The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

An XCCDF Rule

Description

<VulnDiscussion>The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-217061r855901_rule
Severity: Low
References: CCI-002385
Updated: 17 days ago

Configure the router to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.

Configure a route filter to reject any prefix that is longer than /24.

[edit policy-options]
set policy-statement NO_LONG_PREFIXES from route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject
Apply the policy statement to the BGP customer groups.

[edit protocols bgp group CUST1]
set import NO_LONG_PREFIXES
[edit protocols bgp group CUST2]
set import NO_LONG_PREFIXES

The Juniper BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

Description

Remediation - Manual Procedure