The Juniper router configured for Multicast Source Discovery Protocol (MSDP) must filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
An XCCDF Rule
Description
<VulnDiscussion>To avoid global visibility of local information, there are a number of source-group (S, G) states in a PIM-SM domain that must not be leaked to another domain, such as multicast sources with private address, administratively scoped multicast addresses, and the auto-RP groups (224.0.1.39 and 224.0.1.40). Allowing a multicast distribution tree, local to the core, to extend beyond its boundary could enable local multicast traffic to leak into other autonomous systems and customer networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-253980r843973_rule
- Severity
- Low
- References
- Updated
Remediation - Manual Procedure
Ensure an export policy is implemented on all MSDP routers to avoid global visibility of local multicast (S, G) states.
set protocols msdp peer <address> export source-active-filter
set policy-options policy-statement source-active-filter term unauth-groups from route-filter 224.0.1.2/32 exact
set policy-options policy-statement source-active-filter term unauth-groups from route-filter 224.0.2.2/32 exact