Title

The RUCKUS ICX BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core. (Cat II impact)

Discussion

Outbound route advertisements belonging to the core can result in traffic either looping or being black holed, or at a minimum, using a nonoptimized path.

Check Content

Review the router configuration to verify there is a filter defined to block route advertisements for prefixes that belong to the IP core. 1. Verify a prefix-list has been configured containing prefixes belonging to the IP core. ip prefix-list FILTER_CORE_PREFIXES seq 10 deny x.1.1.0/24 le 32 ip prefix-list FILTER_CORE_PREFIXES seq 20 deny x.1.2.0/24 le 32 ip prefix-list FILTER_CORE_PREFIXES seq 30 permit 0.0.0.0/0 ge 8 2. Verify the prefix-list has been applied to all external BGP peers as shown in the example below: router bgp local-as xxxx neighbor x.0.0.1 remote-as yy neighbor x.0.0.1 ao mykeychain address-family ipv4 unicast neighbor x.0.0.1 prefix-list FILTER_CORE_PREFIXES out If the router is not configured to reject outbound route advertisements for prefixes belonging to the IP core, this is a finding.

Fix Text

Configure all eBGP routers to filter outbound route advertisements belonging to the IP core. 1. Configure a prefix-list for containing all customer and local AS prefixes as shown in the example below: ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 10 deny x.1.1.0/24 le 32 ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 20 deny x.1.2.0/24 le 32 ICX(config)#ip prefix-list FILTER_CORE_PREFIXES seq 30 permit 0.0.0.0/0 ge 8 2. Apply the prefix-list filter outbound to each neighbor as shown in the following example: ICX(config)#router bgp ICX(config-bgp-router)#neighbor x.0.0.1 prefix-list FILTER_CORE_PREFIXES out

Additional Identifiers

Rule ID: SV-273610r1110922_rule

Vulnerability ID: V-273610

Group Title: SRG-NET-000205-RTR-000006

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.