Detections
Analytics
CISC-RT-000520 - The Cisco BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
Information
Advertisement of routes by an autonomous system for networks that do not belong to any of its customers pulls traffic away from the authorized network. This causes a denial of service (DoS) on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the GIG IP core could redistribute IGP routes into BGP, thereby leaking internal routes.Solution
This requirement is not applicable for the DODIN Backbone.Step 1: Configure a prefix set for customer and local autonomous system prefixes as shown in the example.
RP/0/0/CPU0:R2(config)#prefix-set CE_PREFIX_ADVERTISEMENTS
RP/0/0/CPU0:R2(config-pfx)#x.13.1.0/24 le 32,
RP/0/0/CPU0:R2(config-pfx)#x.13.2.0/24 le 32,
RP/0/0/CPU0:R2(config-pfx)#x.13.3.0/24 le 32,
RP/0/0/CPU0:R2(config-pfx)#x.13.4.0/24 le 32
RP/0/0/CPU0:R2(config-pfx)#end-set
Step 2: Configure a route policy filter for allow customer and local autonomous system prefixes as shown in the example.
RP/0/0/CPU0:R2(config)#route-policy CE_ADVERTISEMENTS
RP/0/0/CPU0:R2(config-rpl)#if destination in CE_PREFIX_ADVERTISEMENTS then
RP/0/0/CPU0:R2(config-rpl-if)#pass
RP/0/0/CPU0:R2(config-rpl-if)#else
RP/0/0/CPU0:R2(config-rpl-else)#drop
RP/0/0/CPU0:R2(config-rpl-else)#endif
RP/0/0/CPU0:R2(config-rpl)#end-policy
Step 3: Apply the route policy to each customer neighbor as shown in the example.
RP/0/0/CPU0:R2(config)#router bgp xx
RP/0/0/CPU0:R2(config-bgp)#neighbor x.12.4.14
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy route-policy CE_ADVERTISEMENTS out
RP/0/0/CPU0:R2(config-bgp)#neighbor x.12.4.16
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy CE_ADVERTISEMENTS out
RP/0/0/CPU0:R2(config-bgp-nbr-af)#end
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS-XR_Router_Y26M04_STIG.zip
Item Details
Audit Name: DISA Cisco IOS XR Router RTR STIG v3r3
Category: ACCESS CONTROL
References: 800-53|AC-4, CAT|II, CCI|CCI-001368, Rule-ID|SV-216780r1117236_rule, STIG-ID|CISC-RT-000520, STIG-Legacy|SV-105905, STIG-Legacy|V-96767, Vuln-ID|V-216780
Plugin: Cisco
Control ID: 346c10f6fa78e3f500c5a1914ef494f0d609e9bb4eca304039d5b73c7584084e