The Dell OS10 multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.

Severity: low
Group ID: V-269866
Group Title: SRG-NET-000019-RTR-000014
Version: OS10-RTR-000230
Rule ID: SV-269866r1051983_rule
Date: 2024-12-11
STIG Version: 1
Description
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups.
ℹ️ Check
Verify the RP router is configured to filter PIM join messages for any undesirable multicast groups.

!
interface vlan100
 no shutdown
 ip pim sparse-mode
 ip pim join-filter PIM_JOINFILTER
!
ip access-list PIM_JOINFILTER
 seq 10 permit ip 10.10.10.0/24 226.1.1.0/24
 seq 20 permit ip any 225.1.1.0/24

If the RP is not configured to filter join messages received from the DR for any undesirable multicast groups, this is a finding.
✔️ Fix
Configure the RP to filter PIM join messages for any undesirable multicast groups.

Step 1: Configure an ACL that identifies which groups are allowed to join.

OS10(config)# ip access-list PIM_JOINFILTER
OS10(config-ipv4-acl)# permit ip 10.10.10.0/24 226.1.1.0/24
OS10(config-ipv4-acl)# permit ip any 225.1.1.0/24

Step 2: Configure a PIM join filter on the PIM interfaces.

OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip pim join-filter PIM_JOINFILTER

NOTES:
* Dell Technologies recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using the command in that scenario can disrupt the PIM-SM source registration process, resulting in excessive traffic being sent to the CPU of both the RP and the PIM DR of the source. The excessive traffic is generated when the join process from the RP back to the source is blocked due to a new source group being permitted in the join-filter. This leaves the new source stuck in the registering state on the DR and causes continuous generation of UDP-encapsulated Register messages between the DR and RP routers, which are sent to the CPU.
* Do not configure a PIM join-filter on a source-connected interface (IIF) on a first hop router (FHR) node. Applying a PIM join-filter with the rule "deny ip any any" might block creation of the (S,G) entries.
* A join filter applies to both incoming and outgoing joins. There is no option to specify in or out parameters when configuring a join filter.
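An added example, not part of the STIG or any Dell tooling: a Python audit that reads a constructed OS10 running-config modelled on the Check above and reports PIM sparse-mode interfaces with no join-filter, a join-filter that references a missing ACL, and an ACL that permits any group. The sample config text and the parsing assumption (child lines indented by one space under `interface` and `ip access-list` blocks) are assumptions, not a guaranteed match to real `show running-configuration` output.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the Check text (not captured from a device).
# vlan100 is compliant; ethernet 1/1/2 runs PIM without a join-filter.
SAMPLE_CONFIG = """\
!
interface vlan100
 no shutdown
 ip pim sparse-mode
 ip pim join-filter PIM_JOINFILTER
!
interface ethernet 1/1/2
 no shutdown
 ip pim sparse-mode
!
ip access-list PIM_JOINFILTER
 seq 10 permit ip 10.10.10.0/24 226.1.1.0/24
 seq 20 permit ip any 225.1.1.0/24
!
"""

def parse_blocks(config: str) -> List[List[str]]:
    """Split the config into top-level blocks: [header, child, child, ...]."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):      # assumed: unindented = new block
            if current:
                blocks.append(current)
            current = [line.strip()]
        else:
            current.append(line.strip())
    if current:
        blocks.append(current)
    return blocks

def audit_pim_join_filters(config: str) -> List[str]:
    """Return findings for PIM interfaces; an empty list means the check passes."""
    acls: Dict[str, List[str]] = {}
    pim_ifaces: Dict[str, str] = {}   # interface name -> join-filter ACL (or "")
    for block in parse_blocks(config):
        head, body = block[0], block[1:]
        if head.startswith("ip access-list "):
            acls[head.split()[-1]] = body
        elif head.startswith("interface ") and "ip pim sparse-mode" in body:
            jf = [ln for ln in body if ln.startswith("ip pim join-filter ")]
            pim_ifaces[head[len("interface "):]] = jf[0].split()[-1] if jf else ""
    findings: List[str] = []
    for iface, acl in pim_ifaces.items():
        if not acl:
            findings.append(f"{iface}: PIM enabled but no join-filter applied")
        elif acl not in acls:
            findings.append(f"{iface}: join-filter {acl} references a missing ACL")
        elif any(re.search(r"\bpermit ip any any\b", e) for e in acls[acl]):
            findings.append(f"{iface}: join-filter {acl} permits any group")
    return findings
```

Feed it the text of `show running-configuration`; every finding corresponds to the "this is a finding" condition of the Check or to an ACL that would not actually restrict groups.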