The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-216999	CISC-RT-000470	SV-216999r531086_rule		Low

Description
As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.

Description

As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.

STIG	Date
Cisco IOS XE Router RTR Security Technical Implementation Guide	2021-09-16

Details

Check Text ( C-18229r288159_chk )
Review the BGP configuration to verify that TTL security has been configured for each external neighbor as shown in the example below: router bgp xx no synchronization bgp log-neighbor-changes neighbor x.1.1.9 remote-as yy neighbor x.1.1.9 password xxxxxxxx neighbor x.1.1.9 ttl-security hops 1 neighbor x.2.1.7 remote-as zz neighbor x.2.1.7 password xxxxxxxx neighbor x.2.1.7 ttl-security hops 1 If the router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.

Check Text ( C-18229r288159_chk )

Review the BGP configuration to verify that TTL security has been configured for each external neighbor as shown in the example below:

router bgp xx
no synchronization
bgp log-neighbor-changes
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 password xxxxxxxx
neighbor x.1.1.9 ttl-security hops 1
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 password xxxxxxxx
neighbor x.2.1.7 ttl-security hops 1

If the router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.

Fix Text (F-18227r288160_fix)
Configure TTL security on all external BGP neighbors as shown in the example below: R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 ttl-security hops 1 R1(config-router)#neighbor x.2.1.7 ttl-security hops 1