JUEX-RT-000740 - The Juniper perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.

Information

Bogons are IP address prefixes that have not been allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional Internet registry (RIR) for public internet use, so packets on the public internet that carry such addresses have no legitimate origin. Bogons also include multicast, IETF-reserved, and special-purpose address space as defined in RFC 6890.

Security of the internet's routing system relies on the ability to authenticate an assertion of unique control of an address block. Such authentication depends on validating that the address block is part of an existing allocation with a trustable, unique reference in the IANA address registries. A packet with a Bogon source address cannot have been legitimately originated; in practice the only use for such a source is address spoofing in denial-of-service attacks. It is therefore imperative that IP packets with a Bogon source address be blocked at the network perimeter.

Solution

This requirement is not applicable for the DODIN Backbone.

Configure the router to block inbound packets with Bogon source addresses on every external-facing interface, and review the prefix lists against the current IANA special-purpose address registries whenever allocations change, since a stale list silently stops matching.

Example Bogon prefix lists (note that 224.0.0.0/24 is only the local network control block; no address in the multicast range 224.0.0.0/4 is ever valid as a packet source, so the whole /4 may be listed instead):
set policy-options prefix-list bogon-ipv4 0.0.0.0/8
set policy-options prefix-list bogon-ipv4 10.0.0.0/8
set policy-options prefix-list bogon-ipv4 100.64.0.0/10
set policy-options prefix-list bogon-ipv4 127.0.0.0/8
set policy-options prefix-list bogon-ipv4 169.254.0.0/16
set policy-options prefix-list bogon-ipv4 172.16.0.0/12
set policy-options prefix-list bogon-ipv4 192.0.0.0/24
set policy-options prefix-list bogon-ipv4 192.0.2.0/24
set policy-options prefix-list bogon-ipv4 192.88.99.0/24
set policy-options prefix-list bogon-ipv4 192.168.0.0/16
set policy-options prefix-list bogon-ipv4 198.18.0.0/15
set policy-options prefix-list bogon-ipv4 198.51.100.0/24
set policy-options prefix-list bogon-ipv4 203.0.113.0/24
set policy-options prefix-list bogon-ipv4 224.0.0.0/24
set policy-options prefix-list bogon-ipv4 240.0.0.0/4

set policy-options prefix-list bogon-ipv6 ::/128
set policy-options prefix-list bogon-ipv6 ::1/128
set policy-options prefix-list bogon-ipv6 0::/96
set policy-options prefix-list bogon-ipv6 ::ffff:0:0/96
set policy-options prefix-list bogon-ipv6 3ffe::/16
set policy-options prefix-list bogon-ipv6 64:ff9b::/96
set policy-options prefix-list bogon-ipv6 100::/64
set policy-options prefix-list bogon-ipv6 2001:10::/28
set policy-options prefix-list bogon-ipv6 2001:db8::/32
set policy-options prefix-list bogon-ipv6 2001:2::/48
set policy-options prefix-list bogon-ipv6 2001::/32
set policy-options prefix-list bogon-ipv6 2001::/23
set policy-options prefix-list bogon-ipv6 2002::/16
set policy-options prefix-list bogon-ipv6 fc00::/7
set policy-options prefix-list bogon-ipv6 fec0::/10
set policy-options prefix-list bogon-ipv6 ff00::/8

Example firewall filters (a Junos filter ends with an implicit discard, so the terms that permit legitimate traffic must follow the Bogon term; the log and syslog actions record the discarded packets for review):
set firewall family inet filter inbound-ipv4 term 1 from source-prefix-list bogon-ipv4
set firewall family inet filter inbound-ipv4 term 1 then log
set firewall family inet filter inbound-ipv4 term 1 then syslog
set firewall family inet filter inbound-ipv4 term 1 then discard
set firewall family inet filter inbound-ipv4 term <permitted traffic terms>

set firewall family inet6 filter inbound-ipv6 term 1 from source-prefix-list bogon-ipv6
set firewall family inet6 filter inbound-ipv6 term 1 then log
set firewall family inet6 filter inbound-ipv6 term 1 then syslog
set firewall family inet6 filter inbound-ipv6 term 1 then discard
set firewall family inet6 filter inbound-ipv6 term <permitted traffic terms>

Example application on external interfaces:
set interfaces <interface name> unit <number> family inet filter input inbound-ipv4
set interfaces <interface name> unit <number> family inet address <IPv4 address / mask>

set interfaces <interface name> unit <number> family inet6 filter input inbound-ipv6
set interfaces <interface name> unit <number> family inet6 address <IPv6 address / prefix>
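Added example (not part of the STIG or of Juniper's documentation): a Python script that parses the prefix-list statements above with the standard library's ipaddress module, classifies sample source addresses the way the filter term would, and reports which parts of a reference set of never-valid source prefixes the list leaves uncovered. The reference set is constructed here from the RFC 6890 IPv4 special-purpose registry plus the full multicast block 224.0.0.0/4 (RFC 1112); the sample addresses are constructed for illustration, and the function names are this example's own.

```python
"""Audit a Junos bogon prefix-list: parse it, classify sources, find coverage gaps.

Added example. The set statements are the page's own; the reference set and the
sample addresses are constructed for illustration.
"""
import ipaddress
import re

# Prefix-list statements as they appear in "show configuration | display set".
JUNOS_PREFIX_LISTS = """
set policy-options prefix-list bogon-ipv4 0.0.0.0/8
set policy-options prefix-list bogon-ipv4 10.0.0.0/8
set policy-options prefix-list bogon-ipv4 100.64.0.0/10
set policy-options prefix-list bogon-ipv4 127.0.0.0/8
set policy-options prefix-list bogon-ipv4 169.254.0.0/16
set policy-options prefix-list bogon-ipv4 172.16.0.0/12
set policy-options prefix-list bogon-ipv4 192.0.0.0/24
set policy-options prefix-list bogon-ipv4 192.0.2.0/24
set policy-options prefix-list bogon-ipv4 192.88.99.0/24
set policy-options prefix-list bogon-ipv4 192.168.0.0/16
set policy-options prefix-list bogon-ipv4 198.18.0.0/15
set policy-options prefix-list bogon-ipv4 198.51.100.0/24
set policy-options prefix-list bogon-ipv4 203.0.113.0/24
set policy-options prefix-list bogon-ipv4 224.0.0.0/24
set policy-options prefix-list bogon-ipv4 240.0.0.0/4
set policy-options prefix-list bogon-ipv6 ::/128
set policy-options prefix-list bogon-ipv6 ::1/128
set policy-options prefix-list bogon-ipv6 0::/96
set policy-options prefix-list bogon-ipv6 ::ffff:0:0/96
set policy-options prefix-list bogon-ipv6 3ffe::/16
set policy-options prefix-list bogon-ipv6 64:ff9b::/96
set policy-options prefix-list bogon-ipv6 100::/64
set policy-options prefix-list bogon-ipv6 2001:10::/28
set policy-options prefix-list bogon-ipv6 2001:db8::/32
set policy-options prefix-list bogon-ipv6 2001:2::/48
set policy-options prefix-list bogon-ipv6 2001::/32
set policy-options prefix-list bogon-ipv6 2001::/23
set policy-options prefix-list bogon-ipv6 2002::/16
set policy-options prefix-list bogon-ipv6 fc00::/7
set policy-options prefix-list bogon-ipv6 fec0::/10
set policy-options prefix-list bogon-ipv6 ff00::/8
"""

# Constructed reference: IPv4 prefixes never valid as a public-internet source
# (RFC 6890 special-purpose registry plus the RFC 1112 multicast block).
REFERENCE_IPV4 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "240.0.0.0/4", "255.255.255.255/32", "224.0.0.0/4",
)]

# Constructed sample sources: private, public, multicast inside and outside the
# listed /24, documentation IPv6, public IPv6, IPv4-mapped IPv6.
SAMPLE_SOURCES = ["10.1.2.3", "8.8.8.8", "224.0.0.5", "224.0.1.1",
                  "2001:db8::1", "2001:4860::8888", "::ffff:192.0.2.1"]

SET_RE = re.compile(r"^set policy-options prefix-list (\S+) (\S+)$")


def parse_prefix_lists(config):
    """Return {prefix-list name: [ip_network, ...]} from Junos set statements."""
    lists = {}
    for line in config.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            name, prefix = m.groups()
            lists.setdefault(name, []).append(ipaddress.ip_network(prefix, strict=False))
    return lists


def matching_prefix(addr, networks):
    """Longest listed prefix containing addr, or None if no prefix matches."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in networks if n.version == ip.version and ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def is_bogon(addr, lists):
    """True if addr would match the bogon term and be discarded by the filter."""
    nets = lists.get("bogon-ipv4", []) + lists.get("bogon-ipv6", [])
    return matching_prefix(addr, nets) is not None


def uncovered(reference, networks):
    """Parts of each reference block that no listed prefix covers.
    CIDR blocks either nest or are disjoint, so subset tests suffice."""
    gaps = []
    for ref in reference:
        pieces = [ref]
        for net in networks:
            if net.version != ref.version:
                continue
            remaining = []
            for piece in pieces:
                if piece.subnet_of(net):
                    continue                                       # fully covered
                if net.subnet_of(piece):
                    remaining.extend(piece.address_exclude(net))  # carve it out
                else:
                    remaining.append(piece)                        # disjoint
            pieces = remaining
        gaps.extend(pieces)
    return gaps


def audit(config=JUNOS_PREFIX_LISTS, samples=SAMPLE_SOURCES):
    """Classify the samples and list IPv4 reference space the list misses."""
    lists = parse_prefix_lists(config)
    verdicts = {a: is_bogon(a, lists) for a in samples}
    gaps = [str(g) for g in uncovered(REFERENCE_IPV4, lists["bogon-ipv4"])]
    return verdicts, gaps


if __name__ == "__main__":
    verdicts, gaps = audit()
    for addr, hit in verdicts.items():
        print(f"{addr:<20} {'DISCARD (bogon)' if hit else 'pass'}")
    print("reference space not covered by bogon-ipv4:", ", ".join(gaps))
```

With the page's list, 224.0.1.1 passes the filter although it can never be a legitimate source, and the coverage report shows exactly which multicast sub-blocks the /24 entry leaves open; replacing that entry with 224.0.0.0/4 empties the report.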

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y23M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11), CAT|II, CCI|CCI-002403, Rule-ID|SV-254046r844171_rule, STIG-ID|JUEX-RT-000740, Vuln-ID|V-254046

Plugin: Juniper

Control ID: 8855fc91bd3ddfeadbe0a5ed87acc970637c3925f990a5b645f8c9c3939e2c44