ARST-RT-000620 - The Arista perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.

Information

Bogons include IP packets on the public internet that contain addresses that are not in any range allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional internet registry (RIR) and allowed for public internet use. Bogons also include multicast, IETF reserved, and special purpose address space as defined in RFC 6890.

Security of the internet's routing system relies on the ability to authenticate an assertion of unique control of an address block. Measures to authenticate such assertions rely on validating that the address block forms part of an existing allocated block and is a trustable and unique reference in the IANA address registries. The only intended use of a Bogon source address is address spoofing in denial-of-service attacks. Hence, it is imperative that IP packets with a source Bogon address are blocked at the network's perimeter.

Solution

This requirement is not applicable for the DODIN backbone.

Configure the Arista router to block inbound packets with Bogon source addresses.

Step 1: Configure the ACL to block the IPv4 Bogon prefixes.

LEAF-1A(config)#ip access-list BOGON_PREFIXES
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 0.0.0.0/8 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 10.0.0.0/8 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 100.64.0.0/10 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 127.0.0.0/8 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 169.254.0.0/16 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 172.16.0.0/12 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 192.0.0.0/24 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 192.0.2.0/24 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 192.88.99.0/24 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 192.168.0.0/16 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 198.18.0.0/15 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 198.51.100.0/24 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 203.0.113.0/24 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 224.0.0.0/4 any
LEAF-1A(config-acl-BOGON_PREFIXES)#deny ip 240.0.0.0/4 any
LEAF-1A(config-acl-BOGON_PREFIXES)#exit

Step 2: Configure the ACL to block the IPv6 Bogon prefixes.

LEAF-1A(config)#ipv6 access-list BOGON_PREFIXES
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 ::/128 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 ::1/128 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 0::/96 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 ::ffff:0:0/96 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 3ffe::/16 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 64:ff9b::/96 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 100::/64 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 2001:10::/28 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 2001:db8::/32 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 2001:2::/48 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 2001::/32 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 2001::/23 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 2002::/16 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 fc00::/7 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 fe80::/10 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 fec0::/10 any
LEAF-1A(config-ipv6-acl-BOGON_PREFIXES)#deny ipv6 ff00::/8 any

Step 3: Apply the IPv4 and IPv6 Bogon access lists to the external interface.

LEAF-1A(config)#interface ethernet 3
LEAF-1A(config-if-Et3)#ip access-group BOGON_PREFIXES in
LEAF-1A(config-if-Et3)#ipv6 access-group BOGON_PREFIXES in
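As an added check that is not part of the STIG text or of Arista's own tooling, the following Python script reproduces the two BOGON_PREFIXES lists above with the standard library, classifies source addresses the way the inbound access-group would, and flags bogon sources in flow records. It also models the implicit deny that ends every EOS ACL, which is why the lists exactly as shown need a trailing permit entry before they can be applied to a production interface. The flow-record format and the sample addresses are constructed.

```python
import ipaddress
# Prefixes copied from the Step 1 (IPv4) and Step 2 (IPv6) ACLs on this page.
IPV4_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]
IPV6_BOGONS = [
    "::/128", "::1/128", "0::/96", "::ffff:0:0/96", "3ffe::/16", "64:ff9b::/96",
    "100::/64", "2001:10::/28", "2001:db8::/32", "2001:2::/48", "2001::/32",
    "2001::/23", "2002::/16", "fc00::/7", "fe80::/10", "fec0::/10", "ff00::/8",
]
# ACL order is kept: EOS evaluates entries top-down and stops at the first match.
BOGONS = [ipaddress.ip_network(p) for p in IPV4_BOGONS + IPV6_BOGONS]

def matching_bogon(src):
    """Return the first ACL prefix (as a string) that contains src, or None."""
    addr = ipaddress.ip_address(src)
    for net in BOGONS:
        if addr.version == net.version and addr in net:
            return str(net)
    return None

def acl_verdict(src, trailing_permit):
    """Simulate the inbound access-group: a matched entry denies; an unmatched
    packet hits the implicit deny that ends every EOS ACL, so the list as shown
    drops all inbound traffic unless a 'permit ip any any' is appended."""
    if matching_bogon(src) is not None:
        return "deny"
    return "permit" if trailing_permit else "deny"

def audit_flows(flow_lines):
    """Flag constructed flow records ('<src> -> <dst> <proto>') whose source is
    a bogon. Only the source is checked, which is what the inbound ACL enforces."""
    findings = []
    for line in flow_lines:
        src = line.split()[0]
        net = matching_bogon(src)
        if net is not None:
            findings.append((src, net))
    return findings

# Constructed sample records: 8.8.8.8 stands in for a public source, the rest are bogons.
SAMPLE_FLOWS = [
    "8.8.8.8 -> 203.0.113.1 udp/53",
    "10.20.30.40 -> 203.0.113.1 tcp/443",
    "::ffff:203.0.113.7 -> 2001:db8::1 tcp/80",
    "fe80::1 -> 2001:db8::1 icmpv6",
]
```

The IPv4-mapped record shows why the `::ffff:0:0/96` entry matters: an IPv6 packet carrying a mapped IPv4 source is caught by the IPv6 list even though the embedded IPv4 address itself is a documentation prefix.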

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_EOS_4-2x_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11), CAT|II, CCI|CCI-002403, Rule-ID|SV-256041r882465_rule, STIG-ID|ARST-RT-000620, Vuln-ID|V-256041

Plugin: Arista

Control ID: 987b4d67579e1f1bc92d0b75c438d125e6b092fdf8f076062e1c801efe194cc8