From Juniper Router RTR Security Technical Implementation Guide
Part of SRG-NET-000019-RTR-000005
Associated with: CCI-001414
If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel.
Review the multicast topology diagram to determine if there are any documented Local -Scope (239.255.0.0/16) or Organization-Scope (239.192.0.0/14) boundaries. Verify the boundaries have been enforced as shown in the configuration example below. routing-options { … … … multicast { scope LOCAL_SCOPE { prefix 239.255.0.0/16; interface [ge-1/0/1.0 ge-1/1/1.0]; } scope ORGANIZATION_SCOPE { prefix 239.192.0.0/14; interface ge-2/0/1.0; } } } If the appropriate boundaries are not configured on applicable multicast-enabled interfaces, this is a finding.
Configure the appropriate boundaries to contain packets addressed within the administratively scoped zone as shown in the example below. [edit routing-options] set multicast scope LOCAL_SCOPE interface ge-1/0/1.0 prefix 239.255.0.0/16 set multicast scope LOCAL_SCOPE interface ge-1/0/1.0 prefix 239.255.0.0/16 set multicast scope ORGANIZATION_SCOPE interface ge-2/0/1.0 prefix 239.192.0.0/14
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer