Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-217057 | JUNI-RT-000520 | SV-217057r639663_rule | Medium |
Description |
---|
Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path. |
STIG | Date |
---|---|
Juniper Router RTR Security Technical Implementation Guide | 2021-02-11 |
Check Text ( C-18286r297039_chk ) |
---|
Review the router configuration to verify that there is a filter defined to block route advertisements for prefixes that belong to the IP core. Verify a prefix list has been configured containing prefixes belonging to the local autonomous system as shown in the example below. policy-options { … … … prefix-list CORE_PREFIX { x.x.x.x/16; } Verify that a policy has been configured to not advertise prefixes belong to the core as shown in the example below. policy-options { … … … policy-statement BGP_ADVERTISE_POLICY { term EXCLUDE_CORE { from { prefix-list CORE_PREFIX; } then reject; } term INCLUDE_OTHER { then accept; } } Verify that the export statement as shown below references the advertise policy. protocols { bgp { group AS4 { type external; export BGP_ADVERTISE_POLICY; peer-as 4; neighbor x.x.x.x; } If the router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding. |
Fix Text (F-18284r297040_fix) |
---|
Configure the router to filter outbound route advertisements belonging to the IP core. Configure a prefix list containing prefixes belonging to the IP core. [edit policy-options] set prefix-list CORE_PREFIX x.x.x.x/16 Configure a policy-statement to filter BGP route advertisements that will exclude core prefixes. [edit policy-options] set policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE from prefix-list CORE_PREFIX set policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE then reject set policy-statement BGP_ADVERTISE_POLICY term INCLUDE_OTHER then accept Configure an export statement referencing the advertise policy on all external BGP peer groups as shown in the example below. [edit protocols bgp group GROUP_AS4] set export BGP_ADVERTISE_POLICY |