JUNI-RT-000830 - The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Router (DR) for any undesirable multicast groups - policy-options

Information

Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, consuming the available bandwidth and thereby creating a denial-of-service (DoS) condition. Hence, it is imperative that Join messages are accepted only for authorized multicast groups and sources.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

RP routers that peer with customer PIM-SM routers must apply a PIM import policy that rejects Join messages for any undesirable multicast groups.

Step 1: Configure a multicast join policy that rejects the undesirable groups and sources, as shown in the example below. The route-filter condition matches the group address of the Join; a source-address-filter condition can be added to the same term to match the source of an (S,G) Join. The final term accepts everything that was not rejected:

[edit policy-options policy-statement MULTICAST_JOIN_POLICY]
set term BAD_GROUPS from route-filter 224.1.1.0/24 orlonger
set term BAD_GROUPS from route-filter 225.1.2.3/32 exact
...
...
...
set term BAD_GROUPS then reject
set term ALLOW_OTHER then accept

Step 2: Apply the policy under [edit protocols pim] so it is used as the PIM import policy for received Join messages, as shown in the example below. Without this step the policy is defined but has no effect:

[edit protocols pim]
set import MULTICAST_JOIN_POLICY
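The two steps above can be verified offline against the "show configuration | display set" form of a device configuration. The following checker is an added example written for this page; it is not part of the STIG or of the Tenable audit, and the sample configurations, the policy name (reused from the Solution section) and the finding messages are constructed for the example. It flags a missing "protocols pim import" statement, a policy with no reject term, and the failure mode in the other direction: a reject term with no "from" condition, which would drop every Join, including those for authorized groups.

```python
"""Offline compliance check for the PIM join-filter requirement above.

Added example (not STIG or Tenable code): parses the 'display set' form of a
Junos configuration and verifies that a PIM import policy exists and rejects
at least one group or source range. Sample configs are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of 'show configuration | display set' on a compliant RP
# (mirrors the policy shown in the Solution section).
COMPLIANT_CONFIG = """\
set policy-options policy-statement MULTICAST_JOIN_POLICY term BAD_GROUPS from route-filter 224.1.1.0/24 orlonger
set policy-options policy-statement MULTICAST_JOIN_POLICY term BAD_GROUPS from route-filter 225.1.2.3/32 exact
set policy-options policy-statement MULTICAST_JOIN_POLICY term BAD_GROUPS then reject
set policy-options policy-statement MULTICAST_JOIN_POLICY term ALLOW_OTHER then accept
set protocols pim rp local address 10.0.0.1
set protocols pim import MULTICAST_JOIN_POLICY
"""

# Constructed non-compliant sample: the policy exists but is never applied
# under [edit protocols pim], so every Join is still accepted.
UNAPPLIED_CONFIG = """\
set policy-options policy-statement MULTICAST_JOIN_POLICY term BAD_GROUPS from route-filter 224.1.1.0/24 orlonger
set policy-options policy-statement MULTICAST_JOIN_POLICY term BAD_GROUPS then reject
set policy-options policy-statement MULTICAST_JOIN_POLICY term ALLOW_OTHER then accept
set protocols pim rp local address 10.0.0.1
"""

# Constructed broken sample: the reject term has no match condition, so the
# import policy rejects every Join, not just the undesirable groups.
OVERBROAD_CONFIG = """\
set policy-options policy-statement MULTICAST_JOIN_POLICY term BAD_GROUPS then reject
set policy-options policy-statement MULTICAST_JOIN_POLICY term ALLOW_OTHER then accept
set protocols pim import MULTICAST_JOIN_POLICY
"""

TERM_RE = re.compile(
    r"^set policy-options policy-statement (\S+) term (\S+) (from|then) (.+)$"
)
IMPORT_RE = re.compile(r"^set protocols pim import (\S+)$")


@dataclass
class Term:
    froms: list = field(default_factory=list)  # match conditions ('from ...')
    thens: list = field(default_factory=list)  # actions ('then ...')


def parse_display_set(text):
    """Return (policies, pim_import); policies maps name -> {term name: Term}."""
    policies = {}
    pim_import = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TERM_RE.match(line)
        if m:
            name, term, kind, rest = m.groups()
            t = policies.setdefault(name, {}).setdefault(term, Term())
            (t.froms if kind == "from" else t.thens).append(rest)
            continue
        m = IMPORT_RE.match(line)
        if m:
            pim_import = m.group(1)
    return policies, pim_import


def check_pim_join_policy(text):
    """Return a list of findings; an empty list means the config passes."""
    policies, pim_import = parse_display_set(text)
    findings = []
    if pim_import is None:
        findings.append("no 'set protocols pim import <policy>' statement")
        return findings
    if pim_import not in policies:
        findings.append(f"pim import references undefined policy {pim_import}")
        return findings
    terms = policies[pim_import]
    reject_terms = [n for n, t in terms.items() if "reject" in t.thens]
    if not reject_terms:
        findings.append(f"policy {pim_import} has no term that rejects Joins")
    for n in reject_terms:
        t = terms[n]
        if not t.froms:
            findings.append(f"term {n} rejects unconditionally (no 'from')")
        elif not any(f.startswith(("route-filter", "source-address-filter"))
                     for f in t.froms):
            findings.append(f"term {n} rejects without a group or source match")
    return findings


if __name__ == "__main__":
    for label, cfg in [("compliant", COMPLIANT_CONFIG),
                       ("unapplied", UNAPPLIED_CONFIG),
                       ("overbroad", OVERBROAD_CONFIG)]:
        print(label, check_pim_join_policy(cfg) or "PASS")
```

On the device itself the same statements can be read back with "show configuration policy-options policy-statement MULTICAST_JOIN_POLICY" and "show configuration protocols pim"; the checker only automates the comparison that the NOTE above says Nessus leaves to the reviewer.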

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y24M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|III, CCI|CCI-001414, Rule-ID|SV-217087r604135_rule, STIG-ID|JUNI-RT-000830, STIG-Legacy|SV-101167, STIG-Legacy|V-90957, Vuln-ID|V-217087

Plugin: Juniper

Control ID: 9a48742726ecc5fb1292a4184f8b3b6ee09e5c3cd2d58ae6b57e17aa48cf9764