
The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).


Overview

Finding ID: V-253977
Version: JUEX-RT-000050
Rule ID: SV-253977r843964_rule
IA Controls:
Severity: Medium
Description
Advertisement of routes by an AS for networks that do not belong to any of its customers pulls traffic away from the authorized network. This causes a denial of service (DoS) on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the GIG IP core could redistribute IGP routes into BGP, thereby leaking internal routes.
STIG: Juniper EX Series Switches Router Security Technical Implementation Guide
Date: 2023-03-23

Details

Check Text ( C-57429r843962_chk )
This requirement is not applicable for the DODIN Backbone.

Review the BGP router configuration to verify there is a filter defined to only advertise routes for prefixes belonging to any customer or the local AS.

Example route-filter-list of customer addresses with corresponding policy-statement referencing the list:
[edit policy-options]
route-filter-list customer1-routes {
    <prefix> exact;
    <prefix> exact;
}
route-filter-list customer1-routes-ipv6 {
    <prefix> exact;
    <prefix> exact;
}

policy-statement bgp-advertise-cust-routes {
    term 1 {
        from {
            route-filter-list customer1-routes;
            route-filter-list customer1-routes-ipv6;
        }
        then accept;
    }
    term default {
        then reject;
    }
}
Note: The example uses route-filter-lists to ease management. The policy-statement also supports specifying the route directly in the match condition, for example "route-filter <prefix> exact" in place of "route-filter-list customer1-routes".

The prefix filter must be referenced outbound on the appropriate BGP neighbor statements.

Verify the eBGP export statement prevents Junos from exporting routes from the routing table into BGP other than those the policy accepts. Junos accepts export statements at three hierarchy levels: global protocol, group, and neighbor (peer). Global is the most general, followed by group, and neighbor is the most specific. Junos applies only the most specific policy configured, so if a policy is configured at the protocol, group, and neighbor levels, only the neighbor policy is applied to that peer.
[edit protocols bgp]
group eBGP {
    export bgp-advertise-cust-routes;
    neighbor <address> {
        export bgp-advertise-cust-routes;
    }
}
export bgp-advertise-cust-routes;


If the router is not configured to reject outbound route advertisements that do not belong to any customers or the local AS, this is a finding.
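The check above is performed by inspection. As an added example that is not part of the STIG or of Juniper's own tooling, the Python script below automates the same review over a set-format configuration: it parses the route-filter-lists, the policy-statement terms and the BGP export statements, resolves the effective export policy for each eBGP neighbor using the neighbor, then group, then global precedence described above, and reports a finding unless every accept term is bounded to authorized prefixes and the policy ends in an unconditional reject. The SAMPLE_CONFIG and the AUTHORIZED prefix list are constructed inputs using documentation address ranges, and the parser understands only the statement shapes shown on this page; the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Junos "set" format, not a real device's configuration:
# names follow the STIG check text, addresses are RFC 5737/3849/5398 documentation values.
SAMPLE_CONFIG = """
set policy-options route-filter-list customer1-routes 192.0.2.0/24 exact
set policy-options route-filter-list customer1-routes 198.51.100.0/24 exact
set policy-options route-filter-list customer1-routes-ipv6 2001:db8:1::/48 exact
set policy-options policy-statement bgp-advertise-cust-routes term 1 from route-filter-list customer1-routes
set policy-options policy-statement bgp-advertise-cust-routes term 1 from route-filter-list customer1-routes-ipv6
set policy-options policy-statement bgp-advertise-cust-routes term 1 then accept
set policy-options policy-statement bgp-advertise-cust-routes term default then reject
set policy-options policy-statement export-everything term 1 then accept
set protocols bgp group eBGP type external
set protocols bgp group eBGP export bgp-advertise-cust-routes
set protocols bgp group eBGP neighbor 203.0.113.1 peer-as 64496
set protocols bgp group eBGP neighbor 203.0.113.2 export export-everything
set protocols bgp group eBGP-upstream type external
set protocols bgp group eBGP-upstream neighbor 203.0.113.9
"""
# Address space the local AS and its customers may originate (an assumed input).
AUTHORIZED = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:1::/48"]
PO, BGP = r"^set policy-options ", r"^set protocols bgp "
RULES = {  # the subset of set-format Junos this check needs to understand
    "rfl": re.compile(PO + r"route-filter-list (\S+) (\S+) \S+"),
    "from": re.compile(PO + r"policy-statement (\S+) term (\S+) from route-filter(-list)? (\S+)"),
    "then": re.compile(PO + r"policy-statement (\S+) term (\S+) then (accept|reject)$"),
    "global": re.compile(BGP + r"export (\S+)$"),
    "group": re.compile(BGP + r"group (\S+) (type|export) (\S+)$"),
    "neighbor": re.compile(BGP + r"group (\S+) neighbor (\S+)(?: export (\S+)| .*)?$"),
}

def parse_config(text):
    # Non-prefix match conditions are not parsed on purpose: a term whose prefix
    # condition we cannot see is treated as unconditional, so the check fails closed.
    lists = defaultdict(list)             # list name -> [prefix, ...]
    policies = defaultdict(dict)          # policy -> term -> {"from": [...], "then": ...}
    bgp = {"export": None, "groups": {}}  # group -> {"type", "export", "neighbors"}
    term = lambda p, t: policies[p].setdefault(t, {"from": [], "then": None})
    group = lambda g: bgp["groups"].setdefault(g, {"type": None, "export": None, "neighbors": {}})
    for line in (l.strip() for l in text.splitlines()):
        for kind, rx in RULES.items():
            if m := rx.match(line):
                break
        else:
            continue
        if kind == "rfl":
            lists[m[1]].append(m[2])
        elif kind == "from":
            term(m[1], m[2])["from"].append(("list" if m[3] else "prefix", m[4]))
        elif kind == "then":
            term(m[1], m[2])["then"] = m[3]
        elif kind == "global":
            bgp["export"] = m[1]
        elif kind == "group":
            group(m[1])[m[2]] = m[3]
        else:  # neighbor line; an "export <policy>" on it overrides the group policy
            nbrs = group(m[1])["neighbors"]
            nbrs[m[2]] = nbrs.get(m[2]) or m[3]
    return lists, policies, bgp

def evaluate_policy(name, policies, lists, authorized):
    # Compliant only if every accept term is bounded to authorized prefixes and the chain
    # ends in an unconditional reject; routes that fall through get Junos's default BGP
    # export behaviour, which re-advertises learned BGP routes.
    if name is None:
        return False, "no export policy at neighbor, group or global level"
    if name not in policies:
        return False, f"policy {name} is referenced but never defined"
    nets = [ipaddress.ip_network(a) for a in authorized]
    for tname, body in policies[name].items():
        prefixes = []
        for kind, ref in body["from"]:
            prefixes += [ref] if kind == "prefix" else lists.get(ref, [])
        if body["then"] == "accept":
            if not prefixes:  # also catches a reference to an undefined route-filter-list
                return False, f"term {tname} accepts without a resolvable prefix condition"
            for p in prefixes:
                net = ipaddress.ip_network(p, strict=False)
                if not any(net.version == a.version and net.subnet_of(a) for a in nets):
                    return False, f"term {tname} would advertise unauthorized prefix {p}"
        elif body["then"] == "reject" and not prefixes:
            return True, "accept terms are prefix-bounded and the policy ends in reject"
        # a conditional reject or a term with no action falls through to the next term
    return False, f"policy {name} has no final unconditional reject"

def audit(config_text, authorized):
    # Per eBGP neighbor, resolve the effective export policy (neighbor beats group beats
    # global) and evaluate it. Returns {(group, neighbor): (policy, compliant, reason)}.
    lists, policies, bgp = parse_config(config_text)
    results = {}
    for gname, grp in bgp["groups"].items():
        if grp["type"] != "external":
            continue  # this STIG rule is about eBGP sessions
        for addr, nbr_export in grp["neighbors"].items():
            pol = nbr_export or grp["export"] or bgp["export"]
            results[(gname, addr)] = (pol, *evaluate_policy(pol, policies, lists, authorized))
    return results
```

Calling audit(SAMPLE_CONFIG, AUTHORIZED) passes 203.0.113.1 (it inherits the group policy), reports a finding for 203.0.113.2 (its neighbor-level export-everything overrides the group policy, exactly the precedence the check text warns about) and reports a finding for the eBGP-upstream neighbor (no export policy at any level). Passing a narrower AUTHORIZED list than the route-filter-lists contain turns the otherwise compliant policy into a finding, which is how the script catches a filter that is well-formed but advertises address space the local AS does not hold.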
Fix Text (F-57380r843963_fix)
Configure all eBGP routers to filter outbound route advertisements for prefixes that are not allocated to or belong to any customer or the local AS.

set policy-options route-filter-list customer1-routes <prefix> exact
set policy-options route-filter-list customer1-routes <prefix> exact
set policy-options route-filter-list customer1-routes-ipv6 <prefix> exact
set policy-options route-filter-list customer1-routes-ipv6 <prefix> exact

set policy-options policy-statement bgp-advertise-cust-routes term 1 from route-filter-list customer1-routes
set policy-options policy-statement bgp-advertise-cust-routes term 1 from route-filter-list customer1-routes-ipv6
set policy-options policy-statement bgp-advertise-cust-routes term 1 then accept

set policy-options policy-statement bgp-advertise-cust-routes term default then reject

set protocols bgp group eBGP export bgp-advertise-cust-routes
set protocols bgp group eBGP neighbor <address> export bgp-advertise-cust-routes
set protocols bgp export bgp-advertise-cust-routes