STIGQter STIGQter: STIG Summary: Cisco IOS Router RTR Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jan 2020: The Cisco router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.

DISA Rule

SV-105649r1_rule

Vulnerability Number

V-96511

Group Title

SRG-NET-000168-RTR-000078

Rule Version

CISC-RT-000050

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure routing protocol authentication to use a NIST-validated FIPS 198-1 message authentication code algorithm as shown in the example.

R5(config)#key chain OSPF_KEY_CHAIN
R5(config-keychain)#key 1
R5(config-keychain-key)#key-string xxxxxx
R5(config-keychain-key)#send-lifetime 00:00:00 Jan 1 2018 23:59:59 Mar 31 2018
R5(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 2018 01:05:00 Apr 1 2018
R5(config-keychain-key)#cryptographic-algorithm hmac-sha-256
R5(config-keychain-key)#exit
R5(config-keychain)#key 2
R5(config-keychain-key)#key-string yyyyyyy
R5(config-keychain-key)#send-lifetime 00:00:00 Apr 1 2018 23:59:59 Jun 30 2018
R5(config-keychain-key)#accept-lifetime 23:55:00 Mar 31 2018 01:05:00 Jul 1 2018
R5(config-keychain-key)#cryptographic-algorithm hmac-sha-256
R5(config-keychain-key)#end
R5(config)#interface GigabitEthernet0/2
R5(config-if)#ip ospf authentication key-chain OSPF_KEY_CHAIN

Check Contents

Review the router configuration to verify it is using a NIST-validated FIPS 198-1 message authentication code algorithm to authenticate routing protocol messages.

OSPF Example

key chain OSPF_KEY_CHAIN
key 1
key-string xxxxxxx
send-lifetime 00:00:00 Jan 1 2018 23:59:59 Mar 31 2018
accept-lifetime 00:00:00 Jan 1 2018 01:05:00 Apr 1 2018
cryptographic-algorithm hmac-sha-256
key 2
key-string yyyyyyy
send-lifetime 00:00:00 Apr 1 2018 23:59:59 Jun 30 2018
accept-lifetime 23:55:00 Mar 31 2018 01:05:00 Jul 1 2018
cryptographic-algorithm hmac-sha-256



interface GigabitEthernet0/1
ip address x.x.x.x 255.255.255.0
ip ospf authentication key-chain OSPF_KEY_CHAIN

If a NIST-validated FIPS 198-1 message authentication code algorithm is not being used to authenticate routing protocol messages, this is a finding.

Vulnerability Number

V-96511

Documentable

False

Rule Version

CISC-RT-000050

Severity Override Guidance

Review the router configuration to verify it is using a NIST-validated FIPS 198-1 message authentication code algorithm to authenticate routing protocol messages.

OSPF Example

key chain OSPF_KEY_CHAIN
key 1
key-string xxxxxxx
send-lifetime 00:00:00 Jan 1 2018 23:59:59 Mar 31 2018
accept-lifetime 00:00:00 Jan 1 2018 01:05:00 Apr 1 2018
cryptographic-algorithm hmac-sha-256
key 2
key-string yyyyyyy
send-lifetime 00:00:00 Apr 1 2018 23:59:59 Jun 30 2018
accept-lifetime 23:55:00 Mar 31 2018 01:05:00 Jul 1 2018
cryptographic-algorithm hmac-sha-256



interface GigabitEthernet0/1
ip address x.x.x.x 255.255.255.0
ip ospf authentication key-chain OSPF_KEY_CHAIN

If a NIST-validated FIPS 198-1 message authentication code algorithm is not being used to authenticate routing protocol messages, this is a finding.

Check Content Reference

M

Target Key

3477

Comments