UCF STIG Viewer Logo

Protocol Independent Multicast (PIM) join messages received from a downstream multicast Designated Routers (DR) must be filtered for any reserved or any other undesirable multicast groups.


Overview

Finding ID Version Rule ID IA Controls Severity
V-251393 NET2011 SV-251393r806134_rule Low
Description
Customer networks that do not maintain a multicast domain and only require the IP multicast service will be required to stand up a PIM-SM router that will be incorporated into the JIE shared tree structure by establishing a peering session with an RP router. Both of these implementations expose several risks that must be mitigated to provide a secure IP core network. All RP routers that are peering with customer PIM-SM routers must implement a PIM import policy to block multicast join requests for reserved or any other undesirable multicast groups.
STIG Date
Network Infrastructure Policy Security Technical Implementation Guide 2021-11-22

Details

Check Text ( C-54828r806132_chk )
Verify that the RP router is configured to filter PIM join messages for any reserved multicast groups using the ip pim accept-rp global command as shown in the example below. The ip pim accept-rp global command causes the router to accept only (*, G) join messages destined for the specified RP address as allowed by the referenced access-list.

ip pim accept-rp 10.10.2.1 PIM_JOIN_FILTER
!
ip access-list standard PIM_JOIN_FILTER
deny 224.0.1.2
deny 224.0.1.3
deny 224.0.1.8
deny 224.0.1.22
deny 224.0.1.24
deny 224.0.1.25
...
...
...
deny 225.1.2.3
deny 229.55.150.208
deny 234.42.42.42 255.255.255.252
deny 239.0.0.0 0.255.255.255
permit any

Note: IOS 12.4T extends the ip multicast-routing command with a group-range or access-list argument that can be used to filter multicast control (PIM, IGMP) and data packets for unauthorized groups.

If the RP router peering with customer PIM-SM routers is not configured with a PIM import policy to block join messages for reserved and any undesirable multicast groups, this is a finding.
Fix Text (F-54781r806133_fix)
RP routers that are peering with customer PIM-SM routers must implement a PIM import policy to block join messages for reserved and any undesirable multicast groups.