The RUCKUS ICX perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.

Overview

Finding ID: V-273643
Version: RCKS-RTR-000760
Rule ID: SV-273643r1111037_rule
IA Controls:
Severity: Medium
Description
Bogons are IP packets on the public internet whose addresses fall outside any range allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional internet registry (RIR) for public internet use. Bogons also include multicast, IETF reserved, and special-purpose address space as defined in RFC 6890. The security of the internet's routing system relies on the ability to authenticate an assertion of unique control of an address block. Measures to authenticate such assertions rely on validating that the address block forms part of an existing allocated block and is a trustable, unique reference in the IANA address registries. The only intended use of a Bogon source address is address spoofing in denial-of-service attacks; hence, it is imperative that IP packets with a Bogon source address are blocked at the network's perimeter.
STIG: RUCKUS ICX Router Security Technical Implementation Guide
Date: 2025-06-03

Details

Check Text (C-77734r1109949_chk)
This requirement is not applicable for the DODIN Backbone.

Review the router configuration to verify that an ingress Access Control List (ACL) applied to all external interfaces is blocking packets with Bogon source addresses.

1. Verify an ACL has been configured containing the current Bogon prefixes as shown in the example below:
ip access-list extended FILTER_PERIMETER
sequence 10 deny ip 0.0.0.0 0.255.255.255 any log
sequence 20 deny ip 10.0.0.0 0.255.255.255 any log
sequence 30 deny ip 100.64.0.0 0.63.255.255 any log
sequence 40 deny ip 127.0.0.0 0.255.255.255 any log
sequence 50 deny ip 169.254.0.0 0.0.255.255 any log
sequence 60 deny ip 172.16.0.0 0.15.255.255 any log
sequence 70 deny ip 192.0.0.0 0.0.0.255 any log
sequence 80 deny ip 192.0.2.0 0.0.0.255 any log
sequence 90 deny ip 192.168.0.0 0.0.255.255 any log
sequence 100 deny ip 198.18.0.0 0.1.255.255 any log
sequence 110 deny ip 198.51.100.0 0.0.0.255 any log
sequence 120 deny ip 203.0.113.0 0.0.0.255 any log
sequence 130 deny ip 224.0.0.0 31.255.255.255 any log
sequence 140 permit tcp any any established
sequence 150 permit tcp host x.0.1.2 host x.0.1.1 eq bgp
sequence 160 permit tcp host x.0.1.1 eq bgp host x.0.1.2
sequence 170 permit icmp host x.0.1.2 host x.0.1.1 echo
sequence 180 permit icmp host x.0.1.1 host x.0.1.2 echo-reply
...
sequence 190 deny ip any any log

2. Verify the inbound ACL applied to all external interfaces will block all traffic from Bogon source addresses.
interface ethernet 1/1/1
port-name link_to_DISN
ip access-group FILTER_PERIMETER in logging enable
!

If the router is not configured to block inbound packets with source Bogon IP address prefixes, this is a finding.
Fix Text (F-77639r1109950_fix)
This requirement is not applicable for the DODIN Backbone.

Configure the router to block inbound packets with source Bogon IP address prefixes as shown below:

1. Configure an ACL containing the current Bogon prefixes as shown below:
ICX(config)#ip access-list ext FILTER_PERIMETER
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 0.0.0.0/8 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 10.0.0.0/8 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 100.64.0.0/10 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 127.0.0.0/8 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 169.254.0.0/16 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 172.16.0.0/12 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 192.0.0.0/24 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 192.0.2.0/24 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 192.168.0.0/16 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 198.18.0.0/15 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 198.51.100.0/24 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 203.0.113.0/24 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip 224.0.0.0/3 any log
ICX(config-ext-ipacl-FILTER_PERIMETER)#permit tcp any any established
ICX(config-ext-ipacl-FILTER_PERIMETER)#permit tcp host x.0.1.2 host x.0.1.1 eq bgp
ICX(config-ext-ipacl-FILTER_PERIMETER)#permit tcp host x.0.1.1 eq bgp host x.0.1.2
ICX(config-ext-ipacl-FILTER_PERIMETER)#permit icmp host x.0.1.2 host x.0.1.1 echo
ICX(config-ext-ipacl-FILTER_PERIMETER)#permit icmp host x.0.1.1 host x.0.1.2 echo-reply
ICX(config-ext-ipacl-FILTER_PERIMETER)#deny ip any any log

2. Apply the ACL inbound on all external interfaces.
ICX(config)#interface ethernet x/x/x
ICX(config-if-e10000-x/x/x)#ip access-group FILTER_PERIMETER in logging enable
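An added example, not part of the STIG and not a Ruckus tool: a Python audit script that parses an ICX running-config excerpt for the FILTER_PERIMETER ACL and its inbound interface bindings, then reports the gaps the check text and fix text above are concerned with (a required RFC 6890 bogon block that no deny covers before a permit could match it, a list that does not end in an explicit deny, or an external interface without the ACL applied inbound). The config excerpts, the BGP peer addresses 198.0.1.1/198.0.1.2 (standing in for the page's x.0.1.x placeholders), the interface names and the list of external interfaces are constructed for the example. The parser accepts both the address-plus-wildcard form shown in the running-config and the CIDR form typed in the fix text.

```python
import ipaddress
import re

# RFC 6890 special-purpose blocks the STIG check expects the perimeter ACL to deny
# (198.18.0.0/15 = benchmarking, 198.51.100.0/24 = TEST-NET-2, 224.0.0.0/3 = multicast + 240/4).
REQUIRED_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3")]
ANY = ipaddress.ip_network("0.0.0.0/0")
ENTRY_RE = re.compile(r"^(?:sequence\s+\d+\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$")

def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an ICX wildcard (inverse) mask such as 0.15.255.255 into a prefix length."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # set bits must be contiguous from the low end
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - wc.bit_length()

def parse_source(tokens):
    """Parse the source spec that opens an ACL entry; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if "/" in tokens[0]:  # CIDR form, as typed in the fix text
        return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]
    plen = wildcard_to_prefixlen(tokens[1])  # address + wildcard form, as in the running-config
    return ipaddress.ip_network(f"{tokens[0]}/{plen}", strict=False), tokens[2:]

def parse_config(text: str):
    """Return ({acl_name: [entries]}, {interface: [ACL names applied inbound]})."""
    acls, bindings, acl, iface = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":
            acl = iface = None
        elif (m := re.match(r"^ip access-list (?:extended|ext) (\S+)$", line)):
            acl, iface = acls.setdefault(m.group(1), []), None
        elif (m := re.match(r"^interface (\S+ \S+)$", line)):
            iface, acl = bindings.setdefault(m.group(1), []), None
        elif iface is not None and (m := re.match(r"^ip access-group (\S+) in\b", line)):
            iface.append(m.group(1))
        elif acl is not None and (m := ENTRY_RE.match(line)):
            src, rest = parse_source(m.group("rest").split())
            acl.append({"action": m.group("action"), "proto": m.group("proto"),
                        "src": src, "dst_any": bool(rest) and rest[0] == "any"})
    return acls, bindings

def audit(config: str, acl_name: str, external_ifaces):
    """Return a list of findings; an empty list means the config satisfies the check."""
    acls, bindings = parse_config(config)
    entries = acls.get(acl_name, [])
    findings = []
    for bogon in REQUIRED_BOGONS:
        for e in entries:  # first-match semantics, as the router evaluates the list
            if e["action"] == "permit" and e["src"].overlaps(bogon):
                findings.append(f"{bogon} reaches 'permit {e['proto']}' from {e['src']} before any deny covers it")
                break
            if e["action"] == "deny" and e["proto"] == "ip" and e["dst_any"] and bogon.subnet_of(e["src"]):
                break
        else:
            findings.append(f"{bogon} is never denied by {acl_name}")
    last = entries[-1] if entries else None
    if not (last and last["action"] == "deny" and last["proto"] == "ip" and last["src"] == ANY and last["dst_any"]):
        findings.append(f"{acl_name} does not end with an explicit 'deny ip any any'")
    for name in external_ifaces:
        if acl_name not in bindings.get(name, []):
            findings.append(f"interface {name} does not apply {acl_name} inbound")
    return findings

# Constructed running-config excerpt modelled on the check text (not captured from a device);
# 198.0.1.1/198.0.1.2 stand in for the page's x.0.1.x BGP peer placeholders.
COMPLIANT_CONFIG = """\
ip access-list extended FILTER_PERIMETER
 sequence 10 deny ip 0.0.0.0 0.255.255.255 any log
 sequence 20 deny ip 10.0.0.0 0.255.255.255 any log
 sequence 30 deny ip 100.64.0.0 0.63.255.255 any log
 sequence 40 deny ip 127.0.0.0 0.255.255.255 any log
 sequence 50 deny ip 169.254.0.0 0.0.255.255 any log
 sequence 60 deny ip 172.16.0.0 0.15.255.255 any log
 sequence 70 deny ip 192.0.0.0 0.0.0.255 any log
 sequence 80 deny ip 192.0.2.0 0.0.0.255 any log
 sequence 90 deny ip 192.168.0.0 0.0.255.255 any log
 sequence 100 deny ip 198.18.0.0 0.1.255.255 any log
 sequence 110 deny ip 198.51.100.0 0.0.0.255 any log
 sequence 120 deny ip 203.0.113.0 0.0.0.255 any log
 sequence 130 deny ip 224.0.0.0 31.255.255.255 any log
 sequence 140 permit tcp any any established
 sequence 150 permit tcp host 198.0.1.2 host 198.0.1.1 eq bgp
 sequence 190 deny ip any any log
!
interface ethernet 1/1/1
 ip access-group FILTER_PERIMETER in logging enable
!
"""
# Same excerpt with mistyped 192.x prefixes in place of the 198.x blocks, plus a second external interface with no inbound ACL.
NONCOMPLIANT_CONFIG = (COMPLIANT_CONFIG.replace("198.18.0.0 0.1.255.255", "192.18.0.0 0.1.255.255")
                       .replace("198.51.100.0 0.0.0.255", "192.51.100.0 0.0.0.255")
                       + "interface ethernet 1/1/2\n!\n")
```

Calling audit(COMPLIANT_CONFIG, "FILTER_PERIMETER", ["ethernet 1/1/1"]) returns no findings. Over NONCOMPLIANT_CONFIG with both interfaces listed as external, it reports that 198.18.0.0/15 and 198.51.100.0/24 reach the permit tcp any any established entry before any deny covers them (the mistyped 192.x entries deny allocated public space instead), and that ethernet 1/1/2 carries no inbound ACL. Because the check walks the list in router order, a bogon deny placed after a broad permit is flagged even though the deny entry exists.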