Title

Cisco ACI must be configured to enable the Generalized TTL Security Mechanism (GTSM) for BGP sessions. (Cat III impact)

Discussion

GTSM is designed to protect a router's IP-based control plane from denial-of-service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers, that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.

Check Content

Review the BGP configuration to verify that TTL security has been configured for each external neighbor as shown in the example below: policy BGP_Peer_Profile no neighbor 10.1.1.1 ebgp-multihop neighbor 10.1.1.1 ttl-security If the Cisco ACI is not configured to use GTSM for all Exterior BGP peering sessions, this is a finding.

Fix Text

Configure TTL security on all external BGP neighbors as shown in the example below: Step 1: Access the BGP Peer Connectivity Profile. policy BGP_Peer_Profile Step 2: Disable Multihop for external neighbor. no neighbor 10.1.1.1 ebgp-multihop Step 3: Enable TTL security on the neighbor. neighbor 10.1.1.1 ttl-security

Additional Identifiers

Rule ID: SV-272094r1064497_rule

Vulnerability ID: V-272094

Group Title: SRG-NET-000362-RTR-000124

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.