3.1.2.1 Control Plane ACL for BGP Peering Sessions

Information

Utilizing the control-plane ACL functionality to limit BGP communication to configured BGP peers.

Control Plane ACLs (CP-ACLs) are essential for securing BGP peering sessions by restricting unauthorized access to the control plane. They prevent threats such as spoofed packets, unauthorized session attempts, and malicious traffic, ensuring that only legitimate BGP traffic is processed. This protects the stability of the routing infrastructure and reduces its exposure to attack.

Solution

Devices running BGP listen for connections on TCP port 179. When establishing a BGP peer session, one device actively establishes a relationship with the other peer by sending the first TCP SYN packet. This device is at the outgoing side of the connection. The other peer, hearing the TCP SYN, responds with a SYN/ACK at the incoming side of the connection. As each peer can assume either role, ACL entries need to be configured for BGP in both directions.

A sample Control Plane ACL is shown below. These entries permit traffic from 10.20.0.10 so that it can establish a BGP peering session with the device. Either side could play the outgoing or incoming role in the BGP connection, so the ACL requires two entries per peer. After allowing traffic from all configured peers, block all other devices from establishing a BGP peering session by denying all other traffic to or from TCP port 179.

switch(config)# access-list ip <CONTROLPLANE-ACL-NAME>
switch(config-acl-ip)# 800 comment LOCKDOWN BGP SESSIONS
switch(config-acl-ip)# 805 permit tcp <10.20.0.10> gt 1023 any eq 179
switch(config-acl-ip)# 810 permit tcp <10.20.0.10> eq 179 any gt 1023
switch(config-acl-ip)# 815 deny tcp any gt 1023 any eq 179
switch(config-acl-ip)# 820 deny tcp any eq 179 any gt 1023
switch(config-acl-ip)# 990 comment ALLOW ANYTHING ELSE
switch(config-acl-ip)# 1000 permit any any any
switch(config-acl-ip)# exit
switch(config)# apply access-list {ip|ipv6} <CONTROLPLANE-ACL-NAME> control-plane vrf <VRF-NAME>
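The following Python model is an added example, not part of the benchmark or any vendor tool. It generates the lockdown entries above for a list of peers (the angle-bracket placeholder is replaced by a plain address) and evaluates constructed sample flows against them with a simplified first-match matcher, to show why each peer needs two entries (one per connection direction) and how the two deny lines stop every other host from reaching, or pretending to be, TCP port 179. The local address 10.20.0.1 and the unknown host 10.20.0.99 are made-up sample values, and the matcher is a teaching model rather than the switch's ACL engine.

```python
"""Added example: model the BGP control-plane ACL and evaluate sample flows.
Not the benchmark's or the vendor's code; the matcher is a simplified model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

BGP_PORT = 179
PortSpec = Optional[Tuple[str, int]]  # ("gt", 1023) etc.; None matches any port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str            # "permit", "deny" or "comment"
    proto: str = "any"     # "tcp" or "any"
    src: str = "any"       # "any" or an address/prefix
    src_port: PortSpec = None
    dst: str = "any"
    dst_port: PortSpec = None


def _parse_port(tokens, i):
    """Consume an optional 'eq|gt|lt N' port operator starting at token i."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        return (tokens[i], int(tokens[i + 1])), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    """Parse one entry such as '805 permit tcp 10.20.0.10 gt 1023 any eq 179'."""
    t = line.split()
    seq, action = int(t[0]), t[1]
    if action == "comment":
        return Entry(seq, "comment")
    src_port, i = _parse_port(t, 4)        # i now points at the destination token
    dst_port, _ = _parse_port(t, i + 1)
    return Entry(seq, action, t[2], t[3], src_port, t[i], dst_port)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_match(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def evaluate(acl, flow: Flow):
    """First-match evaluation; returns (action, seq). Unmatched traffic is denied."""
    for e in acl:
        if e.action == "comment" or e.proto not in ("any", flow.proto):
            continue
        if (_addr_match(e.src, flow.src) and _port_match(e.src_port, flow.sport)
                and _addr_match(e.dst, flow.dst) and _port_match(e.dst_port, flow.dport)):
            return e.action, e.seq
    return "deny", None


def build_bgp_lockdown_acl(peers, start=805, step=5):
    """Emit the lockdown block from the recommendation for every configured peer.
    Sequence numbers must stay below the 990 comment and 1000 catch-all, so the
    number of peers is bounded; fail loudly instead of overrunning the catch-all."""
    lines = ["800 comment LOCKDOWN BGP SESSIONS"]
    seq = start
    for p in peers:
        # Peer initiates: its ephemeral port -> our TCP 179 (we are the incoming side).
        lines.append(f"{seq} permit tcp {p} gt 1023 any eq {BGP_PORT}")
        seq += step
        # We initiate: peer answers from TCP 179 -> our ephemeral port (outgoing side).
        lines.append(f"{seq} permit tcp {p} eq {BGP_PORT} any gt 1023")
        seq += step
    if seq + step >= 990:
        raise ValueError("too many peers for the 805-989 sequence range")
    lines.append(f"{seq} deny tcp any gt 1023 any eq {BGP_PORT}")
    lines.append(f"{seq + step} deny tcp any eq {BGP_PORT} any gt 1023")
    lines += ["990 comment ALLOW ANYTHING ELSE", "1000 permit any any any"]
    return lines


def bgp_session_outcomes(acl_lines, local="10.20.0.1"):
    """Evaluate constructed sample flows (all addresses made up) -> {name: action}."""
    acl = [parse_entry(line) for line in acl_lines]
    flows = {
        "peer_initiates_syn":    Flow("tcp", "10.20.0.10", 40001, local, BGP_PORT),
        "peer_replies_synack":   Flow("tcp", "10.20.0.10", BGP_PORT, local, 40002),
        "unknown_host_syn":      Flow("tcp", "10.20.0.99", 40003, local, BGP_PORT),
        "unknown_host_reply":    Flow("tcp", "10.20.0.99", BGP_PORT, local, 40004),
        "ssh_from_unknown_host": Flow("tcp", "10.20.0.99", 40005, local, 22),
    }
    return {name: evaluate(acl, f)[0] for name, f in flows.items()}


if __name__ == "__main__":
    acl_lines = build_bgp_lockdown_acl(["10.20.0.10"])
    print("\n".join(acl_lines))
    for name, action in bgp_session_outcomes(acl_lines).items():
        print(f"{name:22} -> {action}")
```

Running it with the single peer from the recommendation reproduces entries 805 through 820 exactly. The peer's SYN is permitted by 805 and its SYN/ACK (source port 179) by 810, which is why removing either entry would break one of the two session directions; the unknown host is denied by 815 or 820 in both directions. Its SSH attempt is still permitted by the 1000 catch-all, a reminder that this block locks down BGP only and that other control-plane services need their own entries earlier in the same ACL.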

Impact:

Implementing CP-ACLs enhances network security and stability by safeguarding the control plane from attacks such as DDoS or unauthorized BGP manipulation. This ensures secure and reliable routing updates, reduces disruptions, and strengthens the overall resilience and trustworthiness of the routing infrastructure.

See Also

https://workbench.cisecurity.org/benchmarks/24202