Detections
Analytics

JUNI-RT-000500 - The Juniper BGP router must be configured to reject inbound route advertisements from a customer edge (CE) Juniper router for prefixes that are not allocated to that customer - CE Juniper router.

Information

As a best practice, a service provider should only accept customer prefixes that have been assigned to that customer and any peering autonomous systems. A multi-homed customer with BGP speaking routers connected to the Internet or other external networks could be breached and used to launch a prefix de-aggregation attack. Without ingress route filtering of customers, the effectiveness of such an attack could impact the entire IP core and its customers.

Solution

Configure the router to reject inbound route advertisements from a CE router for prefixes that are not allocated to that customer.

Configure a prefix list containing prefixes belonging to the customers.

[edit policy-options]
set prefix-list CUST1_PREFIXES x.x.x.x/24
set prefix-list CUST1_PREFIXES x.x.x.x/24
set prefix-list CUST2_PREFIXES x.x.x.x/24
set prefix-list CUST2_PREFIXES x.x.x.x/24

Configure a policy-statement to filter customer routes.

set policy-statement FILTER_CUST1_ROUTES term ACCEPT_ROUTES from prefix-list CUST1_PREFIXES
set policy-statement FILTER_CUST1_ROUTES term then accept
set policy-statement FILTER_CUST1_ROUTES term REJECT_OTHER then reject
set policy-statement FILTER_CUST2_ROUTES term ACCEPT_ROUTES from prefix-list CUST2_PREFIXES
set policy-statement FILTER_CUST2_ROUTES term then accept
set policy-statement FILTER_CUST2_ROUTES term REJECT_OTHER then reject

Apply the import policy to filter received routes for each customer group.

[edit protocols bgp group CUST1]
set import FILTER_CUST1_ROUTES
[edit protocols bgp group CUST2]
set import FILTER_CUST2_ROUTES

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y25M01_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4, CAT|II, CCI|CCI-001368, Rule-ID|SV-217055r604135_rule, STIG-ID|JUNI-RT-000500, STIG-Legacy|SV-101105, STIG-Legacy|V-90895, Vuln-ID|V-217055

Plugin: Juniper

Control ID: 76e9065cd8b601efa45678b379d9f9c92fd395f5ad4b69bd9e37c1e74fcc4e35