The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Juniper router (DR) for any undesirable multicast groups and sources.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-90957	JUNI-RT-000830	SV-101167r1_rule		Low

Description
Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that join messages are only accepted for authorized multicast groups and sources.

STIG	Date
Juniper Router RTR Security Technical Implementation Guide	2018-11-15

Details

Check Text ( C-90221r1_chk )
Review the RP router configuration to determine if it filters PIM join messages for any reserved multicast groups. Verify that a PIM import statement has been configured as shown in the example below. protocols { … … … } pim { import MULTICAST_JOIN_POLICY; Verify that the join policy has defined both bad multicast groups and sources as shown in the example below. policy-options { … … … } policy-statement MULTICAST_JOIN_POLICY { term BAD_SOURCES { from { source-address-filter x.x.x.x/32 exact; source-address-filter x.x.x.x/24 orlonger; } then reject; } term BAD_GROUPS { from { route-filter 224.1.1.0/24 orlonger; route-filter 225.1.2.3/32 exact; route-filter 239.0.0.0/8 orlonger; … … … route-filter 232.0.0.0/8 orlonger; } then reject; } term ALLOW_OTHER { then accept; } } If the RP router is not configured with a PIM import policy to block join messages for any undesirable multicast groups and sources, this is a finding.

Check Text ( C-90221r1_chk )

Review the RP router configuration to determine if it filters PIM join messages for any reserved multicast groups.

Verify that a PIM import statement has been configured as shown in the example below.

protocols {
…
…
…
}
pim {
import MULTICAST_JOIN_POLICY;

Verify that the join policy has defined both bad multicast groups and sources as shown in the example below.

policy-options {
…
…
…
}
policy-statement MULTICAST_JOIN_POLICY {
term BAD_SOURCES {
from {
source-address-filter x.x.x.x/32 exact;
source-address-filter x.x.x.x/24 orlonger;
}
then reject;
}
term BAD_GROUPS {
from {
route-filter 224.1.1.0/24 orlonger;
route-filter 225.1.2.3/32 exact;
route-filter 239.0.0.0/8 orlonger;
…
…
…
route-filter 232.0.0.0/8 orlonger;
}
then reject;
}
term ALLOW_OTHER {
then accept;
}
}

If the RP router is not configured with a PIM import policy to block join messages for any undesirable multicast groups and sources, this is a finding.

Fix Text (F-97265r2_fix)
RP routers must implement a PIM import policy to block join messages for any undesirable multicast groups and sources. Configure a multicast join policy to filter bad groups and sources as shown in the example below. [edit policy-options policy-statement MULTICAST_JOIN_POLICY] set term BAD_SOURCES from source-address-filter x.x.x.x/32 exact set term BAD_SOURCES from source-address-filter x.x.x.x/24 orlonger set term BAD_GROUPS from route-filter 224.1.1.0/24 orlonger set term BAD_GROUPS from route-filter 225.1.2.3/32 exact set term BAD_GROUPS from route-filter 239.0.0.0/8 orlonger set term BAD_GROUPS then reject set term ALLOW_OTHER then accept Configure PIM to enable the join policy as shown in the example below. [edit protocols pim] set import MULTICAST_JOIN_POLICY

Fix Text (F-97265r2_fix)

RP routers must implement a PIM import policy to block join messages for any undesirable multicast groups and sources.

Configure a multicast join policy to filter bad groups and sources as shown in the example below.

[edit policy-options policy-statement MULTICAST_JOIN_POLICY]
set term BAD_SOURCES from source-address-filter x.x.x.x/32 exact
set term BAD_SOURCES from source-address-filter x.x.x.x/24 orlonger
set term BAD_GROUPS from route-filter 224.1.1.0/24 orlonger
set term BAD_GROUPS from route-filter 225.1.2.3/32 exact
set term BAD_GROUPS from route-filter 239.0.0.0/8 orlonger
set term BAD_GROUPS then reject
set term ALLOW_OTHER then accept

Configure PIM to enable the join policy as shown in the example below.

[edit protocols pim]
set import MULTICAST_JOIN_POLICY