The Dell OS10 BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.

Severity: medium
Group ID: V-269852
Group Title: SRG-NET-000018-RTR-000004
Version: OS10-RTR-000040
Rule ID: SV-269852r1051941_rule
Date: 2024-12-11
STIG Version: 1
Description
As a best practice, a service provider should only accept customer prefixes that have been assigned to that customer and any peering autonomous systems. A multihomed customer with BGP speaking routers connected to the internet or other external networks could be breached and used to launch a prefix deaggregation attack. Without ingress route filtering of customers, the effectiveness of such an attack could impact the entire IP core and its customers.
Check
Review the router configuration to verify that filters are defined to accept only routes for prefixes that belong to specific customers. The prefix filter must be referenced inbound on the appropriate BGP neighbor statement.

Step 1: Verify prefix lists have been configured for each customer containing the prefixes that belong to that customer.

OS10# show running-configuration prefix-list
!
...
ip prefix-list PREFIX_FILTER_CUST1 seq 5 permit 50.10.10.0/24 le 32
ip prefix-list PREFIX_FILTER_CUST1 seq 10 deny 0.0.0.0/0 ge 8
ip prefix-list PREFIX_FILTER_CUST2 seq 5 permit 60.10.10.0/24 le 32
ip prefix-list PREFIX_FILTER_CUST2 seq 10 deny 0.0.0.0/0 ge 8
...

Step 2: Verify the route map applied to the external neighbors references the configured prefix list shown above.

OS10# show running-configuration route-map
!
route-map PREFIX_FILTER_CUST1_MAP permit 50
 match ip address prefix-list PREFIX_FILTER_CUST1
!
route-map PREFIX_FILTER_CUST2_MAP permit 60
 match ip address prefix-list PREFIX_FILTER_CUST2
!

Step 3: Verify the BGP configuration for each external neighbor applies the appropriate route map shown above in the inbound direction.

!
router bgp 10
 !
 neighbor 50.1.1.1
  !
  address-family ipv4 unicast
   route-map PREFIX_FILTER_CUST1_MAP in
 neighbor 60.1.1.1
  !
  address-family ipv4 unicast
   route-map PREFIX_FILTER_CUST2_MAP in

If the router is not configured to reject inbound route advertisements from each CE router for prefixes that are not allocated to that customer, this is a finding.
Fix
Configure all eBGP routers to reject inbound route advertisements from a CE router for prefixes that are not allocated to that customer.

Step 1: Configure a prefix list for each customer containing the prefixes belonging to that customer.

OS10(config)# ip prefix-list PREFIX_FILTER_CUST1 seq 5 permit 50.10.10.0/24 le 32
OS10(config)# ip prefix-list PREFIX_FILTER_CUST1 seq 10 deny 0.0.0.0/0 ge 8
OS10(config)# ip prefix-list PREFIX_FILTER_CUST2 seq 5 permit 60.10.10.0/24 le 32
OS10(config)# ip prefix-list PREFIX_FILTER_CUST2 seq 10 deny 0.0.0.0/0 ge 8

Step 2: Configure a route map referencing each configured prefix list.

OS10(config)# route-map PREFIX_FILTER_CUST1_MAP 50
OS10(config-route-map)# match ip address prefix-list PREFIX_FILTER_CUST1
OS10(config-route-map)# exit
OS10(config)# route-map PREFIX_FILTER_CUST2_MAP 50
OS10(config-route-map)# match ip address prefix-list PREFIX_FILTER_CUST2
OS10(config-route-map)# exit

Step 3: Apply the route map inbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 50.1.1.1
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map PREFIX_FILTER_CUST1_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# neighbor 60.1.1.1
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map PREFIX_FILTER_CUST2_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# exit
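The three Check steps can be applied mechanically to saved show running-configuration output: every BGP neighbor needs an inbound route map, that route map must match a defined prefix list, and the prefix list must not be a wildcard. The script below is an added example, not part of this STIG or of Dell OS10; it assumes the line formats shown in this rule, runs on a constructed sample (the LOOSE_MAP, PERMIT_ANY and 70.1.1.1 entries are hypothetical non-compliant cases), and treats permit 0.0.0.0/0 with a ge/le range as a wildcard that admits any prefix.

```python
import re
# Constructed sample in the style of the Check section's running-config excerpts.
SAMPLE_CONFIG = """\
ip prefix-list PREFIX_FILTER_CUST1 seq 5 permit 50.10.10.0/24 le 32
ip prefix-list PREFIX_FILTER_CUST1 seq 10 deny 0.0.0.0/0 ge 8
ip prefix-list PERMIT_ANY seq 5 permit 0.0.0.0/0 le 32
route-map PREFIX_FILTER_CUST1_MAP permit 50
 match ip address prefix-list PREFIX_FILTER_CUST1
route-map LOOSE_MAP permit 10
 match ip address prefix-list PERMIT_ANY
router bgp 10
 neighbor 50.1.1.1
  address-family ipv4 unicast
   route-map PREFIX_FILTER_CUST1_MAP in
 neighbor 60.1.1.1
  address-family ipv4 unicast
   route-map LOOSE_MAP in
 neighbor 70.1.1.1
"""
PL_RE = re.compile(r"^ip prefix-list (\S+) seq \d+ (permit|deny) (\S+)\s*(.*)$")
RM_RE = re.compile(r"^route-map (\S+)")          # top-level route-map header
MATCH_RE = re.compile(r"^\s*match ip address prefix-list (\S+)$")
NBR_RE = re.compile(r"^\s*neighbor (\S+)$")
IN_RE = re.compile(r"^\s+route-map (\S+) in$")   # inbound policy under a neighbor

def audit_inbound_filters(config: str) -> dict:
    # Returns {neighbor: "ok" | "finding: <reason>"} for every BGP neighbor found.
    prefix_lists, route_maps, inbound, cur_map, cur_nbr = {}, {}, {}, None, None
    for line in config.splitlines():
        if m := PL_RE.match(line):
            prefix_lists.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif (m := IN_RE.match(line)) and cur_nbr:
            inbound[cur_nbr] = m[1]
        elif m := RM_RE.match(line):
            cur_map, cur_nbr = m[1], None
        elif (m := MATCH_RE.match(line)) and cur_map:
            route_maps.setdefault(cur_map, set()).add(m[1])
        elif m := NBR_RE.match(line):
            cur_nbr, cur_map = m[1], None
            inbound[cur_nbr] = None           # no inbound policy seen yet
    results = {}
    for nbr, rm in inbound.items():
        pls, reason = route_maps.get(rm, set()), None
        if rm is None:
            reason = "no inbound route-map"
        elif not pls or not all(pl in prefix_lists for pl in pls):
            reason = f"route-map {rm} does not match a defined prefix-list"
        # permit 0.0.0.0/0 with a ge/le range is a wildcard that admits any prefix
        elif loose := [pl for pl in pls if any(e[:2] == ("permit", "0.0.0.0/0") and e[2] for e in prefix_lists[pl])]:
            reason = f"prefix-list {loose[0]} permits any prefix"
        results[nbr] = f"finding: {reason}" if reason else "ok"
    return results
```

Running audit_inbound_filters(SAMPLE_CONFIG) reports 50.1.1.1 as ok and the two hypothetical neighbors as findings; feed it the output of show running-configuration to audit a real device.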