An error occurred:

Check: CACI-RT-000003

Cisco ACI Router STIG: CACI-RT-000003 (in version v1 r0.1)

Title

The BGP Cisco ACI must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS). (Cat II impact)

Discussion

Advertisement of routes by an autonomous system for networks that do not belong to any of its customers pulls traffic away from the authorized network. This causes a denial of service (DoS) on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the GIG IP core could redistribute IGP routes into BGP, thereby leaking internal routes.

Check Content

Review the ACI configuration to verify it will reject routes belonging to the local AS. Step 1: Verify a prefix list has been configured containing prefixes belonging to the local AS. In the example below, x.13.1.0/24 is the global address space allocated to the local AS. ip prefix-list PREFIX_FILTER seq 74 deny x.13.1.0/24 le 32 Step 2: Verify the prefix list has been applied to all external BGP peers as shown in the example below: router bgp <AS_number> neighbor <peer_IP> prefix-list LOCAL_AS_PREFIX_FILTER out If the ACI is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.

Fix Text

Configure the router to reject outbound route advertisements for any prefixes belonging to the local AS. Use a prefix list containing the local AS prefixes and apply it as an outbound filter on the BGP neighbor configuration, as shown in the following examples. Step 1: Add to the prefix filter list those prefixes belonging to the local autonomous system. apci1(config)# ip prefix-list LOCAL_AS_PREFIX_FILTER seq 70 deny <local_AS_prefixes> Step 2: Apply the prefix list filter outbound to each external BGP neighbor. apci1(config)# router bgp <AS_number> neighbor <peer_IP> prefix-list LOCAL_AS_PREFIX_FILTER out

Additional Identifiers

Rule ID: SV-272063r1064466_rule

Vulnerability ID: V-272063

Group Title: SRG-NET-000018-RTR-000005

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001368

Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement