ARST-RT-000570 - The Arista BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

Information

The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

This requirement is not applicable for the DODIN backbone.

Ensure all eBGP Arista routers are configured to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.

Step 1: Configure the prefix-list.

ip prefix-list ADVERTISE_ROUTES deny 0.0.0.0/0 ge 25
ip prefix-list ADVERTISE_ROUTES permit 0.0.0.0/0 le 32

Step 2: Apply the prefix-list in the BGP process inbound.

LEAF-1A(config)#router bgp 65000
LEAF-1A(config)# neighbor 10.1.12.2 prefix-list ADVERTISE_ROUTES in

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_EOS_4-2x_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|III, CCI|CCI-002385, Rule-ID|SV-256036r882450_rule, STIG-ID|ARST-RT-000570, Vuln-ID|V-256036

Plugin: Arista

Control ID: 6da456ec300b89b218f38705477185eb8d0ab7457b0e4d7fc874a5d2440f60a2