UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Cisco BGP switch must be configured to enable the Generalized TTL Security Mechanism (GTSM).


Overview

Finding ID Version Rule ID IA Controls Severity
V-221021 CISC-RT-000470 SV-221021r622190_rule Low
Description
As described in RFC 3682, GTSM is designed to protect a switch's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking switches. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent switches; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.
STIG Date
Cisco IOS-XE Switch RTR Security Technical Implementation Guide 2021-03-26

Details

Check Text ( C-22736r408857_chk )
Review the BGP configuration to verify that TTL security has been configured for each external neighbor as shown in the example below:

router bgp xx
no synchronization
bgp log-neighbor-changes
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 password xxxxxxxx
neighbor x.1.1.9 ttl-security hops 1
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 password xxxxxxxx
neighbor x.2.1.7 ttl-security hops 1

If the switch is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.
Fix Text (F-22725r408858_fix)
Configure TTL security on all external BGP neighbors as shown in the example below:

SW1(config)#router bgp xx
SW1(config-switch)#neighbor x.1.1.9 ttl-security hops 1
SW1(config-switch)#neighbor x.2.1.7 ttl-security hops 1