
An Infinite Lifetime key must be set to never expire. The lifetime of the key will be configured as infinite for route authentication, if supported by the current approved router software version.


Overview

Finding ID: V-7009
Version: NET0425
Rule ID: SV-7363r3_rule
IA Controls: (not listed)
Severity: High
Description
Only Interior Gateway Protocols (IGPs) use key chains. When configuring authentication for routing protocols that provide key chains, configure two rotating keys with overlapping expiration dates, each with a lifetime of 180 days or less. A third key must also be defined with an infinite lifetime. Together, these steps ensure there will always be a key that can be placed into service by all peers. If a time period occurs during which no key is active, authentication cannot occur; hence, route updates will not occur. The infinite-lifetime key should be changed 7 days after successful key rotation and synchronization with all peers has occurred.
STIG: Infrastructure Router - Cisco Security Technical Implementation Guide
Date: 2017-09-28

Details

Check Text (C-3496r6_chk)
Review the running configuration to determine if key authentication has been defined with an infinite lifetime.

If an infinite key has not been configured, this is a finding.

OSPFv2 Example

interface GigabitEthernet0/1
 ip address 10.1.12.2 255.255.255.0
 ip ospf authentication key-chain OSPF_KEY

key chain OSPF_KEY
 key 1
  key-string WWWWW
  send-lifetime 16:00:00 Feb 22 2017 16:00:00 Aug 22 2017
  accept-lifetime 16:00:00 Feb 22 2017 16:00:00 Aug 22 2017
  cryptographic-algorithm hmac-sha-256
 key 2
  key-string XXXXX
  send-lifetime 16:00:00 Aug 21 2017 16:00:00 Feb 20 2018
  accept-lifetime 16:00:00 Aug 21 2017 16:00:00 Feb 20 2018
  cryptographic-algorithm hmac-sha-256
 key 99999
  key-string YYYYY
  send-lifetime 15:59:00 Feb 20 2018 infinite
  accept-lifetime 15:59:00 Feb 20 2018 infinite
  cryptographic-algorithm hmac-sha-256

Notes:

Only Interior Gateway Protocols (IGPs) use key chains.

When using authentication keys, it is imperative that the site is in compliance with the NTP policies. The router has to know the time.

The key number of the infinite-lifetime key (99999 in the example) must be a high number to ensure there is plenty of room to add keys before it. All subsequent keys will be decremented by one (9998, 9997...).
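As an added example (not part of the STIG or of Cisco's documentation), the Python script below applies this check to a captured running-config: it parses IOS key chain blocks and reports whether any key carries infinite send and accept lifetimes, and whether consecutive accept-lifetimes leave a gap during which no key would be active. It assumes the "hh:mm:ss Month day year" lifetime form used in the example above; the duration form is not parsed, and the sample config is constructed from the check text's OSPF_KEY chain.

```python
import re
from datetime import datetime
# Constructed sample input: the OSPF_KEY chain from the check text, with IOS indentation restored.
SAMPLE_CONFIG = """\
key chain OSPF_KEY
 key 1
  send-lifetime 16:00:00 Feb 22 2017 16:00:00 Aug 22 2017
  accept-lifetime 16:00:00 Feb 22 2017 16:00:00 Aug 22 2017
 key 2
  send-lifetime 16:00:00 Aug 21 2017 16:00:00 Feb 20 2018
  accept-lifetime 16:00:00 Aug 21 2017 16:00:00 Feb 20 2018
 key 99999
  send-lifetime 15:59:00 Feb 20 2018 infinite
  accept-lifetime 15:59:00 Feb 20 2018 infinite
"""

TIME_FMT = "%H:%M:%S %b %d %Y"  # only the "hh:mm:ss Month day year" form is handled (assumption)
LIFETIME_RE = re.compile(r"(send|accept)-lifetime (\S+ \S+ \d+ \d{4}) (infinite|\S+ \S+ \d+ \d{4})$")

def parse_key_chains(config):
    """Return {chain: {key_id: {'send': (start, end), 'accept': (start, end)}}}; end None = infinite."""
    chains, chain, key = {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("key chain "):
            chain = line.split()[2]
            chains[chain] = {}
        elif m := re.fullmatch(r"key (\d+)", line):
            key = int(m.group(1))
            chains[chain][key] = {}
        elif m := LIFETIME_RE.match(line):
            start = datetime.strptime(m.group(2), TIME_FMT)
            end = None if m.group(3) == "infinite" else datetime.strptime(m.group(3), TIME_FMT)
            chains[chain][key][m.group(1)] = (start, end)
    return chains

def audit_chain(keys):
    """V-7009: at least one key must have infinite send and accept lifetimes. Also flag any gap
    between consecutive accept-lifetimes, since during a gap no peer can authenticate updates."""
    findings = []
    if not any(lt.get("send", (0, 0))[1] is None and lt.get("accept", (0, 0))[1] is None
               for lt in keys.values()):
        findings.append("no key with an infinite send/accept lifetime")
    spans = sorted((lt["accept"] for lt in keys.values() if "accept" in lt), key=lambda s: s[0])
    for (_, prev_end), (next_start, _) in zip(spans, spans[1:]):
        if prev_end is not None and next_start > prev_end:
            findings.append(f"coverage gap from {prev_end:%Y-%m-%d %H:%M} to {next_start:%Y-%m-%d %H:%M}")
    return (not findings, findings)

def audit_config(config):
    return {name: audit_chain(keys) for name, keys in parse_key_chains(config).items()}
```

Run `audit_config` over the output of `show running-config | section key chain`; any chain returning findings is a finding for this rule or a rotation gap to correct.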
Fix Text (F-6611r3_fix)
This check is in place to ensure keys do not expire, which would create a denial of service (DoS) as adjacencies are dropped and routes are aged out. The recommendation is to use two rotating six-month keys with a third key set to an infinite lifetime. The infinite-lifetime key should be changed 7 days after the rotating keys have expired and been redefined.