The RUCKUS ICX BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customer or the local autonomous system (AS).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-273573 | RCKS-RTR-000050 | SV-273573r1111031_rule | | Medium |
| Description |
|---|
| Advertisement of routes by an autonomous system for networks that do not belong to any of its customers pulls traffic away from the authorized network. This causes a denial of service (DoS) on the network that allocated the block of addresses and may cause a DoS on the network that is inadvertently advertising it as the originator. It is also possible that a misconfigured or compromised router within the GIG IP core could redistribute IGP routes into BGP, thereby leaking internal routes. |
| STIG | Date |
|---|---|
| RUCKUS ICX Router Security Technical Implementation Guide | 2025-06-03 |
Details
Check Text (C-77664r1109739_chk)

Review the router configuration to verify there is a filter defined to only advertise routes for prefixes that belong to any customers or the local AS. This requirement is not applicable for the DODIN Backbone.

1. Verify a prefix-list is configured for routes belonging to the local AS.

```
ICX# show ip prefix-lists
ip prefix-list local-AS: 2 entries
   seq 5 permit x.1.1.0/24
   seq 10 permit x.1.2.0/24
```

2. Verify the prefix-list is applied to outbound routes to neighbors.

```
ICX# show ip bgp config
Current BGP configuration:
router bgp
 local-as 1000
 neighbor x.x.x.x remote-as 1001
 neighbor x.x.x.x prefix-list local-AS out
```

If the router does not filter out prefix advertisements that do not belong to the local AS, this is a finding.
Fix Text (F-77569r1111030_fix)

Configure a prefix-list representing the prefixes that belong to the local AS and apply it outbound to each BGP neighbor, similar to what is shown below. The two permit entries use distinct sequence numbers, the final deny entry rejects every other prefix of length /8 or longer, and the list applied to the neighbor is the same one that was defined:

```
ip prefix-list mylist seq 5 permit x.1.1.0/24
ip prefix-list mylist seq 10 permit x.1.2.0/24
ip prefix-list mylist seq 15 deny 0.0.0.0/0 ge 8
router bgp
 local-as 1000
 neighbor x.x.x.x remote-as 1001
 neighbor x.x.x.x prefix-list mylist out
```