The MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-207173 | SRG-NET-000512-RTR-000002 | SV-207173r604135_rule | Low |
| Description |
|---|
| Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of backbone routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of from a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. |
| STIG | Date |
|---|---|
| Router Security Requirements Guide | 2021-03-16 |
Details
| Check Text ( C-7434r382607_chk ) |
|---|
| Review the router configuration to determine if it uses its loopback address as the source address for LDP peering sessions. Verify that a loopback address has been configured as shown in the following example: An MPLS router will use the LDP router ID as the source address for LDP hellos and when establishing TCP sessions with LDP peers; hence, it is necessary to verify that the LDP router ID is the same as the loopback address. By default, routers will assign the LDP router ID using the highest IP address on the router, with preference given to loopback addresses. If the router-id command is specified that overrides this default behavior, verify that it is the IP address of the designated loopback interface. If the router is not configured do use its loopback address for LDP peering, this is a finding. |
| Fix Text (F-7434r382608_fix) |
|---|
| Configure MPLS routers to use their loopback address as the source address for LDP peering sessions. |