Juniper Router RTR STIG Version Comparison

There are 2 differences between versions v2 r2 (Feb. 12, 2021) (the "left" version) and v2 r4 (July 27, 2022) (the "right" version).

Check JUNI-RT-000910 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.

Check Content

Review the router configuration to determine if there is import policy to block source-active multicast advertisements for undesirable multicast groups and sources. policy-options { … … … } policy-statement SA_IMPORT { term BAD_GROUPS { from { route-filter 224.0.1.2/32 exact; route-filter 224.77.0.0/16 orlonger; } then reject; } term BAD_SOURCES { from { source-address-filter x.x.x.x /8 orlonger; source-address-filter x.x.x.x /8 orlonger; orlonger; } then reject; } term ACCEPT_OTHERS { then accept; } } Verify that an import source-active filter has been applied to MSDP. protocols { … … … } msdp { import SA_IMPORT; If the router is not configured with an import policy to block undesirable SA multicast advertisements, this is a finding.

Discussion

The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources used by Protocol Independent Multicast (PIM) routers to perform RPF checks and build multicast distribution trees. MSDP is a mechanism used to connect multiple PIM sparse-mode domains, allowing RPs from different domains to share information about active sources. When RPs in peering multicast domains hear about active sources, they can pass on that information to their local receivers, thereby allowing multicast data to be forwarded between the domains. Configuring an import policy to block multicast advertisements for reserved, Martian, single-source multicast, and any other undesirable multicast groups, as well as any source-group (S, G) states with Bogon source addresses, would assist in avoiding unwanted multicast traffic from traversing the core.

Fix

Configure the MSDP to implement an import policy to block multicast advertisements for undesirable multicast groups and sources. Configure the source-active filter to reject undesirable multicast groups and sources as shown in the example below. [edit policy-options] set policy-statement SA_IMPORT term BAD_GROUPS from route-filter 224.0.1.2/32 exact set policy-statement SA_IMPORT term BAD_GROUPS from route-filter 224.77.0.0/16 orlonger set policy-statement SA_IMPORT term BAD_GROUPS then reject set policy-statement SA_IMPORT term BAD_SOURCES from source-address-filter x.x.x.x/8 orlonger set policy-statement SA_IMPORT term BAD_SOURCES from source-address-filter x.x.x.x/16 orlonger set policy-statement SA_IMPORT term BAD_SOURCES then reject set policy-statement SA_IMPORT term ACCEPT_OTHERS then accept Configure the source-active filter to be an import filter. [edit protocols msdp] set import SA_IMPORT