IGP instances configured on the OOBM gateway router do not peer only with their appropriate routing domain

From Infrastructure Router Security Technical Implementation Guide Juniper

Part of IGP instances do not peer with appropriate domain

SV-19298r1_rule IGP instances configured on the OOBM gateway router do not peer only with their appropriate routing domain

Vulnerability discussion

If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. Since the managed network and the management network are separate routing domains, separate IGP routing instances must be configured on the router—one for the managed network and one for the OOBM network.

Check content

Verify that the OOBM interface is an adjacency only in the IGP routing domain for the management network. The following is an example in which RIP runs on the management network 10.0.0.0 and OSPF on the managed network 172.20.0.0. The network 10.1.20.0/24 is the OOBM backbone and 10.1.1.0 is the local management LAN connecting to the OOBM interfaces of the managed network (i.e., the private and service network) elements.

    interfaces {
        fe-0/0/0 {
            description "link to our Private Net";
            unit 0 {
                family inet {
                    address 172.20.4.2/24;
                }
            }
        }
        fe-0/0/1 {
            description "link to our Service Net";
            unit 0 {
                family inet {
                    address 172.20.5.2/24;
                }
            }
        }
        fe-0/0/2 {
            description "Enclave Management LAN";
            unit 0 {
                family inet {
                    address 10.1.1.1/24;
                }
            }
        }
        t3-3/0/3 {
            description "link to OOBM Backbone";
            unit 0 {
                family inet {
                    address 10.1.20.3/24;
                }
            }
        }
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface fe-0/0/0.0;
                interface fe-0/0/1.0;
                interface lo0.0;
            }
        }
        rip {
            group rip-neighbor {
                neighbor t3-3/0/3.0;
                export [ rip-advertisements direct-management-LAN ];
            }
        }
    }
    policy-options {
        policy-statement rip-advertisements {
            from protocol rip;
            then accept;
        }
        policy-statement direct-management-LAN {
            from {
                protocol direct;
                interface [ lo0.0 t3-3/0/3.0 fe-0/0/2.0 ];
            }
            then accept;
        }
    }

Note: When you enable RIP, the default JUNOS behavior is to accept all learned RIP routes but export no routes to RIP neighbors. To have RIP send routing information to its neighbors, you must configure a routing policy and apply it as the RIP export policy. In the example above, the OOBM gateway router has a RIP neighbor adjacency only with its upstream OOBM backbone router (via t3-3/0/3.0). Through the two export policies it re-advertises RIP-learned routes and advertises to the RIP domain the local management LAN prefix and the loopback address, both of which belong to the management network. The managed-network interfaces fe-0/0/0.0 and fe-0/0/1.0 participate in OSPF only.
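As an added worked example (not part of the STIG and not Juniper code), the following Python script performs the verification described above against the example configuration: it parses the brace-style Junos text, maps each logical interface to its configured address, and reports any interface that appears in both IGP instances or that runs an IGP outside the routing domain that IGP is meant to serve. The parser, the function names and the prefix lengths 10.0.0.0/8 and 172.20.0.0/16 are assumptions; the STIG gives only the network numbers. The embedded configuration is a constructed copy of the STIG's example (policy-options omitted, as they do not affect the adjacency check).

```python
"""Audit a Junos configuration for IGP/routing-domain separation (added example)."""
import ipaddress
import re

# Constructed sample: the STIG's example configuration in Junos syntax.
CONFIG = """
interfaces {
    fe-0/0/0 { description "link to our Private Net"; unit 0 { family inet { address 172.20.4.2/24; } } }
    fe-0/0/1 { description "link to our Service Net"; unit 0 { family inet { address 172.20.5.2/24; } } }
    fe-0/0/2 { description "Enclave Management LAN"; unit 0 { family inet { address 10.1.1.1/24; } } }
    t3-3/0/3 { description "link to OOBM Backbone"; unit 0 { family inet { address 10.1.20.3/24; } } }
}
protocols {
    ospf { area 0.0.0.0 { interface fe-0/0/0.0; interface fe-0/0/1.0; interface lo0.0; } }
    rip { group rip-neighbor { neighbor t3-3/0/3.0; export [ rip-advertisements direct-management-LAN ]; } }
}
"""

# Assumed prefix lengths: the STIG names only the network numbers 10.0.0.0 and 172.20.0.0.
DOMAINS = {
    "rip": ipaddress.ip_network("10.0.0.0/8"),      # management (OOBM) network
    "ospf": ipaddress.ip_network("172.20.0.0/16"),  # managed (production) network
}


def parse_junos(text):
    """Parse brace-style Junos config into nested dicts (block -> dict, leaf -> None)."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)
    root, words = {}, []
    stack = [root]
    for tok in tokens:
        if tok == "{":
            block = {}
            stack[-1][" ".join(words)] = block
            stack.append(block)
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return root


def interface_addresses(cfg):
    """Map logical interface names (e.g. fe-0/0/2.0) to their configured IPv4 address."""
    addrs = {}
    for ifname, body in cfg.get("interfaces", {}).items():
        for stmt, unit in (body or {}).items():
            if not stmt.startswith("unit "):
                continue
            inet = (unit or {}).get("family inet") or {}
            for leaf in inet:
                if leaf.startswith("address "):
                    addrs[f"{ifname}.{stmt.split()[1]}"] = ipaddress.ip_interface(leaf.split()[1])
    return addrs


def igp_interfaces(cfg):
    """Return the set of logical interfaces each IGP instance runs on."""
    protocols = cfg.get("protocols", {})
    ospf = {s.split()[1] for area in protocols.get("ospf", {}).values()
            for s in (area or {}) if s.startswith("interface ")}
    rip = {s.split()[1] for grp in protocols.get("rip", {}).values()
           for s in (grp or {}) if s.startswith("neighbor ")}
    return {"ospf": ospf, "rip": rip}


def check_igp_domains(cfg, domains=DOMAINS):
    """Findings: an interface in both IGPs, or an IGP interface addressed outside its domain."""
    addrs = interface_addresses(cfg)
    igps = igp_interfaces(cfg)
    findings = [f"{i}: runs both OSPF and RIP" for i in sorted(igps["ospf"] & igps["rip"])]
    for proto, ifaces in igps.items():
        for i in sorted(ifaces):
            addr = addrs.get(i)
            if addr is None:  # e.g. lo0.0 carries no address in the sample; cannot classify
                continue
            if addr.ip not in domains[proto]:
                findings.append(f"{i} ({addr}) runs {proto.upper()} but is outside {domains[proto]}")
    return findings


def audit(text, domains=DOMAINS):
    """Parse a configuration text and return its list of findings (empty means compliant)."""
    return check_igp_domains(parse_junos(text), domains)


if __name__ == "__main__":
    for line in audit(CONFIG) or ["no findings: each IGP instance stays in its routing domain"]:
        print(line)
```

Run against a configuration pulled with `show configuration | no-more`, the script returns an empty list for the STIG's example; moving the management LAN interface fe-0/0/2.0 into the OSPF area, or adding a managed-network interface as a RIP neighbor, produces a finding naming the offending interface and the domain it violates.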

Fix text

Ensure that the multiple IGP instances configured on the OOBM gateway router peer only with their appropriate routing domain. Verify that all interfaces are configured for the appropriate IGP instance.
