The Cisco router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-217003	CISC-RT-000030	SV-217003r531087_rule		Medium

Description
If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Some routing protocols allow the use of key chains for authentication. A key chain is a set of keys that is used in succession, with each having a lifetime of no more than 180 days. Changing the keys frequently reduces the risk of them eventually being guessed. Keys cannot be used during time periods for which they are not activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur, and therefore routing updates will fail. Therefore, ensure that for a given key chain, key activation times overlap to avoid any period of time during which no key is activated.

Description

If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Some routing protocols allow the use of key chains for authentication. A key chain is a set of keys that is used in succession, with each having a lifetime of no more than 180 days. Changing the keys frequently reduces the risk of them eventually being guessed. Keys cannot be used during time periods for which they are not activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur, and therefore routing updates will fail. Therefore, ensure that for a given key chain, key activation times overlap to avoid any period of time during which no key is activated.

STIG	Date
Cisco IOS XR Router RTR Security Technical Implementation Guide	2020-09-23

Details

Check Text ( C-18233r288849_chk )
This requirement is not applicable for the DODIN Backbone. Review the start times for each key within the configured key chains used for routing protocol authentication as shown in the example below. key chain BGP_KEY_CHAIN key 1 accept-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019 key-string password 104300150004 send-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019 cryptographic-algorithm HMAC-SHA1-12 ! key 2 accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019 key-string password 030654090416 send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019 cryptographic-algorithm HMAC-SHA1-12 Note: Key chains must be configured to authenticate routing protocol messages as it is the only way to set an expiration. If any key has a lifetime of more than 180 days, this is a finding.

Check Text ( C-18233r288849_chk )

This requirement is not applicable for the DODIN Backbone.

Review the start times for each key within the configured key chains used for routing protocol authentication as shown in the example below.

key chain BGP_KEY_CHAIN
key 1
accept-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
key-string password 104300150004
send-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
cryptographic-algorithm HMAC-SHA1-12
!
key 2
accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
key-string password 030654090416
send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
cryptographic-algorithm HMAC-SHA1-12

Note: Key chains must be configured to authenticate routing protocol messages as it is the only way to set an expiration.

If any key has a lifetime of more than 180 days, this is a finding.

Fix Text (F-18231r288850_fix)
This requirement is not applicable for the DODIN Backbone. Configure each key used for routing protocol authentication to have a lifetime of no more than 180 days as shown in the example below. RP/0/0/CPU0:R2(config)#key chain OSPF_KEY_CHAIN RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN)#key 1 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#accept-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#key-string password xxxxxxxxxxxxxxxx RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#send-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#cryptographic-algorithm hmac-md5 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#key 2 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#key-string password xxxxxxxxxxxxxxxxxxx RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#cryptographic-algorithm hmac-md5 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#end

Fix Text (F-18231r288850_fix)

This requirement is not applicable for the DODIN Backbone.

Configure each key used for routing protocol authentication to have a lifetime of no more than 180 days as shown in the example below.

RP/0/0/CPU0:R2(config)#key chain OSPF_KEY_CHAIN
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN)#key 1
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#accept-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#key-string password xxxxxxxxxxxxxxxx
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#send-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#cryptographic-algorithm hmac-md5
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#key 2
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#key-string password xxxxxxxxxxxxxxxxxxx
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#cryptographic-algorithm hmac-md5
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#end