Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-216738 | CISC-RT-000040 | SV-216738r894621_rule | Medium |
Description |
---|
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and multicast-related protocols. |
STIG | Date |
---|---|
Cisco IOS XR Router RTR Security Technical Implementation Guide | 2023-02-28 |
Check Text ( C-17970r894619_chk ) |
---|
Review the router configuration. For every routing protocol that affects the routing or forwarding tables, verify that neighbor router authentication is encrypting the authentication key as shown in the examples below. Step 1: Verify that the routing protocols are configured to use a key chain for authentication as shown in the examples below. BGP Example tcp ao keychain BGP_KEY_CHAIN key ! ! router bgp neighbor X.X.X.X remote-as ao BGP_KEY_CHAIN address-family ipv4 unicast ! EIGRP Example router eigrp 1 address-family ipv4 interface GigabitEthernet0/0/0/2 authentication keychain EIGRP_KEY_CHAIN IS-IS Example router isis 1 net 49.0001.0001.0001.0002.00 lsp-password keychain ISIS_KEY_CHAIN interface GigabitEthernet0/0/0/2 hello-password keychain ISIS_KEY_CHAIN OSPF Example router ospf 1 area 0 authentication message-digest keychain OSPF_KEY_CHAIN RIP Example router rip interface GigabitEthernet0/0/0/2 authentication keychain RIP_KEY_CHAIN mode md5 Step 2: Verify that the keys use an encryption algorithm as shown in the example below. BGP Example key chain BGP_KEY_CHAIN key accept-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019 key-string send-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019 cryptographic-algorithm HMAC-SHA1-96 ! OSPF Example key chain OSPF_KEY_CHAIN key 1 accept-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019 key-string password 104300150004 send-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019 cryptographic-algorithm HMAC-SHA1-96 ! key 2 accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019 key-string password 030654090416 send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019 cryptographic-algorithm HMAC-SHA1-96 If the routing protocol is not encrypting the authentication key, this is a finding. |
Fix Text (F-17968r894620_fix) |
---|
Configure the key chains used by the routing protocols to have the keys encrypted as shown in the example below. OSPF and BGP example shown, but others are configured similarly. RP/0/0/CPU0:R2(config)#key chain OSPF_KEY_CHAIN RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN)#key 1 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#accept-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#key-string password xxxxxxxxxxxxxxx RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#send-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#cryptographic-algorithm HMAC-SHA1-96 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#key 2 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#key-string password xxxxxxxxxxxxxxx RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#cryptographic-algorithm HMAC-SHA1-96 RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#end Configure BGP to use TCP-AO to replace MD5. Configure Keychain for BGP RP/0/0/CPU0:R2(config)#key chain BGP_KEY_CHAIN RP/0/RP0/CPU0:R2(config-BGP_KEY_CHAIN)# key 1 RP/0/RP0/CPU0:R2(config-BGP_KEY_CHAIN-1)#accept-lifetime 00:00:00 january 01 2022 infinite RP/0/RP0/CPU0:R2(config-BGP_KEY_CHAIN-1)#key-string password xxxxxxxxxxx RP/0/RP0/CPU0:R2(config-BGP_KEY_CHAIN-1)#send-lifetime 00:00:00 january 01 2022 infinite RP/0/RP0/CPU0:R2(config-BGP_KEY_CHAIN-1)#cryptographic-algorithm HMAC-SHA-256 RP/0/RP0/CPU0:R2(config-BGP_KEY_CHAIN-1)#exit RP/0/RP0/CPU0:R2(config-BGP_KEY_CHAIN)#exit Configure TCP AO RP/0/0/CPU0:R2(config)#tcp ao RP/0/0/CPU0:R2(config-tcp-ao)#keychain BGP_KEY_CHAIN RP/0/0/CPU0:R2(config-tcp-ao-BGP_KEY_CHAIN)#key RP/0/0/CPU0:R2(config-tcp-ao-BGP_KEY_CHAIN)#exit RP/0/0/CPU0:R2(config-tcp-ao)#exit Configure BGP Neighbor to use TCP AO RP/0/RP0/CPU0:R2(config)#router bgp RP/0/RP0/CPU0:R2(config-bgp)#neighbor X.X.X.X RP/0/RP0/CPU0:R2(config-bgp-nbr)#remote-as RP/0/RP0/CPU0:R2(config-bgp-nbr)#ao BGP_KEY_CHAIN RP/0/RP0/CPU0:R2(config-bgp-nbr)#address-family ipv4 unicast RP/0/RP0/CPU0:R2(config-bgp-nbr)#exit RP/0/RP0/CPU0:R2(config-bgp)#exit RP/0/RP0/CPU0:R2(config)#commit |