
The router must validate certificates used for PKI-based authentication by constructing a certification path with status information to an accepted trust anchor for routing protocol authentication.


Overview

Finding ID: SRG-NET-000164-RTR-000076
Version: SRG-NET-000164-RTR-000076
Rule ID: SRG-NET-000164-RTR-000076_rule
IA Controls:
Severity: Medium
Description
A trust anchor is an authoritative entity represented via a public key. Within a chain of trust, the top entity to be trusted is the "root certificate" or "trust anchor", such as a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. This will be a permanent finding because routing protocols do not currently support the utilization of PKI-based authentication. Although it is a permanent finding, the requirement is not listed as NA because this should be a security element that is supported.
STIG: Router Security Requirements Guide
Date: 2013-07-30

Details

Check Text (C-SRG-NET-000164-RTR-000076_chk)
Verify the router validates certificates used for PKI-based authentication. If the router does not validate certificates used for PKI-based authentication, this is a finding.
Fix Text (F-SRG-NET-000164-RTR-000076_fix)
Configure the router to validate certificates for PKI-based authentication.