UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.


Overview

Finding ID Version Rule ID IA Controls Severity
V-78271 SRG-NET-000018-RTR-000004 SV-92977r1_rule Medium
Description
As a best practice, a service provider should only accept customer prefixes that have been assigned to that customer and any peering autonomous systems. A multi-homed customer with BGP speaking routers connected to the Internet or other external networks could be breached and used to launch a prefix de-aggregation attack. Without ingress route filtering of customers, the effectiveness of such an attack could impact the entire IP core and its customers.
STIG Date
Router Security Requirements Guide 2018-01-26

Details

Check Text ( C-77827r1_chk )
Review the router configuration to verify that there are filters defined to only accept routes for prefixes that belong to specific customers.

The prefix filter must be referenced inbound on the appropriate BGP neighbor statement.

If the router is not configured to reject inbound route advertisements from each CE router for prefixes that are not allocated to that customer, this is a finding.

Note: Routes to PE-CE links within a VPN are needed for troubleshooting end-to-end connectivity across the MPLS/IP backbone. Hence, these prefixes are an exception to this requirement.
Fix Text (F-84999r1_fix)
Configure all eBGP routers to reject inbound route advertisements from a CE router for prefixes that are not allocated to that customer.