The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on per-peer basis.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-90977 | JUNI-RT-000930 | SV-101187r1_rule | Low |
| Description |
|---|
| To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer. |
| STIG | Date |
|---|---|
| Juniper Router RTR Security Technical Implementation Guide | 2018-11-15 |
Details
| Check Text ( C-90241r2_chk ) |
|---|
| Review the router configuration to determine if it is configured to limit the amount of source-active messages it accepts on a per-peer basis. protocols { … … … } msdp { export SA_EXPORT; import SA_IMPORT; group AS25 { peer x.x.x.x { active-source-limit { maximum nnn; } If the router is not configured to limit the source-active messages it accepts, this is a finding. |
| Fix Text (F-97285r2_fix) |
|---|
| Configure the router to limit the amount of source-active messages it accepts from each peer. [edit protocols msdp group AS25 peer x.x.x.x] set active-source-limit maximum nnn |