An error occurred:

Check: JUNI-RT-000550

Juniper Router RTR STIG: JUNI-RT-000550 (in versions v2 r4 through v1 r4)

Title

The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer. (Cat III impact)

Discussion

The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.

Check Content

This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it is compliant with this requirement. Verify that a policy statement has been configured to reject prefixes longer than /24 or the least significant prefixes issued to the customers as shown in the example below. policy-options { … … … } policy-statement NO_LONG_PREFIXES { from { route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject; } } Note: It may be necessary to configure separate policy statements depending on the address space issued to each customer. Verify that there is an import statement referencing the policy statement to filter prefix length. protocols { bgp { … … … } group CUST1 { type external; import [ FILTER_CUST1_ROUTES NO_LONG_PREFIXES ]; peer-as 55; neighbor x.x.x.x; neighbor x.x.x.x; } group CUST2 { type external; import [ FILTER_CUST1_ROUTES NO_LONG_PREFIXES ]; peer-as 44; neighbor x.x.x.x; neighbor x.x.x.x; } If the router is not configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer, this is a finding.

Fix Text

Configure the router to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer. Configure a route filter to reject any prefix that is longer than /24. [edit policy-options] set policy-statement NO_LONG_PREFIXES from route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject Apply the policy statement to the BGP customer groups. [edit protocols bgp group CUST1] set import NO_LONG_PREFIXES [edit protocols bgp group CUST2] set import NO_LONG_PREFIXES

Additional Identifiers

Rule ID: SV-217061r604135_rule

Vulnerability ID: V-217061

Group Title: SRG-NET-000362-RTR-000118

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002385

The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-5

Denial Of Service Protection