RFC Errata
RFC 6192, "Protecting the Router Control Plane", March 2011
Source of RFC: opsec (ops)See Also: RFC 6192 w/ inline errata
Errata ID: 4851
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Hugo Leonardo Canalli
Date Reported: 2016-11-01
Verifier Name: joel jaeggli
Date Verified: 2017-03-29
Section A.2 says:
term ebgp-reply {
from {
source-prefix-list {
EBGP-NEIGHBORS;
}
protocol tcp;
port bgp;
}
then accept;
}
It should say:
term ebgp-reply {
from {
source-prefix-list {
EBGP-NEIGHBORS;
}
protocol tcp;
tcp-established;
source-port bgp;
}
then accept;
}
Notes:
There is a security question in that firewall relating to bgp reply.
Any neighbor that fakes a tcp source port to 179 can access any router port, for example, ssh.
Need to add the line tcp-established. Would also be better to add source-port bgp since bgp protocol uses the 179 port to destination. Add the fix to all bgps, including ipv6.