UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).


Overview

Finding ID Version Rule ID IA Controls Severity
V-90887 JUNI-RT-000460 SV-101097r2_rule Low
Description
GTSM is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.
STIG Date
Juniper Router RTR Security Technical Implementation Guide 2020-06-04

Details

Check Text ( C-90151r2_chk )
Verify that a filter has been configured to only allow BGP packets with a TTL of 255 as shown in the example below.

firewall {



filter GTSM_FILTER {
term TTL_SECURITY {
from {
protocol tcp;
ttl-except 255;
port bgp;
}
then {
syslog;
discard;
}
}
term ELSE_ACCEPT {
then accept;
}
}
}

Verify that the filter is applied to all interfaces connecting to eBGP peers.

interfaces {



ge-0/0/0 {
unit 0 {
family inet {
filter {
input-list [INBOUND_FILTER GTSM_FILTER];
}
address x.x.x.x/30;
}
}
}
}

Configure the router to send all BGP packets with a TTL of 255 as shown in the example below.

If the router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.
Fix Text (F-97195r2_fix)
Configure a filter to only accept bgp packets with a TTL of 255 as shown in the example below.

[edit firewall]
set filter GTSM_FILTER term TTL_SECURITY from protocol tcp port bgp ttl-except 255
set filter GTSM_FILTER term TTL_SECURITY then syslog discard
set filter GTSM_FILTER term ELSE_ACCEPT then accept

Apply the firewall filter to the inbound interface for all eBGP single-hop peer as shown in the example below.

[edit interfaces ge-0/0/0 unit 0 family inet]
set filter input-list INBOUND_FILTER
set filter input-list GTSM_FILTER