An error occurred:

Check: RCKS-RTR-000050

RUCKUS ICX Router STIG: RCKS-RTR-000050 (in version v1 r1)

Title

The RUCKUS ICX BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customer or the local autonomous system (AS). (Cat II impact)

Discussion

Advertisement of routes by an autonomous system for networks that do not belong to any of its customers pulls traffic away from the authorized network. This causes a denial of service (DoS) on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the GIG IP core could redistribute IGP routes into BGP, thereby leaking internal routes.

Check Content

Review the router configuration to verify there is a filter defined to only advertise routes for prefixes that belong to any customers or the local AS. This requirement is not applicable for the DODIN Backbone. 1. Verify a prefix-list is configured for routes belonging to the local AS. ICX# show ip prefix-lists ip prefix-list local-AS: 2 entries seq 5 permit x.1.1.0/24 seq 10 permit x.1.2.0/24 2. Verify the prefix-list is applied to outbound routes to neighbors. ICX# show ip bgp config Current BGP configuration: router bgp local-as 1000 neighbor x.x.x.x remote-as 1001 neighbor x.x.x.x prefix-list local-AS out If the router does not filter out prefix advertisements that do not belong on the local AS, this is a finding.

Fix Text

Configure a prefix-list representing prefixes that belong to the local-AS and apply them to BGP neighbors similar to what is shown below: ip prefix-list mylist seq 10 permit x.1.1.0/24 ip prefix-list mylist seq 10 permit x.1.2.0/24 ip prefix-list mylist seq 15 deny 0.0.0.0/0 ge 8 router bgp local-as 1000 neighbor x.x.x.x remote-as 1001 neighbor x.x.x.x prefix-list local-AS out

Additional Identifiers

Rule ID: SV-273573r1111031_rule

Vulnerability ID: V-273573

Group Title: SRG-NET-000018-RTR-000005

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001368

Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-4

Information Flow Enforcement