The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

An XCCDF Rule

Description

The effects of prefix deaggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix deaggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.

ID
SV-254038r844147_rule
Version
JUEX-RT-000660
Severity
Low
References
Updated

Remediation Templates

A Manual Procedure

Configure all eBGP routers to use the prefix limit feature to protect against route table flooding and prefix deaggregation attacks.

set policy-options policy-statement <statement name> term 1 from route-filter 0.0.0.0/0 prefix-length-range /25-/32
set policy-options policy-statement <statement name> term 1 then reject

set protocols bgp group <group name> type external
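The policy above rejects any inbound route whose mask is /25 through /32 while letting /0 to /24 fall through to the default accept; to take effect it must be applied as the eBGP group's import policy (assumed here, since the template does not show that step). The following is an added simulation of that route-filter logic, not Juniper's or the STIG's own code; it generalizes the /24 cutoff into a max_prefix_len parameter for customers whose assigned blocks are longer, and uses constructed sample announcements.

```python
# Added example (not part of the STIG rule text): simulates how the template's
# Junos import policy classifies inbound eBGP announcements.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class RouteFilterTerm:
    """from route-filter <route_filter> prefix-length-range /<lo>-/<hi> then <action>"""
    route_filter: str
    range_lo: int
    range_hi: int
    action: str  # "accept" or "reject"

    def matches(self, prefix: str) -> bool:
        net = ipaddress.ip_network(prefix, strict=False)
        base = ipaddress.ip_network(self.route_filter, strict=False)
        if net.version != base.version:  # an IPv4 route-filter never matches IPv6
            return False
        # Junos semantics: the route must lie inside the filter prefix AND its
        # mask length must fall within the inclusive prefix-length-range.
        return net.subnet_of(base) and self.range_lo <= net.prefixlen <= self.range_hi

def build_policy(max_prefix_len: int = 24) -> list:
    """Template policy: reject anything longer than /24 (the STIG default).
    Raise max_prefix_len for a customer whose assigned blocks are longer
    (the rule's "least significant prefixes issued to the customer")."""
    return [RouteFilterTerm("0.0.0.0/0", max_prefix_len + 1, 32, "reject")]

def evaluate(policy, prefix: str) -> str:
    """First matching term wins; unmatched routes fall through to the
    BGP default import action, which is accept."""
    for term in policy:
        if term.matches(prefix):
            return term.action
    return "accept"

def deaggregation_report(policy, announcements):
    """Split announced prefixes into (accepted, rejected) lists."""
    accepted = [p for p in announcements if evaluate(policy, p) == "accept"]
    rejected = [p for p in announcements if evaluate(policy, p) == "reject"]
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample: 198.51.100.0/24 deaggregated into two /25 specifics,
    # alongside two legitimate announcements.
    announced = ["192.0.2.0/24", "198.51.100.0/25", "198.51.100.128/25", "10.20.0.0/16"]
    ok, dropped = deaggregation_report(build_policy(), announced)
    print("accepted:", ok)       # ['192.0.2.0/24', '10.20.0.0/16']
    print("rejected:", dropped)  # ['198.51.100.0/25', '198.51.100.128/25']
```

Note that the /24 itself is accepted while its two /25 fragments are rejected, which is exactly the deaggregation case the rule describes; a prefix-limit on the group (maximum-prefixes) is a separate control against sheer table size and is not modelled here.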