OS10-RTR-000680 - The Dell OS10 BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

Information

The effects of prefix deaggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix deaggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.

Solution

Ensure all eBGP routers are configured to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.

Step 1: Configure a prefix list for each customer containing prefixes belonging to each.

OS10(config)# ip prefix-list LONG_PREFIX_FILTER permit 0.0.0.0/0 ge 8 le 24
OS10(config)# ip prefix-list LONG_PREFIX_FILTER deny 0.0.0.0/0

Step 2: Configure the route map referencing the configured prefix list.

OS10(config)# route-map LONG_PREFIX_FILTER_MAP 50
OS10(config-route-map)# match ip address prefix-list LONG_PREFIX_FILTER
OS10(config-route-map)# exit

Step 3: Apply the route-map inbound to each external BGP neighbor (the title and the address-family configuration below both filter received advertisements with the "in" direction).

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 50.1.1.1
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map LONG_PREFIX_FILTER_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# exit
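
The following is an added example, not Dell OS10 code or part of the STIG: a small offline model of the prefix-list semantics used in Step 1 (first matching entry wins, "ge"/"le" bound the mask length, a bare entry matches an exact length, and an implicit deny closes every list). It replays the page's LONG_PREFIX_FILTER against a set of constructed inbound advertisements so the expected accept/drop outcome of a deaggregated announcement can be checked before the route-map is applied to a live eBGP neighbor. The CUSTOMER_A_FILTER list and its 198.51.100.0/22 assignment are hypothetical, standing in for the per-customer list Step 1 asks for; all sample prefixes use documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixListEntry:
    """One `ip prefix-list ... permit|deny NETWORK [ge N] [le M]` line."""
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None         # minimum mask length, inclusive
    le: Optional[int] = None         # maximum mask length, inclusive

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The advertised route must lie inside the entry's network.
        if not route.subnet_of(self.network):
            return False
        # Without ge/le the mask length must match exactly, so a bare
        # `deny 0.0.0.0/0` entry matches only a default-route announcement.
        if self.ge is None and self.le is None:
            return route.prefixlen == self.network.prefixlen
        lo = self.ge if self.ge is not None else self.network.prefixlen
        hi = self.le if self.le is not None else route.max_prefixlen
        return lo <= route.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixListEntry],
                        route: ipaddress.IPv4Network) -> bool:
    """First matching entry decides; every prefix list ends in an implicit deny."""
    for entry in entries:
        if entry.matches(route):
            return entry.action == "permit"
    return False


def filter_inbound(advertisements: List[str],
                   entries: List[PrefixListEntry]) -> Tuple[List[str], List[str]]:
    """Split advertised prefixes into (accepted, rejected) under the prefix list."""
    accepted, rejected = [], []
    for adv in advertisements:
        net = ipaddress.ip_network(adv, strict=False)
        (accepted if prefix_list_permits(entries, net) else rejected).append(str(net))
    return accepted, rejected


# Mirror of the LONG_PREFIX_FILTER list configured in Step 1 above.
LONG_PREFIX_FILTER = [
    PrefixListEntry("permit", ipaddress.ip_network("0.0.0.0/0"), ge=8, le=24),
    PrefixListEntry("deny", ipaddress.ip_network("0.0.0.0/0")),
]

# Hypothetical per-customer list (Step 1 asks for one per customer): this
# customer was issued 198.51.100.0/22 and may announce it or any of its /23
# and /24 components, but nothing longer and nothing outside the block.
CUSTOMER_A_FILTER = [
    PrefixListEntry("permit", ipaddress.ip_network("198.51.100.0/22"), le=24),
]

# Constructed inbound advertisements from a neighbor, using documentation
# address ranges; not captured from any real session.
SAMPLE_ADVERTISEMENTS = [
    "203.0.113.0/24",   # normal /24: allowed by the length filter
    "198.51.100.0/22",  # aggregate assigned to customer A
    "198.51.100.0/24",  # /24 component of that aggregate
    "203.0.113.0/25",   # deaggregated /25: longer than /24, dropped
    "198.51.100.0/25",  # deaggregated /25 of the customer block, dropped
    "192.0.2.1/32",     # host route, dropped
    "10.0.0.0/7",       # shorter than /8, dropped
    "0.0.0.0/0",        # default route, hits the explicit deny
]

if __name__ == "__main__":
    for name, entries in (("LONG_PREFIX_FILTER", LONG_PREFIX_FILTER),
                          ("CUSTOMER_A_FILTER", CUSTOMER_A_FILTER)):
        accepted, rejected = filter_inbound(SAMPLE_ADVERTISEMENTS, entries)
        print(f"{name}: accepted={accepted} rejected={rejected}")
```

Running the script shows the generic length filter keeping every /8 to /24 announcement regardless of origin, while the per-customer list additionally drops anything outside the block the customer was issued; in an audit, the rejected column is what should appear as dropped when the neighbor's received routes are compared with the routes actually installed.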

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Dell_OS10_Switch_Y24M12_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|III, CCI|CCI-002385, Rule-ID|SV-269891r1052058_rule, STIG-ID|OS10-RTR-000680, Vuln-ID|V-269891

Plugin: Dell_OS10

Control ID: 4d07f2fe816f005ebb3eef15c734f7994e5dab879f16b61a1b08fc36e5b81196