STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.

DISA Rule

SV-217003r531087_rule

Vulnerability Number

V-217003

Group Title

SRG-NET-000230-RTR-000003

Rule Version

CISC-RT-000030

Severity

CAT II

CCI(s)

• CCI-002205 - The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer.
• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Configure each key used for routing protocol authentication to have a lifetime of no more than 180 days as shown in the example below.

RP/0/0/CPU0:R2(config)#key chain OSPF_KEY_CHAIN
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN)#key 1
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#accept-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#key-string password xxxxxxxxxxxxxxxx
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#send-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#cryptographic-algorithm hmac-md5
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#key 2
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#key-string password xxxxxxxxxxxxxxxxxxx
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#cryptographic-algorithm hmac-md5
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#end

Check Contents

This requirement is not applicable for the DODIN Backbone.

Review the start times for each key within the configured key chains used for routing protocol authentication as shown in the example below.

key chain BGP_KEY_CHAIN
key 1
accept-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
key-string password 104300150004
send-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
cryptographic-algorithm HMAC-SHA1-12
!
key 2
accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
key-string password 030654090416
send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
cryptographic-algorithm HMAC-SHA1-12

Note: Key chains must be configured to authenticate routing protocol messages as it is the only way to set an expiration.

If any key has a lifetime of more than 180 days, this is a finding.

Vulnerability Number

V-217003

Documentable

False

Rule Version

CISC-RT-000030

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

Review the start times for each key within the configured key chains used for routing protocol authentication as shown in the example below.

key chain BGP_KEY_CHAIN
key 1
accept-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
key-string password 104300150004
send-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
cryptographic-algorithm HMAC-SHA1-12
!
key 2
accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
key-string password 030654090416
send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
cryptographic-algorithm HMAC-SHA1-12

Note: Key chains must be configured to authenticate routing protocol messages as it is the only way to set an expiration.

If any key has a lifetime of more than 180 days, this is a finding.

Check Content Reference

M

Target Key

4029

Comments