The Cisco IOS XE router must encrypt all methods of configured authentication for routing protocols.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-74127	CISR-RT-000016	SV-88801r2_rule		Medium

Description
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network, or merely used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and Multicast-related protocols.

Description

A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network, or merely used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and Multicast-related protocols.

STIG	Date
Cisco IOS XE Release 3 RTR Security Technical Implementation Guide	2018-12-20

Details

Check Text ( C-74213r2_chk )
Review the configuration of the Cisco IOS XE router. Verify that an encrypted HMAC authentication is being used for all routing protocols as shown in the following configuration examples: key chain OSPF_KEY key 1 key-string OSPFKEY cryptographic-algorithm hmac-sha-1 ! interface GigabitEthernet3 ip address 1.1.35.3 255.255.255.0 ip ospf authentication key-chain OSPF_KEY ------------------------------------------- key chain EIGRP_KEY key 1 key-string EIGRPKEY ! interface GigabitEthernet3 ip address 1.1.35.3 255.255.255.0 ip authentication mode eigrp 22 md5 ip authentication key-chain eigrp 22 EIGRP_KEY ---------------------------------------- key chain ISIS_KEY key 1 key-string ISISKEY ! interface GigabitEthernet3 ip address 1.1.35.3 255.255.255.0 ip router isis isis authentication mode md5 isis authentication key-chain ISIS_KEY --------------------------------------------- router bgp 44 neighbor 1.1.1.1 remote-as 44 neighbor 1.1.1.1 password xxxxx --------------------------------------------- If not all routing protocols are configured to authenticate all routing protocol messages using an encrypted HMAC, this is a finding.

Check Text ( C-74213r2_chk )

Review the configuration of the Cisco IOS XE router.

Verify that an encrypted HMAC authentication is being used for all routing protocols as shown in the following configuration examples:

key chain OSPF_KEY
key 1
key-string OSPFKEY
cryptographic-algorithm hmac-sha-1
!
interface GigabitEthernet3
ip address 1.1.35.3 255.255.255.0
ip ospf authentication key-chain OSPF_KEY
-------------------------------------------
key chain EIGRP_KEY
key 1
key-string EIGRPKEY
!
interface GigabitEthernet3
ip address 1.1.35.3 255.255.255.0
ip authentication mode eigrp 22 md5
ip authentication key-chain eigrp 22 EIGRP_KEY
----------------------------------------
key chain ISIS_KEY
key 1
key-string ISISKEY
!
interface GigabitEthernet3
ip address 1.1.35.3 255.255.255.0
ip router isis
isis authentication mode md5
isis authentication key-chain ISIS_KEY
---------------------------------------------
router bgp 44
neighbor 1.1.1.1 remote-as 44
neighbor 1.1.1.1 password xxxxx
---------------------------------------------

If not all routing protocols are configured to authenticate all routing protocol messages using an encrypted HMAC, this is a finding.

Fix Text (F-80669r2_fix)
Configure the Cisco IOS XE router to use an encrypted HMAC authentication for all routing protocols.