AMLS-L3-000260 - Arista MLS must ensure all eBGP routers are configured to use GTSM or are configured to meet RFC3682.

Information

As described in RFC 3682, Generalized TTL Security Mechanism (GTSM) is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.

Solution

Configure all Exterior Border Gateway Protocol peering sessions to use Generalized TTL Security Mechanism (GTSM) or an equivalent configuration as per RFC3682.

For adjacent EBGP neighbors, under the router configuration section, enter:

config
router bgp [AS number]
neighbor [address] ebgp-multihop 255
exit
ip access-list [name]
permit tcp [src address/mask] [dst address/mask] eq bgp ttl eq 255 log
exit
control-plane
ip access-group [name] [direction]

See Also

http://iasecontent.disa.mil/stigs/zip/Apr2016/U_Arista_MLS_DCS-7000_Series_RTR_V1R2_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, CCI|CCI-002385, Group-ID|V-60921, Rule-ID|SV-75379r1_rule, STIG-ID|AMLS-L3-000260

Plugin: Arista

Control ID: 4e33e136e9bb5e9ff5418e09d0b86dd361b954247a7678da766fc406b7f28c30