STIGQter STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jan 2020: The Cisco router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.

DISA Rule

SV-105823r1_rule

Vulnerability Number

V-96685

Group Title

SRG-NET-000168-RTR-000078

Rule Version

CISC-RT-000050

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure routing protocol authentication to use a NIST-validated FIPS 198-1 message authentication code algorithm as shown in the example.

RP/0/0/CPU0:R2(config)#key chain BGP_KEY_CHAIN
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN)#key 1
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#accept-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#key-string password xxxxxxxxxxx
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#send-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#cryptographic-algorithm hmac-sha1-12
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#key 2
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#key-string password xxxxxxxxxxxxxxxx
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#cryptographic-algorithm hmac-sha1-12
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#end

Check Contents

Review the router configuration to verify it is using a NIST-validated FIPS 198-1 message authentication code algorithm to authenticate routing protocol messages.

key chain BGP_KEY_CHAIN
key 1
accept-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
key-string password xxxxxxxxxxxxxxxx
send-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
cryptographic-algorithm HMAC-SHA1-12
!
key 2
accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
key-string password xxxxxxxxxxxxxxx
send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
cryptographic-algorithm HMAC-SHA1-12
!

Note: OSPF, RIP, EIGRP, and IS-IS only support MD5.

If a NIST-validated FIPS 198-1 message authentication code algorithm is not being used to authenticate routing protocol messages, this is a finding.

Vulnerability Number

V-96685

Documentable

False

Rule Version

CISC-RT-000050

Severity Override Guidance

Review the router configuration to verify it is using a NIST-validated FIPS 198-1 message authentication code algorithm to authenticate routing protocol messages.

key chain BGP_KEY_CHAIN
key 1
accept-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
key-string password xxxxxxxxxxxxxxxx
send-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
cryptographic-algorithm HMAC-SHA1-12
!
key 2
accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
key-string password xxxxxxxxxxxxxxx
send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
cryptographic-algorithm HMAC-SHA1-12
!

Note: OSPF, RIP, EIGRP, and IS-IS only support MD5.

If a NIST-validated FIPS 198-1 message authentication code algorithm is not being used to authenticate routing protocol messages, this is a finding.

Check Content Reference

M

Target Key

3481

Comments