UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups.


Overview

Finding ID Version Rule ID IA Controls Severity
V-253995 JUEX-RT-000230 SV-253995r844018_rule Low
Description
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups.
STIG Date
Juniper EX Series Switches Router Security Technical Implementation Guide 2023-03-23

Details

Check Text ( C-57447r844016_chk )
Verify that the RP router is configured to filter PIM register messages.
[edit policy-options]
policy-statement {
term filter_groups {
from {
route-filter / orlonger;
route-filter / exact;

}
then reject;
}
term filter_sources {
from {
source-address-filter /32 exact;
source-address-filter / orlonger;

}
then reject;
}
term accept_others {
then accept;
}
}
[edit protocols]
pim {
mode sparse;
import ;
}

Note: Alternative is to verify all designated routers are filtering IGMP Membership Report (a.k.a., join) messages received from hosts.

If the RP router peering with PIM-SM routers is not configured with a PIM import policy to block registration messages for any undesirable multicast groups and Bogon sources, this is a finding.
Fix Text (F-57398r844017_fix)
RP routers that are peering with customer PIM-SM routers must implement a PIM import policy to block join messages for reserved and any undesirable multicast groups.

set policy-options policy-statement term filter_groups from route-filter /
set policy-options policy-statement term filter_groups from route-filter /
set policy-options policy-statement term filter_groups then reject

set policy-options policy-statement term filter_source from source-address-filter /
set policy-options policy-statement term filter_source from source-address-filter /
set policy-options policy-statement term filter_source then reject

set policy-options policy-statement term accept_others then accept

set protocols pim import