STIGQter: STIG Summary: Network Infrastructure Policy Security Technical Implementation Guide, Version 9, Release 10, Benchmark Date: 24 Jan 2020

Protocol Independent Multicast (PIM) register messages received from a downstream multicast Designated Router (DR) must be filtered for any reserved or other undesirable multicast groups.

DISA Rule

SV-80863r1_rule

Vulnerability Number

V-66373

Group Title

NET2010

Rule Version

NET2010

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure RP routers to filter PIM register messages received from a tenant multicast DR for any reserved or any other undesirable multicast groups.

Check Contents

Verify that the RP router is configured to filter PIM register messages using the ip pim accept-register global command as shown in the example below. This command can reference either an ACL or a route-map to identify and prevent unauthorized sources or groups from registering with the RP.

ip pim accept-register list PIM_REGISTER_FILTER
!
ip access-list extended PIM_REGISTER_FILTER
deny ip any 224.0.0.0 0.0.0.255
deny ip 0.0.0.0 0.255.255.255 any
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 7.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
...
...
...
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 223.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 224.255.255.255 any
permit ip any any

If the RP router peering with customer PIM-SM routers is not configured with a PIM import policy to block registration messages for reserved multicast groups, this is a finding.
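As an added illustration of what the check above verifies (not code from the STIG or from STIGQter), this Python script locates the ACL referenced by `ip pim accept-register list` in an IOS-style running-config excerpt, and evaluates sample (source, group) registrations against it the way the RP would, with a final implicit deny. The config excerpt and the test addresses are constructed for the example; it assumes the list form of the command and contiguous wildcard masks (a route-map form would need separate review).

```python
import ipaddress, re

# Constructed running-config excerpt for the sample run; it is not the STIG's full ACL.
SAMPLE_CONFIG = """ip pim accept-register list PIM_REGISTER_FILTER
!
ip access-list extended PIM_REGISTER_FILTER
 deny ip any 224.0.0.0 0.0.0.255
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
"""
# (source, group, accepted?): a link-local group and RFC 1918 sources must be refused,
# while a legitimate registration from a public source must still be accepted.
EXPECTED = [("203.0.113.10", "224.0.0.5", False), ("10.1.1.1", "239.1.1.1", False),
            ("192.168.5.5", "239.1.1.1", False), ("203.0.113.10", "239.1.1.1", True)]

def _parse_addr(tokens):
    # One ACE address spec: 'any' or 'A WILDCARD'. ipaddress reads a contiguous IOS wildcard as a hostmask.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def load_register_filter(config):
    """Return (acl_name, [(action, source_net, group_net), ...]) or None if no list-based filter is set."""
    m = re.search(r"^ip pim accept-register list (\S+)", config, re.M)
    if not m:
        return None
    # IOS indents the ACEs of a named ACL by one space; the block ends at the first unindented line.
    body = re.search(rf"^ip access-list extended {re.escape(m[1])}\n((?: .*\n?)+)", config, re.M)
    rules = []
    for line in (body[1].splitlines() if body else []):
        tokens = line.split()
        if tokens and tokens[0] in ("permit", "deny"):
            src, rest = _parse_addr(tokens[2:])  # tokens[1] is the protocol ('ip')
            rules.append((tokens[0], src, _parse_addr(rest)[0]))
    return m[1], rules

def register_accepted(rules, source, group):
    """Evaluate the ACL as accept-register does: source = encapsulated sender, group = destination."""
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    for action, src_net, grp_net in rules:
        if s in src_net and g in grp_net:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def audit(config):
    """Return findings for this STIG check; an empty list means the RP passes for the tested registrations."""
    loaded = load_register_filter(config)
    if loaded is None:
        return ["no 'ip pim accept-register list <ACL>' configured on the RP"]
    return [f"register {s} -> {g} would be {'refused' if ok else 'accepted'}"
            for s, g, ok in EXPECTED if register_accepted(loaded[1], s, g) != ok]
```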

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

838

Comments