UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The router must use its loopback interface address as the source address for all iBGP peering sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14681 NET0903 SV-15360r2_rule ECSC-1 Low
Description
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability. It is easier to construct appropriate filters for control plane traffic. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the numerous physical interface addresses.
STIG Date
Perimeter Router Security Technical Implementation Guide Juniper 2015-04-06

Details

Check Text ( C-12827r2_chk )
Review the configuration and verify the loopback interface address is used as the source address for all iBGP peering.

Step 1: Verify that a loopback address has been configured with an IP address. The configuration should look similar to the following:


interfaces {
lo0 {
unit 0 {
family inet {
address 10.10.2.1/32;
}
}
}

Note: Only one loopback interface can be configured on Juniper routers; however, multiple addresses can be defined.

Step 2: The vulnerability does not require eBGP peering to use the loopback address. Hence, the BGP router only requires that the loopback address is used to peer with its iBGP neighbors. You should find a configuration similar to the example below:

protocols {
bgp {
group iBGP_111 {
type internal;
local-address 10.10.2.1;
export next-hop-self;
peer-as 111;
neighbor 10.10.2.2;
}
}
}
Fix Text (F-14148r3_fix)
Configure the network device's loopback address as the source address for iBGP peering.