The RUCKUS ICX BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-273572 | RCKS-RTR-000040 | SV-273572r1110908_rule | CCI-001368 | medium |

Description: As a best practice, a service provider should accept from a customer only the prefixes that have been assigned to that customer and to any of its peering autonomous systems. A multi-homed customer whose BGP-speaking routers connect to the internet or other external networks could be breached and used to launch a prefix de-aggregation attack. Without ingress route filtering on customer sessions, such an attack could affect the entire IP core and all of its customers.

STIG: RUCKUS ICX Router Security Technical Implementation Guide
Date: 2025-06-03
Details
Check Text (C-273572r1110908_chk)
Review the router configuration to verify that inbound filters exist which accept only routes for the prefixes allocated to each customer.

1. Verify a prefix-list exists for the customer ("show running-config | include prefix") similar to the following:
ip prefix-list customer1 seq 5 permit x.x.1.0/24 le 32
ip prefix-list customer1 seq 10 deny 0.0.0.0/0 ge 8
The permit entry covers the customer's allocated block and, because of "le 32", every more-specific prefix inside it, host routes included; use a smaller "le" value if the customer should not be able to de-aggregate that far. The deny entry makes the catch-all rejection explicit; a prefix-list also ends in an implicit deny, so a prefix matching neither entry (including a bare 0.0.0.0/0 default route) is dropped either way.

2. Confirm the prefix-list is applied inbound, through a route-map, to the customer's eBGP neighbor (a neighbor whose remote-as differs from the local-as) similar to the following:
route-map bgp_cust1 permit 10
match ip address prefix-list customer1
router bgp
local-as 1001
neighbor x.x.x.x remote-as 500
neighbor x.x.x.x route-map in bgp_cust1
The route-map's single permit clause admits only prefixes the list permits; any other prefix falls through to the route-map's implicit deny and is rejected. Repeat both steps for every customer-facing eBGP neighbor.

If the RUCKUS ICX router is not configured to reject prefixes not allocated to the customer, this is a finding.
Fix Text (F-77568r1109737_fix)
Configure a prefix-list that permits only the customer's allocated prefixes, reference it from a route-map, and apply the route-map inbound on the customer's eBGP neighbor (x.x.1.0/24 and x.x.x.x stand for the customer's allocated block and the CE neighbor address):
ip prefix-list customer1 seq 5 permit x.x.1.0/24 le 32
ip prefix-list customer1 seq 10 deny 0.0.0.0/0 ge 8
route-map bgp_cust1 permit 10
match ip address prefix-list customer1
router bgp
local-as 1001
neighbor x.x.x.x remote-as 500
neighbor x.x.x.x route-map in bgp_cust1
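The check above is easy to miss across many customer sessions, so the following added example (written for this page, not part of the STIG or RUCKUS's own tooling) automates it: it parses a FastIron-style running-config for prefix-lists, route-maps and BGP neighbors, then reports every eBGP neighbor that lacks an inbound route-map or whose route-map can admit a prefix outside that customer's allocation. The sample configuration, the neighbor addresses and the ALLOCATIONS table are constructed for the example; the only FastIron syntax relied on is the prefix-list, route-map and neighbor syntax shown in the Check and Fix text.

```python
"""Audit a RUCKUS ICX (FastIron) running-config for RCKS-RTR-000040.
Every eBGP neighbor must carry an inbound route-map whose prefix-list permits
only prefixes inside that customer's allocation. Config and allocation data
below are constructed for this example."""
import ipaddress
import re

PFX_RE = re.compile(
    r"^ip prefix-list (\S+) seq \d+ (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")
RM_RE = re.compile(r"^route-map (\S+) (permit|deny) \d+$")
MATCH_RE = re.compile(r"^match ip address prefix-list (\S+)$")
LOCAL_AS_RE = re.compile(r"^local-as (\d+)$")
NBR_AS_RE = re.compile(r"^neighbor (\S+) remote-as (\d+)$")
NBR_RM_RE = re.compile(r"^neighbor (\S+) route-map in (\S+)$")

# Constructed sample: 203.0.113.2 is filtered correctly, 198.51.100.2 has no
# inbound route-map, 192.0.2.2 sits behind a prefix-list that permits everything.
SAMPLE_CONFIG = """
ip prefix-list customer1 seq 5 permit 10.1.1.0/24 le 32
ip prefix-list customer1 seq 10 deny 0.0.0.0/0 ge 8
ip prefix-list customer3 seq 5 permit 0.0.0.0/0 le 32
route-map bgp_cust1 permit 10
 match ip address prefix-list customer1
route-map bgp_cust3 permit 10
 match ip address prefix-list customer3
router bgp
 local-as 1001
 neighbor 203.0.113.2 remote-as 500
 neighbor 203.0.113.2 route-map in bgp_cust1
 neighbor 198.51.100.2 remote-as 600
 neighbor 192.0.2.2 remote-as 700
 neighbor 192.0.2.2 route-map in bgp_cust3
"""

# Constructed allocation records: CE neighbor address -> blocks assigned to it.
ALLOCATIONS = {"203.0.113.2": ["10.1.1.0/24"],
               "198.51.100.2": ["10.2.0.0/16"],
               "192.0.2.2": ["10.3.3.0/24"]}


def parse_config(text):
    """Extract prefix-lists, route-maps, local-as and BGP neighbors."""
    prefix_lists, route_maps, neighbors = {}, {}, {}
    local_as, current_rm = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PFX_RE.match(line):
            name, action, net, ge, le = m.groups()
            prefix_lists.setdefault(name, []).append(
                (action, ipaddress.ip_network(net, strict=False),
                 int(ge) if ge else None, int(le) if le else None))
        elif m := RM_RE.match(line):
            current_rm = m.group(1)
            route_maps.setdefault(current_rm, []).append(
                {"action": m.group(2), "prefix_lists": []})
        elif (m := MATCH_RE.match(line)) and current_rm:
            route_maps[current_rm][-1]["prefix_lists"].append(m.group(1))
        elif m := LOCAL_AS_RE.match(line):
            local_as = int(m.group(1))
        elif m := NBR_AS_RE.match(line):
            neighbors.setdefault(m.group(1), {})["remote_as"] = int(m.group(2))
        elif m := NBR_RM_RE.match(line):
            neighbors.setdefault(m.group(1), {})["route_map_in"] = m.group(2)
    return prefix_lists, route_maps, neighbors, local_as


def accepted_prefixes(rm_name, route_maps, prefix_lists):
    """Prefixes an inbound route-map can admit: permit entries of each prefix-list
    matched by a permit clause. A permit clause without a match statement matches
    everything; a referenced but undefined prefix-list is treated the same way so
    that it surfaces as a finding rather than silently passing."""
    everything = ipaddress.ip_network("0.0.0.0/0")
    accepted = []
    for clause in route_maps.get(rm_name, []):
        if clause["action"] != "permit":
            continue
        if not clause["prefix_lists"]:
            return [everything]
        for pl in clause["prefix_lists"]:
            entries = prefix_lists.get(pl)
            if entries is None:
                return [everything]
            accepted += [net for action, net, _ge, _le in entries if action == "permit"]
    return accepted


def audit(config_text, allocations):
    """Return {neighbor: [finding, ...]} for each eBGP neighbor; [] means compliant."""
    prefix_lists, route_maps, neighbors, local_as = parse_config(config_text)
    findings = {}
    for ip, nbr in neighbors.items():
        if nbr.get("remote_as") == local_as:
            continue  # iBGP peer; this rule covers customer eBGP sessions only
        allowed = [ipaddress.ip_network(a) for a in allocations.get(ip, [])]
        rm, issues = nbr.get("route_map_in"), []
        if rm is None:
            issues.append("no inbound route-map applied")
        elif rm not in route_maps:
            issues.append(f"inbound route-map {rm} is not defined")
        else:
            for net in accepted_prefixes(rm, route_maps, prefix_lists):
                if not any(net.subnet_of(a) for a in allowed):
                    issues.append(f"route-map {rm} accepts {net}, outside allocation "
                                  + ", ".join(map(str, allowed)))
        findings[ip] = issues
    return findings


if __name__ == "__main__":
    for ip, issues in audit(SAMPLE_CONFIG, ALLOCATIONS).items():
        print(ip, "compliant" if not issues else "FINDING: " + "; ".join(issues))
```

Run it against the output of "show running-config" and an allocation table from your provisioning system; any neighbor with a non-empty list is a finding under this rule. The checker deliberately ignores the "ge"/"le" bounds when deciding compliance, since a permit entry inside the allocation is acceptable regardless of how far the customer may de-aggregate it; tighten that separately if your peering policy caps prefix length.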