STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode enabled on all CE-facing interfaces.

DISA Rule

SV-217077r639663_rule

Vulnerability Number

V-217077

Group Title

SRG-NET-000205-RTR-000008

Rule Version

JUNI-RT-000720

Severity

CAT II

CCI(s)

• CCI-001097 - The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.

Weight

10

Fix Recommendation

Configure uRPF loose mode on all CE-facing interfaces as shown in the example.

[edit interfaces ge-0/1/0 unit 0 family inet]
set rpf-check mode loose

Check Contents

Review the router configuration to determine if uRPF loose mode is enabled on all CE-facing interfaces.

interfaces {
ge-0/1/0 {
description "link to Customer 2";
unit 0 {
family inet {
rpf-check {
mode loose;
}
address x.x.x.x/30;
}
}
}

If uRPF loose mode is not enabled on all CE-facing interfaces, this is a finding.

Vulnerability Number

V-217077

Documentable

False

Rule Version

JUNI-RT-000720

Severity Override Guidance

Review the router configuration to determine if uRPF loose mode is enabled on all CE-facing interfaces.

interfaces {
ge-0/1/0 {
description "link to Customer 2";
unit 0 {
family inet {
rpf-check {
mode loose;
}
address x.x.x.x/30;
}
}
}

If uRPF loose mode is not enabled on all CE-facing interfaces, this is a finding.

Check Content Reference

M

Target Key

4032

Comments