Title

The RUCKUS ICX BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer. (Cat II impact)

Discussion

As a best practice, a service provider should only accept customer prefixes that have been assigned to that customer and any peering autonomous systems. A multi-homed customer with BGP speaking routers connected to the internet or other external networks could be breached and used to launch a prefix de-aggregation attack. Without ingress route filtering of customers, the effectiveness of such an attack could impact the entire IP core and its customers.

Check Content

Review the router configuration to verify there are filters defined to only accept routes for prefixes that belong to specific customers. 1. Verify a prefix-list exists for the customer ("show running-config | include prefix") similar to the following: ip prefix-list customer1 seq 5 permit x.x.1.0/24 le 32 ip prefix-list customer1 seq 10 deny 0.0.0.0/0 ge 8 2. Confirm the prefix list has been applied to eBGP neighbor similar to the following: route-map bgp_cust1 permit 10 match ip address prefix-list customer1 router bgp local-as 1001 neighbor x.x.x.x remote-as 500 neighbor x.x.x.x route-map in bgp_cust1 If the RUCKUS ICX router is not configured to reject prefixes not allocated to the customer, this is a finding.

Fix Text

Configure a prefix list and apply to the eBGP neighbor configuration: ip prefix-list customer1 seq 5 permit x.x.1.0/24 le 32 ip prefix-list customer1 seq 10 deny 0.0.0.0/0 ge 8 route-map bgp_cust1 permit 10 match ip address prefix-list customer1 router bgp local-as 1001 neighbor x.x.x.x remote-as 500 neighbor x.x.x.x route-map in bgp_cust1

Additional Identifiers

Rule ID: SV-273572r1110908_rule

Vulnerability ID: V-273572

Group Title: SRG-NET-000018-RTR-000004

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.