An error occurred:

Check: RCKS-RTR-000680

RUCKUS ICX Router STIG: RCKS-RTR-000680 (in version v1 r1)

Title

The RUCKUS ICX BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer. (Cat III impact)

Discussion

The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.

Check Content

This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it is compliant with this requirement. 1. Verify a route filter has been configured to reject prefixes longer than /24, or the least significant prefixes issued to the customers as shown in the example below: ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24 ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32 2. Verify prefix filtering has been applied to each eBGP peer as shown in the following example: router bgp neighbor x.1.1.9 remote-as yy neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in If the router is not configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer, this is a finding.

Fix Text

This requirement is not applicable for the DODIN Backbone. Configure the router to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer. 1. Configure a prefix list to reject any prefix that is longer than /24. ICX(config)#ip prefix-list FILTER_PREFIX_LENGTH permit 0.0.0.0/0 ge 8 le 24 ICX(config)#ip prefix-list FILTER_PREFIX_LENGTH deny 0.0.0.0/0 le 32 2. Apply the prefix list to all eBGP peers as shown in the example below: ICX(config)#router bgp ICX(config-bgp-router)#neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in

Additional Identifiers

Rule ID: SV-273635r1110897_rule

Vulnerability ID: V-273635

Group Title: SRG-NET-000362-RTR-000118

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002385

Protect against or limit the effects of organization-defined types of denial-of-service events.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-5

Denial of Service Protection