The RUCKUS ICX BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-273572 | RCKS-RTR-000040 | SV-273572r1110908_rule | | Medium |
| Description |
|---|
| As a best practice, a service provider should only accept customer prefixes that have been assigned to that customer and to any autonomous systems peering through it. A multi-homed customer with BGP-speaking routers connected to the internet or other external networks could be breached and used to launch a prefix de-aggregation attack. Without ingress route filtering on customer sessions, such an attack could affect the entire IP core and its customers. |
| STIG | Date |
|---|---|
| RUCKUS ICX Router Security Technical Implementation Guide | 2025-06-03 |
Details
Check Text (C-77663r1109736_chk)

Review the router configuration to verify there are filters defined to only accept routes for prefixes that belong to specific customers.

1. Verify a prefix-list exists for the customer ("show running-config | include prefix") similar to the following:

```
ip prefix-list customer1 seq 5 permit x.x.1.0/24 le 32
ip prefix-list customer1 seq 10 deny 0.0.0.0/0 ge 8
```

2. Confirm the prefix list has been applied, via a route-map, inbound on the eBGP neighbor similar to the following:

```
route-map bgp_cust1 permit 10
 match ip address prefix-list customer1
router bgp
 local-as 1001
 neighbor x.x.x.x remote-as 500
 neighbor x.x.x.x route-map in bgp_cust1
```

If the RUCKUS ICX router is not configured to reject prefixes not allocated to the customer, this is a finding.
Fix Text (F-77568r1109737_fix)

Configure a prefix list that permits only the customer's allocated prefixes and apply it inbound on the eBGP neighbor through a route-map:

```
ip prefix-list customer1 seq 5 permit x.x.1.0/24 le 32
ip prefix-list customer1 seq 10 deny 0.0.0.0/0 ge 8
route-map bgp_cust1 permit 10
 match ip address prefix-list customer1
router bgp
 local-as 1001
 neighbor x.x.x.x remote-as 500
 neighbor x.x.x.x route-map in bgp_cust1
```

Replace x.x.1.0/24 with the customer's allocated block and x.x.x.x with the CE neighbor address. Note that `le 32` accepts any more-specific of that block down to a host route; if the customer is not expected to announce more-specifics, a smaller upper bound is the stricter choice.