STIGQter: STIG Summary: Infrastructure Router Security Technical Implementation Guide Juniper Version: 8 Release: 29 Benchmark Date: 25 Jan 2019: The router must use its loopback interface address as the source address for all iBGP peering sessions.

DISA Rule

SV-15360r2_rule

Vulnerability Number

V-14681

Group Title

Loopback address is not used as the iBGP source IP.

Rule Version

NET0903

Severity

CAT III

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Configure the network device's loopback address as the source address for iBGP peering.

Check Contents

Review the configuration and verify the loopback interface address is used as the source address for all iBGP peering.

Step 1: Verify that a loopback address has been configured with an IP address. The configuration should look similar to the following:

interfaces {
lo0 {
unit 0 {
family inet {
address 10.10.2.1/32;
}
}
}

Note: Only one loopback interface can be configured on Juniper routers; however, multiple addresses can be defined.

Step 2: The vulnerability does not require eBGP peering to use the loopback address. Hence, the BGP router only requires that the loopback address is used to peer with its iBGP neighbors. You should find a configuration similar to the example below:

protocols {
bgp {
group iBGP_111 {
type internal;
local-address 10.10.2.1;
export next-hop-self;
peer-as 111;
neighbor 10.10.2.2;
}
}
}

STIGQter: STIG Summary: Infrastructure Router Security Technical Implementation Guide Juniper Version: 8 Release: 29 Benchmark Date: 25 Jan 2019: The router must use its loopback interface address as the source address for all iBGP peering sessions.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Responsibility

Target Key

Comments