Detections
Analytics
JUEX-RT-000660 - The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
Information
The effects of prefix deaggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix deaggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.Solution
Configure all eBGP routers to use the prefix limit feature to protect against route table flooding and prefix deaggregation attacks.set policy-options policy-statement <statement name> term 1 from route-filter 0.0.0.0/0 prefix-length-range /25-/32
set policy-options policy-statement <statement name> term 1 then reject
set protocols bgp group <group name> type external
set protocols bgp group <group name> import <statement name>
set protocols bgp group <group name> local-as <local AS number>
set protocols bgp group <group name> neighbor <neighbor 1 address> import <statement name>
set protocols bgp group <group name> neighbor <neighbor 1 address> authentication-key <PSK value>
set protocols bgp group <group name> neighbor <neighbor 2 address> import <statement name>
set protocols bgp group <group name> neighbor <neighbor 2 address> ipsec-sa <SA name>
set protocols bgp import <statement name>
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y26M01_STIG.zip
Item Details
Audit Name: DISA Juniper EX Series Router v2r1
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-5, CAT|III, CCI|CCI-002385, Rule-ID|SV-254038r844147_rule, STIG-ID|JUEX-RT-000660, Vuln-ID|V-254038
Plugin: Juniper
Control ID: 444bea0f1c7737ab49b43dc9dee3a26fdfed7678fe1b2eb44d9abc2c968be1d0