Check: CACI-RT-000034
Cisco ACI Router STIG:
CACI-RT-000034
(in version v1 r2)
Title
Cisco ACI must be configured so the BGP neighbor is directly connected and will not connect a BGP session to a directly connected neighbor device's loopback address. (Cat III impact)
Discussion
The Generalized TTL Security Mechanism (GTSM, RFC 5082) is designed to protect a router's IP-based control plane from denial-of-service (DoS) attacks: by requiring an incoming TTL of 255 from a directly connected peer, it discards forged control-plane packets that have crossed even one extra hop. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all External Border Gateway Protocol (eBGP) speaking routers. ACI mitigates this risk in a different way, as there is currently no option for TTL security or GTSM support; however, ACI, by default, is set up to validate that the BGP neighbor is directly connected and will not even establish a BGP session to a directly connected neighbor device's loopback address. The two settings that enforce this are the connected check (which must stay enabled) and the eBGP multihop TTL (which must stay at 1); relaxing either one is what allows a peering to a loopback or to a remote, non-adjacent peer.
Check Content
Review the BGP peer configuration to verify that the connected check and eBGP multihop TTL are at their default settings (ACI's substitute for GTSM). Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Logical Node Profiles >> {{your_Logical_node_Profile}} >> Logical Interface Profiles >> {{your_logical_interface_profile}} >> BGP peer x.x.x.x >> Policy.

Verify the following in the policy:
- Disable Connected Check is unmarked
- EBGP Multihop TTL = 1

Repeat for every BGP peer connectivity profile in every L3Out. If any eBGP peering session in Cisco ACI is not configured with these default settings, this is a finding.
Fix Text
If ACI is determined to be configured differently from the default settings, reconfigure to the default settings by performing the following actions on the BGP peer connectivity profile. Navigate to Tenants >> {{your_Tenant}} >> Networking >> L3Out >> {{your_l3out}} >> Logical Node Profiles >> {{your_Logical_node_Profile}} >> Logical Interface Profiles >> {{your_logical_interface_profile}} >> BGP peer x.x.x.x >> Policy.

Reset the following in the policy:
- Disable Connected Check is unmarked
- EBGP Multihop TTL = 1

Note that resetting these values will tear down any session that depended on them (a peering to a loopback or to a non-adjacent router), so coordinate the change with the peer's operator.
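Clicking through every L3Out does not scale on a fabric with many peers. The following script is an added example and is not part of the STIG text or Cisco's tooling: it parses the JSON an APIC returns for a class query (GET /api/node/class/bgpPeerP.json, the same objects `moquery -c bgpPeerP` shows on the APIC CLI) and lists every BGP peer connectivity profile whose Disable Connected Check is marked or whose eBGP Multihop TTL is not 1, then builds the POST body that resets one peer to the defaults while preserving its other peer controls. The attribute names `peerCtrl` (carrying the flag `dis-conn-check`) and `ttl` are the bgpPeerP attributes as I recall them, and the sample response is constructed; confirm both names in your APIC's API Inspector before relying on the output.

```python
"""Audit Cisco ACI BGP peers for CACI-RT-000034 (added example, not STIG text).

Input is the JSON an APIC returns for GET /api/node/class/bgpPeerP.json.
Assumption: the bgpPeerP attribute peerCtrl carries "dis-conn-check" when
"Disable Connected Check" is marked in the GUI, and ttl carries the
eBGP Multihop TTL. Verify both names in the APIC API Inspector.
"""
import json

EXPECTED_TTL = 1
DIS_CONN_CHECK = "dis-conn-check"

# Constructed sample response (not captured from a real fabric): one compliant
# peer, one with the connected check disabled, one with a multihop TTL.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"bgpPeerP": {"attributes": {
            "dn": "uni/tn-Prod/out-WAN/lnodep-NP1/lifp-IP1/rspathL3OutAtt-[topology/pod-1/paths-101/pathep-[eth1/1]]/peerP-[192.0.2.1]",
            "addr": "192.0.2.1", "peerCtrl": "", "ttl": "1"}}},
        {"bgpPeerP": {"attributes": {
            "dn": "uni/tn-Prod/out-WAN/lnodep-NP1/lifp-IP1/rspathL3OutAtt-[topology/pod-1/paths-101/pathep-[eth1/2]]/peerP-[192.0.2.5]",
            "addr": "192.0.2.5", "peerCtrl": "dis-conn-check", "ttl": "1"}}},
        {"bgpPeerP": {"attributes": {
            "dn": "uni/tn-Prod/out-WAN/lnodep-NP1/lifp-IP2/rspathL3OutAtt-[topology/pod-1/paths-102/pathep-[eth1/1]]/peerP-[198.51.100.9]",
            "addr": "198.51.100.9", "peerCtrl": "bfd", "ttl": "2"}}},
    ],
})


def parse_peer_ctrl(value: str) -> set:
    """peerCtrl is a comma-separated flag list; an empty string means no flags."""
    return {flag for flag in value.split(",") if flag}


def audit_bgp_peers(response_json: str) -> list:
    """Return one finding per peer that deviates from the required defaults."""
    findings = []
    for item in json.loads(response_json)["imdata"]:
        attrs = item["bgpPeerP"]["attributes"]
        flags = parse_peer_ctrl(attrs.get("peerCtrl", ""))
        ttl = int(attrs.get("ttl", EXPECTED_TTL))
        problems = []
        if DIS_CONN_CHECK in flags:
            problems.append("Disable Connected Check is marked")
        if ttl != EXPECTED_TTL:
            problems.append(f"EBGP Multihop TTL is {ttl}, expected {EXPECTED_TTL}")
        if problems:
            findings.append({"dn": attrs["dn"], "addr": attrs["addr"],
                             "peerCtrl": sorted(flags), "problems": problems})
    return findings


def remediation_payload(finding: dict) -> dict:
    """Body for POST /api/mo/<dn>.json that resets one peer to the defaults.

    Only the two audited attributes change; other peer controls (e.g. bfd)
    are preserved so the reset does not silently drop BFD on the session.
    """
    kept = [f for f in finding["peerCtrl"] if f != DIS_CONN_CHECK]
    return {"bgpPeerP": {"attributes": {
        "dn": finding["dn"], "peerCtrl": ",".join(kept), "ttl": str(EXPECTED_TTL)}}}


if __name__ == "__main__":
    for f in audit_bgp_peers(SAMPLE_RESPONSE):
        print(f"FINDING {f['addr']}: {'; '.join(f['problems'])}")
        print("  reset with:", json.dumps(remediation_payload(f)))
```

The script makes no network calls on purpose: feed it the saved output of the class query, review the findings, and only then POST each remediation body to /api/mo/<dn>.json with an authenticated APIC session. Every finding corresponds to a session that will flap when reset, which is why the output lists the peer address rather than applying the change automatically.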
Additional Identifiers
Rule ID: SV-272094r1168411_rule
Vulnerability ID: V-272094
Group Title: SRG-NET-000362-RTR-000124
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events. |
Controls
| Number | Title |
|---|---|
| SC-5 | Denial-of-service Protection |