An error occurred:

Check: JUEX-RT-000090

Juniper EX Series Switches Router STIG: JUEX-RT-000090 (in versions v1 r3 through v1 r1)

Title

The Juniper router configured for MSDP must limit the amount of source-active messages it accepts on per-peer basis. (Cat III impact)

Discussion

To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.

Check Content

Review the router configuration to determine if it is configured to limit the amount of source-active messages it accepts on a per-peer basis. [edit protocols] msdp { active-source-limit { maximum <1..1000000>; threshold <1..1000000>; log-warning <percent to log warning>; } local-address <lo0 address>; <additional configuration> peer <address> { active-source-limit { maximum <1..1000000>; threshold <1..1000000>; log-warning <percent to log warning>; } authentication-key "hashed PSK"; ## SECRET-DATA } } Note: Both the global, and the peer limit, are applied to every MSDP peer, and Junos applies the most restrictive limit. The maximum value sets the upper limit for source-active messages and the threshold value determines when Junos begins Random Early Detection (RED) dropping to alleviate congestion. The log-warning value is a percent where Junos begins generating syslog messages. If the router is not configured to limit the source-active messages it accepts, this is a finding.

Fix Text

Configure the MSDP router to limit the amount of source-active messages it accepts from each peer. set protocols msdp active-source-limit maximum <1..1000000> set protocols msdp active-source-limit threshold <1..1000000> set protocols msdp active-source-limit log-warning <percent to log warning> <additional configuration> set protocols msdp peer <address> active-source-limit maximum <1..1000000> set protocols msdp peer <address> active-source-limit threshold <1..1000000> set protocols msdp peer <address> active-source-limit log-warning <percent to log warning>

Additional Identifiers

Rule ID: SV-253981r843976_rule

Vulnerability ID: V-253981

Group Title: SRG-NET-000018-RTR-000009

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001368

The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement