Title

The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to use its loopback address as the source address when originating MSDP traffic. (Cat III impact)

Discussion

Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of MSDP routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the numerous physical interface addresses.

Check Content

Review the router configuration to verify that a loopback address has been configured. Verify that a loopback interface is used as the source address for all MSDP packets generated by the router. [edit protocols] msdp { active-source-limit { maximum <1..1000000>; threshold <1..1000000>; log-warning <percent to log warning>; } local-address <lo0 address>; <additional configuration> peer <address> { active-source-limit { maximum <1..1000000>; threshold <1..1000000>; log-warning <percent to log warning>; } authentication-key "hashed PSK"; ## SECRET-DATA } } Note: Both the global, and the peer limit, are applied to every MSDP peer, and Junos applies the most restrictive limit. The maximum value sets the upper limit for source-active messages and the threshold value determines when Junos begins Random Early Detection (RED) dropping to alleviate congestion. The log-warning value is a percent where Junos begins generating syslog messages. If the router does not use its loopback address as the source address when originating MSDP traffic, this is a finding.

Fix Text

Ensure that the router’s loopback address is used as the source address when originating traffic. set protocols msdp active-source-limit maximum <1..1000000> set protocols msdp active-source-limit threshold <1..1000000> set protocols msdp active-source-limit log-warning <percent to log warning> set protocols msdp local-address <lo0 address> <additional configuration> set protocols msdp peer <address> active-source-limit maximum <1..1000000> set protocols msdp peer <address> active-source-limit threshold <1..1000000> set protocols msdp peer <address> active-source-limit log-warning <percent to log warning> set protocols msdp peer <address> authentication-key <PSK>

Additional Identifiers

Rule ID: SV-254070r844243_rule

Vulnerability ID: V-254070

Group Title: SRG-NET-000512-RTR-000011

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.