Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-217085 | JUNI-RT-000810 | SV-217085r639663_rule | | Low |
Description |
---|
MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first step of defense against a denial-of-service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure that router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries. |
STIG | Date |
---|---|
Juniper Router RTR Security Technical Implementation Guide | 2021-02-11 |
Check Text ( C-18314r297123_chk ) |
---|
Review the router configuration to determine if forwarding cache thresholds are defined as shown in the example below. |

```
routing-options {
    multicast {
        …
        …
        …
        forwarding-cache {
            threshold {
                suppress 5000;
                reuse 4000;
            }
        }
    }
}
```

If the RP router is not configured to limit the multicast forwarding cache to ensure that its resources are not saturated, this is a finding.
Fix Text (F-18312r297124_fix) |
---|
Configure the router to limit the multicast forwarding cache for source-active entries. |

```
[edit routing-options multicast]
set forwarding-cache threshold suppress 5000 reuse 4000
```
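The check above can be automated against a saved configuration. The following is an added example, not part of the STIG or any Juniper tool: a small parser for Junos brace-style configuration text (the `parse_junos` and `check_forwarding_cache` names are hypothetical) that walks to `routing-options` > `multicast` > `forwarding-cache` > `threshold` and reports a finding when the stanza or either value is absent, or when reuse is not below suppress as Junos requires.

```python
def parse_junos(text):
    """Parse Junos curly-brace configuration into nested dicts; leaf statements
    such as "suppress 5000;" become key -> value strings. Comments are dropped."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop '#' comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                  # open a new stanza
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":                       # close the current stanza
            stack.pop()
        elif line.endswith(";"):                # leaf statement
            parts = line[:-1].split(None, 1)
            stack[-1][parts[0]] = parts[1] if len(parts) > 1 else True
    return root

def check_forwarding_cache(config_text):
    """Return (compliant, reason) for JUNI-RT-000810. Junos requires reuse < suppress."""
    node = parse_junos(config_text)
    for key in ("routing-options", "multicast", "forwarding-cache", "threshold"):
        node = node.get(key)
        if not isinstance(node, dict):
            return False, f"no '{key}' stanza: forwarding cache is not limited"
    suppress, reuse = node.get("suppress"), node.get("reuse")
    if suppress is None or reuse is None:
        return False, "threshold must set both suppress and reuse"
    if int(reuse) >= int(suppress):
        return False, "reuse must be lower than suppress"
    return True, f"forwarding cache limited: suppress {suppress}, reuse {reuse}"

# Constructed sample configurations, not taken from a real device.
COMPLIANT = """routing-options {
    multicast {
        forwarding-cache {
            threshold {
                suppress 5000;
                reuse 4000;
            }
        }
    }
}"""
NONCOMPLIANT = "routing-options {\n    multicast {\n    }\n}"   # threshold absent

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        print(name, *check_forwarding_cache(cfg))
```

Feed it the output of `show configuration` saved to a file to audit several RP routers at once.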