UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper multicast edge router must be configured to establish boundaries for administratively scoped multicast traffic.


Overview

Finding ID Version Rule ID IA Controls Severity
V-217084 JUNI-RT-000800 SV-217084r604135_rule Low
Description
If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Administrative scoped multicast traffic must not cross the enclave perimeter in either direction. Restricting multicast traffic makes it more difficult for a malicious user to access sensitive traffic. Admin-Local scope is encouraged for any multicast traffic within a network intended for network management, as well as for control plane traffic that must reach beyond link-local destinations.
STIG Date
Juniper Router RTR Security Technical Implementation Guide 2024-06-12

Details

Check Text ( C-18313r297120_chk )
Review the router configuration to verify it is blocking admin-scope multicast traffic (239.0.0.0/8) at the multicast domain edge as shown in the example below:

routing-options {



multicast {
scope ADMIN_SCOPE {
prefix 239.0.0.0/8;
interface [ ge-1/0/1.0 ge-1/1/1.0 ];
}
}
}

If the router is not configured to block admin-scoped multicast traffic at the multicast domain edge, this is a finding.
Fix Text (F-18311r297121_fix)
Configure the router to block admin-scoped multicast traffic at the multicast domain edge as shown in the example below:

[edit routing-options]
set multicast scope ADMINL_SCOPE interface ge-1/0/1.0 prefix 239.0.0.0/8
set multicast scope ADMINL_SCOPE interface ge-1/1/1.0 prefix 239.0.0.0/8