The Juniper multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-90951	JUNI-RT-000800	SV-101161r1_rule		Low

Description
If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic. Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations.

Description

If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic. Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations.

STIG	Date
Juniper Router RTR Security Technical Implementation Guide	2018-11-15

Details

Check Text ( C-90215r1_chk )
Review the multicast topology diagram to determine if there are any documented Local -Scope (239.255.0.0/16) or Organization-Scope (239.192.0.0/14) boundaries. Verify the boundaries have been enforced as shown in the configuration example below. routing-options { … … … multicast { scope LOCAL_SCOPE { prefix 239.255.0.0/16; interface [ge-1/0/1.0 ge-1/1/1.0]; } scope ORGANIZATION_SCOPE { prefix 239.192.0.0/14; interface ge-2/0/1.0; } } } If the appropriate boundaries are not configured on applicable multicast-enabled interfaces, this is a finding.

Check Text ( C-90215r1_chk )

Review the multicast topology diagram to determine if there are any documented Local -Scope (239.255.0.0/16) or Organization-Scope (239.192.0.0/14) boundaries. Verify the boundaries have been enforced as shown in the configuration example below.

routing-options {
…
…
…
multicast {
scope LOCAL_SCOPE {
prefix 239.255.0.0/16;
interface [ge-1/0/1.0 ge-1/1/1.0];
}
scope ORGANIZATION_SCOPE {
prefix 239.192.0.0/14;
interface ge-2/0/1.0;
}
}
}

If the appropriate boundaries are not configured on applicable multicast-enabled interfaces, this is a finding.

Fix Text (F-97259r2_fix)
Configure the appropriate boundaries to contain packets addressed within the administratively scoped zone as shown in the example below. [edit routing-options] set multicast scope LOCAL_SCOPE interface ge-1/0/1.0 prefix 239.255.0.0/16 set multicast scope LOCAL_SCOPE interface ge-1/0/1.0 prefix 239.255.0.0/16 set multicast scope ORGANIZATION_SCOPE interface ge-2/0/1.0 prefix 239.192.0.0/14