An error occurred:

Check: JUEX-RT-000890

Juniper EX Series Switches Router STIG: JUEX-RT-000890 (in versions v1 r3 through v1 r1)

Title

The Juniper MPLS router must be configured to use its loopback address as the source address for LDP peering sessions. (Cat III impact)

Discussion

Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of backbone routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of from a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.

Check Content

Review the router configuration to determine if it uses its loopback address as the source address for LDP peering sessions. Verify that a loopback address has been configured as shown in the following example: [edit interfaces] lo0 { unit 0 { family inet { address <IPv4 address>/32; } family inet6 { address <IPv6 address>/128; } } } An MPLS router will use the LDP router ID as the source address for LDP hellos and when establishing TCP sessions with LDP peers; hence, it is necessary to verify that the LDP router ID is the same as the loopback address. By default, routers will assign the LDP router ID using the highest IP address on the router, with preference given to loopback addresses. If the router-id command is specified that overrides this default behavior, verify that it is the IP address of the designated loopback interface. [edit routing-options] router-id <lo0 address>; If the router is not configured do use its loopback address for LDP peering, this is a finding.

Fix Text

Configure MPLS routers to use their loopback address as the source address for LDP peering sessions. set interfaces lo0 unit 0 family inet <IPv4 address>/32 set interfaces lo0 unit 0 family inet6 <IPv6 address>/128 set routing-options router-id <lo0 address>

Additional Identifiers

Rule ID: SV-254061r844216_rule

Vulnerability ID: V-254061

Group Title: SRG-NET-000512-RTR-000002

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings