4.8.1 Ensure authentication is set to MD5

Information

MSDP Peers should be authenticated.

Rationale:

When deployed MSDP it provides PIM-SM with information for routing Multicast traffic and is critical to operation of Multicast services on the network. If no authentication is used, an attacker may inject false information into the PIM-SM distribution tree, resulting in potential Denial of Service or Integrity compromise.

MSDP packets can be authenticated using a Keyed Hash-based Message Authentication Code (HMAC) generated by hashing elements of the of the update packet combined with a shared secret using MD5.

Solution

If you have deployed MSDP, authentication can be configured on a peer by peer basis, by issuing the following command from the [edit protocols msdp] hierarchy:

[edit protocols msdp]
user@host#set peer <peer address> authentication-key <key>

Default Value:

No MSDP is configured by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: 09a61c1a448a0830e26dd8bda7cc495bb2ef74b376a1c9c671d47fe17b924961