SV-216739r531087_rule
V-216739
SRG-NET-000168-RTR-000078
CISC-RT-000050
CAT II
10
Configure routing protocol authentication to use a NIST-validated FIPS 198-1 message authentication code algorithm as shown in the following example:
RP/0/0/CPU0:R2(config)#key chain BGP_KEY_CHAIN
RP/0/0/CPU0:R2(config-BGP_KEY_CHAIN)#key 1
RP/0/0/CPU0:R2(config-BGP_KEY_CHAIN-1)#accept-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019
RP/0/0/CPU0:R2(config-BGP_KEY_CHAIN-1)#key-string password xxxxxxxxxxx
RP/0/0/CPU0:R2(config-BGP_KEY_CHAIN-1)#send-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019
RP/0/0/CPU0:R2(config-BGP_KEY_CHAIN-1)#cryptographic-algorithm hmac-sha1-12
RP/0/0/CPU0:R2(config-BGP_KEY_CHAIN-1)#key 2
RP/0/0/CPU0:R2(config-BGP_KEY_CHAIN-2)#accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
RP/0/0/CPU0:R2(config-BGP_KEY_CHAIN-2)#key-string password xxxxxxxxxxxxxxxx
RP/0/0/CPU0:R2(config-BGP_KEY_CHAIN-2)#send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
RP/0/0/CPU0:R2(config-BGP_KEY_CHAIN-2)#cryptographic-algorithm hmac-sha1-12
RP/0/0/CPU0:R2(config-BGP_KEY_CHAIN-2)#end
Review the router configuration to verify it is using a NIST-validated FIPS 198-1 message authentication code algorithm to authenticate routing protocol messages.
key chain BGP_KEY_CHAIN
key 1
accept-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
key-string password xxxxxxxxxxxxxxxx
send-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
cryptographic-algorithm HMAC-SHA1-12
!
key 2
accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
key-string password xxxxxxxxxxxxxxx
send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
cryptographic-algorithm HMAC-SHA1-12
!
Note: OSPF, RIP, EIGRP, and IS-IS only support MD5.
If a NIST-validated FIPS 198-1 message authentication code algorithm is not being used to authenticate routing protocol messages, this is a finding.
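An added compliance check, not part of the STIG text, that parses a saved IOS XR running-config for key chains and reports every key whose cryptographic-algorithm is missing or is not an HMAC, so the review step above can be run against many devices. The set of accepted algorithm names and the sample configuration are assumptions constructed for this example.

```python
import re

# HMAC algorithms IOS XR accepts under "cryptographic-algorithm"; this set is an
# assumption for the example (not taken from the STIG text); adjust to the platform.
FIPS_198_1_ALGORITHMS = {"hmac-sha1-12", "hmac-sha1-20", "hmac-sha-256"}
# Constructed sample: the STIG's compliant chain plus a non-compliant one.
SAMPLE_CONFIG = """\
key chain BGP_KEY_CHAIN
 key 1
  accept-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
  key-string password xxxxxxxxxxxxxxxx
  cryptographic-algorithm HMAC-SHA1-12
 !
!
key chain LEGACY_CHAIN
 key 1
  key-string password xxxxxxxx
  cryptographic-algorithm MD5
 !
 key 2
  key-string password xxxxxxxx
 !
!
"""

def parse_key_chains(config):
    """Return {chain: {key_id: algorithm_or_None}} from running-config text."""
    chains, chain, key = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"key chain (\S+)", line):
            chain, key = m.group(1), None
            chains[chain] = {}
        elif (m := re.match(r"key (\d+)$", line)) and chain is not None:
            key = m.group(1)
            chains[chain][key] = None
        elif (m := re.match(r"cryptographic-algorithm (\S+)", line, re.I)) and key:
            chains[chain][key] = m.group(1).lower()  # HMAC-SHA1-12 and hmac-sha1-12 compare equal
    return chains

def find_findings(config):
    """One finding per key not protected by a FIPS 198-1 HMAC (CAT II under this rule)."""
    findings = []
    for chain, keys in parse_key_chains(config).items():
        for key, algo in keys.items():
            if algo is None:
                findings.append(f"{chain} key {key}: no cryptographic-algorithm configured")
            elif algo not in FIPS_198_1_ALGORITHMS:
                findings.append(f"{chain} key {key}: non-FIPS algorithm {algo}")
    return findings
```

Feed it the output of "show running-config key chain" captured from each device; an empty list means no finding for this rule.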
M
4029