CISC-RT-000510 - The Cisco BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.

Information

As a best practice, a service provider should only accept customer prefixes that have been allocated to that customer and to any autonomous systems peering behind it. A multi-homed customer with BGP-speaking routers connected to the Internet or other external networks could be breached and used to launch a prefix de-aggregation attack. Without ingress route filtering of customers, the effectiveness of such an attack could impact the entire IP core and its customers.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the router to reject inbound route advertisements from each CE router for prefixes that are not allocated to that customer.

Step 1: Configure a prefix set for each customer containing the prefixes allocated to that customer, as shown in the example.

RP/0/0/CPU0:R2(config)#prefix-set CUST1_PREFIX
RP/0/0/CPU0:R2(config-pfx)#x.1.1.0/24 le 32
RP/0/0/CPU0:R2(config-pfx)#end-set
RP/0/0/CPU0:R2(config)#prefix-set CUST2_PREFIX
RP/0/0/CPU0:R2(config-pfx)#x.2.1.0/24 le 32
RP/0/0/CPU0:R2(config-pfx)#end-set

Step 2: Configure a route policy filter for each customer as shown in the example.

RP/0/0/CPU0:R2(config)#route-policy CUST1_PREFIX_FILTER
RP/0/0/CPU0:R2(config-rpl)#if destination in CUST1_PREFIX then
RP/0/0/CPU0:R2(config-rpl-if)#pass
RP/0/0/CPU0:R2(config-rpl-if)#else
RP/0/0/CPU0:R2(config-rpl-else)#drop
RP/0/0/CPU0:R2(config-rpl-else)#endif
RP/0/0/CPU0:R2(config-rpl)#end-policy
RP/0/0/CPU0:R2(config)#route-policy CUST2_PREFIX_FILTER
RP/0/0/CPU0:R2(config-rpl)#if destination in CUST2_PREFIX then
RP/0/0/CPU0:R2(config-rpl-if)#pass
RP/0/0/CPU0:R2(config-rpl-if)#else
RP/0/0/CPU0:R2(config-rpl-else)#drop
RP/0/0/CPU0:R2(config-rpl-else)#endif
RP/0/0/CPU0:R2(config-rpl)#end-policy

Step 3: Apply the route policy to each customer neighbor as shown in the example.

RP/0/0/CPU0:R2(config)#router bgp xx
RP/0/0/CPU0:R2(config-bgp)#neighbor x.12.4.14
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy CUST1_PREFIX_FILTER in
RP/0/0/CPU0:R2(config-bgp)#neighbor x.12.4.16
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy CUST2_PREFIX_FILTER in
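One way to audit the result of Steps 1 to 3 across a whole running configuration, as an added Python example that is not part of the benchmark or Nessus plugin: it parses an IOS XR config (constructed sample below, with invented neighbor addresses, AS number and prefixes) and flags every BGP neighbor whose inbound route-policy is missing or does not restrict advertisements to a defined prefix-set.

```python
import re
# Constructed IOS XR running-config excerpt (sample data, not from the page):
# .14 is filtered as in Steps 1-3, .16 uses a permit-all policy, .18 has none.
SAMPLE_CONFIG = """\
prefix-set CUST1_PREFIX
  198.51.100.0/24 le 32
end-set
route-policy CUST1_PREFIX_FILTER
  if destination in CUST1_PREFIX then
    pass
  else
    drop
  endif
end-policy
route-policy PERMIT_ALL
  pass
end-policy
router bgp 64500
 neighbor 192.0.2.14
  address-family ipv4 unicast
   route-policy CUST1_PREFIX_FILTER in
 neighbor 192.0.2.16
  address-family ipv4 unicast
   route-policy PERMIT_ALL in
 neighbor 192.0.2.18
  address-family ipv4 unicast
"""

# Exact pass/else-drop shape from Step 2; equivalent forms would need more cases.
FILTER_RE = re.compile(r"if destination in (\S+) then\s+pass\s+else\s+drop\s+endif")
def parse_blocks(config, start, end):
    """Return {name: body} for every top-level 'START NAME ... END' block."""
    pattern = re.compile(rf"^{start} (\S+)\n(.*?)^{end}$", re.M | re.S)
    return {m.group(1): m.group(2) for m in pattern.finditer(config)}

def is_prefix_filter(body, prefix_sets):
    """True if the policy passes only 'destination in <existing prefix-set>'."""
    m = FILTER_RE.search(body)
    return bool(m) and m.group(1) in prefix_sets

def audit_ce_filters(config):
    """Map each BGP neighbor to 'ok' or a finding about its inbound filter."""
    prefix_sets = parse_blocks(config, "prefix-set", "end-set")
    policies = parse_blocks(config, "route-policy", "end-policy")
    findings, neighbor = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["neighbor"]:  # new neighbor: non-compliant until a filter is seen
            neighbor = tok[1]
            findings[neighbor] = "no inbound route-policy"
        elif neighbor and tok[:1] == ["route-policy"] and tok[-1] == "in":
            ok = tok[1] in policies and is_prefix_filter(policies[tok[1]], prefix_sets)
            findings[neighbor] = "ok" if ok else f"policy {tok[1]} does not restrict to a prefix-set"
    return findings
```

Run `audit_ce_filters(open("running-config").read())` against a saved `show running-config` to get a per-neighbor finding; only neighbors reported as "ok" satisfy the requirement.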

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|II, CCI|CCI-001368, Rule-ID|SV-216779r531087_rule, STIG-ID|CISC-RT-000510, STIG-Legacy|SV-105903, STIG-Legacy|V-96765, Vuln-ID|V-216779

Plugin: Cisco

Control ID: f71401aa97fc2b8dd2ffb4da2af602f36f316b9d709926ed7aacc856cbf85f96