Rule ID
SV-273590r1110891_rule
Version
V1R1
CCIs
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.
Check configuration for presence of accept-register filter for PIM:

ICX# show ip pim sparse
Global PIM Sparse Mode Settings
  Maximum Mcache            : 12288
  Current Count             : 0
  Hello interval            : 30
  Neighbor timeout          : 105
  Join/Prune interval       : 60
  Inactivity interval       : 180
  Hardware Drop Enabled     : Yes
  Prune Wait Interval       : 3
  Bootstrap Msg interval    : 60
  Candidate-RP Msg interval : 60
  Register Suppress Time    : 60
  Register Probe Time       : 10
  Register Stop Delay       : 10
  SPT Threshold             : 1
  SSM Enabled               : No
  Register Rate Limit       : 1 pps
  Register Filter           : PIM_REG_FILTER
  Route Precedence          : uc-non-default uc-default mc-non-default mc-default
  Join/Prune Policy         : No
  Slow Path Disable All     : No
  Slow Path Enable SSM      : No
  Slow Path Filter Acl      : None

If the RP router peering with PIM-SM routers is not configured with a policy to block registration messages for any undesirable multicast groups and sources, this is a finding.
Configure a PIM register filter (an extended ACL that denies unwanted groups, permits only the authorized sources, and ends with an explicit deny) and apply it to the PIM configuration with accept-register:

ICX(config)#ip access ext PIM_REG_FILTER
ICX(config-ext-ipacl-PIM_REG_FILTER)#deny ip any 239.5.0.0/16
ICX(config-ext-ipacl-PIM_REG_FILTER)#permit ip host 10.1.2.6 any
ICX(config-ext-ipacl-PIM_REG_FILTER)#permit ip host x.1.2.7 any
ICX(config-ext-ipacl-PIM_REG_FILTER)#deny ip any any
ICX(config-ext-ipacl-PIM_REG_FILTER)#exit
ICX(config)#router pim
ICX(config-pim-router)#rp-address x.1.1.1
ICX(config-pim-router)#accept-register PIM_REG_FILTER
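The check and fix above can be applied offline to captured device output, which is useful when auditing many RPs. The following Python script is an added example, not part of the STIG text or any RUCKUS tooling: it parses the `Register Filter` field from `show ip pim sparse` output, locates the referenced ACL in a running-config fragment, and flags the conditions the fix text guards against (no filter bound, ACL undefined, a blanket `permit ip any any`, or no trailing `deny ip any any`). The sample outputs are constructed from the field names on this page; the `ip access-list extended` running-config form and the 10.x addresses are assumptions.

```python
import re

# Constructed sample of `show ip pim sparse` output; field names follow the
# STIG check text, values are illustrative (only the relevant rows are kept).
SHOW_PIM_SPARSE_COMPLIANT = """\
Global PIM Sparse Mode Settings
  Maximum Mcache            : 12288
  Current Count             : 0
  Register Rate Limit       : 1 pps
  Register Filter           : PIM_REG_FILTER
  Route Precedence          : uc-non-default uc-default mc-non-default mc-default
  Join/Prune Policy         : No
"""

SHOW_PIM_SPARSE_NONCOMPLIANT = """\
Global PIM Sparse Mode Settings
  Register Rate Limit       : 1 pps
  Register Filter           : None
"""

# Constructed running-config fragments. The header form `ip access-list extended`
# and the 10.x addresses are assumptions; the ACL body mirrors the fix text.
RUNNING_CONFIG_HARDENED = """\
ip access-list extended PIM_REG_FILTER
 deny ip any 239.5.0.0/16
 permit ip host 10.1.2.6 any
 permit ip host 10.1.2.7 any
 deny ip any any
!
router pim
 rp-address 10.1.1.1
 accept-register PIM_REG_FILTER
!
"""

# Weak variant: a blanket permit and no explicit final deny.
RUNNING_CONFIG_WEAK = """\
ip access-list extended PIM_REG_FILTER
 deny ip any 239.5.0.0/16
 permit ip any any
!
router pim
 rp-address 10.1.1.1
 accept-register PIM_REG_FILTER
!
"""

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")


def parse_pim_settings(output):
    """Turn the 'Key : Value' rows of `show ip pim sparse` into a dict."""
    settings = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def register_filter_name(output):
    """Name of the ACL bound via accept-register, or None when unset/'None'."""
    value = parse_pim_settings(output).get("Register Filter")
    if value is None or value.lower() == "none":
        return None
    return value


def parse_extended_acl(config, name):
    """Return [(action, rest), ...] for the named extended ACL, in order."""
    entries, in_acl = [], False
    for line in config.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            in_acl = m.group(1) == name
            continue
        if not in_acl:
            continue
        stripped = line.strip()
        if not stripped.startswith(("permit", "deny")):
            in_acl = False  # '!' or another stanza ends the ACL body
            continue
        action, _, rest = stripped.partition(" ")
        entries.append((action, rest))
    return entries


def evaluate(output, config):
    """Apply the STIG check; an empty list means no finding."""
    name = register_filter_name(output)
    if name is None:
        return ["Register Filter is None: no accept-register policy under router pim"]
    entries = parse_extended_acl(config, name)
    if not entries:
        return [f"ACL {name} referenced by accept-register is not defined"]
    findings = []
    if any(a == "permit" and r.split() == ["ip", "any", "any"] for a, r in entries):
        findings.append(f"ACL {name} permits registers from any source to any group")
    last_action, last_rest = entries[-1]
    if not (last_action == "deny" and last_rest.split() == ["ip", "any", "any"]):
        findings.append(f"ACL {name} does not end with an explicit 'deny ip any any'")
    return findings


if __name__ == "__main__":
    for label, out, cfg in [
        ("hardened", SHOW_PIM_SPARSE_COMPLIANT, RUNNING_CONFIG_HARDENED),
        ("weak ACL", SHOW_PIM_SPARSE_COMPLIANT, RUNNING_CONFIG_WEAK),
        ("no filter", SHOW_PIM_SPARSE_NONCOMPLIANT, RUNNING_CONFIG_HARDENED),
    ]:
        print(label, "->", evaluate(out, cfg) or "compliant")
```

The explicit trailing `deny ip any any` is required here because the fix text includes it, which keeps the audit result independent of the platform's implicit-deny behaviour. Feed the script real captures by replacing the constructed strings with the contents of `show ip pim sparse` and `show running-config` saved from the RP.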