
V-254040

CAT III (Low)

The Juniper multicast RP router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of PIM and MSDP source-active entries.

Rule ID

SV-254040r997535_rule

STIG

Juniper EX Series Switches Router Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-002385, CCI-004866

Discussion

MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first step of defense against a denial-of-service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure that router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.

Check Content

Review the router configuration to determine if forwarding cache thresholds are defined.

[edit routing-options]
multicast {
    forwarding-cache {
        threshold {
            suppress <1..200000>;
            reuse <1..200000>;
            log-warning <percent to generate warning>;
        }
    }
}

If the RP router is not configured to limit the multicast forwarding cache to ensure that its resources are not saturated, this is a finding.

Fix Text

Configure MSDP-enabled RP routers to limit the multicast forwarding cache for source-active entries.

set routing-options multicast forwarding-cache threshold suppress <1..200000>
set routing-options multicast forwarding-cache threshold reuse <1..200000>
set routing-options multicast forwarding-cache threshold log-warning <percent to generate warning>
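As an added example (not part of the STIG text or of STIGhub), the following Python check evaluates this rule against the `set`-format output of `show configuration | display set` on an RP router. The sample configurations are constructed; the 1..200000 bounds come from the rule above, while the assumptions that `log-warning` is a 1..100 percentage and that `reuse` should not exceed `suppress` are sanity checks added here, not requirements stated in the STIG.

```python
import re

# Constructed sample "display set" output from a compliant RP router
# (example values only, not values from the STIG).
COMPLIANT_CONFIG = """\
set routing-options multicast forwarding-cache threshold suppress 50000
set routing-options multicast forwarding-cache threshold reuse 40000
set routing-options multicast forwarding-cache threshold log-warning 80
set protocols msdp peer 192.0.2.10
"""

# Constructed sample from an RP router with no forwarding-cache limit.
NONCOMPLIANT_CONFIG = """\
set protocols pim rp local address 192.0.2.1
set protocols msdp peer 192.0.2.10
"""

THRESHOLD_RE = re.compile(
    r"^set routing-options multicast forwarding-cache threshold "
    r"(suppress|reuse|log-warning)\s+(\d+)\s*$"
)

def parse_thresholds(config: str) -> dict:
    """Collect forwarding-cache threshold values from set-format config."""
    found = {}
    for line in config.splitlines():
        m = THRESHOLD_RE.match(line.strip())
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def check_v254040(config: str) -> tuple:
    """Return (is_finding, reasons) for STIG rule V-254040."""
    t = parse_thresholds(config)
    reasons = []
    if "suppress" not in t:
        reasons.append("no forwarding-cache suppress threshold configured")
    elif not 1 <= t["suppress"] <= 200000:
        reasons.append("suppress threshold outside 1..200000")
    if "reuse" in t:
        if not 1 <= t["reuse"] <= 200000:
            reasons.append("reuse threshold outside 1..200000")
        elif "suppress" in t and t["reuse"] > t["suppress"]:
            # Assumption: reuse should not exceed suppress, otherwise the
            # cache would never recover once suppression kicks in.
            reasons.append("reuse threshold exceeds suppress threshold")
    if "log-warning" in t and not 1 <= t["log-warning"] <= 100:
        reasons.append("log-warning is a percentage; expected 1..100")  # assumption
    return (bool(reasons), reasons)
```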