The Juniper router configured for Multicast Source Discovery Protocol (MSDP) must filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
An XCCDF Rule
Description
To avoid global visibility of local information, a number of source-group (S, G) states in a PIM-SM domain must not be leaked to another domain: multicast sources with private addresses, administratively scoped multicast groups, and the auto-RP groups (224.0.1.39 and 224.0.1.40). Allowing a multicast distribution tree that is local to the core to extend beyond its boundary could let local multicast traffic leak into other autonomous systems and customer networks.
- ID
- SV-253980r843973_rule
- Version
- JUEX-RT-000080
- Severity
- Low
- References
- Updated
Remediation Templates
A Manual Procedure
Ensure an export policy is implemented on all MSDP routers to avoid global visibility of local multicast (S, G) states.
set protocols msdp peer <address> export source-active-filter
set policy-options policy-statement source-active-filter term unauth-groups from route-filter 224.0.1.2/32 exact
set policy-options policy-statement source-active-filter term unauth-groups from route-filter 224.0.2.2/32 exact
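The following is an added, complete export policy written for this page; it is not the STIG's own remediation text. It covers the three categories the description names (private source addresses, administratively scoped groups, and the auto-RP groups) and ends with an explicit accept for everything else. The peer address 192.0.2.1 and the term names are assumptions; in Junos MSDP policy, source-address-filter matches the source of the SA message and route-filter matches the group.

```junos
# Added example: full MSDP source-active export policy (not the page's own text).
# Term 1: never advertise sources in RFC 1918 private space.
set policy-options policy-statement source-active-filter term private-sources from source-address-filter 10.0.0.0/8 orlonger
set policy-options policy-statement source-active-filter term private-sources from source-address-filter 172.16.0.0/12 orlonger
set policy-options policy-statement source-active-filter term private-sources from source-address-filter 192.168.0.0/16 orlonger
set policy-options policy-statement source-active-filter term private-sources then reject
# Term 2: administratively scoped groups (239/8) stay inside the domain.
set policy-options policy-statement source-active-filter term admin-scoped from route-filter 239.0.0.0/8 orlonger
set policy-options policy-statement source-active-filter term admin-scoped then reject
# Term 3: auto-RP announce/discovery groups are local control-plane traffic.
set policy-options policy-statement source-active-filter term auto-rp from route-filter 224.0.1.39/32 exact
set policy-options policy-statement source-active-filter term auto-rp from route-filter 224.0.1.40/32 exact
set policy-options policy-statement source-active-filter term auto-rp then reject
# Final action: anything not rejected above may be advertised to external peers.
set policy-options policy-statement source-active-filter then accept
# Apply the policy as an export filter on the external MSDP peer (address assumed).
set protocols msdp peer 192.0.2.1 export source-active-filter
```

After committing, "show msdp source-active" lists the SA cache; entries for the rejected sources and groups should remain locally but must not be offered to the external peer. Each term rejects only what it matches and the policy-level accept is explicit, so a new peer that omits the export statement is the gap an audit should look for.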