The Cisco BGP switch must be configured to enable the Generalized TTL Security Mechanism (GTSM).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-221021 | CISC-RT-000470 | SV-221021r856414_rule | CCI-002385 | low |
| Description | ||||
| As described in RFC 3682, GTSM is designed to protect a switch's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking switches. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent switches; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic. | ||||
| STIG | Date | |||
| Cisco IOS XE Switch RTR Security Technical Implementation Guide | 2025-05-20 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
SC-5
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-002385
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-221021r856414_chk)
Review the BGP configuration to verify that TTL security has been configured for each external neighbor as shown in the example below:
router bgp xx
no synchronization
bgp log-neighbor-changes
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 password xxxxxxxx
neighbor x.1.1.9 ttl-security hops 1
neighbor x.2.1.7 remote-as zz
neighbor x.2.1.7 password xxxxxxxx
neighbor x.2.1.7 ttl-security hops 1
If the switch is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.
Fix Text (F-22725r408858_fix)
Configure TTL security on all external BGP neighbors as shown in the example below:
SW1(config)#router bgp xx
SW1(config-switch)#neighbor x.1.1.9 ttl-security hops 1
SW1(config-switch)#neighbor x.2.1.7 ttl-security hops 1