UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.


Overview

Finding ID Version Rule ID IA Controls Severity
V-221040 CISC-RT-000660 SV-221040r622190_rule Medium
Description
LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, each PE switch advertises a virtual circuit label mapping that is used as part of the label stack imposed on the frames by the ingress PE switch during packet forwarding. Authentication provides protection against spoofed TCP segments that can be introduced into the LDP sessions.
STIG Date
Cisco IOS-XE Switch RTR Security Technical Implementation Guide 2021-03-26

Details

Check Text ( C-22755r507597_chk )
The Cisco switch is not compliant with this requirement; hence, it is a finding. However, the severity level can be downgraded to a category 3 if the switch is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below:

mpls ldp neighbor 10.1.1.2 password xxxxxxx
mpls label protocol ldp

If the switch is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.
Fix Text (F-22744r507598_fix)
The severity level can be downgraded to a category 3 if the switch is configured to authenticate targeted LDP sessions using MD5 as shown in the example below:

SW1(config)#mpls ldp neighbor 10.1.1.2 password xxxxxxxx