STIGQter: STIG Summary: Cisco IOS Router RTR Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jan 2020: The Cisco PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.

DISA Rule

SV-105767r1_rule

Vulnerability Number

V-96629

Group Title

SRG-NET-000343-RTR-000001

Rule Version

CISC-RT-000660

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the example below.

R5(config)#mpls ldp neighbor 10.1.1.2 password xxxxxxxx

Check Contents

The Cisco router is not compliant with this requirement; hence, it is a finding. However, the severity level can be mitigated to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below.

mpls ldp neighbor 10.1.1.2 password xxxxxxx
mpls label protocol ldp

If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a category 2.
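As an added example (not part of the STIG or of STIGQter), the check above expressed as an offline audit of a saved running-config: it collects the targeted LDP peers, matches them against `mpls ldp neighbor ... password` lines, and reports CAT II or CAT III exactly as the severity guidance describes. The `targeted`, `vrf`, `password 7` and `xconnect` forms used to recognise peers are assumed IOS syntax, not taken from the STIG text, and the sample config is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a Cisco IOS PE running-config (not from the STIG page).
# Peers 10.1.1.2 and 10.1.1.3 terminate pseudowires (targeted LDP sessions);
# only 10.1.1.2 has an LDP neighbor password configured.
SAMPLE_CONFIG = """\
mpls label protocol ldp
mpls ldp neighbor 10.1.1.2 password 7 0822455D0A16
mpls ldp neighbor 10.1.1.3 targeted ldp
!
interface GigabitEthernet0/1
 xconnect 10.1.1.2 100 encapsulation mpls
!
interface GigabitEthernet0/2
 xconnect 10.1.1.3 200 encapsulation mpls
"""

# Config forms matched; the vrf, "password 7" and xconnect variants are assumed
# IOS syntax, not taken from the STIG text.
NEIGHBOR_PW = re.compile(r"^mpls ldp neighbor (?:vrf \S+ )?(\S+) password (?:[07] )?\S+")
NEIGHBOR_TARGETED = re.compile(r"^mpls ldp neighbor (?:vrf \S+ )?(\S+) targeted\b")
XCONNECT = re.compile(r"^\s*xconnect (\S+) \d+ encapsulation mpls\b")


@dataclass
class LdpAuthResult:
    targeted_peers: set = field(default_factory=set)
    authenticated_peers: set = field(default_factory=set)
    unauthenticated_peers: set = field(default_factory=set)
    severity: str = "CAT II"  # per the STIG the rule is always a finding


def audit_targeted_ldp_auth(config: str) -> LdpAuthResult:
    """Apply the CISC-RT-000660 check: is every targeted LDP peer password-protected?"""
    result = LdpAuthResult()
    for line in config.splitlines():
        if m := NEIGHBOR_PW.match(line):
            result.authenticated_peers.add(m.group(1))
        elif m := NEIGHBOR_TARGETED.match(line):
            result.targeted_peers.add(m.group(1))
        elif m := XCONNECT.match(line):
            result.targeted_peers.add(m.group(1))  # pseudowire endpoint => targeted session
    result.unauthenticated_peers = result.targeted_peers - result.authenticated_peers
    # MD5 is not FIPS-approved, so the finding stands; it only drops to CAT III
    # when no targeted peer is left without LDP authentication.
    result.severity = "CAT II" if result.unauthenticated_peers else "CAT III"
    return result
```

Run `audit_targeted_ldp_auth(SAMPLE_CONFIG)` on the constructed config and it reports CAT II, because 10.1.1.3 has a targeted session but no password; adding a password line for that peer drops the result to CAT III.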

Vulnerability Number

V-96629

Documentable

False

Rule Version

CISC-RT-000660

Severity Override Guidance

The Cisco router is not compliant with this requirement; hence, it is a finding. However, the severity level can be mitigated to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below.

mpls ldp neighbor 10.1.1.2 password xxxxxxx
mpls label protocol ldp

If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a category 2.

Check Content Reference

M

Target Key

3477

Comments