The multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-207119 | SRG-NET-000019-RTR-000014 | SV-207119r604135_rule | CCI-001414 | low |

Description: Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups.

| STIG | Date |
|---|---|
| Router Security Requirements Guide | 2024-05-28 |
Details
Check Text (C-207119r604135_chk)
Verify that the RP router is configured to filter PIM register messages.
Note: An alternative is to configure all designated routers to filter IGMP Membership Report (a.k.a. join) messages received from hosts.
If the RP router peering with PIM-SM routers is not configured with a PIM import policy to block registration messages for any undesirable multicast groups and Bogon sources, this is a finding.
Fix Text (F-7380r382251_fix)
RP routers that are peering with customer PIM-SM routers must implement a PIM import policy to block join messages for reserved and any undesirable multicast groups.
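The following audit script is an added example and is not part of the SRG text. It assumes a Cisco IOS-style configuration in which the RP filters PIM Register messages with `ip pim accept-register list <ACL>` backed by an extended named ACL; the group ranges and Bogon sources it expects to see denied are an assumed sample for illustration, not the authoritative list for any organization. The three embedded configurations are constructed inputs, not captured from a real device.

```python
"""Audit helper for the PIM register-filter check above (V-207119).

Added example: assumes a Cisco IOS-style RP configuration. It locates the
'ip pim accept-register list' statement, parses the referenced extended
ACL, and confirms that registers for an assumed sample of undesirable
groups and Bogon sources would hit a deny entry before any permit.
"""
import ipaddress
import re

# Assumed sample of groups and sources the accept-register ACL must deny
# explicitly; the real list comes from the organization's multicast policy.
REQUIRED_DENIED_GROUPS = [
    ipaddress.ip_network("224.0.0.0/24"),  # link-local control groups
    ipaddress.ip_network("239.0.0.0/8"),   # administratively scoped groups
]
REQUIRED_DENIED_SOURCES = [
    ipaddress.ip_network("0.0.0.0/8"),     # "this network" Bogon
    ipaddress.ip_network("127.0.0.0/8"),   # loopback Bogon
]

# Constructed sample configurations (not from a real device).
COMPLIANT_RP_CONFIG = """\
ip access-list extended PIM-REGISTER-FILTER
 deny ip any 224.0.0.0 0.0.0.255
 deny ip any 239.0.0.0 0.255.255.255
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any 224.0.0.0 15.255.255.255
!
ip pim rp-address 192.0.2.1
ip pim accept-register list PIM-REGISTER-FILTER
"""
MISSING_FILTER_CONFIG = "ip pim rp-address 192.0.2.1\n"
PERMISSIVE_RP_CONFIG = """\
ip access-list extended PIM-REGISTER-FILTER
 permit ip any 224.0.0.0 15.255.255.255
!
ip pim accept-register list PIM-REGISTER-FILTER
"""


def wildcard_to_prefix(wildcard):
    """Convert an IOS wildcard mask (0.0.0.255) to a prefix length (24)."""
    bits = int(ipaddress.ip_address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard} not supported")
    return 32 - bits.bit_length()


def _take_address(tokens):
    """Consume one ACL address specifier (any | host X | X wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    prefix = wildcard_to_prefix(tokens.pop(0))
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(action, source_net, group_net), ...]} for extended ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^ip access-list extended (\S+)$", line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        if current is None or not line.startswith(" "):
            current = None  # any non-indented line ends the ACL body
            continue
        entry = re.match(r"^\s+(permit|deny) ip (.+)$", line)
        if entry:
            tokens = entry.group(2).split()
            src = _take_address(tokens)
            dst = _take_address(tokens)
            acls[current].append((entry.group(1), src, dst))
    return acls


def first_match(entries, source, group):
    """Action of the first entry covering (source, group); implicit deny otherwise."""
    for action, src, dst in entries:
        if source.subnet_of(src) and group.subnet_of(dst):
            return action
    return "deny"


def audit_rp_config(config):
    """Return a list of finding strings; an empty list means the check passes."""
    ref = re.search(r"^ip pim accept-register list (\S+)$", config, re.M)
    if not ref:
        return ["no 'ip pim accept-register list' configured on the RP"]
    acl_name = ref.group(1)
    entries = parse_acls(config).get(acl_name)
    if entries is None:
        return [f"accept-register ACL {acl_name} is referenced but not defined"]
    probe_source = ipaddress.ip_network("192.0.2.10/32")  # constructed legitimate source
    probe_group = ipaddress.ip_network("224.1.1.1/32")    # constructed legitimate group
    findings = []
    for group in REQUIRED_DENIED_GROUPS:
        if first_match(entries, probe_source, group) != "deny":
            findings.append(f"ACL {acl_name} does not deny registers for group {group}")
    for source in REQUIRED_DENIED_SOURCES:
        if first_match(entries, source, probe_group) != "deny":
            findings.append(f"ACL {acl_name} does not deny registers from Bogon source {source}")
    return findings


if __name__ == "__main__":
    for name, cfg in [("compliant", COMPLIANT_RP_CONFIG),
                      ("missing filter", MISSING_FILTER_CONFIG),
                      ("permissive", PERMISSIVE_RP_CONFIG)]:
        print(name, "->", audit_rp_config(cfg) or "no findings")
```

The script evaluates the ACL the way the router does, first matching entry wins, so a deny placed after a broad `permit ip any 224.0.0.0 15.255.255.255` is correctly reported as ineffective. Feeding it a `show running-config` export for each RP gives a repeatable way to record the evidence the check text asks for.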