Rule ID
SV-273572r1110908_rule
Version
V1R1
CCIs
As a best practice, a service provider should only accept customer prefixes that have been assigned to that customer and any peering autonomous systems. A multi-homed customer with BGP speaking routers connected to the internet or other external networks could be breached and used to launch a prefix de-aggregation attack. Without ingress route filtering of customers, the effectiveness of such an attack could impact the entire IP core and its customers.
Review the router configuration to verify there are filters defined to only accept routes for prefixes that belong to specific customers.
1. Verify a prefix-list exists for the customer ("show running-config | include prefix") similar to the following:
ip prefix-list customer1 seq 5 permit x.x.1.0/24 le 32
ip prefix-list customer1 seq 10 deny 0.0.0.0/0 ge 8
2. Confirm the prefix list has been applied to eBGP neighbor similar to the following:
route-map bgp_cust1 permit 10
match ip address prefix-list customer1
router bgp
local-as 1001
neighbor x.x.x.x remote-as 500
neighbor x.x.x.x route-map in bgp_cust1
If the RUCKUS ICX router is not configured to reject prefixes not allocated to the customer, this is a finding.Configure a prefix list and apply to the eBGP neighbor configuration: ip prefix-list customer1 seq 5 permit x.x.1.0/24 le 32 ip prefix-list customer1 seq 10 deny 0.0.0.0/0 ge 8 route-map bgp_cust1 permit 10 match ip address prefix-list customer1 router bgp local-as 1001 neighbor x.x.x.x remote-as 500 neighbor x.x.x.x route-map in bgp_cust1