The Cisco BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.

An XCCDF Rule

Description

<VulnDiscussion>Accepting route advertisements for Bogon prefixes can result in the local autonomous system (AS) becoming a transit for malicious traffic as it will in turn advertise these prefixes to neighbor autonomous systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216777r531087_rule
Severity: Medium
References: CCI-001368
Updated: 17 days ago

Configure the router to reject inbound route advertisements for any Bogon prefixes.

Step 1: Configure a prefix set containing the current Bogon prefixes as shown below.

RP/0/0/CPU0:R2(config)#prefix-set BOGON_PREFIXES   
RP/0/0/CPU0:R2(config-pfx)#0.0.0.0/8 le 32,RP/0/0/CPU0:R2(config-pfx)#10.0.0.0/8 le 32,
RP/0/0/CPU0:R2(config-pfx)#100.64.0.0/10 le 32,
RP/0/0/CPU0:R2(config-pfx)#127.0.0.0/8 le 32,
RP/0/0/CPU0:R2(config-pfx)#169.254.0.0/16 le 32,
RP/0/0/CPU0:R2(config-pfx)#172.16.0.0/12 le 32,
RP/0/0/CPU0:R2(config-pfx)#192.0.2.0/24 le 32,
RP/0/0/CPU0:R2(config-pfx)#192.88.99.0/24 le 32,
RP/0/0/CPU0:R2(config-pfx)#192.168.0.0/16 le 32,
RP/0/0/CPU0:R2(config-pfx)#198.18.0.0/15 le 32,
RP/0/0/CPU0:R2(config-pfx)#198.51.100.0/24 le 32,
RP/0/0/CPU0:R2(config-pfx)#203.0.113.0/24 le 32,
RP/0/0/CPU0:R2(config-pfx)#240.0.0.0/4 le 32,
RP/0/0/CPU0:R2(config-pfx)#224.0.0.0/4 le 32
RP/0/0/CPU0:R2(config-pfx)#end-set

Step 2: Configure the route policy to drop routes with BOGON prefixes as shown in the example below.

RP/0/0/CPU0:R2(config)#route-policy BGP_FILTER 
RP/0/0/CPU0:R2(config-rpl)#if destination in BOGON_PREFIXES then 
RP/0/0/CPU0:R2(config-rpl-if)#drop
RP/0/0/CPU0:R2(config-rpl-if)#else pass endif
RRP/0/0/CPU0:R2(config-rpl)#end-policy 
RP/0/0/CPU0:R2(config)#exit

Step 3: Apply the route policy to each external BGP neighbor as shown in the example.

RP/0/0/CPU0:R2(config)#router bgp xx
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.23.3
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast 
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER in
RP/0/0/CPU0:R2(config-bgp)#neighbor x.1.24.4
RP/0/0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast 
RP/0/0/CPU0:R2(config-bgp-nbr-af)#route-policy BGP_FILTER in

The Cisco BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.

Description

Remediation - Manual Procedure