STIGQter STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 12 Feb 2021:

The Juniper multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Join messages received from the Designated Juniper router (DR) for any undesirable multicast groups.

DISA Rule

SV-217087r639663_rule

Vulnerability Number

V-217087

Group Title

SRG-NET-000019-RTR-000014

Rule Version

JUNI-RT-000830

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

RP routers that are peering with customer PIM-SM routers must implement a PIM import policy to block join messages for any undesirable multicast groups.

Step 1: Configure a multicast join policy to filter bad groups and sources as shown in the example below:

[edit policy-options policy-statement MULTICAST_JOIN_POLICY]
set term BAD_GROUPS from route-filter 224.1.1.0/24 orlonger
set term BAD_GROUPS from route-filter 225.1.2.3/32 exact



set term BAD_GROUPS then reject
set term ALLOW_OTHER then accept

Step 2: Configure PIM to enable the join policy as shown in the example below:

[edit protocols pim]
set import MULTICAST_JOIN_POLICY

Check Contents

Review the RP router configuration to determine if it filters PIM join messages for any reserved multicast groups.

Step 1: Verify that a PIM import statement has been configured as shown in the example below:

protocols {



}
pim {
import MULTICAST_JOIN_POLICY;

Step 2: Verify that the join policy has defined both bad multicast groups and sources as shown in the example below:

policy-options {



}
policy-statement MULTICAST_JOIN_POLICY {
term BAD_GROUPS {
from {
route-filter 224.1.1.0/24 orlonger;
route-filter 225.1.2.3/32 exact;



route-filter 232.0.0.0/8 orlonger;
}
then reject;
}
term ALLOW_OTHER {
then accept;
}
}
If the RP router peering with PIM-SM routers is not configured with a PIM import policy to block join messages for any undesirable multicast groups, this is a finding.

Vulnerability Number

V-217087

Documentable

False

Rule Version

JUNI-RT-000830

Severity Override Guidance

Review the RP router configuration to determine if it filters PIM join messages for any reserved multicast groups.

Step 1: Verify that a PIM import statement has been configured as shown in the example below:

protocols {



}
pim {
import MULTICAST_JOIN_POLICY;

Step 2: Verify that the join policy has defined both bad multicast groups and sources as shown in the example below:

policy-options {



}
policy-statement MULTICAST_JOIN_POLICY {
term BAD_GROUPS {
from {
route-filter 224.1.1.0/24 orlonger;
route-filter 225.1.2.3/32 exact;



route-filter 232.0.0.0/8 orlonger;
}
then reject;
}
term ALLOW_OTHER {
then accept;
}
}
If the RP router peering with PIM-SM routers is not configured with a PIM import policy to block join messages for any undesirable multicast groups, this is a finding.

Check Content Reference

M

Target Key

4032

Comments