RFC Errata



RFC 6192, "Protecting the Router Control Plane", March 2011

Source of RFC: opsec (ops)
See Also: RFC 6192 w/ inline errata

Errata ID: 4851
Status: Verified
Type: Technical
Publication Format(s): TEXT

Reported By: Hugo Leonardo Canalli
Date Reported: 2016-11-01
Verifier Name: joel jaeggli
Date Verified: 2017-03-29

Section A.2 says:

   term ebgp-reply {
       from {
           source-prefix-list {
               EBGP-NEIGHBORS;
           }
           protocol tcp;
           port bgp;
       }
       then accept;
   }

It should say:

   term ebgp-reply {
       from {
           source-prefix-list {
               EBGP-NEIGHBORS;
           }
           protocol tcp;
           tcp-established;
           source-port bgp;
       }
       then accept;
   }


Notes:

There is a security question in that firewall relating to the BGP reply.
Any neighbor that fakes a TCP source port of 179 can access any router port, for example SSH.
Need to add the line tcp-established. It would also be better to add source-port bgp, since the BGP protocol uses port 179 as the destination. Add the fix to all BGP terms, including IPv6.
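To make the difference between the two terms concrete, here is an added example (not part of RFC 6192 or of this erratum) that models just enough of Junos firewall-filter matching to evaluate both versions of ebgp-reply against a handful of constructed packets. It assumes that `port bgp` matches either the source or the destination port, that `source-port bgp` matches only the source port, and that `tcp-established` matches packets with the ACK or RST bit set; the prefix-list contents and the packet tuples are constructed for illustration.

```python
"""Toy evaluation of the original and corrected ebgp-reply terms.

Added example, not code from RFC 6192 or the erratum. The matcher models
three Junos match conditions as the erratum uses them:
  port X          -> source port == X or destination port == X
  source-port X   -> source port == X
  tcp-established -> ACK or RST flag set (stateless check)
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BGP_PORT = 179

# Constructed stand-in for the EBGP-NEIGHBORS prefix list (assumption).
EBGP_NEIGHBORS = [ip_network("192.0.2.0/24"), ip_network("2001:db8:1::/64")]


@dataclass(frozen=True)
class Packet:
    src: str        # source address as text
    proto: str      # "tcp" or "udp"
    sport: int      # source port
    dport: int      # destination port (a port on the router)
    ack: bool       # ACK flag set
    rst: bool = False  # RST flag set


def from_neighbor(pkt: Packet) -> bool:
    """source-prefix-list EBGP-NEIGHBORS: source address inside any listed prefix."""
    addr = ip_address(pkt.src)
    return any(addr in prefix for prefix in EBGP_NEIGHBORS)


def original_term(pkt: Packet) -> bool:
    """Section A.2 as published: 'port bgp' matches EITHER port, so any
    packet from a neighbor with source port 179 matches regardless of the
    router port it is aimed at."""
    return (from_neighbor(pkt) and pkt.proto == "tcp"
            and BGP_PORT in (pkt.sport, pkt.dport))


def corrected_term(pkt: Packet) -> bool:
    """The erratum's version: only packets that look like an established
    connection (ACK or RST) and whose SOURCE port is 179, i.e. replies from
    the neighbor's BGP listener."""
    return (from_neighbor(pkt) and pkt.proto == "tcp"
            and (pkt.ack or pkt.rst) and pkt.sport == BGP_PORT)


# Constructed packets; the neighbor addresses come from the constructed list.
SAMPLE_PACKETS = {
    "bgp reply from IPv4 neighbor":    Packet("192.0.2.10", "tcp", 179, 51000, ack=True),
    "bgp reply from IPv6 neighbor":    Packet("2001:db8:1::5", "tcp", 179, 52000, ack=True),
    "neighbor opens session to :179":  Packet("192.0.2.10", "tcp", 40000, 179, ack=False),
    "sport 179 SYN to ssh (:22)":      Packet("192.0.2.10", "tcp", 179, 22, ack=False),
    "sport 179 ACK to ssh (:22)":      Packet("192.0.2.10", "tcp", 179, 22, ack=True),
    "non-neighbor sport 179 SYN":      Packet("198.51.100.7", "tcp", 179, 22, ack=False),
}


def evaluate(term) -> dict:
    """Return {packet label: True if the term matches} for every sample packet."""
    return {name: term(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, term in (("original", original_term), ("corrected", corrected_term)):
        print(f"--- {label} term ---")
        for name, matched in evaluate(term).items():
            print(f"  {'match   ' if matched else 'no match'}  {name}")
```

Running it shows the point of the erratum: the published term matches a SYN from a neighbor address with source port 179 aimed at port 22, so a connection to SSH can be set up through the "reply" term, while the corrected term only matches ACK/RST packets with source port 179. The corrected term also no longer matches a neighbor's own connection attempt to the router's port 179, which is not reply traffic and is left to whichever term handles inbound sessions. Note that `tcp-established` is a stateless flag check, so an ACK-flagged packet with source port 179 still matches it on any destination port; what the fix takes away is the ability to complete a handshake through this term.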
