DISA STIGS Viewer

The Dell OS10 BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.

Overview

Finding ID Version Rule ID IA Controls Severity
V-269850 OS10-RTR-000020 SV-269850r1051935_rule   Medium
Description
Accepting route advertisements for Bogon prefixes can result in the local autonomous system (AS) becoming a transit for malicious traffic as it will in turn advertise these prefixes to neighbor autonomous systems.
STIG Date
Dell OS10 Switch Router Security Technical Implementation Guide 2024-12-11

Details

Check Text (C-73883r1051933_chk)
Review the router configuration to verify it will reject routes of any Bogon prefixes.

The prefix filter must be referenced inbound on the appropriate BGP neighbor statements.

Step 1: Verify a prefix list has been configured containing the current Bogon prefixes as shown in the example below.

ip prefix-list BOGON_PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 10 deny 10.0.0.0/8 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 15 deny 100.64.0.0/10 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 20 deny 127.0.0.0/8 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 25 deny 169.254.0.0/16 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 30 deny 172.16.0.0/12 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 35 deny 192.0.2.0/24 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 40 deny 192.88.99.0/24 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 45 deny 192.168.0.0/16 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 50 deny 198.18.0.0/15 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 55 deny 198.51.100.0/24 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 60 deny 203.0.113.0/24 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 65 deny 224.0.0.0/4 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 70 deny 240.0.0.0/4 le 32
ip prefix-list BOGON_PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8

Step 2: Verify the route map applied to the external neighbors references the configured Bogon prefix list shown above.

!
route-map PREFIX_FILTER_MAP permit 10
match ip address prefix-list BOGON_PREFIX_FILTER

!
router bgp 10
!
template ebgp
!
address-family ipv4 unicast
route-map PREFIX_FILTER_MAP in
!
neighbor 123.1.1.10
!
address-family ipv4 unicast
route-map PREFIX_FILTER_MAP in

If the router is not configured to reject inbound route advertisements for any Bogon prefixes, this is a finding.
Fix Text (F-73784r1051934_fix)
Ensure all eBGP routers are configured to reject inbound route advertisements for any Bogon prefixes.

Step 1: Configure a prefix list containing the current Bogon prefixes.

OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 5 deny 0.0.0.0/8 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 10 deny 10.0.0.0/8 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 15 deny 100.64.0.0/10 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 20 deny 127.0.0.0/8 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 25 deny 169.254.0.0/16 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 30 deny 172.16.0.0/12 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 35 deny 192.0.2.0/24 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 40 deny 192.88.99.0/24 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 45 deny 192.168.0.0/16 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 50 deny 198.18.0.0/15 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 55 deny 198.51.100.0/24 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 60 deny 203.0.113.0/24 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 65 deny 224.0.0.0/4 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 70 deny 240.0.0.0/4 le 32
OS10(config)# ip prefix-list BOGON_PREFIX_FILTER seq 75 permit 0.0.0.0/0 ge 8

Step 2: Configure the route map referencing the configured Bogon prefix list.

OS10(config)# route-map PREFIX_FILTER_MAP 10
OS10(config-route-map)# match ip address prefix-list BOGON_PREFIX_FILTER
OS10(config-route-map)# exit

Step 3: Apply the route-map inbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 123.1.1.10
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map PREFIX_FILTER_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# template ebgp
OS10(config-router-template)# address-family ipv4 unicast
OS10(config-router-bgp-template-af)# route-map PREFIX_FILTER_MAP in
OS10(config-router-bgp-template-af)# exit
OS10(config-router-template)# exit
OS10(config-router-bgp-10)# exit