Detections
Analytics

3.1.2.2 If Possible, Limit the BGP Routes Accepted from Peers

Information

Once a BGP relationship is established, the BGP process will accept routes from any connected peers and consider those routes to be valid. For this reason, especially in ISP or other carrier situations, it is important that only routes that are valid for any particular peer are accepted for that peer.

 Rationale:

 Impact:

 Without configuring route filtering, any route advertised by any BGP peer is considered valid. For this reason, especially in carrier or ISP situations it is important that route filtering be configured. Without filtering, a misconfigured or compromised peer can easily advertise entire subnets that should be routed elsewhere, either routing them to nul or receiving traffic to the compromised subnet for for interception or modification, then forwarding it on to it's final destination.

 NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

First, define the subnets that will be permitted from the peer PEERNAME (use descriptive, self documenting names in NX-OS constructions where possible). Note that any subnets not listed as permitted are by default denied (there is an implicit 'deny all' at the bottom of the list)

 switch(config)# ip prefix-list PL_PEERNAME_PERMIT_SUBNETS description Permitted Subnets from Peer PEERNAME
 switch(config)# ip prefix-list PL_PEERNAME_PERMIT_SUBNETS permit 10.11.11.0/24
 switch(config)# ip prefix-list PL_PEERNAME_PERMIT_SUBNETS permit 10.11.12.0/24

 In this example above, only 'permits' are defined. Deny lines are also allowed - refusing routes that are not accepted (for instance 'bogon' or 'martian' subnets), and may be more important in some situations, for example if this switch is accepting routes from the public internet. (note that this is not typical deployment scenario for an NX-OS switch)
 Next, create the route-map, will will apply that list:

 switch(config)# route-map RM_BGP_PEERNAME_IN permit 10
 switch(config-route-map)# match ip address prefix-list PL_PEERNAME_PERMIT_SUBNETS

 Finally, within the BGP configuration, apply that route-map to the BGP peer definition. Note that the 'in' keyword denotes inbound (accepted) information.:

 switch(config)# router bgp 65520
 switch(config-router)# router-id 10.10.10.10
 switch(config-router)# address-family ipv4 unicast
 switch(config-router-af)# network 10.10.10.0/24
 switch(config-router-af)# neighbor 10.10.10.11
 switch(config-router-neighbor)# remote-as 65521
 switch(config-router-neighbor)# address-family ipv4 unicast
 switch(config-router-neighbor-af)# route-map RM_BGP_PEERNAME_IN in

 Default Value:

 BGP filtering is not enabled by default. By default, all routes received from defined peers are accepted as valid.

See Also

https://workbench.cisecurity.org/files/3102

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, CSCv7|11.1

Plugin: Cisco

Control ID: 561d9ecfef3b35101ec9a16b04a8ded53974a0d6e4d92e5d85b2c190e8b0a267