The Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-217054 | JUNI-RT-000490 | SV-217054r604135_rule | CCI-001368 | medium |

| Description | Accepting route advertisements belonging to the local AS can result in traffic looping or being black-holed, or at a minimum using a non-optimized path. |
|---|---|
| STIG | Juniper Router RTR Security Technical Implementation Guide |
| Date | 2024-12-05 |
Related Frameworks
3 paths across 3 frameworks

NIST 800-53 mapping
AC-4
1.00
- DISA · V3R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 mapping
3.1.3
1.00
- DISA · V3R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI mapping
CCI-001368
1.00
- DISA · V3R2 · disa_xccdf · related
Details
Check Text (C-217054r604135_chk)
Review the router configuration to verify that it will reject routes belonging to the local AS.
Verify a prefix list has been configured containing prefixes belonging to the local autonomous system as shown in the example below.
policy-options {
    …
    prefix-list OUR_PREFIXES {
        x.x.x.x/16;
    }
}
Verify that a policy has been configured to reject the local prefixes.
policy-options {
    …
    policy-statement FILTER_ROUTES {
        term REJECT_BOGONS {
            from {
                prefix-list BOGON_PREFIXES;
            }
            then reject;
        }
        term REJECT_OUR_PREFIXES {
            from {
                prefix-list OUR_PREFIXES;
            }
            then reject;
        }
        term ACCEPT_OTHER {
            then accept;
        }
    }
}
Verify that the configured policy to filter local prefixes has been applied to external BGP peers as shown in the example below.
protocols {
    bgp {
        group GROUP_AS4 {
            type external;
            import FILTER_ROUTES;
            peer-as 4;
            neighbor x.x.x.x;
        }
    }
}
If the router is not configured to reject inbound route advertisements belonging to the local AS, this is a finding.
Fix Text (F-18281r297031_fix)
Configure the router to reject inbound route advertisements for any prefixes belonging to the local AS.
Configure a prefix list containing prefixes belonging to the local autonomous system.
[edit policy-options]
set prefix-list OUR_PREFIXES x.x.x.x/16
Configure a policy-statement term that rejects prefixes belonging to the local autonomous system. This can be done by adding a term to the existing policy that filters bogons and inserting it ahead of the final accept term, as shown in the example below.
[edit policy-options policy-statement FILTER_ROUTES]
set term REJECT_OUR_PREFIXES from prefix-list OUR_PREFIXES
set term REJECT_OUR_PREFIXES then reject
insert term REJECT_OUR_PREFIXES before term ACCEPT_OTHER
Note: There is no need to change the BGP configuration, assuming the import statement for FILTER_ROUTES is already applied to all external neighbors (at the group or neighbor level).
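The check and fix above can be run offline against saved "show configuration" output. What follows is an added example written for this page, not part of the STIG and not a DISA or Juniper tool: a small parser for Junos curly-brace configuration plus an audit that applies the three checks in order, namely that a prefix-list covers every local prefix, that a policy-statement rejects routes matching it in a term placed before any unconditional accept term, and that every neighbor in a "type external" group resolves to that policy through its import statement (neighbor, then group, then protocol level, because Junos uses the most specific import rather than merging them). The sample configuration, the addresses and the local prefix set are constructed for the example; COMPLIANT, MISORDERED and NO_IMPORT are three variants of it.

```python
"""Offline audit of a Junos configuration for JUNI-RT-000490. Added example for this page; the
parser and checks are illustrative and not a DISA or Juniper tool."""

# Constructed sample (RFC 5737 addresses); the two policy terms are spliced in at @TERMS@.
TEMPLATE = """policy-options {
  prefix-list OUR_PREFIXES {
    203.0.113.0/24;
    198.51.100.0/24;
  }
  policy-statement FILTER_ROUTES {
@TERMS@
  }
}
protocols {
  bgp {
    group GROUP_AS4 {
      type external;
      import FILTER_ROUTES;
      neighbor 192.0.2.1;
    }
  }
}"""
REJECT_OURS = "term REJECT_OUR_PREFIXES {\n from {\n prefix-list OUR_PREFIXES;\n }\n then reject;\n}\n"
ACCEPT_OTHER = "term ACCEPT_OTHER {\n then accept;\n}\n"
COMPLIANT = TEMPLATE.replace("@TERMS@", REJECT_OURS + ACCEPT_OTHER)
MISORDERED = TEMPLATE.replace("@TERMS@", ACCEPT_OTHER + REJECT_OURS)  # reject term is never reached
NO_IMPORT = COMPLIANT.replace("import FILTER_ROUTES;", "")            # policy written, never applied
LOCAL_PREFIXES = {"203.0.113.0/24", "198.51.100.0/24"}

def parse_junos(text):
    """Nested [(statement, children)] lists; children is None for a leaf, a list for a block."""
    stack = [root := []]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):                       # 'term X {' opens a block
            stack[-1].append((line[:-1].strip(), block := []))
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):                     # 'then reject;' is a leaf statement
            stack[-1].append((line[:-1].strip(), None))
        else:
            raise ValueError(f"cannot parse line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root

def stmts(block, keyword):
    """Statements in block that start with keyword, as (rest of statement, children)."""
    return [(s[len(keyword):].strip(), kids) for s, kids in block or []
            if s == keyword or s.startswith(keyword + " ")]

def sub(block, name):
    """Children of the block statement called name, or [] if it is absent."""
    return next((kids or [] for s, kids in block or [] if s == name), [])

def clause(term, keyword):
    """Entries of a from/then clause, whether written 'then reject;' or 'then { reject; }'."""
    return [e for rest, kids in stmts(term, keyword)
            for e in ([rest] if kids is None else [s for s, _ in kids])]

def policy_rejects_local(policy, covering):
    """Terms run top-down and BGP's default import action is accept: the reject term only
    counts if no earlier term accepts unconditionally."""
    for name, term in stmts(policy, "term"):
        conds, acts = clause(term, "from"), clause(term, "then")
        matched = {c.split()[1] for c in conds
                   if len(c.split()) > 1 and c.split()[0] in ("prefix-list", "prefix-list-filter")}
        if matched & covering and "reject" in acts:
            return True, f"term {name} rejects the local prefixes"
        if not conds and "accept" in acts:
            return False, f"term {name} accepts everything before any local-prefix reject"
    return False, "no term rejects a prefix-list covering the local prefixes"

def import_chain(*levels):
    """Junos applies the most specific import statement (neighbor > group > protocol), no merge."""
    for level in levels:
        if found := stmts(level, "import"):
            return found[0][0].strip("[] ").split()   # 'import [ A B ];' is a policy chain
    return []

def audit(config_text, local_prefixes):
    """Return {'findings': [...], 'notes': [...]}; an empty findings list means compliant."""
    cfg = parse_junos(config_text)
    po, bgp = sub(cfg, "policy-options"), sub(sub(cfg, "protocols"), "bgp")
    lists = {n: {p for p, _ in kids or []} for n, kids in stmts(po, "prefix-list")}
    covering = {n for n, p in lists.items() if set(local_prefixes) <= p}
    findings = [] if covering else ["no prefix-list contains every local-AS prefix"]
    results = [(n, *policy_rejects_local(p, covering)) for n, p in stmts(po, "policy-statement")]
    notes = [f"{n}: {why}" for n, _, why in results]
    good = {n for n, ok, _ in results if ok}
    for gname, group in stmts(bgp, "group"):
        if not any(t == "external" for t, _ in stmts(group, "type")):
            continue                                  # only eBGP groups are in scope
        for addr, nb in stmts(group, "neighbor"):     # nb is None for a bare 'neighbor x;'
            chain = import_chain(nb, group, bgp)
            if not any(p in good for p in chain):
                findings.append(f"eBGP {gname} neighbor {addr}: import {chain or 'none'} lacks a local-prefix reject")
    return {"findings": findings, "notes": notes}
```

Two caveats the STIG text does not spell out. First, term order is the whole point of the "insert ... before term ACCEPT_OTHER" step: a catch-all accept placed earlier makes the reject term unreachable, which is the MISORDERED variant and is reported as a finding. Second, "from prefix-list OUR_PREFIXES" matches only the exact prefixes listed, so a peer announcing a more-specific of a local prefix (a /24 carved out of the listed /16) is not rejected by that term; "from prefix-list-filter OUR_PREFIXES orlonger" catches the prefix and all of its more-specifics, and the audit above accepts either spelling.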