Rule ID
SV-273591r1110892_rule
Version
V1R1
CCIs
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups.
Check Text
Check the PIM sparse Join/Prune policy configuration for the required filters:

ICX# show ip pim jp
Vrf Instance : default-vrf
---------------------------
(RP,G) JP policy
---------
(RP,G) JP policy count: 1
RP-Address     ACL Name            (RP,G) Join Drops    (RP,G) Prune Drops
10.1.1.1       FILTER_PIM_JOINS    0                    0

(*,G) and (S,G) JP policy
---------
ACL Name                (*,G) Join Drops   (*,G) Prune Drops   (S,G) Join Drops   (S,G) Prune Drops
EXT_FILTER_PIM_JOINS    0                  0                   0                  0

If the RP is not configured to filter PIM register messages, this is a finding.
Fix Text
Note: Standard ACLs can only be applied to specific RPs. Extended ACLs must be used when applying to any RP.

Configure a filter for PIM Join messages and apply it to PIM:

ICX(config)# ip access-list standard FILTER_PIM_JOINS
ICX(config-std-ipacl-FILTER_PIM_JOINS)# deny 239.8.0.0/16
ICX(config-std-ipacl-FILTER_PIM_JOINS)# exit
ICX(config)# router pim
ICX(config-pim-router)# jp-policy 10.1.1.1 FILTER_PIM_JOINS
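The check above is a manual read of "show ip pim jp". As an added example (not part of the STIG and not RUCKUS code), the following Python parses that output into the two policy tables and decides whether the finding applies for a given RP address. It assumes the column layout shown in the check text, and it treats either a per-RP (RP,G) policy or an extended (*,G)/(S,G) policy as satisfying the requirement, following the note that extended ACLs apply to any RP. The two sample outputs embedded below are constructed for the example; the second one models a device with no JP policy at all.

```python
"""Parse RUCKUS ICX `show ip pim jp` output and flag missing Join/Prune filters.

Added example for the STIG check; the output format is assumed from the sample
in the check text, not from vendor documentation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RpPolicy:
    """One row of the (RP,G) JP policy table."""
    rp: str
    acl: str
    join_drops: int
    prune_drops: int


@dataclass
class ExtPolicy:
    """One row of the (*,G) and (S,G) JP policy table (extended ACL, any RP)."""
    acl: str
    star_g_join_drops: int
    star_g_prune_drops: int
    s_g_join_drops: int
    s_g_prune_drops: int


@dataclass
class JpPolicies:
    rp_policies: List[RpPolicy]
    ext_policies: List[ExtPolicy]


# Data rows: an IPv4 RP, an ACL name and two counters; or an ACL name and four counters.
# Header rows ("RP-Address ACL Name ...") do not match because the counters are missing.
_RP_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")
_EXT_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_pim_jp(output: str) -> JpPolicies:
    """Split the show output into its (RP,G) and (*,G)/(S,G) policy tables."""
    rp_policies: List[RpPolicy] = []
    ext_policies: List[ExtPolicy] = []
    section: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("(RP,G) JP policy"):
            section = "rp"          # also matches the "... policy count: N" line; harmless
            continue
        if line.startswith("(*,G) and (S,G) JP policy"):
            section = "ext"
            continue
        if section == "rp":
            m = _RP_ROW.match(line)
            if m:
                rp_policies.append(RpPolicy(m.group(1), m.group(2),
                                            int(m.group(3)), int(m.group(4))))
        elif section == "ext":
            m = _EXT_ROW.match(line)
            if m:
                ext_policies.append(ExtPolicy(m.group(1), *(int(g) for g in m.groups()[1:])))
    return JpPolicies(rp_policies, ext_policies)


def is_finding(output: str, rp_address: Optional[str] = None) -> bool:
    """True when no JP filter covers the RP, i.e. the STIG check fails.

    An extended (*,G)/(S,G) policy applies to any RP, so its presence clears the
    check. Otherwise a per-RP policy must exist for rp_address (or for any RP
    when rp_address is None).
    """
    pol = parse_pim_jp(output)
    if pol.ext_policies:
        return False
    if rp_address is None:
        return not pol.rp_policies
    return not any(p.rp == rp_address for p in pol.rp_policies)


# Constructed sample: mirrors the compliant output shown in the check text.
SAMPLE_COMPLIANT = """\
ICX# show ip pim jp
Vrf Instance : default-vrf
---------------------------
(RP,G) JP policy
---------
(RP,G) JP policy count: 1
RP-Address     ACL Name            (RP,G) Join Drops    (RP,G) Prune Drops
10.1.1.1       FILTER_PIM_JOINS    0                    0

(*,G) and (S,G) JP policy
---------
ACL Name                (*,G) Join Drops   (*,G) Prune Drops   (S,G) Join Drops   (S,G) Prune Drops
EXT_FILTER_PIM_JOINS    0                  0                   0                  0
"""

# Constructed sample: assumed shape of the output when no jp-policy is configured.
SAMPLE_NO_POLICY = """\
ICX# show ip pim jp
Vrf Instance : default-vrf
---------------------------
(RP,G) JP policy
---------
(RP,G) JP policy count: 0
RP-Address     ACL Name            (RP,G) Join Drops    (RP,G) Prune Drops

(*,G) and (S,G) JP policy
---------
ACL Name                (*,G) Join Drops   (*,G) Prune Drops   (S,G) Join Drops   (S,G) Prune Drops
"""

if __name__ == "__main__":
    for name, text in (("compliant", SAMPLE_COMPLIANT), ("no-policy", SAMPLE_NO_POLICY)):
        print(name, "-> finding" if is_finding(text, "10.1.1.1") else "-> not a finding")
```

The drop counters are parsed as well so the same data can be trended: a filter whose join-drop counter climbs steadily is evidence that unauthorized joins are actually arriving, which is worth an alert rather than a compliance tick.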