
The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.


Overview

Finding ID: V-217057
Version: JUNI-RT-000520
Rule ID: SV-217057r639663_rule
IA Controls: (none listed)
Severity: Medium
Description
Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a non-optimized path.
STIG: Juniper Router RTR Security Technical Implementation Guide
Date: 2021-02-11

Details

Check Text (C-18286r297039_chk)
Review the router configuration to verify that there is a filter defined to block route advertisements for prefixes that belong to the IP core.

Verify a prefix list has been configured containing prefixes belonging to the local autonomous system as shown in the example below.

policy-options {
    prefix-list CORE_PREFIX {
        x.x.x.x/16;
    }
}

Verify that a policy has been configured to reject (not advertise) prefixes belonging to the core, as shown in the example below.

policy-options {
    policy-statement BGP_ADVERTISE_POLICY {
        term EXCLUDE_CORE {
            from {
                prefix-list CORE_PREFIX;
            }
            then reject;
        }
        term INCLUDE_OTHER {
            then accept;
        }
    }
}

Verify that the export statement on the external BGP group references the advertise policy, as shown below.

protocols {
    bgp {
        group AS4 {
            type external;
            export BGP_ADVERTISE_POLICY;
            peer-as 4;
            neighbor x.x.x.x;
        }
    }
}

If the router is not configured to reject outbound route advertisements that belong to the IP core, this is a finding.
Fix Text (F-18284r297040_fix)
Configure the router to filter outbound route advertisements belonging to the IP core.

Configure a prefix list containing prefixes belonging to the IP core.

[edit policy-options]
set prefix-list CORE_PREFIX x.x.x.x/16

Configure a policy-statement to filter BGP route advertisements that will exclude core prefixes.

[edit policy-options]
set policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE from prefix-list CORE_PREFIX
set policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE then reject
set policy-statement BGP_ADVERTISE_POLICY term INCLUDE_OTHER then accept

Configure an export statement referencing the advertise policy on all external BGP peer groups as shown in the example below.

[edit protocols bgp group GROUP_AS4]
set export BGP_ADVERTISE_POLICY
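As an added example (not part of the STIG text or Juniper's own tooling), the following Python script evaluates the three conditions from the check text, the prefix list, a policy-statement term that rejects it, and an export of that policy on every external BGP group, against a Junos configuration exported in set format (`show configuration | display set`). The configuration text, the group names AS65000 and IBGP, and the addresses are constructed sample data; the function names are this example's own. The script also honours the Junos inheritance rule that a group-level export overrides a global `protocols bgp export`, so a router that applies the policy globally is not flagged.

```python
"""Compliance check for JUNI-RT-000520 (V-217057): reject outbound BGP
advertisements of IP core prefixes. Input is Junos 'set'-format config."""
from collections import defaultdict

# Constructed sample configuration (not from any real router): group AS4 is
# compliant, group AS65000 is an eBGP group with no export policy, and IBGP
# is internal and therefore out of scope for this rule.
SAMPLE_CONFIG = """
set policy-options prefix-list CORE_PREFIX 10.0.0.0/16
set policy-options policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE from prefix-list CORE_PREFIX
set policy-options policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE then reject
set policy-options policy-statement BGP_ADVERTISE_POLICY term INCLUDE_OTHER then accept
set protocols bgp group AS4 type external
set protocols bgp group AS4 export BGP_ADVERTISE_POLICY
set protocols bgp group AS4 peer-as 4
set protocols bgp group AS4 neighbor 192.0.2.1
set protocols bgp group AS65000 type external
set protocols bgp group AS65000 peer-as 65000
set protocols bgp group AS65000 neighbor 192.0.2.9
set protocols bgp group IBGP type internal
set protocols bgp group IBGP neighbor 10.0.1.1
"""


def parse_set_config(text):
    """Split 'set ...' lines into token lists; skip blanks, comments and
    anything that is not a set statement (e.g. 'deactivate')."""
    stmts = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "set" and not line.lstrip().startswith("#"):
            stmts.append(tokens[1:])
    return stmts


def core_prefix_lists(stmts):
    """Return {prefix-list name: set of prefixes} defined under policy-options."""
    lists = defaultdict(set)
    for t in stmts:
        if t[:2] == ["policy-options", "prefix-list"] and len(t) >= 4:
            lists[t[2]].add(t[3])
    return dict(lists)


def rejecting_policies(stmts, list_name):
    """Names of policy-statements with a term that matches
    'from prefix-list <list_name>' and has the action 'then reject'."""
    terms = defaultdict(lambda: {"from": set(), "then": set()})
    for t in stmts:
        # policy-options policy-statement <policy> term <term> from|then ...
        if t[:2] == ["policy-options", "policy-statement"] and len(t) >= 7 and t[3] == "term":
            key = (t[2], t[4])
            if t[5] == "from" and len(t) >= 8 and t[6] == "prefix-list":
                terms[key]["from"].add(t[7])
            elif t[5] == "then":
                terms[key]["then"].add(t[6])
    return {policy for (policy, _), v in terms.items()
            if list_name in v["from"] and "reject" in v["then"]}


def bgp_exports(stmts):
    """Return (global export policies, {external group: its export policies}).
    Group-level exports override the global 'protocols bgp export' in Junos."""
    global_exports = set()
    group_type, group_exports = {}, defaultdict(set)
    for t in stmts:
        if t[:2] != ["protocols", "bgp"]:
            continue
        if t[2:3] == ["export"] and len(t) >= 4:
            global_exports.add(t[3])
        elif t[2:3] == ["group"] and len(t) >= 6:
            if t[4] == "type":
                group_type[t[3]] = t[5]
            elif t[4] == "export":
                group_exports[t[3]].add(t[5])
    external = {g: group_exports.get(g, set())
                for g, ty in group_type.items() if ty == "external"}
    return global_exports, external


def check_core_advertisement_filter(config_text, list_name="CORE_PREFIX"):
    """Return a list of finding strings; an empty list means compliant."""
    stmts = parse_set_config(config_text)
    if list_name not in core_prefix_lists(stmts):
        return [f"prefix-list {list_name} is not defined"]
    policies = rejecting_policies(stmts, list_name)
    if not policies:
        return [f"no policy-statement rejects routes matching prefix-list {list_name}"]
    global_exports, external = bgp_exports(stmts)
    findings = []
    for group, exports in sorted(external.items()):
        effective = exports if exports else global_exports  # Junos inheritance
        if not effective & policies:
            findings.append(f"eBGP group {group} does not export a policy rejecting {list_name}")
    return findings


if __name__ == "__main__":
    for finding in check_core_advertisement_filter(SAMPLE_CONFIG) or ["compliant"]:
        print(finding)
```

Run against the sample, the script reports only group AS65000; adding `set protocols bgp group AS65000 export BGP_ADVERTISE_POLICY` (or a global `set protocols bgp export BGP_ADVERTISE_POLICY`) clears the finding. The check is deliberately structural: it confirms the reject term exists and is referenced, not that the prefix list actually covers every core prefix, which still needs comparison with the IP core addressing plan.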