The HP FlexFabric Switch must ensure all Exterior Border Gateway Protocol (eBGP) HP FlexFabric Switches are configured to use Generalized TTL Security Mechanism (GTSM).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-66133	HFFS-RT-000023	SV-80623r1_rule		Medium

Description
As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all eBGP speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the eBGP peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.

Description

As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all eBGP speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the eBGP peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.

STIG	Date
HP FlexFabric Switch RTR Security Technical Implementation Guide	2016-02-26

Details

Check Text ( C-66779r1_chk )
Review the HP FlexFabric Switch configuration. If the HP FlexFabric Switch is not configured to use GTSM for all eBGP peering sessions, this is a finding. [HP] display current-configuration # bgp 2000 graceful-restart peer 10.10.10.1 as-number 2000 peer 10.10.10.1 ttl-security hops 254 peer 201.6.1.193 as-number 1473 peer 201.6.1.193 route-update-interval 0 peer 201.6.1.193 password cipher $c$3$6jyBDW1nVs/F0410R54zhmhD1HYhs5I= peer 2115:B:1::C1 as-number 1473 peer 2115:B:1::C1 route-update-interval 0

Check Text ( C-66779r1_chk )

Review the HP FlexFabric Switch configuration.

If the HP FlexFabric Switch is not configured to use GTSM for all eBGP peering sessions, this is a finding.

[HP] display current-configuration
#
bgp 2000
graceful-restart
peer 10.10.10.1 as-number 2000
peer 10.10.10.1 ttl-security hops 254
peer 201.6.1.193 as-number 1473
peer 201.6.1.193 route-update-interval 0
peer 201.6.1.193 password cipher $c$3$6jyBDW1nVs/F0410R54zhmhD1HYhs5I=
peer 2115:B:1::C1 as-number 1473
peer 2115:B:1::C1 route-update-interval 0

Fix Text (F-72209r1_fix)
Configure all eBGP peering sessions to use GTSM. [HP] bgp 2000 [HP-bgp] peer 192.178.19.1 as-number 2100 [HP-bgp] peer 192.178.19.1 ttl-security hops 254