An error occurred:

Check: JUEX-RT-000710

Juniper EX Series Switches Router STIG: JUEX-RT-000710 (in versions v1 r3 through v1 r1)

Title

The Juniper multicast Designated Router (DR) must be configured to increase the shortest-path tree (SPT) threshold or set it to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed. (Cat II impact)

Discussion

ASM can have many sources for the same groups (many-to-many). For many receivers, the path via the RP may not be ideal compared with the shortest path from the source to the receiver. By default, the last-hop router will initiate a switch from the shared tree to a source-specific SPT to obtain lower latencies. This is accomplished by the last-hop router sending an (S, G) Protocol Independent Multicast (PIM) Join toward S (the source). When the last-hop router begins to receive traffic for the group from the source via the SPT, it will send a PIM Prune message to the RP for the (S, G). The RP will then send a Prune message toward the source. The SPT switchover becomes a scaling issue for large multicast topologies that have many receivers and many sources for many groups because (S, G) entries require more memory than (*, G). Hence, it is imperative to minimize the amount of (S, G) state to be maintained by increasing the threshold that determines when the SPT switchover occurs.

Check Content

Review the multicast last-hop router configuration to verify that the SPT switchover threshold is increased (default is "0") or set to infinity (never switch over). Verify the policy statement includes specific multicast groups or all groups (as shown). [edit policy-options] policy-statement <name> { term 1 { from { route-filter 234.0.0.0/8 orlonger; } then accept; } } Verify the infinity policy is applied. [edit protocols pim] spt-threshold { infinity <policy name>; } If any multicast router is not configured to increase the SPT threshold or set to infinity to minimalize (S, G) state, this is a finding.

Fix Text

Configure the multicast router to increase the SPT threshold or set it to infinity to minimalize (S, G) state within the multicast topology where ASM is deployed. set policy-options policy-statement <name> term 1 from route-filter 239.0.0.0/8 orlonger set policy-options policy-statement <name> term 1 then accept set protocols pim spt-threshold infinity <policy name>

Additional Identifiers

Rule ID: SV-254043r844162_rule

Vulnerability ID: V-254043

Group Title: SRG-NET-000362-RTR-000123

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002355

The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user.
CCI-002385

The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-24 (2)

No User Or Process Identity
SC-5

Denial Of Service Protection