From Juniper Router RTR Security Technical Implementation Guide
Part of SRG-NET-000362-RTR-000120
Associated with: CCI-002385
MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first step of defense against a denial-of-service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure that router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.
Review the router configuration to determine if forwarding cache thresholds are defined as shown in the example below. routing-options { multicast { … … … } forwarding-cache { threshold { suppress 5000; reuse 4000; } } } } If the RP router is not configured to limit the multicast forwarding cache to ensure that its resources are not saturated, this is a finding.
Configure the router to limit the multicast forwarding cache for source-active entries. [edit routing-options multicast] set forwarding-cache threshold suppress 5000 reuse 4000
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer