STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.

DISA Rule

SV-216779r531087_rule

Vulnerability Number

V-216779

Group Title

SRG-NET-000018-RTR-000004

Rule Version

CISC-RT-000510

Severity

CAT II

CCI(s)

• CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

Configure the router to reject inbound route advertisements from each CE router for prefixes that are not allocated to that customer.

Step 1: Configure a prefix set for each customer containing prefixes belonging to each as shown in the example.

RP/0/0/CPU0:R2(config)#prefix-set CUST1_PREFIX
RP/0/0/CPU0:R2(config-pfx)#x.1.1.0/24 le 32
RP/0/0/CPU0:R2(config-pfx)#end-set
RP/0/0/CPU0:R2(config)#prefix-set CUST2_PREFIX
RP/0/0/CPU0:R2(config-pfx)#x.2.1.0/24 le 32
RP/0/0/CPU0:R2(config-pfx)#end-set

Step 2: Configure a route policy filter for each customer as shown in the example.

RP/0/0/CPU0:R2(config)#route-policy CUST1_PREFIX_FILTER
RP/0/0/CPU0:R2(config-rpl)#if destination in CUST1_PREFIX then
RP/0/0/CPU0:R2(config-rpl-if)#pass
RP/0/0/CPU0:R2(config-rpl-if)#else
RP/0/0/CPU0:R2(config-rpl-else)#drop
RP/0/0/CPU0:R2(config-rpl-else)#endif
RP/0/0/CPU0:R2(config-rpl)#end-policy
RP/0/0/CPU0:R2(config)#route-policy CUST2_PREFIX_FILTER
RP/0/0/CPU0:R2(config-rpl)#if destination in CUST2_PREFIX then
RP/0/0/CPU0:R2(config-rpl-if)#pass
RP/0/0/CPU0:R2(config-rpl-if)#else
RP/0/0/CPU0:R2(config-rpl-else)#drop
RP/0/0/CPU0:R2(config-rpl-else)#endif
RP/0/0/CPU0:R2(config-rpl)#end-policy

Step 3: Apply the route policy to each customer neighbor as shown in the example.

RP/0/0/CPU0:R2(config)#router bgp xx
RP/0/0/CPU0:R2(config-bgp)#neighbor x.12.4.14
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy CUST1_PREFIX_FILTER in
RP/0/0/CPU0:R2(config-bgp)#neighbor x.12.4.16
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy CUST2_PREFIX_FILTER in

Check Contents

Review the router configuration to verify that there are ACLs defined to only accept routes for prefixes that belong to specific customers.

Step 1: Verify that an inbound route policy has been configured for each customer neighbor as shown in the example below.

router bgp xx
address-family ipv4 unicast
!
neighbor x.12.4.14
remote-as 64514
address-family ipv4 unicast
route-policy CUST1_PREFIX_FILTER in
!
!
neighbor x.12.4.16
remote-as 64516
address-family ipv4 unicast
route-policy CUST2_PREFIX_FILTER in
!
!

Step 2: Review the route policies to determine if it is accepting only prefixes belonging to each customer as shown in the example below.

route-policy CUST1_PREFIX_FILTER
if destination in CUST1_PREFIX then
pass
else
drop
endif
end-policy
!
route-policy CUST2_PREFIX_FILTER
if destination in CUST2_PREFIX then
pass
else
drop
endif
end-policy

Step 3: Review the prefix sets referenced in the route policies above to determine if they include only prefixes belonging to each customer.

prefix-set CUST1_PREFIX
x.1.1.0/24 le 32
end-set
!
prefix-set CUST2_PREFIX
x.2.1.0/24 le 32
end-set

Note: Routes to PE-CE links within a VPN are needed for troubleshooting end-to-end connectivity across the MPLS/IP backbone. Hence, these prefixes are an exception to this requirement.

If the router is not configured to reject inbound route advertisements from each CE router for prefixes that are not allocated to that customer, this is a finding.

Vulnerability Number

V-216779

Documentable

False

Rule Version

CISC-RT-000510

Severity Override Guidance

Review the router configuration to verify that there are ACLs defined to only accept routes for prefixes that belong to specific customers.

Step 1: Verify that an inbound route policy has been configured for each customer neighbor as shown in the example below.

router bgp xx
address-family ipv4 unicast
!
neighbor x.12.4.14
remote-as 64514
address-family ipv4 unicast
route-policy CUST1_PREFIX_FILTER in
!
!
neighbor x.12.4.16
remote-as 64516
address-family ipv4 unicast
route-policy CUST2_PREFIX_FILTER in
!
!

Step 2: Review the route policies to determine if it is accepting only prefixes belonging to each customer as shown in the example below.

route-policy CUST1_PREFIX_FILTER
if destination in CUST1_PREFIX then
pass
else
drop
endif
end-policy
!
route-policy CUST2_PREFIX_FILTER
if destination in CUST2_PREFIX then
pass
else
drop
endif
end-policy

Step 3: Review the prefix sets referenced in the route policies above to determine if they include only prefixes belonging to each customer.

prefix-set CUST1_PREFIX
x.1.1.0/24 le 32
end-set
!
prefix-set CUST2_PREFIX
x.2.1.0/24 le 32
end-set

Note: Routes to PE-CE links within a VPN are needed for troubleshooting end-to-end connectivity across the MPLS/IP backbone. Hence, these prefixes are an exception to this requirement.

If the router is not configured to reject inbound route advertisements from each CE router for prefixes that are not allocated to that customer, this is a finding.

Check Content Reference

M

Target Key

4029

Comments