STIGQter: STIG Summary: Router Security Requirements Guide Version: 4 Release: 2 Benchmark Date: 23 Apr 2021

The BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.

DISA Rule

SV-207102r604135_rule

Vulnerability Number

V-207102

Group Title

SRG-NET-000018

Rule Version

SRG-NET-000018-RTR-000006

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure all ASBRs to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.

Check Contents

Review the router configuration to verify the router is configured to deny updates received from eBGP peers that do not list their AS number as the first AS in the AS_PATH attribute.

If the router is not configured to reject updates from peers that do not list their AS number as the first AS in the AS_PATH attribute, this is a finding.
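The comparison this check requires, as an added Python example that is not part of the STIG or of any vendor's implementation: it reads the leftmost AS from an AS_PATH attribute value encoded as in RFC 4271 and compares it with the AS configured for the eBGP peer. The function names, the 4-octet AS number default, the choice to reject a path that starts with an AS_SET, and the sample AS numbers (documentation range) are assumptions of this example.

```python
import struct
from typing import Optional

AS_SET, AS_SEQUENCE = 1, 2  # path segment types defined in RFC 4271


def build_as_path(*segments, asn_size=4):
    """Encode (segment_type, [asn, ...]) pairs as an AS_PATH attribute value."""
    fmt = ">I" if asn_size == 4 else ">H"
    out = b""
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)])
        out += b"".join(struct.pack(fmt, a) for a in asns)
    return out


def first_as(as_path: bytes, asn_size: int = 4) -> Optional[int]:
    """Return the leftmost AS of the AS_PATH, or None if there is no usable one."""
    if len(as_path) < 2:
        return None                      # empty or truncated attribute
    seg_type, count = as_path[0], as_path[1]
    if seg_type != AS_SEQUENCE or count == 0:
        return None                      # AS_SET or unknown type: no ordered first AS
    if len(as_path) < 2 + count * asn_size:
        return None                      # segment shorter than its declared length
    return int.from_bytes(as_path[2:2 + asn_size], "big")


def accept_from_ebgp_peer(peer_as: int, as_path: bytes, asn_size: int = 4) -> bool:
    """True only when the peer's own AS is the first AS in the AS_PATH."""
    return first_as(as_path, asn_size) == peer_as


def audit(peer_as, updates):
    """Return [(label, 'accept' | 'reject'), ...] for constructed sample updates."""
    return [(label, "accept" if accept_from_ebgp_peer(peer_as, path) else "reject")
            for label, path in updates]


# Constructed sample data: the peer is AS 64500 (documentation range).
SAMPLE_UPDATES = [
    ("peer AS first", build_as_path((AS_SEQUENCE, [64500, 64501]))),
    ("peer AS not first", build_as_path((AS_SEQUENCE, [64501, 64500]))),
    ("empty AS_PATH", b""),
    ("leading AS_SET", build_as_path((AS_SET, [64500]))),
]

if __name__ == "__main__":
    for label, verdict in audit(64500, SAMPLE_UPDATES):
        print(f"{verdict:7} {label}")
```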

Documentable

False

Check Content Reference

M

Target Key

2917
