CISC-RT-000570 - The Cisco BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer - prefix-set

Information

The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.

Solution

This requirement is not applicable for the DODIN Backbone.

Configure the router to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.

Step 1: Configure a prefix set to not include prefixes are longer than /24.

RP/0/0/CPU0:R2(config)#prefix-set PREFIX_LENGTH
RP/0/0/CPU0:R2(config-pfx)#0.0.0.0/0 ge 8 le 24
RP/0/0/CPU0:R2(config-pfx)#end-set

Step 2: Configure a route policy to only accept prefixes that are /24 or shorter as shown in the example below.

RP/0/0/CPU0:R2(config)#route-policy FILTER_LONG_PREFIXES
RP/0/0/CPU0:R2(config-rpl)#if destination in PREFIX_LENGTH then
RP/0/0/CPU0:R2(config-rpl-if)#pass
RP/0/0/CPU0:R2(config-rpl-if)#else
RP/0/0/CPU0:R2(config-rpl-else)#drop
RP/0/0/CPU0:R2(config-rpl-else)#endif
RP/0/0/CPU0:R2(config-rpl)#end-policy

Step 3: Apply the route policy above inbound with each peering CE router as shown in the example below.

RP/0/0/CPU0:R2(config)#router bgp xx
RP/0/0/CPU0:R2(config-bgp)#neighbor x.12.4.14
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy route-policy FILTER_LONG_PREFIXES in
RP/0/0/CPU0:R2(config-bgp)#neighbor x.12.4.16
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy FILTER_LONG_PREFIXES in
RP/0/0/CPU0:R2(config-bgp-nbr-af)#end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|III, CCI|CCI-002385, Rule-ID|SV-216785r856446_rule, STIG-ID|CISC-RT-000570, STIG-Legacy|SV-105915, STIG-Legacy|V-96777, Vuln-ID|V-216785

Plugin: Cisco

Control ID: 9f3d9f793f8abe278176dbb370cffb2fd668db8697148fd90902de26af30d379