Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-253980 | JUEX-RT-000080 | SV-253980r843973_rule | Low |
Description |
---|
To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to another domain, such as multicast sources with private address, administratively scoped multicast addresses, and the auto-RP groups (224.0.1.39 and 224.0.1.40). Allowing a multicast distribution tree, local to the core, to extend beyond its boundary could enable local multicast traffic to leak into other autonomous systems and customer networks. |
STIG | Date |
---|---|
Juniper EX Series Switches Router Security Technical Implementation Guide | 2023-03-23 |
Check Text ( C-57432r843971_chk ) |
---|
Review the router configuration to determine if there is export policy to block local source-active multicast advertisements. Verify that an outbound source-active filter is bound to each MSDP peer. [edit protocols msdp] peer { export source-active-filter; } Review the policy-statement referenced by the source-active filters and verify that MSDP source-active messages being sent to MSDP peers do not leak advertisements that are local. [edit policy-options] policy-statement source-active-filter { term unauth-groups { from { route-filter 224.0.1.2/32 exact; route-filter 224.0.2.2/32 exact; } then reject; } term unauth-sources { from { source-address-filter 10.0.0.0/8 orlonger; source-address-filter 127.0.0.0/8 orlonger; } then reject; } } If the router is not configured with an export policy to block local source-active multicast advertisements, this is a finding. |
Fix Text (F-57383r843972_fix) |
---|
Ensure an export policy is implemented on all MSDP routers to avoid global visibility of local multicast (S, G) states. set protocols msdp peer export source-active-filter set policy-options policy-statement source-active-filter term unauth-groups from route-filter 224.0.1.2/32 exact set policy-options policy-statement source-active-filter term unauth-groups from route-filter 224.0.2.2/32 exact set policy-options policy-statement source-active-filter term unauth-groups then reject set policy-options policy-statement source-active-filter term unauth-sources from source-address-filter 10.0.0.0/8 orlonger set policy-options policy-statement source-active-filter term unauth-sources from source-address-filter 127.0.0.0/8 orlonger set policy-options policy-statement source-active-filter term unauth-sources then reject |