The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.
An XCCDF Rule
Description
<VulnDiscussion>The effects of prefix deaggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix deaggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-254038r844147_rule
- Severity
- Low
- References
- Updated
Remediation - Manual Procedure
Configure all eBGP routers to use the prefix limit feature to protect against route table flooding and prefix deaggregation attacks.
set policy-options policy-statement <statement name> term 1 from route-filter 0.0.0.0/0 prefix-length-range /25-/32
set policy-options policy-statement <statement name> term 1 then reject
set protocols bgp group <group name> type external