An Infinite Lifetime key must be set to never expire. The lifetime of the key will be configured as infinite for route authentication, if supported by the current approved router software version.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-7009	NET0425	SV-7363r3_rule		High

Description
Only Interior Gateway Protocols (IGPs) use key chains. When configuring authentication for routing protocols that provide key chains, configure two rotating keys with overlapping expiration dates--both with a 180-day or less lifetime. A third key must also be defined with an infinite lifetime. Both of these steps ensure there will always be a key that can be placed into service by all peers. If a time period occurs during which no key is activated, authentication cannot occur; hence, route updates will not occur. The lifetime key should be changed 7 days after successful key rotation and synchronization has occurred with all peers.

Description

Only Interior Gateway Protocols (IGPs) use key chains. When configuring authentication for routing protocols that provide key chains, configure two rotating keys with overlapping expiration dates--both with a 180-day or less lifetime. A third key must also be defined with an infinite lifetime. Both of these steps ensure there will always be a key that can be placed into service by all peers. If a time period occurs during which no key is activated, authentication cannot occur; hence, route updates will not occur. The lifetime key should be changed 7 days after successful key rotation and synchronization has occurred with all peers.

STIG	Date
Perimeter Router Security Technical Implementation Guide Cisco	2017-12-07

Details

Check Text ( C-3496r6_chk )
Review the running configuration to determine if key authentication has been defined with an infinite lifetime. If an infinite key has not been configured, this is a finding. OSPFv2 Example interface GigabitEthernet0/1 ip address 10.1.12.2 255.255.255.0 ip ospf authentication key-chain OSPF_KEY key chain OSPF_KEY key 1 key-string WWWWW send-lifetime 16:00:00 Feb 22 2017 16:00:00 Aug 22 2017 accept-lifetime 16:00:00 Feb 22 2017 16:00:00 Aug 22 2017 cryptographic-algorithm hmac-sha-256 key 2 key-string XXXXX send-lifetime 16:00:00 Aug 21 2017 16:00:00 Feb 20 2018 accept-lifetime 16:00:00 Aug 21 2017 16:00:00 Feb 20 2018 cryptographic-algorithm hmac-sha-256 key 99999 key-string YYYYY send-lifetime 15:59:00 Feb 20 2018 infinite accept-lifetime 15:59:00 Feb 20 2018 infinite cryptographic-algorithm hmac-sha-256 Notes: Note: Only Interior Gateway Protocols (IGPs) use key chains. Notes: When using authentication keys, it is imperative the site is in compliance with the NTP policies. The router has to know the time! Notes: Must make this a high number to ensure you have plenty of room to put keys in before it. All subsequent keys will be decremented by one (9998, 9997...).

Check Text ( C-3496r6_chk )

Review the running configuration to determine if key authentication has been defined with an infinite lifetime.

If an infinite key has not been configured, this is a finding.

OSPFv2 Example

interface GigabitEthernet0/1
ip address 10.1.12.2 255.255.255.0
ip ospf authentication key-chain OSPF_KEY

key chain OSPF_KEY

key 1
key-string WWWWW
send-lifetime 16:00:00 Feb 22 2017 16:00:00 Aug 22 2017
accept-lifetime 16:00:00 Feb 22 2017 16:00:00 Aug 22 2017
cryptographic-algorithm hmac-sha-256

key 2
key-string XXXXX
send-lifetime 16:00:00 Aug 21 2017 16:00:00 Feb 20 2018
accept-lifetime 16:00:00 Aug 21 2017 16:00:00 Feb 20 2018
cryptographic-algorithm hmac-sha-256

key 99999
key-string YYYYY
send-lifetime 15:59:00 Feb 20 2018 infinite
accept-lifetime 15:59:00 Feb 20 2018 infinite
cryptographic-algorithm hmac-sha-256

Notes: Note: Only Interior Gateway Protocols (IGPs) use key chains.

Notes: When using authentication keys, it is imperative the site is in compliance with the NTP policies. The router has to know the time!

Notes: Must make this a high number to ensure you have plenty of room to put keys in before it. All subsequent keys will be decremented by one (9998, 9997...).

Fix Text (F-6611r3_fix)
This check is in place to ensure keys do not expire creating a DOS due to adjacencies being dropped and routes being aged out. The recommendation is to use two rotating six month keys with a third key set as infinite lifetime. The lifetime key should be changed 7 days after the rotating keys have expired and redefined.