UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Cisco BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.


Overview

Finding ID Version Rule ID IA Controls Severity
V-96773 CISC-RT-000550 SV-105911r1_rule Low
Description
Verifying the path a route has traversed will ensure that the local AS is not used as a transit network for unauthorized traffic. To ensure that the local AS does not carry any prefixes that do not belong to any customers, all PE routers must be configured to reject routes with an originating AS other than that belonging to the customer.
STIG Date
Cisco IOS XR Router RTR Security Technical Implementation Guide 2019-07-24

Details

Check Text ( C-95609r2_chk )
This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify the router is configured to deny updates received from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.

Step 1: verify that an inbound route policy has been configured for each customer neighbor as shown in the example below.

router bgp xx
address-family ipv4 unicast
!
neighbor x.12.4.14
remote-as 64514
address-family ipv4 unicast
route-policy FILTER _64514_ROUTES in
!
!
neighbor x.12.4.16
remote-as 64516
address-family ipv4 unicast
route-policy FILTER_64516_ROUTES in
!

Step 2: Verify that the route policy permits only routes from each CE router with an originating AS that does not belong to that customer.

route-policy FILTER_64514_ROUTES
if as-path originates-from 64514' then
pass
else
drop
endif
end-policy
!
route-policy FILTER_64516_ROUTES
if as-path originates-from 64516' then
pass
else
drop
endif
end-policy

Note: The inbound route policy to filter customer prefixes can be nested with the above route policy as shown in the example below.

route-policy CUST1_INBOUND_FILTER
apply CUST1_FILTER
apply FILTER_64514_ROUTES
end-policy

If the router is not configured to reject updates from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer, this is a finding.
Fix Text (F-102451r1_fix)
This requirement is not applicable for the DODIN Backbone.

Configure the router to reject updates from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.

Step 1: Configure an inbound route policy for each customer to only accept routes with an originating AS that belongs to that customer as shown in the example below.

RP/0/0/CPU0:R2(config)#route-policy FILTER_64514_ROUTES
RP/0/0/CPU0:R2(config-rpl)#if as-path originates-from '64514' then
RP/0/0/CPU0:R2(config-rpl-if)#pass
RP/0/0/CPU0:R2(config-rpl-if)#else
RP/0/0/CPU0:R2(config-rpl-else)#drop
RP/0/0/CPU0:R2(config-rpl-else)#endif
RP/0/0/CPU0:R2(config-rpl)#end-policy
RP/0/0/CPU0:R2(config)#route-policy FILTER_64516_ROUTES
RP/0/0/CPU0:R2(config-rpl)#if as-path originates-from '64516' then
RP/0/0/CPU0:R2(config-rpl-if)#pass
RP/0/0/CPU0:R2(config-rpl-if)#else
RP/0/0/CPU0:R2(config-rpl-else)#drop
RP/0/0/CPU0:R2(config-rpl-else)#endif
RP/0/0/CPU0:R2(config-rpl)#end-policy

Step 2: Apply the appropriate inbound route policy with each peering CE router as shown in the example below.

RP/0/0/CPU0:R2(config)#router bgp xx
RP/0/0/CPU0:R2(config-bgp)#neighbor x.12.4.14
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy route-policy FILTER_64514_ROUTES in
RP/0/0/CPU0:R2(config-bgp)#neighbor x.12.4.16
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy FILTER_64516_ROUTES in
RP/0/0/CPU0:R2(config-bgp-nbr-af)#end