UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The MPLS router must be configured to have TTL Propagation disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-78291 SRG-NET-000512-RTR-000004 SV-92997r2_rule Medium
Description
The head end of the label-switched path (LSP), the label edge router (LER) will decrement the IP packet's time-to-live (TTL) value by one and then copy the value to the MPLS TTL field. At each label-switched router (LSR) hop, the MPLS TTL value is decremented by one. The MPLS router that pops the label (either the penultimate LSR or the egress LER) will copy the packet's MPLS TTL value to the IP TTL field and decrement it by one. This TTL propagation is the default behavior. Because the MPLS TTL is propagated from the IP TTL, a traceroute will list every hop in the path, be it routed or label switched, thereby exposing core nodes. With TTL propagation disabled, LER decrements the IP packet's TTL value by one and then places a value of 255 in the packet's MPLS TTL field, which is then decremented by one as the packet passes through each LSR in the MPLS core. Because the MPLS TTL never drops to zero, none of the LSP hops triggers an ICMP TTL exceeded message and consequently, these hops are not recorded in a traceroute. Hence, nodes within the MPLS core cannot be discovered by an attacker.
STIG Date
Router Security Requirements Guide 2020-06-30

Details

Check Text ( C-77849r1_chk )
Review the router configuration to verify that TTL propagation is disabled.

If the router is not configured to disable TTL propagation, this is a finding.
Fix Text (F-85019r1_fix)
Configure LERs to disable TTL propagation.