STIGQter STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco perimeter router must be configured to block all packets with any IP options.

DISA Rule

SV-217006r531087_rule

Vulnerability Number

V-217006

Group Title

SRG-NET-000205-RTR-000015

Rule Version

CISC-RT-000350

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Configure the router to drop all packets with IP option source routing.

RP/0/0/CPU0:R3(config)#no ipv4 source-route

Check Contents

This requirement is not applicable for the DODIN Backbone.

In Cisco IOS XR, all IPv4 packets with any header option other than the "source-route" header options are dropped. By default, ipv4 source routing is disabled. Verify that the following command is not configured: ipv4 source-route

If the router is not configured to drop all packets with IP option source routing, this is a finding.

Vulnerability Number

V-217006

Documentable

False

Rule Version

CISC-RT-000350

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

In Cisco IOS XR, all IPv4 packets with any header option other than the "source-route" header options are dropped. By default, ipv4 source routing is disabled. Verify that the following command is not configured: ipv4 source-route

If the router is not configured to drop all packets with IP option source routing, this is a finding.

Check Content Reference

M

Target Key

4029

Comments