4.1.5 Ensure Ingress Filtering is set for EBGP peers

Information

Filter prefixes advertised to the router through eBGP.

Rationale:

In addition to filtering Bogon and Maritan routes JUNOS routers peering with eBGP neighbors should also apply Ingress Filtering to prevent the router processing bad updates sent from the neighbor router, either maliciously or by accident. At a minimum prefix filters should deny any prefix which belong to your own AS. Depending on your type of deployment you may also wish to block prefixes which are more specific than those issues by RIR's or limit ISP customers to advertising those prefixes which you have assigned to them.

Solution

From the [edit policy-options] hierarchy, define a new policy by issuing the following commands:

[edit policy-options]
user@host#edit policy-statement <policy name> term <term name>
[edit policy-options policy-statement <policy name> term <term name>]
user@host# set from route-filter <network>/<mask> <exact | orlonger | prefix-length-range <start>-<end>> reject

Now apply the policy, either globally, to a group or to an individual peer as required by your environment.

[edit protocols bgp <group name>]
user@host#set import <policy name>

Default Value:

No Ingress Filtering is applies by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CSCv7|12

Plugin: Juniper

Control ID: aa563246c4fcbd47ab93ae3e9c78aded1869058328b6b0bc99791746aefa2246