STIGQter: STIG Summary: Cisco IOS Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

DISA Rule

SV-216605r531085_rule

Vulnerability Number

V-216605

Group Title

SRG-NET-000362-RTR-000118

Rule Version

CISC-RT-000570

Severity

CAT III

CCI(s)

• CCI-002385 - The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Configure the router to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.

Step 1: Configure a prefix list to reject any prefix that is longer than /24.

R1(config)#ip prefix-list FILTER_PREFIX_LENGTH permit 0.0.0.0/0 ge 8 le 24
R1(config)#ip prefix-list FILTER_PREFIX_LENGTH deny 0.0.0.0/0 le 32


Step 2: Apply the prefix list to all eBGP peers as shown in the example below.

R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in
R1(config-router)#neighbor x.2.1.7 prefix-list FILTER_PREFIX_LENGTH in

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it is compliant with this requirement.

Step 1: Verify that a route filter has been configured to reject prefixes longer than /24, or the least significant prefixes issued to the customers as shown in the example below:

ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32

Step 2: Verify that prefix filtering has been applied to each eBGP peer as shown in the example:

router bgp xx
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 prefix-list FILTER_PREFIX_LENGTH in


If the router is not configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer, this is a finding.

Vulnerability Number

V-216605

Documentable

False

Rule Version

CISC-RT-000570

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it is compliant with this requirement.

Step 1: Verify that a route filter has been configured to reject prefixes longer than /24, or the least significant prefixes issued to the customers as shown in the example below:

ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32

Step 2: Verify that prefix filtering has been applied to each eBGP peer as shown in the example:

router bgp xx
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 prefix-list FILTER_PREFIX_LENGTH in


If the router is not configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer, this is a finding.

Check Content Reference

M

Target Key

4027

Comments