UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).


Overview

Finding ID Version Rule ID IA Controls Severity
V-217054 JUNI-RT-000490 SV-217054r604135_rule Medium
Description
Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a non-optimized path.
STIG Date
Juniper Router RTR Security Technical Implementation Guide 2024-06-12

Details

Check Text ( C-18283r297030_chk )
Review the router configuration to verify that it will reject routes belonging to the local AS.

Verify a prefix list has been configured containing prefixes belonging to the local autonomous system as shown in the example below.

policy-options {



prefix-list OUR_PREFIXES {
x.x.x.x/16;
}

Verify that a policy has been configured to reject the local prefixes.

policy-options {



policy-statement FILTER_ROUTES {
term REJECT_BOGONS {
from {
prefix-list BOGON_PREFIXES;
}
then reject;
}
term REJECT_OUR_PREFIXES {
from {
prefix-list OUR_PREFIXES;
}
then reject;
}
term ACCEPT_OTHER {
then accept;
}
}
}

Verify that the configured policy to filter local prefixes has been applied to external BGP peers as shown in the example below.

protocols {
bgp {
group GROUP_AS4 {
type external;
import FILTER_ROUTES;
peer-as 4;
neighbor x.x.x.x;
}
}

If the router is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.
Fix Text (F-18281r297031_fix)
Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS.

Configure a prefix list containing prefixes belonging to the local autonomous system.

[edit policy-options]
set prefix-list OUR_PREFIXES x.x.x.x/16

Configure a policy-statement to reject prefixes belonging to the local autonomous system. This can be done by adding a term to the existing policy to filter Bogons as shown in the example below.

[edit policy-options policy-statement FILTER_ROUTES]
set term REJECT_OUR_PREFIXES from prefix-list OUR_PREFIXES
set term REJECT_OUR_PREFIXES then reject
insert term REJECT_OUR_PREFIXES before term ACCEPT_OTHER

Note: There is no need change the BGP configuration assuming the import statement is already configured for all external neighbors.