The router must use its loopback interface address as the source address for all iBGP peering sessions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-14681 | NET0903 | SV-15360r2_rule | Low |
| Description |
|---|
| Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability. It is easier to construct appropriate filters for control plane traffic. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the numerous physical interface addresses. |
| STIG | Date |
|---|---|
| Infrastructure Router - Juniper Security Technical Implementation Guide | 2017-09-28 |
Details
| Check Text ( C-12827r2_chk ) |
|---|
| Review the configuration and verify the loopback interface address is used as the source address for all iBGP peering. Step 1: Verify that a loopback address has been configured with an IP address. The configuration should look similar to the following: interfaces { lo0 { unit 0 { family inet { address 10.10.2.1/32; } } } Note: Only one loopback interface can be configured on Juniper routers; however, multiple addresses can be defined. Step 2: The vulnerability does not require eBGP peering to use the loopback address. Hence, the BGP router only requires that the loopback address is used to peer with its iBGP neighbors. You should find a configuration similar to the example below: protocols { bgp { group iBGP_111 { type internal; local-address 10.10.2.1; export next-hop-self; peer-as 111; neighbor 10.10.2.2; } } } |
| Fix Text (F-14148r3_fix) |
|---|
| Configure the network device's loopback address as the source address for iBGP peering. |