CISC-RT-000790 - The Cisco multicast switch must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.

Information

If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security.

A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap, while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be 'convex from a routing perspective'; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands.

As stated in the DoD IPv6 IA Guidance for MO3, 'One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some switches and passing through some switches to include only some of their interfaces.' Therefore, it is imperative that the network engineers have documented their multicast topology and know which interfaces are enabled for multicast. Once this is done, the zones can be scoped as required.

Solution

Document all enabled interfaces for PIM in the network's multicast topology diagram. Disable support for PIM on interfaces that are not required to support it.

SW1(config)#int g1/1
SW1(config-if)#no ip pim sparse-mode

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_Switch_Y24M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|II, CCI|CCI-001414, Rule-ID|SV-220461r622190_rule, STIG-ID|CISC-RT-000790, STIG-Legacy|SV-110777, STIG-Legacy|V-101673, Vuln-ID|V-220461

Plugin: Cisco

Control ID: 6211867e317bf9017e9ce39dcec890c07936afd6ff2ad779e0d755d151f7dd30