|Customer networks that do not maintain a multicast domain and only require the IP multicast service will be required to stand up a PIM-SM router that will be incorporated into the JIE shared tree structure by establishing a peering session with an RP router. Both of these implementations expose several risks that must be mitigated to provide a secure IP core network. All RP routers that are peering with customer PIM-SM routers must implement a PIM import policy to block multicast join requests for reserved or any other undesirable multicast groups.|
|Network Infrastructure Policy Security Technical Implementation Guide||2016-12-22|
|Check Text ( C-67023r1_chk )|
|Verify that the RP router is configured to filter PIM join messages for any reserved multicast groups using the ip pim accept-rp global command as shown in the example below. The ip pim accept-rp global command causes the router to accept only (*, G) join messages destined for the specified RP address as allowed by the referenced access-list.|
ip pim accept-rp 10.10.2.1 PIM_JOIN_FILTER
ip access-list standard PIM_JOIN_FILTER
deny 184.108.40.206 255.255.255.252
deny 220.127.116.11 0.255.255.255
Note: IOS 12.4T extends the ip multicast-routing command with a group-range or access-list argument that can be used to filter multicast control (PIM, IGMP) and data packets for unauthorized groups.
If the RP router peering with customer PIM-SM routers is not configured with a PIM import policy to block join messages for reserved and any undesirable multicast groups, this is a finding.
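As an added illustration of this check (not part of the STIG or any vendor tool), the Python script below parses an IOS-style configuration, finds the ip pim accept-rp statement and the standard ACL it references, and evaluates that ACL first-match against one probe address from each reserved group range, so a missing filter or a too-permissive ACL is reported as a finding. The sample configurations, the probe addresses and the hypothetical function names are constructed assumptions.

```python
import re
from ipaddress import IPv4Address
# One probe address per reserved range the join ACL must deny: 224.0.0.0/24
# (local network control, RFC 5771) and 239.0.0.0/8 (admin-scoped, RFC 2365).
PROBE_GROUPS = {"224.0.0.0/24": "224.0.0.5", "239.0.0.0/8": "239.255.1.1"}

def parse_ios_config(text):
    # Returns ([(rp, acl_name)], {acl_name: [(action, addr_int, wildcard_int)]})
    accept_rps, acls, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip pim accept-rp (\S+)(?: (\S+))?$", line):
            accept_rps.append((m.group(1), m.group(2)))
        elif m := re.match(r"ip access-list standard (\S+)$", line):
            current = acls.setdefault(m.group(1), [])
        elif (m := re.match(r"(permit|deny) (\S+)(?: (\S+))?$", line)) and current is not None:
            addr, wc = m.group(2), m.group(3) or "0.0.0.0"
            if addr == "any":
                addr, wc = "0.0.0.0", "255.255.255.255"
            current.append((m.group(1), int(IPv4Address(addr)), int(IPv4Address(wc))))
        elif not raw.startswith(" "):
            current = None  # any other top-level line ends the ACL block
    return accept_rps, acls

def acl_action(entries, ip):
    # First-match evaluation, ending with the implicit deny of every IOS ACL.
    n = int(IPv4Address(ip))
    for action, addr, wc in entries:
        mask = ~wc & 0xFFFFFFFF  # a set wildcard bit means "don't care"
        if n & mask == addr & mask:
            return action
    return "deny"
def check_pim_join_filter(config_text):
    # Returns a list of findings; an empty list means reserved-group joins are filtered.
    accept_rps, acls = parse_ios_config(config_text)
    if not accept_rps:
        return ["no 'ip pim accept-rp': (*, G) joins accepted for any RP and group"]
    findings = []
    for rp, acl in accept_rps:
        if acl not in acls:  # no ACL argument given, or ACL never defined
            findings.append(f"accept-rp {rp}: join ACL {acl} missing")
            continue
        for rng, probe in PROBE_GROUPS.items():
            if acl_action(acls[acl], probe) == "permit":
                findings.append(f"ACL {acl} permits joins for reserved range {rng}")
    return findings
# Constructed sample configs (not from the STIG): an RP with no join filter, then hardened.
WEAK_CONFIG = "ip multicast-routing\nip pim rp-address 10.10.2.1\n"
HARDENED_CONFIG = WEAK_CONFIG + ("ip pim accept-rp 10.10.2.1 PIM_JOIN_FILTER\nip access-list standard PIM_JOIN_FILTER\n"
    " deny 224.0.0.0 0.0.0.255\n deny 239.0.0.0 0.255.255.255\n permit any\n")
```

Running check_pim_join_filter on WEAK_CONFIG yields one finding and on HARDENED_CONFIG none; the probe approach only tests representative addresses, so an ACL that denies a narrower range than the probe hits would still pass and the ACL should be read in full during the review.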
|Fix Text (F-72451r1_fix)|
|RP routers that are peering with customer PIM-SM routers must implement a PIM import policy to block join messages for reserved and any undesirable multicast groups.|