4.1.3 Ensure EBGP peers are set to use GTSM

Information

GTSM should be used with all EBGP peers.

Rationale:

Where it is deployed, External BGP routing is vital for normal operation of an organization's network infrastructure. Correct route information is required for routers to direct traffic destined for external networks correctly. An attacker may attempt to exhaust a router's CPU and memory resources by flooding it with fake routing updates, resulting in a DoS condition. An attacker may also attempt to inject fake routing information into the route table.

General TTL Security Mechanism (GTSM) is defined in RFC5082 and takes advantage of the fact that routers normally peer with adjacent neighbors, i.e. with routers only 1 hop away. GTSM uses the Time to Live (TTL) field of routing update packets to determine whether or not the packet originated from an adjacent router, denying those which do not.

Juniper routers effectively implement GTSM by default. Administrators can use the multihop command hierarchy to increase the maximum acceptable TTL for route updates, allowing updates from non-adjacent peers. When peering with adjacent routers, multihop should not be configured; the default effectively configures GTSM with a TTL limit of 254 (or 1 hop). If your network requires peering with routers more than 1 hop away (non-adjacent peers), multihop should be configured on a per-peer or per-group basis with the minimum possible value, so as to limit the distance, in terms of networks, from which an attack can be launched.

Solution

If you have deployed multihop in your network but do not have any peers more than 1 hop away, disable multihop with the following command from the [edit protocols bgp], [edit protocols bgp group <group name>] or [edit protocols bgp group <group name> neighbor <neighbor address>] hierarchy, depending on the level at which you have configured multihop:

[edit protocols bgp]
user@host# delete multihop

To change the number of hops from which a route update may originate, enter the following command from the [edit protocols bgp group <group name>] hierarchy to apply multihop to a group, or from [edit protocols bgp group <group name> neighbor <neighbor address>] to apply multihop to a single neighbor:

[edit protocols bgp group <group name>]
user@host# set multihop ttl <number of hops>

Remember that, in both cases, more specific settings override less specific ones. So if multihop is set to 5 at the neighbor level, but the default of 1 at the global level, the neighbor level setting will apply for communications with that peer.
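The inheritance rule above (neighbor overrides group, group overrides global) is what an audit has to reproduce to tell which EBGP peers actually have multihop in effect and at which hierarchy level it should be deleted. The following Python script is an added example, not part of this benchmark or of any Juniper tooling: it parses a constructed Junos configuration in "set" format (the form produced by show configuration | display set), computes the effective multihop setting per external neighbor, and emits the matching delete command. The sample configuration, the group names and the peer addresses are made up for illustration; the assumption that multihop without an explicit ttl means a TTL of 64 is marked in the code.

```python
"""Audit Junos 'set'-format BGP configuration for multihop on EBGP peers.

Added example for the GTSM control; not benchmark or vendor code.
"""
from dataclasses import dataclass

# Constructed sample configuration; names and addresses are illustrative only.
SAMPLE_CONFIG = """
set protocols bgp group ebgp-transit type external
set protocols bgp group ebgp-transit multihop ttl 5
set protocols bgp group ebgp-transit neighbor 192.0.2.1 peer-as 64496
set protocols bgp group ebgp-transit neighbor 192.0.2.2 peer-as 64496
set protocols bgp group ebgp-transit neighbor 192.0.2.2 multihop ttl 2
set protocols bgp group ebgp-direct type external
set protocols bgp group ebgp-direct neighbor 198.51.100.1 peer-as 64497
set protocols bgp group ibgp-core type internal
set protocols bgp group ibgp-core multihop
set protocols bgp group ibgp-core neighbor 10.0.0.2
"""

# Assumption: a bare 'multihop' statement with no 'ttl' uses a TTL of 64.
DEFAULT_MULTIHOP_TTL = 64


@dataclass
class Finding:
    group: str
    neighbor: str
    level: str   # hierarchy level at which multihop took effect
    ttl: int


def _ttl_of(tokens):
    """Return the TTL from '[ttl N]' tokens, or the assumed default."""
    if tokens[:1] == ["ttl"] and len(tokens) >= 2 and tokens[1].isdigit():
        return int(tokens[1])
    return DEFAULT_MULTIHOP_TTL


def parse_bgp_config(text):
    """Return (global_multihop, groups).

    groups maps group name -> {'type', 'multihop', 'neighbors'}, and
    neighbors maps address -> {'type', 'multihop'}. A multihop value of
    None means the statement is absent at that level.
    """
    global_multihop = None
    groups = {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] != ["set", "protocols", "bgp"]:
            continue
        rest = tokens[3:]
        if rest[:1] == ["multihop"]:
            global_multihop = _ttl_of(rest[1:])
        elif rest[:1] == ["group"] and len(rest) >= 2:
            grp = groups.setdefault(
                rest[1], {"type": None, "multihop": None, "neighbors": {}})
            sub = rest[2:]
            if sub[:1] == ["type"] and len(sub) >= 2:
                grp["type"] = sub[1]
            elif sub[:1] == ["multihop"]:
                grp["multihop"] = _ttl_of(sub[1:])
            elif sub[:1] == ["neighbor"] and len(sub) >= 2:
                nb = grp["neighbors"].setdefault(
                    sub[1], {"type": None, "multihop": None})
                nsub = sub[2:]
                if nsub[:1] == ["type"] and len(nsub) >= 2:
                    nb["type"] = nsub[1]
                elif nsub[:1] == ["multihop"]:
                    nb["multihop"] = _ttl_of(nsub[1:])
    return global_multihop, groups


def audit_ebgp_multihop(text):
    """List every external neighbor for which multihop is in effect."""
    global_multihop, groups = parse_bgp_config(text)
    findings = []
    for gname, grp in groups.items():
        for addr, nb in grp["neighbors"].items():
            peer_type = nb["type"] or grp["type"]
            if peer_type != "external":
                continue  # iBGP sessions are outside this control
            # Most specific level wins, mirroring Junos inheritance.
            if nb["multihop"] is not None:
                findings.append(Finding(gname, addr, "neighbor", nb["multihop"]))
            elif grp["multihop"] is not None:
                findings.append(Finding(gname, addr, "group", grp["multihop"]))
            elif global_multihop is not None:
                findings.append(Finding(gname, addr, "global", global_multihop))
    return findings


def remediation(f):
    """Delete command at the hierarchy level where multihop took effect."""
    if f.level == "neighbor":
        return f"delete protocols bgp group {f.group} neighbor {f.neighbor} multihop"
    if f.level == "group":
        return f"delete protocols bgp group {f.group} multihop"
    return "delete protocols bgp multihop"


if __name__ == "__main__":
    for f in audit_ebgp_multihop(SAMPLE_CONFIG):
        print(f"FAIL group={f.group} neighbor={f.neighbor} "
              f"multihop ttl={f.ttl} ({f.level} level) -> {remediation(f)}")
```

Because deleting a neighbor-level multihop statement lets the group or global statement apply instead, the audit should be re-run after each remediation until no external neighbor is reported. Peers that genuinely need multihop should be left with the smallest ttl that reaches them, as the rationale above recommends.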

Default Value:

A TTL of 1 is used by default on eBGP sessions and a default TTL of 64 is used for iBGP.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|11

Plugin: Juniper

Control ID: 0238eaf44b0199a7c68c3d446671d6073324579b94bf873d960aa28208dc3766