STIGQter: STIG Summary: Cisco IOS Router RTR Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Oct 2020

The Cisco BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

DISA Rule

SV-216605r531085_rule

Vulnerability Number

V-216605

Group Title

SRG-NET-000362-RTR-000118

Rule Version

CISC-RT-000570

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Configure the router to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.

Step 1: Configure a prefix list to reject any prefix that is longer than /24.

R1(config)#ip prefix-list FILTER_PREFIX_LENGTH permit 0.0.0.0/0 ge 8 le 24
R1(config)#ip prefix-list FILTER_PREFIX_LENGTH deny 0.0.0.0/0 le 32


Step 2: Apply the prefix list to all eBGP peers as shown in the example below.

R1(config)#router bgp xx
R1(config-router)#neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in
R1(config-router)#neighbor x.2.1.7 prefix-list FILTER_PREFIX_LENGTH in

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it is compliant with this requirement.

Step 1: Verify that a route filter has been configured to reject prefixes longer than /24, or the least significant prefixes issued to the customers as shown in the example below:

ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32

Step 2: Verify that prefix filtering has been applied to each eBGP peer as shown in the example:

router bgp xx
 neighbor x.1.1.9 remote-as yy
 neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in
 neighbor x.2.1.7 remote-as zz
 neighbor x.2.1.7 prefix-list FILTER_PREFIX_LENGTH in


If the router is not configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer, this is a finding.
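
One way to automate the two verification steps above, as an added example that is not part of the STIG or of STIGQter: the script parses a saved running-config, applies IOS prefix-list matching (length range from ge/le, first match wins, implicit deny) and reports each eBGP peer whose inbound filter is missing or still accepts a prefix longer than /24. The sample configuration, its AS numbers and addresses, and the LOOSE list are constructed; the code assumes IPv4, plain-integer AS numbers and neighbors configured directly under router bgp.

```python
import ipaddress
import re

ENTRY = re.compile(r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")
# Constructed sample running-config (documentation addresses, private AS numbers).
SAMPLE = """\
ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32
ip prefix-list LOOSE seq 5 permit 0.0.0.0/0 le 32
router bgp 64512
 neighbor 192.0.2.9 remote-as 64513
 neighbor 192.0.2.9 prefix-list FILTER_PREFIX_LENGTH in
 neighbor 198.51.100.7 remote-as 64514
 neighbor 198.51.100.7 prefix-list LOOSE in
 neighbor 203.0.113.5 remote-as 64515
 neighbor 10.0.0.2 remote-as 64512
"""

def parse_prefix_lists(cfg):
    """Map list name -> [(seq, action, network, lo, hi)] ordered by seq."""
    lists = {}
    for m in filter(None, (ENTRY.match(line.strip()) for line in cfg.splitlines())):
        name, seq, action, net, ge, le = m.groups()
        net = ipaddress.ip_network(net)
        lo = int(ge) if ge else net.prefixlen                  # no ge: start at the entry's own length
        hi = int(le) if le else (32 if ge else net.prefixlen)  # ge alone runs to /32; neither: exact
        lists.setdefault(name, []).append((int(seq), action, net, lo, hi))
    return {n: sorted(e, key=lambda x: x[0]) for n, e in lists.items()}

def permits(entries, prefix):
    p = ipaddress.ip_network(prefix)
    for _seq, action, net, lo, hi in entries:
        if lo <= p.prefixlen <= hi and p.subnet_of(net):
            return action == "permit"   # first matching entry wins
    return False                        # no match: implicit deny

def audit(cfg, max_len=24):
    """Yield (peer, reason) for each eBGP peer with a missing or too-loose inbound filter."""
    lists = parse_prefix_lists(cfg)
    local_as = re.search(r"^router bgp (\d+)", cfg, re.M).group(1)
    applied = dict(re.findall(r"^\s*neighbor (\S+) prefix-list (\S+) in\s*$", cfg, re.M))
    for peer, asn in re.findall(r"^\s*neighbor (\S+) remote-as (\d+)", cfg, re.M):
        entries = lists.get(applied.get(peer), [])
        # Probe one prefix longer than max_len under each permit entry that could reach it.
        probes = [ipaddress.ip_network((net.network_address, max(lo, max_len + 1)))
                  for _s, act, net, lo, hi in entries if act == "permit" and hi > max_len]
        hit = next((str(p) for p in probes if permits(entries, p)), "")
        if asn != local_as and (hit or not entries):   # iBGP peers are out of scope
            yield peer, f"accepts {hit}" if hit else "no inbound prefix-list"
```

Set `max_len` to the longest prefix issued to the customer when that is not /24. Evaluating the example list this way also shows that it rejects 0.0.0.0/0 and anything shorter than /8, not only prefixes longer than /24.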

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4027

Comments