V-273635

CAT III (Low)

The RUCKUS ICX BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

Rule ID

SV-273635r1110897_rule

STIG

RUCKUS ICX Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002385

Discussion

The effects of prefix de-aggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix de-aggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.

Check Content

This requirement is not applicable for the DODIN Backbone.

Review the router configuration to determine if it is compliant with this requirement.

1. Verify a route filter has been configured to reject prefixes longer than /24, or the least significant prefixes issued to the customers as shown in the example below:
ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32

2. Verify prefix filtering has been applied to each eBGP peer as shown in the following example:
router bgp
neighbor x.1.1.9 remote-as yy
neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in

If the router is not configured to limit the prefix size on any inbound route advertisement to /24, or the least significant prefixes issued to the customer, this is a finding.
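
The two check steps above can be automated against a saved running configuration. The following Python is an added example, not part of the STIG or vendor documentation; it parses only the line forms shown in the check text and reports eBGP peers whose inbound filter is missing or still admits prefixes longer than /24. It assumes first-match prefix-list evaluation with an implicit deny and a caller-supplied `local_as` (hypothetical parameter) to tell eBGP from iBGP peers; the sample configuration, its 192.0.2.x neighbors and its AS numbers are constructed.

```python
import ipaddress
import re

PL_RE = re.compile(r"ip prefix-list (\S+)(?: seq \d+)? (permit|deny) (\S+)"
                   r"(?: ge (\d+))?(?: le (\d+))?$")
NB_RE = re.compile(r"neighbor (\S+) (remote-as|prefix-list) (\S+)(?: (in|out))?$")
# Constructed sample: the page's prefix list, two eBGP peers, one left unfiltered.
SAMPLE = """\
ip prefix-list FILTER_PREFIX_LENGTH seq 5 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list FILTER_PREFIX_LENGTH seq 10 deny 0.0.0.0/0 le 32
router bgp
 neighbor 192.0.2.9 remote-as 64511
 neighbor 192.0.2.9 prefix-list FILTER_PREFIX_LENGTH in
 neighbor 192.0.2.13 remote-as 64510
"""

def parse(config):
    lists, peers = {}, {}  # entries are kept in config order (evaluation order)
    for line in map(str.strip, config.splitlines()):
        if m := PL_RE.match(line):
            name, action, pfx, ge, le = m.groups()
            net = ipaddress.ip_network(pfx)
            lo, hi = int(ge or net.prefixlen), int(le or (32 if ge else net.prefixlen))
            lists.setdefault(name, []).append((action, net, lo, hi))
        elif (m := NB_RE.match(line)) and (m[2] == "remote-as" or m[4] == "in"):
            peers.setdefault(m[1], {})[m[2]] = m[3]
    return lists, peers

def permits(entries, route):
    """First matching entry decides; no match is an implicit deny."""
    net = ipaddress.ip_network(route)
    for action, pfx, lo, hi in entries:
        if net.subnet_of(pfx) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False

def leaks(entries, max_len):
    # Probe each permit entry with its own network at every length above max_len.
    return any(action == "permit" and permits(entries, f"{pfx.network_address}/{n}")
               for action, pfx, lo, hi in entries
               for n in range(max(lo, max_len + 1), hi + 1))

def audit(config, local_as, max_len=24):
    """Findings for eBGP peers (remote-as != local_as); empty list = compliant."""
    lists, peers = parse(config)
    ebgp = {ip: p for ip, p in peers.items() if p.get("remote-as") != str(local_as)}
    return [f"{ip}: inbound prefix-list missing or permits longer than /{max_len}"
            for ip, p in ebgp.items()
            if p.get("prefix-list") not in lists or leaks(lists[p["prefix-list"]], max_len)]
```

Calling `audit(SAMPLE, 64496)` flags only 192.0.2.13, the peer with no inbound prefix list. Pass a different `max_len` when the least significant prefix issued to the customer is not /24.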

Fix Text

This requirement is not applicable for the DODIN Backbone.

Configure the router to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer.

1. Configure a prefix list to reject any prefix that is longer than /24.
ICX(config)#ip prefix-list FILTER_PREFIX_LENGTH permit 0.0.0.0/0 ge 8 le 24
ICX(config)#ip prefix-list FILTER_PREFIX_LENGTH deny 0.0.0.0/0 le 32

2. Apply the prefix list to all eBGP peers as shown in the example below:
ICX(config)#router bgp
ICX(config-bgp-router)#neighbor x.1.1.9 prefix-list FILTER_PREFIX_LENGTH in