The Juniper router configured for MSDP must limit the amount of source-active messages it accepts on per-peer basis.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-253981	JUEX-RT-000090	SV-253981r843976_rule		Low

Description
To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.

STIG	Date
Juniper EX Series Switches Router Security Technical Implementation Guide	2023-03-23

Details

Check Text ( C-57433r843974_chk )
Review the router configuration to determine if it is configured to limit the amount of source-active messages it accepts on a per-peer basis. [edit protocols] msdp { active-source-limit { maximum <1..1000000>; threshold <1..1000000>; log-warning ; } local-address ; peer { active-source-limit { maximum <1..1000000>; threshold <1..1000000>; log-warning ; } authentication-key "hashed PSK"; ## SECRET-DATA } } Note: Both the global, and the peer limit, are applied to every MSDP peer, and Junos applies the most restrictive limit. The maximum value sets the upper limit for source-active messages and the threshold value determines when Junos begins Random Early Detection (RED) dropping to alleviate congestion. The log-warning value is a percent where Junos begins generating syslog messages. If the router is not configured to limit the source-active messages it accepts, this is a finding.

Check Text ( C-57433r843974_chk )

Review the router configuration to determine if it is configured to limit the amount of source-active messages it accepts on a per-peer basis.

[edit protocols]
msdp {
active-source-limit {
maximum <1..1000000>;
threshold <1..1000000>;
log-warning ;
}
local-address ;

peer

{
active-source-limit {
maximum <1..1000000>;
threshold <1..1000000>;
log-warning ;
}
authentication-key "hashed PSK"; ## SECRET-DATA
}
}
Note: Both the global, and the peer limit, are applied to every MSDP peer, and Junos applies the most restrictive limit. The maximum value sets the upper limit for source-active messages and the threshold value determines when Junos begins Random Early Detection (RED) dropping to alleviate congestion. The log-warning value is a percent where Junos begins generating syslog messages.

If the router is not configured to limit the source-active messages it accepts, this is a finding.

Fix Text (F-57384r843975_fix)
Configure the MSDP router to limit the amount of source-active messages it accepts from each peer. set protocols msdp active-source-limit maximum <1..1000000> set protocols msdp active-source-limit threshold <1..1000000> set protocols msdp active-source-limit log-warning set protocols msdp peer active-source-limit maximum <1..1000000> set protocols msdp peer active-source-limit threshold <1..1000000> set protocols msdp peer active-source-limit log-warning

Fix Text (F-57384r843975_fix)

Configure the MSDP router to limit the amount of source-active messages it accepts from each peer.

set protocols msdp active-source-limit maximum <1..1000000>
set protocols msdp active-source-limit threshold <1..1000000>
set protocols msdp active-source-limit log-warning

set protocols msdp peer

active-source-limit maximum <1..1000000>
set protocols msdp peer

active-source-limit threshold <1..1000000>
set protocols msdp peer

active-source-limit log-warning