← Back to Juniper Router RTR Security Technical Implementation Guide

V-217097

CAT III (Low)

The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on per-peer basis.

Rule ID

SV-217097r604135_rule

STIG

Juniper Router RTR Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-001368

Discussion

To reduce any risk of a denial-of-service (DoS) attack from a rogue or misconfigured MSDP router, the router must be configured to limit the number of source-active messages it accepts from each peer.

Check Content

Review the router configuration to determine if it is configured to limit the amount of source-active messages it accepts on a per-peer basis.

protocols {
    …
    …
    …
    }
    msdp {
        export SA_EXPORT;
        import SA_IMPORT;
        group AS25 {
            peer x.x.x.x {
                active-source-limit {
                    maximum nnn;
                }

If the router is not configured to limit the source-active messages it accepts, this is a finding.

Fix Text

Configure the router to limit the amount of source-active messages it accepts from each peer.

[edit protocols msdp group AS25 peer x.x.x.x]
set active-source-limit maximum nnn