STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The Cisco PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.

DISA Rule

SV-216794r531087_rule

Vulnerability Number

V-216794

Group Title

SRG-NET-000343-RTR-000001

Rule Version

CISC-RT-000660

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the example below.

RP/0/0/CPU0:R3(config)#mpls ldp
RP/0/0/CPU0:R3(config-ldp)#neighbor 10.1.1.1
RP/0/0/CPU0:R3(config-ldp)#neighbor password clear xxxxxxxx
RP/0/0/CPU0:R3(config-ldp)#neighbor 10.1.2.1
RP/0/0/CPU0:R3(config-ldp)#neighbor password clear xxxxxxxx
RP/0/0/CPU0:R3(config-ldp)#commit

Check Contents

The Cisco router is not compliant with this requirement; hence, it is a finding. However, the severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below.

mpls ldp
router-id 10.1.1.2
neighbor 10.1.1.1
password encrypted xxxxxxxxxxxxxxx
neighbor 10.1.2.1
password encrypted xxxxxxxxxxxxxxx

If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.
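As an added example (not part of the STIG or of STIGQter), the Python script below parses the mpls ldp block of an IOS XR configuration and reports which LDP neighbors have no MD5 password, which is the fact an assessor needs to decide between the CAT II finding and the CAT III downgrade described in the check above. The configuration text, hostname and password strings are constructed; it accepts both the indented form of a running-config and the flattened form printed in the STIG.

```python
import re

# Constructed IOS XR configuration fragment (not from the STIG): one LDP neighbor
# has an MD5 password, the other does not.
SAMPLE_CONFIG = """\
hostname R3
mpls ldp
 router-id 10.1.1.2
 neighbor 10.1.1.1
  password encrypted 060506324F41
 neighbor 10.1.2.1
!
router bgp 65000
 neighbor 10.1.2.1 remote-as 65000
"""

LDP_KEYWORDS = ("router-id", "neighbor", "password")

def ldp_section(config):
    """Return the stripped lines that belong to the 'mpls ldp' block."""
    out, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == "mpls ldp"
            continue
        # IOS XR nests sub-commands with leading spaces; the STIG prints the
        # block flattened, so unindented LDP keywords are accepted as well.
        if raw.startswith(" ") or line.split(" ", 1)[0] in LDP_KEYWORDS:
            out.append(line)
        else:
            break
    return out

def neighbor_passwords(config):
    """Map each LDP neighbor to its password form: 'clear', 'encrypted' or None."""
    neighbors, current = {}, None
    for line in ldp_section(config):
        m = re.match(r"neighbor\s+(\S+)(?:\s+password\s+(clear|encrypted)\s+\S+)?$", line)
        if m:
            current = m.group(1).split(":")[0]  # drop an optional :label-space suffix
            neighbors[current] = m.group(2)
            continue
        m = re.match(r"password\s+(clear|encrypted)\s+\S+$", line)
        if m and current:
            neighbors[current] = m.group(1)
    return neighbors

def assess(config):
    """Always a finding (MD5 is not FIPS-approved); CAT III only if every neighbor
    carries an MD5 password, otherwise CAT II. Returns (severity, unauthenticated)."""
    nbrs = neighbor_passwords(config)
    unauth = sorted(ip for ip, kind in nbrs.items() if kind is None)
    return ("CAT III", unauth) if nbrs and not unauth else ("CAT II", unauth)
```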

Vulnerability Number

V-216794

Documentable

False

Rule Version

CISC-RT-000660

Severity Override Guidance

The Cisco router is not compliant with this requirement; hence, it is a finding. However, the severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below.

mpls ldp
router-id 10.1.1.2
neighbor 10.1.1.1
password encrypted xxxxxxxxxxxxxxx
neighbor 10.1.2.1
password encrypted xxxxxxxxxxxxxxx

If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.

Check Content Reference

M

Target Key

4029

Comments