The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes belonging to the IP core.

Overview

Finding ID: V-217057
Version: JUNI-RT-000520
Rule ID: SV-217057r604135_rule
IA Controls: CCI-001097
Severity: medium

Description

Advertising prefixes that belong to the IP core to external BGP peers can cause traffic destined for the core to loop or be black-holed, or at a minimum to follow a non-optimal path. Core prefixes are internal infrastructure and should never be reachable through, or steered by, an external peer's view of routing.

STIG: Juniper Router RTR Security Technical Implementation Guide
Date: 2024-12-05

Related Frameworks

5 paths across 3 frameworks

NIST 800-53 (1 mapping)
  SC-7 (1.00)
  • DISA · V3R2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (3 mappings)
  3.13.1 (1.00)
  • DISA · V3R2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  3.13.2 (1.00)
  • DISA · V3R2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  3.13.5 (1.00)
  • DISA · V3R2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping)
  CCI-001097 (1.00)
  • DISA · V3R2 · disa_xccdf · related

Details

Check Text (C-217057r604135_chk)

Review the router configuration to verify that a policy is defined to block outbound route advertisements for prefixes that belong to the IP core.

Verify that a prefix list has been configured containing the prefixes belonging to the IP core, as shown in the example below:

    policy-options {
        …
        prefix-list CORE_PREFIX {
            x.x.x.x/16;
        }
    }

Verify that a policy has been configured to reject (not advertise) prefixes belonging to the core, as shown in the example below. The rejecting term must appear before the unconditional accept term, because Junos evaluates terms in order and stops at the first terminating action:

    policy-options {
        …
        policy-statement BGP_ADVERTISE_POLICY {
            term EXCLUDE_CORE {
                from {
                    prefix-list CORE_PREFIX;
                }
                then reject;
            }
            term INCLUDE_OTHER {
                then accept;
            }
        }
    }

Verify that the export statement on each external BGP group references the advertise policy, as shown below:

    protocols {
        bgp {
            group AS4 {
                type external;
                export BGP_ADVERTISE_POLICY;
                peer-as 4;
                neighbor x.x.x.x;
            }
        }
    }

If the router is not configured to reject outbound route advertisements for prefixes that belong to the IP core, this is a finding.

Fix Text (F-18284r297040_fix)

Configure the router to filter outbound route advertisements belonging to the IP core.

Configure a prefix list containing the prefixes belonging to the IP core:

    [edit policy-options]
    set prefix-list CORE_PREFIX x.x.x.x/16

Configure a policy statement that rejects core prefixes and accepts everything else. Enter the EXCLUDE_CORE term first: Junos evaluates terms in configuration order, and an INCLUDE_OTHER term placed ahead of it would accept the core prefixes before the reject is ever reached:

    [edit policy-options]
    set policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE from prefix-list CORE_PREFIX
    set policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE then reject
    set policy-statement BGP_ADVERTISE_POLICY term INCLUDE_OTHER then accept

Apply the policy as an export statement on every external BGP peer group, as shown in the example below:

    [edit protocols bgp group GROUP_AS4]
    set export BGP_ADVERTISE_POLICY
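The check above is easy to eyeball on one router and tedious across a fleet, so here is an added audit script that is not part of the STIG and not Juniper's code. It parses "show configuration | display set" output, walks every external BGP group's export chain with an approximation of Junos policy evaluation, and reports any core prefix that would not be rejected. The configuration, group names (AS4, AS5, IBGP) and addresses are constructed for the example; the policy and prefix-list names follow the STIG text. It also models a caveat the STIG example does not spell out: "from prefix-list" matches only the exact prefixes listed, so a /24 or /32 loopback inside the core /16 slips past EXCLUDE_CORE, whereas "from prefix-list-filter CORE_PREFIX orlonger" catches every more-specific.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample "show configuration | display set" output (hypothetical names,
# RFC 1918 / RFC 5737 addresses; not taken from the STIG). AS4 follows the STIG
# example; AS5 is an external group with no export policy; IBGP is internal.
SAMPLE_CONFIG = """
set policy-options prefix-list CORE_PREFIX 10.0.0.0/16
set policy-options policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE from prefix-list CORE_PREFIX
set policy-options policy-statement BGP_ADVERTISE_POLICY term EXCLUDE_CORE then reject
set policy-options policy-statement BGP_ADVERTISE_POLICY term INCLUDE_OTHER then accept
set protocols bgp group AS4 type external
set protocols bgp group AS4 export BGP_ADVERTISE_POLICY
set protocols bgp group AS4 peer-as 4
set protocols bgp group AS4 neighbor 192.0.2.1
set protocols bgp group AS5 type external
set protocols bgp group AS5 peer-as 5
set protocols bgp group AS5 neighbor 192.0.2.5
set protocols bgp group IBGP type internal
set protocols bgp group IBGP neighbor 10.0.0.2
"""

# Same router after hardening: more-specifics of the core block are caught with
# prefix-list-filter ... orlonger, and AS5 gets the export policy as well.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "term EXCLUDE_CORE from prefix-list CORE_PREFIX",
    "term EXCLUDE_CORE from prefix-list-filter CORE_PREFIX orlonger",
) + "set protocols bgp group AS5 export BGP_ADVERTISE_POLICY\n"


def parse_set_config(text):
    """Extract prefix-lists, policy-statements (terms in config order) and BGP groups."""
    prefix_lists, policies, groups = {}, OrderedDict(), OrderedDict()
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "set":
            continue
        if tok[1:3] == ["policy-options", "prefix-list"] and len(tok) >= 5:
            prefix_lists.setdefault(tok[3], []).append(ipaddress.ip_network(tok[4]))
        elif tok[1:3] == ["policy-options", "policy-statement"] and len(tok) >= 8 and tok[4] == "term":
            term = policies.setdefault(tok[3], OrderedDict()).setdefault(
                tok[5], {"from_pl": [], "from_plf": [], "then": None})
            clause = tok[6:]
            if clause[:2] == ["from", "prefix-list"] and len(clause) == 3:
                term["from_pl"].append(clause[2])
            elif clause[:2] == ["from", "prefix-list-filter"] and len(clause) == 4:
                term["from_plf"].append((clause[2], clause[3]))
            elif clause[:1] == ["then"] and len(clause) == 2:
                term["then"] = clause[1]
        elif tok[1:4] == ["protocols", "bgp", "group"] and len(tok) >= 7:
            g = groups.setdefault(tok[4], {"type": None, "export": []})
            if tok[5] == "type":
                g["type"] = tok[6]
            elif tok[5] == "export":
                g["export"].append(tok[6])
    return prefix_lists, policies, groups


def term_matches(term, prefix, prefix_lists):
    """Approximate Junos from-clause semantics: no from clause matches everything;
    'from prefix-list' is an exact-prefix match; 'prefix-list-filter' honours
    exact / longer / orlonger."""
    if not term["from_pl"] and not term["from_plf"]:
        return True
    for name in term["from_pl"]:
        if prefix in prefix_lists.get(name, []):
            return True
    for name, mode in term["from_plf"]:
        for net in prefix_lists.get(name, []):
            if net.version != prefix.version:
                continue
            if mode == "exact" and prefix == net:
                return True
            if mode == "longer" and prefix != net and prefix.subnet_of(net):
                return True
            if mode == "orlonger" and prefix.subnet_of(net):
                return True
    return False


def export_decision(group, prefix, policies, prefix_lists):
    """First matching term with a terminating action, across the export chain in
    order, decides; 'default' means the policy never made an explicit decision."""
    for pol in group["export"]:
        for term in policies.get(pol, {}).values():
            if term_matches(term, prefix, prefix_lists) and term["then"] in ("accept", "reject"):
                return term["then"]
    return "default"


def audit(config_text, core_prefixes):
    """Return {external group: [issues]}; an empty list means compliant. Pass every
    core prefix the router actually carries (e.g. /32 loopbacks), not only the aggregate."""
    prefix_lists, policies, groups = parse_set_config(config_text)
    findings = {}
    for name, g in groups.items():
        if g["type"] != "external":
            continue
        issues = [] if g["export"] else ["no export policy applied"]
        for p in core_prefixes:
            verdict = export_decision(g, ipaddress.ip_network(p), policies, prefix_lists)
            if verdict != "reject":
                issues.append(f"{p} not rejected (result: {verdict})")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, cfg in (("as checked", SAMPLE_CONFIG), ("after fix", HARDENED_CONFIG)):
        print(label, audit(cfg, ["10.0.0.0/16", "10.0.1.0/24", "10.0.255.1/32"]))
```

Run against the sample, AS4 passes for the aggregate 10.0.0.0/16 but is flagged for 10.0.1.0/24, which INCLUDE_OTHER accepts because the exact-match prefix-list never saw it; AS5 is flagged for having no export policy at all. The hardened configuration reports no issues for either group. When reviewing a real router, feed the script the core prefixes as they actually appear in the routing table, since that is what the export policy evaluates.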