STIGQter: STIG Summary: Juniper Router RTR Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 25 Oct 2019: The Juniper multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.

DISA Rule

SV-101177r1_rule

Vulnerability Number

V-90967

Group Title

SRG-NET-000362-RTR-000123

Rule Version

JUNI-RT-000880

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the multicast router to increase the SPT threshold or set it to infinity to minimize (S, G) state within the multicast topology where ASM is deployed.

Configure a policy statement that sets the SPT threshold to infinity for all multicast groups, or only for specific groups and sources.

[edit policy-options]
set policy-statement SPT_INFINITY term ALL_GROUPS from route-filter 234.0.0.0/8 orlonger
set policy-statement SPT_INFINITY term ALL_GROUPS then accept

Apply the SPT infinity policy.

[edit protocols pim]
set spt-threshold infinity SPT_INFINITY

Check Contents

Review the multicast last-hop router configuration to verify that the SPT switchover threshold is set to infinity for all or specific multicast groups and sources.

Verify that an infinity policy has been enabled for PIM.

protocols {
    pim {
        spt-threshold {
            infinity SPT_INFINITY;
        }
    }
}

Verify that the infinity policy defines specific multicast groups and sources or all multicast groups and sources as shown in the example below.

policy-options {
    policy-statement SPT_INFINITY {
        term ALL_GROUPS {
            from {
                route-filter 234.0.0.0/8 orlonger;
            }
            then accept;
        }
    }
}

If any multicast router is not configured to set the SPT threshold to infinity to minimize (S, G) state, this is a finding.
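The check above can be scripted against `show configuration | display set` output. The following audit function is an added example, not part of the STIG or of STIGQter; the configuration samples are constructed, and the finding strings are this example's own wording.

```python
import re

# Constructed sample of `show configuration | display set` output (not from a real device).
COMPLIANT_CONFIG = """
set policy-options policy-statement SPT_INFINITY term ALL_GROUPS from route-filter 234.0.0.0/8 orlonger
set policy-options policy-statement SPT_INFINITY term ALL_GROUPS then accept
set protocols pim spt-threshold infinity SPT_INFINITY
set protocols pim rp static address 10.0.0.1
"""

# Constructed sample where spt-threshold references a policy that is never defined.
DANGLING_CONFIG = """
set protocols pim spt-threshold infinity SPT_INFINITY
set protocols pim rp static address 10.0.0.1
"""

SPT_RE = re.compile(r"^set protocols pim spt-threshold infinity (\S+)$")
TERM_RE = re.compile(r"^set policy-options policy-statement (\S+) term (\S+) (from|then) (.+)$")


def check_spt_infinity(config):
    """Audit a Junos 'display set' config against JUNI-RT-000880.

    Returns (compliant, findings); findings is a list of strings describing
    what is missing, and an empty list means the check passes.
    """
    policies = set()   # policy names referenced by 'spt-threshold infinity'
    terms = {}         # (policy, term) -> {"from": [...], "then": [...]}
    for line in config.splitlines():
        line = line.strip()
        m = SPT_RE.match(line)
        if m:
            policies.add(m.group(1))
            continue
        m = TERM_RE.match(line)
        if m:
            key = (m.group(1), m.group(2))
            terms.setdefault(key, {"from": [], "then": []})[m.group(3)].append(m.group(4))

    findings = []
    if not policies:
        findings.append("no 'spt-threshold infinity <policy>' under protocols pim")
    for pol in sorted(policies):
        pol_terms = {t: v for (p, t), v in terms.items() if p == pol}
        if not pol_terms:
            findings.append(f"policy {pol} referenced by spt-threshold but not defined")
            continue
        # At least one term must accept; a term with no 'from' matches all groups.
        if not any("accept" in v["then"] for v in pol_terms.values()):
            findings.append(f"policy {pol} has no term that accepts")
    return (not findings, findings)
```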

Documentable

False


Check Content Reference

M

Target Key

3387

Comments