
IGP instances configured on the OOBM gateway router do not peer only with their appropriate routing domain


Overview

Finding ID: V-17815
Version: NET0985
Rule ID: SV-19298r1_rule
IA Controls: none listed
Severity: Medium
Description
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. Since the managed network and the management network are separate routing domains, separate IGP routing instances must be configured on the router—one for the managed network and one for the OOBM network.
STIG: Infrastructure Router - Juniper Security Technical Implementation Guide
Date: 2017-09-28

Details

Check Text (C-20143r1_chk)
Verify that the OOBM interfaces are adjacencies only in the IGP routing domain for the management network, and that the production interfaces are adjacencies only in the IGP for the managed network. The following is an example where RIP is run on the management network 10.0.0.0 and OSPF in the managed network 172.20.0.0. The network 10.1.20.0/24 is the OOBM backbone and 10.1.1.0/24 is the local management LAN connecting to the OOBM interfaces of the managed network elements (i.e., the private and service networks). In the example, the only RIP neighbor is the backbone link t3-3/0/3.0, and the OSPF area contains only the two production interfaces and the loopback; neither fe-0/0/2.0 nor t3-3/0/3.0 appears under OSPF.
interfaces {
    fe-0/0/0 {
        description "link to our Private Net";
        unit 0 {
            family inet {
                address 172.20.4.2/24;
            }
        }
    }
    fe-0/0/1 {
        description "link to our Service Net";
        unit 0 {
            family inet {
                address 172.20.5.2/24;
            }
        }
    }
    fe-0/0/2 {
        description "Enclave Management LAN";
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    t3-3/0/3 {
        description "link to OOBM Backbone";
        unit 0 {
            family inet {
                address 10.1.20.3/24;
            }
        }
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface fe-0/0/0.0;
            interface fe-0/0/1.0;
            interface lo0.0;
        }
    }
    rip {
        group rip-neighbor {
            neighbor t3-3/0/3.0;
            export [ rip-advertisements direct-management-LAN ];
        }
    }
}
policy-options {
    policy-statement rip-advertisements {
        from protocol rip;
        then accept;
    }
    policy-statement direct-management-LAN {
        from {
            protocol direct;
            interface [ lo0.0 t3-3/0/3.0 fe-0/0/2.0 ];
        }
        then accept;
    }
}

Note: When RIP is enabled, the default Junos behavior is to accept all learned RIP routes but to export no routes to RIP neighbors. For RIP to send routing information to its neighbors, a routing policy must be configured and applied as the export policy of the RIP group. In the example above, the OOBM gateway router forms a RIP neighbor adjacency only with its upstream OOB backbone router on t3-3/0/3.0. The rip-advertisements policy re-advertises routes learned from RIP, and the direct-management-LAN policy, when applied to the same export, advertises into the RIP domain the directly connected local management LAN prefix (10.1.1.0/24) and the loopback address, which also belongs to the management network. Neither policy matches OSPF-learned routes, so the production prefixes are not exported into the management routing domain; likewise, OSPF by default advertises only the routes of its own interfaces, so RIP-learned management routes do not enter the managed network unless an export policy under OSPF deliberately redistributes them.
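The following script is an added example of how to perform the check above offline; it is not part of the STIG and not a Juniper tool. It walks a Junos configuration in curly-brace format, attributes each interface or neighbor statement to the IGP block enclosing it, and reports any interface that appears in more than one IGP or that sits on the wrong side of the OOBM boundary. The protocols stanza is the STIG's own example reproduced as constructed input; the set of OOBM interfaces and the name of the management-network IGP are assumptions that must be set for the router under review, and the IS-IS handling goes beyond the RIP/OSPF case the page shows.

```python
"""Offline check for NET0985 against a Junos configuration in curly-brace format.

Each logical interface must run under exactly one IGP, and the OOBM interfaces
(backbone link and management LAN) must be adjacencies only in the IGP that
serves the management network.  The parser tracks brace nesting so that an
"interface"/"neighbor" statement is attributed to the protocol block above it.
"""
import re

# Constructed sample: the protocols stanza of the STIG's example router.
COMPLIANT_CONFIG = """
protocols {
    ospf {
        area 0.0.0.0 {
            interface fe-0/0/0.0;
            interface fe-0/0/1.0;
            interface lo0.0;
        }
    }
    rip {
        group rip-neighbor {
            neighbor t3-3/0/3.0;
            export [ rip-advertisements direct-management-LAN ];
        }
    }
}
"""

# Constructed non-compliant variant: the management LAN has been added to the
# OSPF area and a production link has become a RIP neighbor.
NONCOMPLIANT_CONFIG = COMPLIANT_CONFIG.replace(
    "interface lo0.0;", "interface lo0.0;\n            interface fe-0/0/2.0;"
).replace(
    "neighbor t3-3/0/3.0;", "neighbor t3-3/0/3.0;\n            neighbor fe-0/0/0.0;"
)

# Assumed for this site: the interfaces that belong to the OOBM network and the
# IGP that serves it (the STIG example runs RIP on the management network).
OOBM_INTERFACES = {"t3-3/0/3.0", "fe-0/0/2.0"}
MGMT_IGP = "rip"

IGPS = ("ospf", "rip", "isis")
# Matches "interface X;" / "neighbor X;" and the block form "interface X {".
_ADJ = re.compile(r"^(?:interface|neighbor)\s+(\S+?);?$")


def parse_igp_interfaces(config):
    """Return {igp: set of logical interfaces} for every IGP found under 'protocols'."""
    found = {igp: set() for igp in IGPS}
    stack = []  # enclosing block names, e.g. ['protocols', 'ospf', 'area 0.0.0.0']
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):
            continue
        opens = line.endswith("{")
        if opens:
            line = line[:-1].strip()
        elif line == "}":
            if stack:
                stack.pop()
            continue
        # Only statements nested under protocols/<igp> are adjacencies of that IGP.
        if len(stack) >= 2 and stack[0] == "protocols" and stack[1] in found:
            m = _ADJ.match(line)
            if m:
                found[stack[1]].add(m.group(1))
        if opens:
            stack.append(line)
    return found


def audit(config, mgmt_igp=MGMT_IGP, oobm_interfaces=OOBM_INTERFACES):
    """Return a list of findings; an empty list means the check passes."""
    igp = parse_igp_interfaces(config)
    names = sorted(igp)
    findings = []
    # 1. One interface in two IGPs joins the two routing domains.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for iface in sorted(igp[a] & igp[b]):
                findings.append(f"{iface} runs both {a} and {b}")
    # 2. OOBM interfaces must not be adjacencies in a production IGP.
    for proto in names:
        if proto != mgmt_igp:
            for iface in sorted(igp[proto] & oobm_interfaces):
                findings.append(
                    f"OOBM interface {iface} is an adjacency in {proto}, not {mgmt_igp}")
    # 3. Production interfaces must not be adjacencies in the management IGP.
    for iface in sorted(igp.get(mgmt_igp, set()) - oobm_interfaces):
        findings.append(
            f"production interface {iface} is an adjacency in management IGP {mgmt_igp}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("non-compliant", NONCOMPLIANT_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

To run it against a real device, paste the output of "show configuration protocols" into the config string; the parser ignores comments and annotations but does not follow "apply-groups", so expand groups first with "show configuration protocols | display inheritance".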
Fix Text (F-17730r1_fix)
Ensure that the multiple IGP instances configured on the OOBM gateway router peer only with their appropriate routing domain. Verify that all interfaces are configured under the appropriate IGP instance: OOBM interfaces under the management-network IGP only, and production interfaces under the managed-network IGP only.