An error occurred:

Check: JUNI-RT-000930

Juniper Router RTR STIG: JUNI-RT-000930 (in versions v3 r2 through v1 r0.1)

Title

The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on per-peer basis. (Cat III impact)

Discussion

To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.

Check Content

Review the router configuration to determine if it is configured to limit the amount of source-active messages it accepts on a per-peer basis. protocols { … … … } msdp { export SA_EXPORT; import SA_IMPORT; group AS25 { peer x.x.x.x { active-source-limit { maximum nnn; } If the router is not configured to limit the source-active messages it accepts, this is a finding.

Fix Text

Configure the router to limit the amount of source-active messages it accepts from each peer. [edit protocols msdp group AS25 peer x.x.x.x] set active-source-limit maximum nnn

Additional Identifiers

Rule ID: SV-217097r604135_rule

Vulnerability ID: V-217097

Group Title: SRG-NET-000018-RTR-000009

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001368

Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement