
The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.


Overview

Finding ID: V-254038
Version: JUEX-RT-000660
Rule ID: SV-254038r844147_rule
IA Controls: -
Severity: Low
Description
The effects of prefix deaggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix deaggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.
STIG: Juniper EX Series Switches Router Security Technical Implementation Guide
Date: 2024-06-10

Details

Check Text (C-57490r844145_chk)
This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify that there is a filter to reject inbound route advertisements that are greater than /24, or the least significant prefixes issued to the customer, whichever is larger. Verify each BGP neighbor implements an import policy. BGP import policies are supported in three locations: Global (at [edit protocols bgp]), group (at [edit protocols bgp group ]), and for each neighbor (at [edit protocols bgp group neighbor ]) with the most specific import statement being applied. Multiple policy statements may be necessary to address each customer's requirements.

[edit policy-options]
policy-statement reject-long-prefixes {
    term 1 {
        from {
            route-filter 0.0.0.0/0 prefix-length-range /25-/32;
        }
        then reject;
    }
}
[edit protocols]
bgp {
    group {
        type external;
        import ; << Applied instead of global BGP policy unless a more specific neighbor import filter exists. Excludes all terms in the global filter.
        local-as ;
        neighbor {
            import ; << Most specific import filter. If configured, only this filter applies to this neighbor (all other terms in all other filters ignored).
            authentication-key "$8$aes256-gcm$hmac-sha2-256$100$cFQ99Gy83Og$SCMVXvnfna7/cZqH9fCECQ$bCVokm+es94xFJONmbKFNA$4561Uc/r"; ## SECRET-DATA
        }
        neighbor {
            import ; << Most specific import filter. If configured, only this filter applies to this neighbor (all other terms in all other filters ignored).
            ipsec-sa ;
        }
    }
    import ; << Least specific import filter.
}

If the router is not configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer, this is a finding.
Fix Text (F-57441r844146_fix)
Configure all eBGP routers to use the prefix limit feature to protect against route table flooding and prefix deaggregation attacks.

set policy-options policy-statement term 1 from route-filter 0.0.0.0/0 prefix-length-range /25-/32
set policy-options policy-statement term 1 then reject

set protocols bgp group type external
set protocols bgp group import
set protocols bgp group local-as
set protocols bgp group neighbor import
set protocols bgp group neighbor authentication-key
set protocols bgp group neighbor import
set protocols bgp group neighbor ipsec-sa
set protocols bgp import
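The precedence rule in the check text (a neighbor import overrides a group import, which overrides the global [edit protocols bgp] import) and the set-style commands in the fix text can be audited mechanically. The following Python is an added example, not part of the STIG or of any Juniper tooling: it parses set-format configuration, resolves the effective import policy per neighbor, and reports whether that policy has a reject term whose route-filter catches every prefix longer than the limit. The policy name reject-long-prefixes is from the page; the group names, neighbor addresses and the accept-all policy are constructed.

```python
import re
# Constructed sample in Junos "set" syntax (policy, group and neighbor names are
# assumed, not from a real device): neighbor 192.0.2.1 overrides the group policy.
SAMPLE_CONFIG = """\
set policy-options policy-statement reject-long-prefixes term 1 from route-filter 0.0.0.0/0 prefix-length-range /25-/32
set policy-options policy-statement reject-long-prefixes term 1 then reject
set policy-options policy-statement accept-all term 1 then accept
set protocols bgp group CUST-A import reject-long-prefixes
set protocols bgp group CUST-A neighbor 192.0.2.1 import accept-all
set protocols bgp group CUST-A neighbor 192.0.2.2 peer-as 64500
set protocols bgp group CUST-B neighbor 198.51.100.1 peer-as 64501
set protocols bgp import reject-long-prefixes
"""
RF = re.compile(r"policy-statement (\S+) term (\S+) from route-filter (\S+) prefix-length-range /(\d+)-/(\d+)")
REJ = re.compile(r"policy-statement (\S+) term (\S+) then reject")
IMP = re.compile(r"protocols bgp(?: group (\S+))?(?: neighbor (\S+))? import (\S+)")
NBR = re.compile(r"protocols bgp group (\S+) neighbor (\S+)")

def parse(text):
    """Collect route-filter terms, reject terms, imports keyed by (group, neighbor), and neighbors."""
    filters, rejects, imports, neighbors = {}, set(), {}, set()
    for line in text.splitlines():
        if m := RF.search(line):
            filters.setdefault((m[1], m[2]), []).append((m[3], int(m[4]), int(m[5])))
        if m := REJ.search(line):
            rejects.add((m[1], m[2]))
        if m := IMP.search(line):
            imports[(m[1], m[2])] = m[3]  # (None, None) is the global [edit protocols bgp] import
        if m := NBR.search(line):
            neighbors.add((m[1], m[2]))
    return filters, rejects, imports, neighbors

def effective_import(imports, group, neighbor):
    """Most specific import statement wins: neighbor, then group, then global."""
    for scope in ((group, neighbor), (group, None), (None, None)):
        if scope in imports:
            return imports[scope]
    return None

def rejects_longer_than(filters, rejects, policy, max_len=24):
    """True if a reject term's route-filter 0.0.0.0/0 catches every IPv4 prefix longer than max_len."""
    return any((name, term) in rejects and net == "0.0.0.0/0" and low <= max_len + 1 and high == 32
               for (name, term), entries in filters.items() if name == policy
               for net, low, high in entries)

def audit(text, max_len=24):
    """Map each configured neighbor to whether its effective import policy enforces the limit."""
    filters, rejects, imports, neighbors = parse(text)
    return {nbr: (pol := effective_import(imports, grp, nbr)) is not None
                 and rejects_longer_than(filters, rejects, pol, max_len)
            for grp, nbr in sorted(neighbors)}
```

Passing a different max_len models the "least significant prefix issued to the customer" case; with the sample /25-/32 filter, a /23 limit would correctly be reported as not enforced for every neighbor.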