Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-7009 | NET0425 | SV-7363r2_rule | ECSC-1 | High |
Description |
---|
Only Enhanced Interior Gateway Routing Protocol (EIGRP) and Routing Information Protocol (RIP) Version 2 use key chains. When configuring authentication for routing protocols that provide key chains, configure two rotating keys with overlapping expiration dates--both with a 180-day lifetime. A third key must also be defined with an infinite lifetime. Both of these steps must ensure that there will always be a key that can be placed into service by all peers. If a time period occurs during which no key is activated, authentication cannot occur; hence, route updates will not occur. The lifetime key should be changed 7 days after successful key rotation and synchronization has occurred with all peers. |
STIG | Date |
---|---|
Perimeter L3 Switch Security Technical Implementation Guide - Cisco | 2015-04-06 |
Check Text ( C-3496r5_chk ) |
---|
Review the running configuration to determine if key authentication has been defined with an infinite lifetime. If the key has been configured for a lifetime other than infinite, this is a finding. RIP 2 Example EIGRP Example interface ethernet 0 interface ethernet 0 ip rip authentication key-chain trees ip authentication mode eigrp 1 md5 ip rip authentication mode md5 ip authentication key-chain eigrp 1 trees router rip router eigrp 1 network 172.19.0.0 network 172.19.0.0 version 2 key chain trees key chain trees key 1 key 1 key-string willow key-string willow accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005 accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005 send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005 send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005 key 2 key 2 key-string birch key-string birch accept-lifetime 22:45:00 Aug 9 2005 22:45:00 Feb 10 2006 accept-lifetime 22:45:00 Dec 10 2005 22:45:00 Feb 10 2006 send-lifetime 23:00:00 Aug 9 2005 22:45:00 Feb 10 2006 send-lifetime 23:00:00 Dec 10 2005 22:45:00 Jan 10 2006 key 9999 key 9999 key-string maple key-string maple accept-lifetime 22:45:00 Feb 9 2005 infinite accept-lifetime 22:45:00 Feb 9 2005 infinite send-lifetime 23:00:00 Feb 9 2005 infinite send-lifetime 23:00:00 Feb 9 2005 infinite Notes: Note: Only Enhanced Interior Gateway Routing Protocol (EIGRP) and Routing Information Protocol (RIP) Version 2 use key chains. Notes: When using MD5 authentication keys, it is imperative the site is in compliance with the NTP policies. The router has to know the time! Notes: Must make this a high number to ensure you have plenty of room to put keys in before it. All subsequent keys will be decremented by one (9998, 9997...). |
Fix Text (F-6611r2_fix) |
---|
This check is in place to ensure keys do not expire creating a DOS due to adjacencies being dropped and routes being aged out. The recommendation is to use two rotating six month keys with a third key set as infinite lifetime. The lifetime key should be changed 7 days after the rotating keys have expired and redefined. |