SV-217086r639663_rule
V-217086
SRG-NET-000019-RTR-000013
JUNI-RT-000820
CAT III
10
Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources.
[edit policy-options policy-statement MULTICAST_REGISTER_POLICY]
set term BAD_SOURCES from source-address-filter x.x.x.x/32 exact
set term BAD_SOURCES from source-address-filter x.x.x.x/24 orlonger
set term BAD_SOURCES then reject
set term BAD_GROUPS from route-filter 224.1.1.0/24 orlonger
set term BAD_GROUPS from route-filter 225.1.2.3/32 exact
set term BAD_GROUPS from route-filter 239.0.0.0/8 orlonger
set term BAD_GROUPS then reject
set term ALLOW_OTHER then accept
[edit protocols pim rp]
set rp-register-policy MULTICAST_REGISTER_POLICY
Verify that the RP router is configured to filter PIM register messages.
Verify that the RP has a register policy enabled as shown in the example below.
protocols {
    …
    …
    …
    pim {
        rp {
            rp-register-policy MULTICAST_REGISTER_POLICY;
            local {
                address 2.2.2.2;
            }
        }
    }
}
Verify that the register policy has defined both bad multicast groups and sources as shown in the example below.
policy-options {
    …
    …
    …
    policy-statement MULTICAST_REGISTER_POLICY {
        term BAD_SOURCES {
            from {
                source-address-filter x.x.x.x/32 exact;
                source-address-filter x.x.x.x/24 orlonger;
            }
            then reject;
        }
        term BAD_GROUPS {
            from {
                route-filter 224.1.1.0/24 orlonger;
                route-filter 225.1.2.3/32 exact;
                route-filter 239.0.0.0/8 orlonger;
                …
                …
                …
                route-filter 232.0.0.0/8 orlonger;
            }
            then reject;
        }
        term ALLOW_OTHER {
            then accept;
        }
    }
}
If the RP router peering with PIM-SM routers is not configured with a policy to block registration messages for any undesirable multicast groups and sources, this is a finding.
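The check above can be automated against saved "show configuration" output. The following Python script is an added example and is not part of the STIG text: it parses Junos curly-brace configuration into a tree, confirms that protocols pim rp references a register policy, and confirms that the referenced policy-statement has at least one term with a reject action matching on source-address-filter (sources) and one matching on route-filter (groups). Both sample configurations are constructed; the source prefixes are documentation-range placeholders. The parser assumes plain "show configuration" text, skips "##" annotations and "/* */" comments on their own lines, and expects the single-statement form "then reject;". The second sample reproduces a common mistake: a BAD_SOURCES term with match conditions but no action, which in Junos falls through to the next terms and ends up accepted by ALLOW_OTHER.

```python
import re

# Constructed sample of a compliant RP (documentation-range source prefixes).
COMPLIANT_CONFIG = """
protocols {
    pim {
        rp {
            rp-register-policy MULTICAST_REGISTER_POLICY;
            local {
                address 2.2.2.2;
            }
        }
    }
}
policy-options {
    policy-statement MULTICAST_REGISTER_POLICY {
        term BAD_SOURCES {
            from {
                source-address-filter 192.0.2.10/32 exact;
                source-address-filter 198.51.100.0/24 orlonger;
            }
            then reject;
        }
        term BAD_GROUPS {
            from {
                route-filter 224.1.1.0/24 orlonger;
                route-filter 239.0.0.0/8 orlonger;
            }
            then reject;
        }
        term ALLOW_OTHER {
            then accept;
        }
    }
}
"""

# Constructed variant: BAD_SOURCES loses its "then reject", so matching
# sources fall through to ALLOW_OTHER and are accepted.
MISSING_REJECT_CONFIG = COMPLIANT_CONFIG.replace(
    "            then reject;\n        }\n        term BAD_GROUPS",
    "        }\n        term BAD_GROUPS", 1)


def parse_junos(text):
    """Parse Junos curly-brace configuration into nested dicts.
    A node maps each child block header to its node and keeps its own
    terminating statements (without the ';') under the "_stmts" key."""
    root = {"_stmts": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("##", "/*")):
            continue  # blank lines, annotations, comments
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = stack[-1].setdefault(line[:-1].strip(), {"_stmts": []})
            stack.append(child)
        elif line.endswith(";"):
            stack[-1]["_stmts"].append(line[:-1].strip())
    return root


def lookup(node, *path):
    # Walk a sequence of block headers; None if any level is absent.
    for key in path:
        node = node.get(key)
        if node is None:
            return None
    return node


def check_register_policy(config_text):
    """Apply the STIG check. Returns (compliant, findings)."""
    cfg = parse_junos(config_text)
    rp = lookup(cfg, "protocols", "pim", "rp")
    policy_name = None
    for stmt in (rp or {"_stmts": []})["_stmts"]:
        m = re.fullmatch(r"rp-register-policy (\S+)", stmt)
        if m:
            policy_name = m.group(1)
    if policy_name is None:
        return False, ["no rp-register-policy configured under protocols pim rp"]
    policy = lookup(cfg, "policy-options", f"policy-statement {policy_name}")
    if policy is None:
        return False, [f"policy-statement {policy_name} is referenced but not defined"]
    rejects_sources = rejects_groups = False
    for header, term in policy.items():
        # Only terms whose action is reject count toward the requirement.
        if not header.startswith("term ") or "then reject" not in term["_stmts"]:
            continue
        matches = lookup(term, "from")
        conditions = matches["_stmts"] if matches else []
        if any(c.startswith("source-address-filter ") for c in conditions):
            rejects_sources = True
        if any(c.startswith("route-filter ") for c in conditions):
            rejects_groups = True
    findings = []
    if not rejects_sources:
        findings.append(f"{policy_name}: no term rejects undesirable sources (source-address-filter)")
    if not rejects_groups:
        findings.append(f"{policy_name}: no term rejects undesirable groups (route-filter)")
    return not findings, findings
```

Run check_register_policy() on the text of "show configuration" from the RP; a non-empty findings list corresponds to a finding under this rule. The reject-only rule in the term loop is what catches the fall-through mistake: a term that lists bad sources but has no action does not satisfy the requirement.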
V-217086
False
JUNI-RT-000820
M
4032