UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.


Overview

Finding ID Version Rule ID IA Controls Severity
V-221120 CISC-RT-000660 SV-221120r622190_rule Medium
Description
LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, each PE switch advertises a virtual circuit label mapping that is used as part of the label stack imposed on the frames by the ingress PE switch during packet forwarding. Authentication provides protection against spoofed TCP segments that can be introduced into the LDP sessions.
STIG Date
Cisco NX-OS Switch RTR Security Technical Implementation Guide 2021-03-29

Details

Check Text ( C-22835r409849_chk )
The Cisco switch is not compliant with this requirement; hence, it is a finding. However, the severity level can be downgraded to a category 3 if the switch is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below:

Step 1: Verify that LDP neighbors are authenticating session, advertisement, and notification messages as shown in the example below:

mpls ldp configurations
password required for LDP_NBR1
password option 1 for LDP_NBR1 key-chain LDP_KEY
password required for LDP_NBR2
password option 1 for LDP_NBR2 key-chain LDP_KEY

Step 2: Verify that the neighbors identified in step 1 have the correct prefix.

ip prefix-list LDP_NBR1 permit 10.1.22.2/32
ip prefix-list LDP_NBR2 permit 10.1.12.4/32

If the switch is not configured to authenticate targeted LDP sessions using MD5, this is a finding. The finding will remain as a CAT II.
Fix Text (F-22824r409850_fix)
The severity level can be downgraded to a category 3 if the switch is configured to authenticate targeted LDP sessions using MD5 as shown in the example below:

Step 1: Configure a key chain for LDP sessions.

SW1(config)# key chain LDP_KEY
SW1(config-keychain)# key 1
SW1(config-keychain-key)# key-string xxxxxxxxxxxx
SW1(config-keychain-key)# send-lifetime 00:00:00 Oct 1 2019 23:59:59 Dec 31 2019
SW1(config-keychain-key)# accept-lifetime 00:00:00 Oct 1 2019 01:05:00 Jan 1 2020
SW1(config-keychain-key)# exit
SW1(config-keychain)# exit

Step 2: Configure a prefix lists to identify LDP neighbors.

SW1(config)# ip prefix-list LDP_NBR1 permit 10.1.22.2/32
SW1(config)# ip prefix-list LDP_NBR2 permit 10.1.12.4/32

Step 3: Apply the key chain to the LDP neighbors.

SW1 (config)# mpls ldp configurations
SW1 (config-ldp)# password required for LDP_NBR1
SW1 (config-ldp)# password option 1 for LDP_NBR1 key-chain LDP_KEY
SW1 (config-ldp)# password required for LDP_NBR2
SW1 (config-ldp)# password option 1 for LDP_NBR2 key-chain LDP_KEY
SW1 (config-ldp)# end