STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.

DISA Rule

SV-217064r639663_rule

Vulnerability Number

V-217064

Group Title

SRG-NET-000512-RTR-000003

Rule Version

JUNI-RT-000580

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the MPLS router to synchronize IGP and LDP, minimizing packet loss when an IGP adjacency is established prior to LDP peers completing label exchange.

[edit protocols ospf area 0.0.0.0]
set interface ge-0/0/0.0 ldp-synchronization hold-time 10

[edit protocols isis]
set interface ge-0/0/0.0 ldp-synchronization hold-time 10

Note: The hold-time is the amount of time (in seconds) the routing device advertises the maximum cost metric for a link that is not fully operational. Default is infinity.

Check Contents

Review the router OSPF or IS-IS configuration and verify that LDP will synchronize with the link-state routing protocol as shown in the example below.

OSPF Example:

protocols {
mpls {
interface ge-0/0/0.0;
}



ospf {
export REDISTRIBUTE;
area 0.0.0.0 {
interface ge-0/0/0.0 {
ldp-synchronization {
hold-time 10;
}



}
}
ldp {
interface ge-0/0/0.0;
}
}

IS-IS Example:

protocols {
mpls {
interface ge-0/0/0.0;
}



isis {
level 1 authentication-key-chain ISIS_KEY;
level 2 authentication-key-chain ISIS_KEY;
interface ge-0/0/0.0 {
ldp-synchronization {
hold-time 10;
}



}
}
ldp {
interface ge-0/0/0.0;
}
}

If the router is not configured to synchronize IGP and LDP, this is a finding.

Vulnerability Number

V-217064

Documentable

False

Rule Version

JUNI-RT-000580

Severity Override Guidance

Review the router OSPF or IS-IS configuration and verify that LDP will synchronize with the link-state routing protocol as shown in the example below.

OSPF Example:

protocols {
mpls {
interface ge-0/0/0.0;
}



ospf {
export REDISTRIBUTE;
area 0.0.0.0 {
interface ge-0/0/0.0 {
ldp-synchronization {
hold-time 10;
}



}
}
ldp {
interface ge-0/0/0.0;
}
}

IS-IS Example:

protocols {
mpls {
interface ge-0/0/0.0;
}



isis {
level 1 authentication-key-chain ISIS_KEY;
level 2 authentication-key-chain ISIS_KEY;
interface ge-0/0/0.0 {
ldp-synchronization {
hold-time 10;
}



}
}
ldp {
interface ge-0/0/0.0;
}
}

If the router is not configured to synchronize IGP and LDP, this is a finding.

Check Content Reference

M

Target Key

4032

Comments