JUNI-RT-000550 - The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer - prefix-length-range

Information

The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.

Solution

Configure the router to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.

Configure a route filter to reject any prefix that is longer than /24.

[edit policy-options]
set policy-statement NO_LONG_PREFIXES from route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject

Apply the policy statement to the BGP customer groups.

[edit protocols bgp group CUST1]
set import NO_LONG_PREFIXES
[edit protocols bgp group CUST2]
set import NO_LONG_PREFIXES

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|III, CCI|CCI-002385, Rule-ID|SV-217061r855901_rule, STIG-ID|JUNI-RT-000550, STIG-Legacy|SV-101115, STIG-Legacy|V-90905, Vuln-ID|V-217061

Plugin: Juniper

Control ID: 84b4cc7574b9679f64327a32c532e2bd00805755fb6c4a7c46652819d229efb1