DISA STIGS Viewer

The RUCKUS Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.

Overview

Finding ID: V-273626
Version: RCKS-RTR-000590
Rule ID: SV-273626r1110933_rule
IA Controls:
Severity: Medium

Description
MSDP peering with customer network routers presents additional risks to the core, whether from a rogue or misconfigured MSDP-enabled router. MSDP password authentication is used to validate each segment sent on the TCP connection between MSDP peers, protecting the MSDP session against the threat of spoofed packets being injected into the TCP connection stream.

STIG: RUCKUS ICX Router Security Technical Implementation Guide
Date: 2025-06-03

Details

Check Text (C-77717r1109898_chk)
Review the running configuration to determine whether MSDP peers are configured for authentication.

ICX(config-msdp-router)# msdp-peer x.x.x.x connect-source loopback 1
ICX(config-msdp-router)# msdp-peer x.x.x.x connect-source loopback 1 ao chain1

If MSDP peers are not configured for authentication, this is a finding.

Fix Text (F-77622r1109899_fix)
Configure a TCP keychain and apply it to the MSDP peer(s):

ICX(config)# keychain mykeychain
ICX(config-keychain-mykeychain)# key 1
ICX(config-keychain-mykeychain-key-1)# authentication-algorithm hmac-sha-256
ICX(config-keychain-mykeychain-key-1)# password pw_for_mykeychain
ICX(config-keychain-mykeychain-key-1)# send-id 1
ICX(config-keychain-mykeychain-key-1)# recv-id 1
ICX(config-keychain-mykeychain-key-1)# accept-lifetime start 03-05-24 10:10:10 end 15552000
ICX(config-keychain-mykeychain-key-1)# send-lifetime start xx-xx-xx xx:xx:xx end xx-xx-xx xx:xx:xx

ICX(config-keychain-mykeychain-key-1)# router msdp

ICX(config-msdp-router)# msdp-peer x.x.x.x connect-source loopback 1 ao mykeychain
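
The check above can be automated against a saved running configuration. The following is an added example, not part of the STIG or of RUCKUS tooling: it assumes the running configuration echoes the `keychain` and `msdp-peer ... ao <keychain>` commands shown above without the CLI prompt, and the sample configuration and peer addresses are constructed. It goes slightly beyond the check text by also flagging a peer that references a keychain that is not defined.

```python
import re

# Constructed running-config excerpt (assumption: the saved configuration
# mirrors the commands in the check and fix text, minus the CLI prompt).
SAMPLE_CONFIG = """\
keychain mykeychain
 key 1
  authentication-algorithm hmac-sha-256
  send-id 1
  recv-id 1
!
router msdp
 msdp-peer 192.0.2.1 connect-source loopback 1 ao mykeychain
 msdp-peer 192.0.2.2 connect-source loopback 1
 msdp-peer 192.0.2.3 connect-source loopback 1 ao chain1
!
"""

PEER_RE = re.compile(r"^\s*msdp-peer\s+(\S+)(.*)$")   # peer address + options
AO_RE = re.compile(r"\bao\s+(\S+)")                   # "ao <keychain-name>"
KEYCHAIN_RE = re.compile(r"^keychain\s+(\S+)\s*$")    # top-level keychain block


def audit_msdp_peers(config_text):
    """Return (peer, reason) tuples for every MSDP peer that is a finding."""
    lines = config_text.splitlines()
    # Names of all keychains defined in the configuration.
    keychains = {m.group(1) for line in lines if (m := KEYCHAIN_RE.match(line))}
    findings = []
    for line in lines:
        peer = PEER_RE.match(line)
        if not peer:
            continue
        address, options = peer.groups()
        ao = AO_RE.search(options)
        if ao is None:
            # Peer has no authentication option at all: the STIG finding.
            findings.append((address, "no ao keychain on peer"))
        elif ao.group(1) not in keychains:
            # Peer points at a keychain that does not exist in this config.
            findings.append((address, f"keychain {ao.group(1)} not defined"))
    return findings


if __name__ == "__main__":
    for address, reason in audit_msdp_peers(SAMPLE_CONFIG):
        print(f"FINDING V-273626: msdp-peer {address}: {reason}")
```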