The Dell OS10 BGP router must be configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
low	V-269891	SRG-NET-000362-RTR-000118	OS10-RTR-000680	SV-269891r1052058_rule	2024-12-11	1

Description
The effects of prefix deaggregation can degrade router performance due to the size of routing tables and also result in black-holing legitimate traffic. Initiated by an attacker or a misconfigured router, prefix deaggregation occurs when the announcement of a large prefix is fragmented into a collection of smaller prefix announcements.

ℹ️ Check
This requirement is not applicable for the DODIN Backbone. Review the router configuration to verify that there is a filter to reject inbound route advertisements that are greater than /24 or the least significant prefixes issued to the customer, whichever is larger. The prefix filter must be referenced outbound on the appropriate BGP neighbor statements. Step 1: Verify prefix lists have been configured for each customer containing prefixes that belong to that customer. OS10# show running-configuration prefix-list ! ip prefix-list LONG_PREFIX_FILTER permit 0.0.0.0/0 ge 8 le 24 ip prefix-list LONG_PREFIX_FILTER deny 0.0.0.0/0 Step 2: Verify the route map applied to the external neighbors references the configured prefix list shown above. OS10# show running-configuration route-map ! route-map LONG_PREFIX_FILTER_MAP permit 50 match ip address prefix-list LONG_PREFIX_FILTER Step 3: Verify the route map applied to the external neighbors references the appropriate route maps shown above. ! router bgp 10 ! neighbor 50.1.1.1 ! address-family ipv4 unicast route-map LONG_PREFIX_FILTER_MAP in If the router is not configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer, this is a finding.

ℹ️ Check

This requirement is not applicable for the DODIN Backbone. Review the router configuration to verify that there is a filter to reject inbound route advertisements that are greater than /24 or the least significant prefixes issued to the customer, whichever is larger. The prefix filter must be referenced outbound on the appropriate BGP neighbor statements. Step 1: Verify prefix lists have been configured for each customer containing prefixes that belong to that customer. OS10# show running-configuration prefix-list ! ip prefix-list LONG_PREFIX_FILTER permit 0.0.0.0/0 ge 8 le 24 ip prefix-list LONG_PREFIX_FILTER deny 0.0.0.0/0 Step 2: Verify the route map applied to the external neighbors references the configured prefix list shown above. OS10# show running-configuration route-map ! route-map LONG_PREFIX_FILTER_MAP permit 50 match ip address prefix-list LONG_PREFIX_FILTER Step 3: Verify the route map applied to the external neighbors references the appropriate route maps shown above. ! router bgp 10 ! neighbor 50.1.1.1 ! address-family ipv4 unicast route-map LONG_PREFIX_FILTER_MAP in If the router is not configured to limit the prefix size on any inbound route advertisement to /24 or the least significant prefixes issued to the customer, this is a finding.

✔️ Fix
Ensure all eBGP routers are configured to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer. Step 1: Configure a prefix list for each customer containing prefixes belonging to each. OS10(config)# ip prefix-list LONG_PREFIX_FILTER permit 0.0.0.0/0 ge 8 le 24 OS10(config)# ip prefix-list LONG_PREFIX_FILTER deny 0.0.0.0/0 Step 2: Configure the route map referencing the configured prefix list. OS10(config)# route-map LONG_PREFIX_FILTER_MAP 50 OS10(config-route-map)# match ip address prefix-list LONG_PREFIX_FILTER OS10(config-route-map)# exit Step 3: Apply the route-map outbound to each external BGP neighbor. OS10(config)# router bgp 10 OS10(config-router-bgp-10)# neighbor 50.1.1.1 OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# route-map LONG_PREFIX_FILTER_MAP in OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# exit OS10(config-router-bgp-10)# exit

✔️ Fix

Ensure all eBGP routers are configured to limit the prefix size on any route advertisement to /24 or the least significant prefixes issued to the customer. Step 1: Configure a prefix list for each customer containing prefixes belonging to each. OS10(config)# ip prefix-list LONG_PREFIX_FILTER permit 0.0.0.0/0 ge 8 le 24 OS10(config)# ip prefix-list LONG_PREFIX_FILTER deny 0.0.0.0/0 Step 2: Configure the route map referencing the configured prefix list. OS10(config)# route-map LONG_PREFIX_FILTER_MAP 50 OS10(config-route-map)# match ip address prefix-list LONG_PREFIX_FILTER OS10(config-route-map)# exit Step 3: Apply the route-map outbound to each external BGP neighbor. OS10(config)# router bgp 10 OS10(config-router-bgp-10)# neighbor 50.1.1.1 OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# route-map LONG_PREFIX_FILTER_MAP in OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# exit OS10(config-router-bgp-10)# exit