STIGQter: STIG Summary: Cisco IOS XE Router RTR Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.

DISA Rule

SV-216995r531086_rule

Vulnerability Number

V-216995

Group Title

SRG-NET-000230-RTR-000003

Rule Version

CISC-RT-000030

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-002205 - The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer.

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Configure each key used for routing protocol authentication to have a lifetime of no more than 180 days as shown in the example below:

R5(config)#key chain OSPF_KEY_CHAIN
R5(config-keychain)#key 1
R5(config-keychain-key)#key-string xxxxxx
R5(config-keychain-key)#send-lifetime 00:00:00 Jan 1 2018 23:59:59 Mar 31 2018
R5(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 2018 01:05:00 Apr 1 2018
R5(config-keychain-key)#exit
R5(config-keychain)#key 2
R5(config-keychain-key)#key-string yyyyyyy
R5(config-keychain-key)#send-lifetime 00:00:00 Apr 1 2018 23:59:59 Jun 30 2018
R5(config-keychain-key)#accept-lifetime 23:55:00 Mar 31 2018 01:05:00 Jul 1 2018
R5(config-keychain-key)#end

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the start times for each key within the configured key chains used for routing protocol authentication as shown in the example below:

key chain OSPF_KEY_CHAIN
key 1
key-string xxxxxxx
send-lifetime 00:00:00 Jan 1 2018 23:59:59 Mar 31 2018
accept-lifetime 00:00:00 Jan 1 2018 01:05:00 Apr 1 2018
key 2
key-string yyyyyyy
send-lifetime 00:00:00 Apr 1 2018 23:59:59 Jun 30 2018
accept-lifetime 23:55:00 Mar 31 2018 01:05:00 Jul 1 2018

Note: Key chains must be configured to authenticate routing protocol messages, as it is the only way to set an expiration.

If any key has a lifetime of more than 180 days, this is a finding.

Vulnerability Number

V-216995

Documentable

False

Rule Version

CISC-RT-000030

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Review the start times for each key within the configured key chains used for routing protocol authentication as shown in the example below:

key chain OSPF_KEY_CHAIN
key 1
key-string xxxxxxx
send-lifetime 00:00:00 Jan 1 2018 23:59:59 Mar 31 2018
accept-lifetime 00:00:00 Jan 1 2018 01:05:00 Apr 1 2018
key 2
key-string yyyyyyy
send-lifetime 00:00:00 Apr 1 2018 23:59:59 Jun 30 2018
accept-lifetime 23:55:00 Mar 31 2018 01:05:00 Jul 1 2018

Note: Key chains must be configured to authenticate routing protocol messages, as it is the only way to set an expiration.

If any key has a lifetime of more than 180 days, this is a finding.

Check Content Reference

M

Target Key

4028

Comments