 any
140 deny ipv4 192.168.0.0 0.0.255.255 any
150 permit ipv4 any any

If the router is not configured with an import policy to filter undesirable SA multicast advertisements, this is a finding.

The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments