Information
Prefix de-aggregation can degrade router performance by inflating routing tables and can also result in black-holing of legitimate traffic. Whether initiated by an attacker or caused by a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
This requirement is not applicable for the DODIN backbone.
Ensure all eBGP Arista routers are configured to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.
Step 1: Configure the prefix-list.
ip prefix-list ADVERTISE_ROUTES deny 0.0.0.0/0 ge 25
ip prefix-list ADVERTISE_ROUTES permit 0.0.0.0/0 le 32
Step 2: Apply the prefix-list in the BGP process inbound.
LEAF-1A(config)#router bgp 65000
LEAF-1A(config-router-bgp)#neighbor 10.1.12.2 prefix-list ADVERTISE_ROUTES in
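
To check what the two entries from Step 1 accept before applying them, the following added example (not part of the STIG text or Arista's tooling) evaluates routes against the list. It assumes the usual prefix-list semantics: first match wins, ge/le bound the route's mask length, and an implicit deny ends the list. The function names and sample routes are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# The two entries from Step 1, copied from the page.
PREFIX_LIST = """\
ip prefix-list ADVERTISE_ROUTES deny 0.0.0.0/0 ge 25
ip prefix-list ADVERTISE_ROUTES permit 0.0.0.0/0 le 32
"""

class Entry(NamedTuple):
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

def parse_entry(line: str) -> Entry:
    """Parse 'ip prefix-list NAME [seq N] ACTION PREFIX [ge N] [le N]'."""
    tok = line.split()[3:]              # drop 'ip prefix-list NAME'
    if tok[0] == "seq":                 # optional sequence number
        tok = tok[2:]
    opts = dict(zip(tok[2::2], map(int, tok[3::2])))
    return Entry(tok[0], ipaddress.ip_network(tok[1]), opts.get("ge"), opts.get("le"))

def matches(e: Entry, route: ipaddress.IPv4Network) -> bool:
    """Route must fall inside the entry prefix and its length inside [lo, hi]."""
    if e.ge is None and e.le is None:   # no ge/le: exact mask length only
        lo = hi = e.prefix.prefixlen
    else:
        lo = e.ge if e.ge is not None else e.prefix.prefixlen
        hi = e.le if e.le is not None else 32
    return route.subnet_of(e.prefix) and lo <= route.prefixlen <= hi

def evaluate(entries, route: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    net = ipaddress.ip_network(route)
    for e in entries:
        if matches(e, net):
            return e.action
    return "deny"

ENTRIES = [parse_entry(line) for line in PREFIX_LIST.splitlines()]

def deaggregate(aggregate: str, new_len: int):
    """Constructed sample: the more-specifics a de-aggregated prefix turns into."""
    return [str(n) for n in ipaddress.ip_network(aggregate).subnets(new_prefix=new_len)]

if __name__ == "__main__":
    # Constructed routes from documentation ranges, not taken from the page.
    for r in ["0.0.0.0/0", "198.51.100.0/24"] + deaggregate("198.51.100.0/24", 26):
        print(f"{r:20} {evaluate(ENTRIES, r)}")
```

The /24 and anything shorter (including the default route) are permitted, while every /26 produced by splitting the /24 is denied by the first entry.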