UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The lifetime of the MD5 Key expiration must be set to never expire. The lifetime of the MD5 key will be configured as infinite for route authentication, if supported by the current approved router software version.


Overview

Finding ID Version Rule ID IA Controls Severity
V-7009 NET0425 SV-7363r2_rule ECSC-1 High
Description
Only Enhanced Interior Gateway Routing Protocol (EIGRP) and Routing Information Protocol (RIP) Version 2 use key chains. When configuring authentication for routing protocols that provide key chains, configure two rotating keys with overlapping expiration dates--both with a 180-day lifetime. A third key must also be defined with an infinite lifetime. Both of these steps must ensure that there will always be a key that can be placed into service by all peers. If a time period occurs during which no key is activated, authentication cannot occur; hence, route updates will not occur. The lifetime key should be changed 7 days after successful key rotation and synchronization has occurred with all peers.
STIG Date
Perimeter L3 Switch Security Technical Implementation Guide - Cisco 2016-07-07

Details

Check Text ( C-3496r5_chk )
Review the running configuration to determine if key authentication has been defined with an infinite lifetime.

If the key has been configured for a lifetime other than infinite, this is a finding.

RIP 2 Example EIGRP Example

interface ethernet 0 interface ethernet 0
ip rip authentication key-chain trees ip authentication mode eigrp 1 md5
ip rip authentication mode md5 ip authentication key-chain eigrp 1 trees

router rip router eigrp 1
network 172.19.0.0 network 172.19.0.0
version 2

key chain trees key chain trees
key 1 key 1
key-string willow key-string willow
accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005 accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005
send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005 send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005
key 2 key 2
key-string birch key-string birch
accept-lifetime 22:45:00 Aug 9 2005 22:45:00 Feb 10 2006 accept-lifetime 22:45:00 Dec 10 2005 22:45:00 Feb 10 2006
send-lifetime 23:00:00 Aug 9 2005 22:45:00 Feb 10 2006 send-lifetime 23:00:00 Dec 10 2005 22:45:00 Jan 10 2006
key 9999 key 9999
key-string maple key-string maple
accept-lifetime 22:45:00 Feb 9 2005 infinite accept-lifetime 22:45:00 Feb 9 2005 infinite
send-lifetime 23:00:00 Feb 9 2005 infinite send-lifetime 23:00:00 Feb 9 2005 infinite

Notes: Note: Only Enhanced Interior Gateway Routing Protocol (EIGRP) and Routing Information Protocol (RIP) Version 2 use key chains.

Notes: When using MD5 authentication keys, it is imperative the site is in compliance with the NTP policies. The router has to know the time!

Notes: Must make this a high number to ensure you have plenty of room to put keys in before it. All subsequent keys will be decremented by one (9998, 9997...).
Fix Text (F-6611r2_fix)
This check is in place to ensure keys do not expire creating a DOS due to adjacencies being dropped and routes being aged out. The recommendation is to use two rotating six month keys with a third key set as infinite lifetime. The lifetime key should be changed 7 days after the rotating keys have expired and redefined.