STIGQter STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.

DISA Rule

SV-216704r531086_rule

Vulnerability Number

V-216704

Group Title

SRG-NET-000343-RTR-000001

Rule Version

CISC-RT-000660

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the example below.

R5(config)#mpls ldp neighbor 10.1.1.2 password xxxxxxxx

Check Contents

The Cisco router is not compliant with this requirement; hence, it is a finding. However, the severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below.

mpls ldp neighbor 10.1.1.2 password xxxxxxx
mpls label protocol ldp

If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.

Vulnerability Number

V-216704

Documentable

False

Rule Version

CISC-RT-000660

Severity Override Guidance

The Cisco router is not compliant with this requirement; hence, it is a finding. However, the severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below.

mpls ldp neighbor 10.1.1.2 password xxxxxxx
mpls label protocol ldp

If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.

Check Content Reference

M

Target Key

4028

Comments