STIGQter: STIG Summary: Cisco IOS Router RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The Cisco PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.

DISA Rule

SV-216614r531085_rule

Vulnerability Number

V-216614

Group Title

SRG-NET-000343-RTR-000001

Rule Version

CISC-RT-000660

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the example below.

R5(config)#mpls ldp neighbor 10.1.1.2 password xxxxxxxx

Check Contents

The Cisco router is not compliant with this requirement; hence, it is a finding. However, the severity level can be mitigated to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below.

mpls ldp neighbor 10.1.1.2 password xxxxxxx
mpls label protocol ldp

If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a category 2.
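The check above is manual: an assessor reads the running-config and decides whether the finding stays at CAT II or can be reduced to CAT III. The following script is an added example (not part of the STIG, STIGQter, or Cisco documentation) that applies the same decision to a saved IOS configuration offline. It assumes the standard IOS command forms "mpls ldp neighbor [vrf <name>] <ip> password [0|7] <secret>" and "mpls ldp neighbor [vrf <name>] <ip> targeted [ldp|tdp]", and it adopts one reading of the rule text that the page does not spell out: every configured targeted neighbor must carry a neighbor password for the severity to drop to CAT III. The sample configuration, its addresses and its secrets are constructed for the example.

```python
"""Offline assessment of CISC-RT-000660 (V-216614) for one Cisco IOS running-config.

Added example; not the STIG's, STIGQter's or Cisco's own code.
"""
import re

# Constructed sample running-config excerpt (addresses and secrets are made up).
# Neighbor 10.1.1.3 is targeted but has no password, so this config stays at CAT II.
SAMPLE_CONFIG = """\
mpls label protocol ldp
mpls ldp router-id Loopback0 force
mpls ldp neighbor 10.1.1.2 password 7 094F471A1A0A
mpls ldp neighbor 10.1.1.2 targeted ldp
mpls ldp neighbor 10.1.1.3 targeted ldp
mpls ldp neighbor vrf CUST-A 10.1.1.4 password 0 PlainSecret
mpls ldp neighbor vrf CUST-A 10.1.1.4 targeted ldp
"""

# Assumed IOS syntax:
#   mpls ldp neighbor [vrf <name>] <ip> password [0|7] <secret>
#   mpls ldp neighbor [vrf <name>] <ip> targeted [ldp|tdp]
# Group 1 is the optional VRF name, group 2 the neighbor address. The secret
# itself is never captured so it cannot leak into reports or logs.
PASSWORD_RE = re.compile(r"^mpls ldp neighbor (?:vrf (\S+) )?(\S+) password (?:[07] )?\S+$")
TARGETED_RE = re.compile(r"^mpls ldp neighbor (?:vrf (\S+) )?(\S+) targeted(?: \S+)?$")


def _key(vrf, ip):
    """Identify a neighbor by VRF and address so the same IP in two VRFs stays distinct."""
    return f"{vrf or 'global'}:{ip}"


def assess_ldp_auth(config_text):
    """Return the finding status and severity for one device config.

    The requirement is always a finding per the STIG check text; the severity
    drops from CAT II to CAT III only when targeted LDP sessions are
    authenticated with an MD5 neighbor password. Reading assumed here: every
    targeted neighbor must have a password, and at least one must exist.
    """
    targeted, authenticated = set(), set()
    label_protocol_ldp = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "mpls label protocol ldp":
            label_protocol_ldp = True
            continue
        m = PASSWORD_RE.match(line)
        if m:
            authenticated.add(_key(*m.groups()))
            continue
        m = TARGETED_RE.match(line)
        if m:
            targeted.add(_key(*m.groups()))
    unauthenticated = sorted(targeted - authenticated)
    fully_authenticated = bool(authenticated) and not unauthenticated
    return {
        "finding": True,
        "severity": "CAT III" if fully_authenticated else "CAT II",
        "label_protocol_ldp": label_protocol_ldp,
        "targeted_neighbors": sorted(targeted),
        "unauthenticated_targeted": unauthenticated,
    }


if __name__ == "__main__":
    result = assess_ldp_auth(SAMPLE_CONFIG)
    print(f"Finding: {result['finding']}  Severity: {result['severity']}")
    print(f"LDP label protocol set: {result['label_protocol_ldp']}")
    for neighbor in result["unauthenticated_targeted"]:
        print(f"  targeted neighbor without MD5 password: {neighbor}")
```

Feed it the output of "show running-config" saved to a file; a device with no targeted neighbors and no passwords reports CAT II, and the report lists exactly which targeted neighbors still lack a password so the fix can be applied per neighbor.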

Vulnerability Number

V-216614

Documentable

False

Rule Version

CISC-RT-000660

Severity Override Guidance

The Cisco router is not compliant with this requirement; hence, it is a finding. However, the severity level can be mitigated to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below.

mpls ldp neighbor 10.1.1.2 password xxxxxxx
mpls label protocol ldp

If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a category 2.

Check Content Reference

M

Target Key

4027

Comments