The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221120	CISC-RT-000660	SV-221120r622190_rule		Medium

Description
LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, each PE switch advertises a virtual circuit label mapping that is used as part of the label stack imposed on the frames by the ingress PE switch during packet forwarding. Authentication provides protection against spoofed TCP segments that can be introduced into the LDP sessions.

Description

LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, each PE switch advertises a virtual circuit label mapping that is used as part of the label stack imposed on the frames by the ingress PE switch during packet forwarding. Authentication provides protection against spoofed TCP segments that can be introduced into the LDP sessions.

STIG	Date
Cisco NX-OS Switch RTR Security Technical Implementation Guide	2021-03-29

Details

Check Text ( C-22835r409849_chk )
The Cisco switch is not compliant with this requirement; hence, it is a finding. However, the severity level can be downgraded to a category 3 if the switch is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below: Step 1: Verify that LDP neighbors are authenticating session, advertisement, and notification messages as shown in the example below: mpls ldp configurations password required for LDP_NBR1 password option 1 for LDP_NBR1 key-chain LDP_KEY password required for LDP_NBR2 password option 1 for LDP_NBR2 key-chain LDP_KEY Step 2: Verify that the neighbors identified in step 1 have the correct prefix. ip prefix-list LDP_NBR1 permit 10.1.22.2/32 ip prefix-list LDP_NBR2 permit 10.1.12.4/32 If the switch is not configured to authenticate targeted LDP sessions using MD5, this is a finding. The finding will remain as a CAT II.

Check Text ( C-22835r409849_chk )

The Cisco switch is not compliant with this requirement; hence, it is a finding. However, the severity level can be downgraded to a category 3 if the switch is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below:

Step 1: Verify that LDP neighbors are authenticating session, advertisement, and notification messages as shown in the example below:

mpls ldp configurations
password required for LDP_NBR1
password option 1 for LDP_NBR1 key-chain LDP_KEY
password required for LDP_NBR2
password option 1 for LDP_NBR2 key-chain LDP_KEY

Step 2: Verify that the neighbors identified in step 1 have the correct prefix.

ip prefix-list LDP_NBR1 permit 10.1.22.2/32
ip prefix-list LDP_NBR2 permit 10.1.12.4/32

If the switch is not configured to authenticate targeted LDP sessions using MD5, this is a finding. The finding will remain as a CAT II.

Fix Text (F-22824r409850_fix)
The severity level can be downgraded to a category 3 if the switch is configured to authenticate targeted LDP sessions using MD5 as shown in the example below: Step 1: Configure a key chain for LDP sessions. SW1(config)# key chain LDP_KEY SW1(config-keychain)# key 1 SW1(config-keychain-key)# key-string xxxxxxxxxxxx SW1(config-keychain-key)# send-lifetime 00:00:00 Oct 1 2019 23:59:59 Dec 31 2019 SW1(config-keychain-key)# accept-lifetime 00:00:00 Oct 1 2019 01:05:00 Jan 1 2020 SW1(config-keychain-key)# exit SW1(config-keychain)# exit Step 2: Configure a prefix lists to identify LDP neighbors. SW1(config)# ip prefix-list LDP_NBR1 permit 10.1.22.2/32 SW1(config)# ip prefix-list LDP_NBR2 permit 10.1.12.4/32 Step 3: Apply the key chain to the LDP neighbors. SW1 (config)# mpls ldp configurations SW1 (config-ldp)# password required for LDP_NBR1 SW1 (config-ldp)# password option 1 for LDP_NBR1 key-chain LDP_KEY SW1 (config-ldp)# password required for LDP_NBR2 SW1 (config-ldp)# password option 1 for LDP_NBR2 key-chain LDP_KEY SW1 (config-ldp)# end

Fix Text (F-22824r409850_fix)

The severity level can be downgraded to a category 3 if the switch is configured to authenticate targeted LDP sessions using MD5 as shown in the example below:

Step 1: Configure a key chain for LDP sessions.

SW1(config)# key chain LDP_KEY
SW1(config-keychain)# key 1
SW1(config-keychain-key)# key-string xxxxxxxxxxxx
SW1(config-keychain-key)# send-lifetime 00:00:00 Oct 1 2019 23:59:59 Dec 31 2019
SW1(config-keychain-key)# accept-lifetime 00:00:00 Oct 1 2019 01:05:00 Jan 1 2020
SW1(config-keychain-key)# exit
SW1(config-keychain)# exit

Step 2: Configure a prefix lists to identify LDP neighbors.

SW1(config)# ip prefix-list LDP_NBR1 permit 10.1.22.2/32
SW1(config)# ip prefix-list LDP_NBR2 permit 10.1.12.4/32

Step 3: Apply the key chain to the LDP neighbors.

SW1 (config)# mpls ldp configurations
SW1 (config-ldp)# password required for LDP_NBR1
SW1 (config-ldp)# password option 1 for LDP_NBR1 key-chain LDP_KEY
SW1 (config-ldp)# password required for LDP_NBR2
SW1 (config-ldp)# password option 1 for LDP_NBR2 key-chain LDP_KEY
SW1 (config-ldp)# end