CISC-RT-000820 - The Cisco multicast Rendezvous Point (RP) switch must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.

Information

MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP switches to peer with MSDP switches. As a first step of defense against a denial-of-service (DoS) attack, all RP switches must limit the multicast forwarding cache to ensure that switch resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.

Solution

The risk associated with this requirement can be fully mitigated by configuring the switch to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers.

Step 1: Configure the switch to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources x.1.2.6 and x.1.2.7.

SW1(config)#ip access-list extended PIM_REGISTER_FILTER
SW1(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255
SW1(config-ext-nacl)#permit ip host x.1.2.6 any
SW1(config-ext-nacl)#permit ip host x.1.2.7 any
SW1(config-ext-nacl)#deny ip any any
SW1(config-ext-nacl)#exit
SW1(config)#ip pim accept-register list PIM_REGISTER_FILTER
SW1(config)#end

Step 2: Configure the RP to rate limit the number of multicast register messages.

SW1(config)#ip pim register-rate-limit nn

Step 3: Configure the receive path or interface ACLs to only accept MSDP packets from known MSDP peers.

SW1(config)#ip access-list extended EXTERNAL_ACL_INBOUND
SW1(config-ext-nacl)#permit tcp any any established
SW1(config-ext-nacl)#permit tcp host x.1.28.2 host x.1.28.8 eq 639
SW1(config-ext-nacl)#deny tcp any host x.1.28.8 eq 639
SW1(config-ext-nacl)#permit tcp host x.1.28.2 host x.1.28.8 eq bgp
SW1(config-ext-nacl)#permit tcp host x.1.28.2 eq bgp host x.1.28.8
SW1(config-ext-nacl)#permit pim host x.1.28.2 host x.1.28.8
...
...
...
SW1(config-ext-nacl)#deny ip any any

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XE_Switch_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|III, CCI|CCI-002385, Rule-ID|SV-221056r863379_rule, STIG-ID|CISC-RT-000820, STIG-Legacy|SV-110933, STIG-Legacy|V-101829, Vuln-ID|V-221056

Plugin: Cisco

Control ID: b247b2c0cdea1b09b83f5405b23b815735490f60ba566705992ed4176915e990