The following are some of the samples available under Compliance, Route Path Integrity in the Library Manager.

Move your cursor over each sample to view a description of the samples within this category.

routepath

Deny Your Network Space as Source

This test ensures that all packets which use the specified Source Subnet as a source address, are dropped if the source address does not reside within a range of legitimately advertised prefixes. If not, the device is flagged as non-compliant.

The Access Control List (ACL) identified by the user ensures that any packet coming in from the specified Source Subnet as the source address is denied access, regardless of where it is comes from.

If an ISP is aggregating routing announcements for multiple downstream networks, strict traffic filtering is used to prohibit traffic which claims to have originated from outside of these aggregated announcements.

By implementing this type of filtering, it enables the originator to be easily traced to its true source, since the attacker would have to use a valid and legitimately reachable source address.

Explicitly Permit Return Traffic

This test ensures that specific Internet Control Message Protocol (ICMP) types are explicitly permitted in an ACL specified by the user.

This test allows for return traffic, and flags the device as non-compliant if the device is not explicitly permitted.

The ACL defined by the user ensures the following specific ICMP types:

  • Permit Echo-Reply

  • Permit Unreachables

  • Permit Time-Exceeded

  • Deny All Other ICMP Types

Permit BGP to the Edge Router

This test ensures that unauthorized traffic at the edge of the network is dropped by using ingress filtering, if not, the device is flagged as non-compliant.

This test also ensures that Border Gateway Protocol (BGP) is explicitly permitted on the specified ACL to the edge router by:

  • Permitting TCP connections from the ISP Router on ports greater than 1023 for BGP to the Edge Router

  • Permitting TCP connections from the ISP Router for BGP on ports greater than 1023 from the Edge Router

This form of edge (or transit traffic filtering) can be used effectively to limit the flow of transit traffic to and from customers to specific permitted protocols only.

This is done by using Transit Access Control Lists (tACL). As a best practice, it is important that you explicitly permit BGP to the edge router, so when an explicit Deny is configured at the end of the tACL, you do not drop genuine traffic.