UCF STIG Viewer Logo

The Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.


Overview

Finding ID Version Rule ID IA Controls Severity
V-216755 CISC-RT-000270 SV-216755r531087_rule Medium
Description
Packets with Bogon IP source addresses should never be allowed to traverse the IP core. Bogon IP networks are RFC1918 addresses or address blocks that have never been assigned by the IANA or have been reserved.
STIG Date
Cisco IOS XR Router RTR Security Technical Implementation Guide 2020-09-23

Details

Check Text ( C-17987r288654_chk )
This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify that an ingress ACL applied to all external interfaces is blocking packets with Bogon source addresses.

Step 1: Verify an ACL has been configured containing the current Bogon prefixes as shown in the example below.

ipv4 access-list EXTERNAL_ACL_INBOUND
10 deny ipv4 0.0.0.0 0.255.255.255 any log-input
20 deny ipv4 10.0.0.0 0.255.255.255 any log-input
30 deny ipv4 100.64.0.0 0.63.255.255 any log-input
40 deny ipv4 127.0.0.0 0.255.255.255 any log-input
50 deny ipv4 169.254.0.0 0.0.255.255 any log-input
60 deny ipv4 172.16.0.0 0.15.255.255 any log-input
70 deny ipv4 192.0.0.0 0.0.0.255 any log-input
80 deny ipv4 192.0.2.0 0.0.0.255 any log-input
90 deny ipv4 192.168.0.0 0.0.255.255 any log-input
100 deny ipv4 198.18.0.0 0.1.255.255 any log-input
110 deny ipv4 198.51.100.0 0.0.0.255 any log-input
120 deny ipv4 203.0.113.0 0.0.0.255 any log-input
130 deny ipv4 224.0.0.0 31.255.255.255 any log-input
140 permit tcp any any established
150 permit tcp host x.12.1.9 host x.12.1.10 eq bgp
160 permit tcp host x.12.1.9 eq bgp host x.12.1.10
170 permit icmp host x.12.1.9 host x.12.1.10 echo
180 permit icmp host x.12.1.9 host x.12.1.10 echo-reply



260 deny ipv4 any any log-input

External Interfaces connected to the NIPRNet or SIPRNet

Review the inbound ACLs on external facing interfaces attached to the NIPRNet or SIPRNet to validate access control lists are configured to block inbound packets with IP sources addresses as documented in RFC5735 and RFC6598.

External Interfaces connected to a commercial ISP or other non-DoD network

Review the inbound ACLs on external facing interfaces validate access control lists are configured to block inbound packets with IP sources addresses as documented in RFC5735 and RFC6598 as well as address space that has been allocated to the RIRs but not assigned by the RIR to an ISP or other enterprise network. The full list of bogons can be found at the following link: www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

Step 2: Verify that the inbound ACL applied to all external interfaces will block all traffic from Bogon source addresses.

interface GigabitEthernet0/0/0/1
ipv4 address x.12.1.10 255.255.255.2
ipv4 access-group EXTERNAL_ACL_INBOUND ingress

If the router is not configured to block inbound packets with source Bogon IP addresses, this is a finding.
Fix Text (F-17985r288655_fix)
This requirement is not applicable for the DODIN Backbone.

Configure the perimeter to block inbound packets with Bogon source addresses.

Step 1: Configure an ACL containing the current Bogon prefixes as shown below.

RP/0/0/CPU0:R2(config)#ipv4 access-list EXTERNAL_ACL_INBOUND
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 0.0.0.0 0.255.255.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 10.0.0.0 0.255.255.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 100.64.0.0 0.63.255.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 127.0.0.0 0.255.255.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 169.254.0.0 0.0.255.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 172.16.0.0 0.15.255.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 192.0.0.0 0.0.0.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 192.0.2.0 0.0.0.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 192.168.0.0 0.0.255.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 198.18.0.0 0.1.255.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 198.51.100.0 0.0.0.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 203.0.113.0 0.0.0.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip 224.0.0.0 31.255.255.255 any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp any any established
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp host x.12.1.9 host x.12.1.10 eq bgp
RP/0/0/CPU0:R2(config-ipv4-acl)#permit tcp host x.12.1.9 eq bgp host x.12.1.10
RP/0/0/CPU0:R2(config-ipv4-acl)#permit icmp host x.12.1.9 host x.12.1.10 echo
RP/0/0/CPU0:R2(config-ipv4-acl)#permit icmp host x.12.1.9 host x.12.1.10 echo-reply



RP/0/0/CPU0:R2(config-ipv4-acl)#deny ip any any log-input
RP/0/0/CPU0:R2(config-ipv4-acl)#end

Step 2: Apply the ACL inbound on all external interfaces.

RP/0/0/CPU0:R3(config)#int g0/0/0/1
RP/0/0/CPU0:R3(config-if)#ipv4 access-group EXTERNAL_ACL_INBOUND in
RP/0/0/CPU0:R3(config-if)#end