The router must use NIST-validated FIPS 140-2 cryptography to implement authentication encryption mechanisms for routing protocols.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-55767	SRG-NET-000168-RTR-000078	SV-70021r1_rule		Medium

Description
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network, or merely used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack. Since MD5 is vulnerable to "birthday" attacks and may be compromised, routing protocol authentication must use FIPS 140-2 validated algorithms and modules to encrypt the authentication key. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and Multicast-related protocols.

Description

A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network, or merely used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack. Since MD5 is vulnerable to "birthday" attacks and may be compromised, routing protocol authentication must use FIPS 140-2 validated algorithms and modules to encrypt the authentication key. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and Multicast-related protocols.

STIG	Date
Router Security Requirements Guide	2016-07-01

Details

Check Text ( C-56333r2_chk )
Review the router documentation to verify it is using NIST-validated FIPS 140-2 compliant cryptography for encrypted authentication mechanisms. If NIST-validated FIPS 140-2 compliant cryptography is not being used for all encrypted authentication mechanisms, this is a finding. Review the router configuration; for every protocol that affects the routing or forwarding tables (where information is exchanged between neighbors), verify that neighbor router authentication uses FIPS 140-2 validated algorithms to encrypt the authentication key. If routing protocol authentication is not using FIPS 140-2 validated algorithms to encrypt the authentication key, this is a finding.

Check Text ( C-56333r2_chk )

Review the router documentation to verify it is using NIST-validated FIPS 140-2 compliant cryptography for encrypted authentication mechanisms. If NIST-validated FIPS 140-2 compliant cryptography is not being used for all encrypted authentication mechanisms, this is a finding.

Review the router configuration; for every protocol that affects the routing or forwarding tables (where information is exchanged between neighbors), verify that neighbor router authentication uses FIPS 140-2 validated algorithms to encrypt the authentication key.

If routing protocol authentication is not using FIPS 140-2 validated algorithms to encrypt the authentication key, this is a finding.

Fix Text (F-60637r2_fix)
Configure routing protocol authentication to use FIPS 140-2 validated algorithms and modules to encrypt the authentication key.