
The administrator must ensure that a PIM neighbor filter is bound to all interfaces that have PIM enabled.


Overview

Finding ID: V-30578
Version: NET-MCAST-002
Rule ID: SV-40316r1_rule
IA Controls: (none)
Severity: Medium
Description
Protocol Independent Multicast (PIM) is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. PIM traffic must be limited to known PIM neighbors only, by configuring a PIM neighbor filter and binding it to every interface that has PIM enabled.
STIG: Infrastructure Router - Juniper Security Technical Implementation Guide
Date: 2017-09-28

Details

Check Text ( C-39169r1_chk )
Review the router or multi-layer switch to determine whether IPv4 or IPv6 multicast routing is enabled. If either is enabled, verify that every interface enabled for PIM has a neighbor filter that accepts PIM control-plane traffic only from the routers documented in the multicast topology diagram. JUNOS does not have a PIM neighbor filter, so a firewall filter must be used, similar to the example shown below.

Step 1: Verify that an input filter is configured that will specify the allowable PIM neighbors similar to the following example.

firewall {
    filter input-filter {
        term pim-neighbors {
            from {
                source-address {
                    192.0.2.1/32;
                    192.0.2.3/32;
                }
                destination-address {
                    224.0.0.13/32;
                }
                protocol pim;
            }
            then accept;
        }
        term …

Step 2: Verify that an input filter is applied to all PIM enabled interfaces. The configuration should look similar to the following:

interfaces fe-1/1/1 {
    unit 0 {
        family inet {
            filter {
                input input-filter;
            }
            address 192.0.2.2/32;
        }
    }
}

To determine which interfaces are enabled for PIM, review the interface section within the protocols pim hierarchy, which will look similar to the following example:

protocols {
    pim {
        interface all {
            mode sparse;
        }
    }
}
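The two steps above can be automated against a saved copy of the configuration. The following script is an added example written for this page; it is not part of the STIG or of Junos. It parses the curly-brace configuration format, expands `interface all` under `protocols pim` (honoring an explicit `disable`), and reports every PIM-enabled interface whose `family inet` input filter is missing or does not restrict PIM to an explicit source-address list. The sample configuration is constructed: it reuses the STIG's example filter and interface, completes the elided terms with a PIM discard and a catch-all accept, and adds a second PIM interface (fe-1/1/2) with no filter so that a finding is produced. Only IPv4 (`family inet`) filters are checked; the assumption that an interface named without a unit means unit 0 is marked in the code.

```python
"""Compliance check for this STIG requirement (V-30578): every PIM-enabled
interface must carry an input filter limiting PIM to documented neighbors.
Example written for this page; not part of the STIG or of Junos itself."""
import re

def parse_junos(text):
    """Parse Junos curly-brace config into nested dicts, preserving order.
    A leaf value becomes a key holding {}: 'protocol pim;' -> {'protocol': {'pim': {}}}."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # drop /* */ comments
    text = re.sub(r"##.*", " ", text)                    # drop ## annotations
    root = {}; stack, words = [root], []
    for tok in re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        node = stack[-1]
        for w in words:                       # walk/create the statement's key path
            node = node.setdefault(w.strip('"'), {})
        if tok == "{":
            stack.append(node)
        elif tok == "}":
            stack.pop()
        words = []
    return root

def _path(node, *keys):
    for k in keys:                            # return {} as soon as a key is absent
        node = node.get(k, {})
    return node

def pim_interfaces(cfg):
    """Logical interfaces (name.unit) enabled for PIM: 'interface all' expands to
    every unit with family inet; 'interface X { disable; }' removes X."""
    pim_if = _path(cfg, "protocols", "pim", "interface")
    enabled = set()
    if "all" in pim_if and "disable" not in pim_if["all"]:
        for ifname, ifbody in cfg.get("interfaces", {}).items():
            for unit, ubody in ifbody.get("unit", {}).items():
                if "inet" in ubody.get("family", {}):
                    enabled.add(f"{ifname}.{unit}")
    for name, body in pim_if.items():
        if name == "all":
            continue
        logical = name if "." in name else f"{name}.0"  # assumption: no unit -> unit 0
        if "disable" in body:
            enabled.discard(logical)
        else:
            enabled.add(logical)
    return sorted(enabled)

def filter_restricts_pim(cfg, name):
    """Terms are evaluated in order. PIM may be accepted only by a term with an explicit
    source-address list; a term that could accept PIM from anywhere is a finding unless an
    earlier term dropped PIM. Junos filters end in an implicit discard."""
    terms = _path(cfg, "firewall", "filter", name, "term")
    if not terms:
        return False, f"filter '{name}' is not defined"
    restricted = pim_dropped = False
    for tname, term in terms.items():
        frm, then = term.get("from", {}), term.get("then", {})
        proto = frm.get("protocol", {})
        if proto and "pim" not in proto:
            continue                          # term cannot match PIM
        has_sources = bool(frm.get("source-address"))
        if "accept" in then and has_sources:
            restricted = True
        elif "accept" in then and not pim_dropped:
            return False, f"term '{tname}' can accept PIM from any source"
        elif not has_sources and ("discard" in then or "reject" in then):
            pim_dropped = True
    if not restricted:
        return False, f"filter '{name}' has no PIM term with source-address"
    return True, "ok"

def check_pim_neighbor_filters(cfg):
    """Return (interface, 'pass'|'open', reason) for each PIM-enabled interface."""
    results = []
    for logical in pim_interfaces(cfg):
        ifname, unit = logical.rsplit(".", 1)
        inputs = _path(cfg, "interfaces", ifname, "unit", unit,
                       "family", "inet", "filter", "input")
        if not inputs:
            results.append((logical, "open", "no inet input filter applied"))
            continue
        ok, reason = filter_restricts_pim(cfg, next(iter(inputs)))
        results.append((logical, "pass" if ok else "open", reason))
    return results

# Constructed sample: the STIG's example filter and interface, completed with a
# PIM discard term, a catch-all accept, and a second PIM interface with no filter.
SAMPLE_CONFIG = """firewall { filter input-filter {
    term pim-neighbors { from { source-address { 192.0.2.1/32; 192.0.2.3/32; }
        destination-address { 224.0.0.13/32; } protocol pim; } then accept; }
    term pim-others { from { protocol pim; } then discard; }
    term everything-else { then accept; } } }
interfaces { fe-1/1/1 { unit 0 { family inet { filter { input input-filter; }
    address 192.0.2.2/32; } } }
  fe-1/1/2 { unit 0 { family inet { address 198.51.100.1/24; } } } }
protocols { pim { interface all { mode sparse; } } }"""

if __name__ == "__main__":
    for row in check_pim_neighbor_filters(parse_junos(SAMPLE_CONFIG)):
        print(*row)
```

Run against the sample, fe-1/1/1.0 passes and fe-1/1/2.0 is reported open because `interface all` enables PIM on it while no input filter is applied. The filter walk is deliberately order-sensitive: a trailing `then accept` catch-all is only acceptable when a preceding term has already discarded PIM from undocumented sources, which is the part of the check most easily missed when reading the configuration by eye.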
Fix Text (F-34301r1_fix)
If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM have a neighbor filter that accepts PIM control-plane traffic only from the routers documented in the multicast topology diagram.