RFC Errata
RFC 6192, "Protecting the Router Control Plane", March 2011
Source of RFC: opsec (ops)
See Also: RFC 6192 w/ inline errata
Errata ID: 4851
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Hugo Leonardo Canalli
Date Reported: 2016-11-01
Verifier Name: joel jaeggli
Date Verified: 2017-03-29
Section A.2 says:
    term ebgp-reply {
        from {
            source-prefix-list {
                EBGP-NEIGHBORS;
            }
            protocol tcp;
            port bgp;
        }
        then accept;
    }
It should say:
    term ebgp-reply {
        from {
            source-prefix-list {
                EBGP-NEIGHBORS;
            }
            protocol tcp;
            tcp-established;
            source-port bgp;
        }
        then accept;
    }
Notes:
There is a security question in that firewall relating to the BGP reply.
Any neighbor that fakes a TCP source port of 179 can access any router port, for example, SSH.
Need to add the line tcp-established. It would also be better to add source-port bgp, since the BGP protocol uses port 179 as the destination. Add the fix to all BGP terms, including IPv6.
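The following is an added example, not part of RFC 6192 or this erratum: a small Python model of how the published and the corrected ebgp-reply terms evaluate packets, so the difference the reporter describes can be checked. It assumes Junos semantics (port matches source or destination port, source-port matches only the source, tcp-established matches packets with ACK or RST set) and uses a constructed neighbor prefix, 192.0.2.0/24.

```python
# Added example (not from RFC 6192 or the erratum). Models the match logic of
# the two ebgp-reply terms under assumed Junos semantics:
#   port N           -> source port OR destination port equals N
#   source-port N    -> source port equals N
#   tcp-established  -> TCP flags include ACK or RST (not a connection's first packet)
import ipaddress
from dataclasses import dataclass, field

# Constructed prefix list standing in for EBGP-NEIGHBORS.
EBGP_NEIGHBORS = [ipaddress.ip_network("192.0.2.0/24")]
BGP_PORT = 179


@dataclass
class Packet:
    src: str          # source IP address
    proto: str        # "tcp" or "udp"
    sport: int        # source port
    dport: int        # destination port
    flags: set = field(default_factory=set)  # TCP flag names, e.g. {"SYN"}


def from_ebgp_neighbor(pkt: Packet) -> bool:
    return any(ipaddress.ip_address(pkt.src) in net for net in EBGP_NEIGHBORS)


def original_term(pkt: Packet) -> bool:
    """Section A.2 as published: source-prefix-list, protocol tcp, port bgp."""
    return (from_ebgp_neighbor(pkt) and pkt.proto == "tcp"
            and BGP_PORT in (pkt.sport, pkt.dport))


def corrected_term(pkt: Packet) -> bool:
    """Errata 4851: also require tcp-established and source-port bgp."""
    return (from_ebgp_neighbor(pkt) and pkt.proto == "tcp"
            and bool(pkt.flags & {"ACK", "RST"})
            and pkt.sport == BGP_PORT)


# Constructed test packets.
# A genuine reply from the neighbor's BGP listener to our ephemeral port.
BGP_REPLY = Packet("192.0.2.1", "tcp", 179, 52000, {"ACK"})
# A new connection from the neighbor to our SSH port, using source port 179:
# accepted by the published term, rejected by the corrected one.
SPORT_179_TO_SSH = Packet("192.0.2.1", "tcp", 179, 22, {"SYN"})
# Same packet from an address outside the prefix list: neither term matches.
OUTSIDER = Packet("198.51.100.7", "tcp", 179, 22, {"SYN"})
```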