STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).

DISA Rule

SV-217007r531087_rule

Vulnerability Number

V-217007

Group Title

SRG-NET-000362-RTR-000124

Rule Version

CISC-RT-000470

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure TTL security on all external BGP neighbors as shown in the example below, then commit the configuration. GTSM (RFC 5082) works by sending with TTL 255 and discarding BGP packets that arrive with a TTL below the expected value, so a directly connected peer that still sends the default eBGP TTL of 1 will be dropped; enable TTL security on both ends of each session or it will not establish.

RP/0/0/CPU0:R2(config)#router bgp n
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.23.3
RP/0/0/CPU0:R2(config-bgp-nbr)#ttl-security

Check Contents

Review the BGP configuration to verify that TTL security has been configured for each external neighbor as shown in the example below.

router bgp n
address-family ipv4 unicast
!
neighbor x.1.23.3
remote-as n
ttl-security
address-family ipv4 unicast
!
!
!

If the router is not configured to use GTSM for all external BGP (eBGP) peering sessions, this is a finding. Neighbors whose remote-as equals the local AS are iBGP sessions and are outside the scope of this rule; neighbors that inherit settings from a neighbor-group are compliant only if ttl-security is present in the group or on the neighbor itself.
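The check above can be run offline against saved show running-config output. The following Python script is an added example, not part of the STIG or of STIGQter; the configuration it parses is constructed for illustration, and it assumes IOS XR's one-space-per-level indentation. It classifies every neighbor under router bgp as compliant (eBGP with ttl-security), a finding (eBGP without it), or ibgp (out of scope), and resolves settings inherited through use neighbor-group; session-group and af-group inheritance are not resolved, which is a limitation of this example.

```python
"""Offline compliance check for CISC-RT-000470 (GTSM on every eBGP neighbor).

Added example; this is not part of the STIG or of STIGQter. It parses the
'router bgp' block of IOS XR running-config text and reports each neighbor as
compliant, finding (eBGP without ttl-security) or ibgp (out of scope).
Settings inherited through 'use neighbor-group' are resolved; session-groups
and af-groups are not (a limitation of this example, not of IOS XR).
"""
import re

# Constructed sample running-config (not from a real device). Peers:
#   192.0.2.3     eBGP, ttl-security set directly           -> compliant
#   192.0.2.7     eBGP, inherits ttl-security from a group  -> compliant
#   198.51.100.9  eBGP, no ttl-security                     -> finding
#   10.0.0.1      iBGP (remote-as equals the local AS)      -> ibgp
SAMPLE_CONFIG = """\
router bgp 65000
 address-family ipv4 unicast
 !
 neighbor-group EBGP-PEERS
  remote-as 65100
  ttl-security
  address-family ipv4 unicast
  !
 !
 neighbor 192.0.2.3
  remote-as 65001
  ttl-security
  address-family ipv4 unicast
  !
 !
 neighbor 192.0.2.7
  use neighbor-group EBGP-PEERS
 !
 neighbor 198.51.100.9
  remote-as 65002
  address-family ipv4 unicast
  !
 !
 neighbor 10.0.0.1
  remote-as 65000
  address-family ipv4 unicast
  !
 !
!
"""


def parse_bgp(config):
    """Return (local_as, neighbor_groups, neighbors) from IOS XR config text.

    IOS XR indents one space per nesting level and closes blocks with '!',
    so the indent width tells us which block a line belongs to.
    """
    local_as, groups, neighbors, current = None, {}, {}, None
    in_bgp = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            m = re.match(r"router bgp (\S+)", line)
            in_bgp, current = bool(m), None
            if m:
                local_as = m.group(1)
            continue
        if not in_bgp:
            continue
        if indent == 1:
            m = re.match(r"(neighbor|neighbor-group) (\S+)$", line)
            current = None
            if m:
                current = {"remote_as": None, "ttl_security": False, "group": None}
                (neighbors if m.group(1) == "neighbor" else groups)[m.group(2)] = current
            continue
        if current is None or indent != 2:
            continue  # inside address-family or some other nested stanza
        words = line.split()
        if words[0] == "remote-as":
            current["remote_as"] = words[1]
        elif words[0] == "ttl-security":
            current["ttl_security"] = True
        elif words[:2] == ["use", "neighbor-group"]:
            current["group"] = words[2]
    return local_as, groups, neighbors


def audit(config):
    """Map each neighbor address to 'compliant', 'finding', 'ibgp' or 'unknown'."""
    local_as, groups, neighbors = parse_bgp(config)
    result = {}
    for addr, nbr in neighbors.items():
        group = groups.get(nbr["group"], {}) if nbr["group"] else {}
        remote_as = nbr["remote_as"] or group.get("remote_as")
        ttl = nbr["ttl_security"] or group.get("ttl_security", False)
        if remote_as is None:
            result[addr] = "unknown"        # no remote-as resolvable; review by hand
        elif remote_as == local_as:
            result[addr] = "ibgp"           # rule applies to external peers only
        else:
            result[addr] = "compliant" if ttl else "finding"
    return result


if __name__ == "__main__":
    for addr, status in audit(SAMPLE_CONFIG).items():
        print(f"{addr:16} {status}")
```

Feed the script the text of show running-config router bgp from each device under review; any neighbor reported as finding, or as unknown, needs manual review against the rule.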

Vulnerability Number

V-217007

Documentable

False

Rule Version

CISC-RT-000470

Severity Override Guidance

Check Content Reference

M

Target Key

4029

Comments