STIGQter: STIG Summary: HP FlexFabric Switch RTR Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020

The HP FlexFabric Switch must encrypt all methods of configured authentication for routing protocols.

DISA Rule

SV-80601r1_rule

Vulnerability Number

V-66111

Group Title

SRG-NET-000168-RTR-000077

Rule Version

HFFS-RT-000011

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to authenticate OSPFv3 packets:

[HP] ipsec transform-set jitcipsecprop
[HP-ipsec-transform-set-jitcipsecprop] encapsulation-mode transport
[HP-ipsec-transform-set-jitcipsecprop] esp encryption-algorithm aes-cbc-256
[HP-ipsec-transform-set-jitcipsecprop] esp authentication-algorithm sha1
[HP-ipsec-transform-set-jitcipsecprop] quit
[HP] ipsec profile jitc manual
[HP-ipsec-profile-manual-jitc] transform-set jitcipsecprop
[HP-ipsec-profile-manual-jitc] sa spi inbound esp 256
[HP-ipsec-profile-manual-jitc] sa string-key inbound esp simple test123
[HP-ipsec-profile-manual-jitc] sa spi outbound esp 256
[HP-ipsec-profile-manual-jitc] sa string-key outbound esp simple test123
[HP-ipsec-profile-manual-jitc] quit
[HP] interface gigabitethernet 0/1
[HP-GigabitEthernet0/1] ospfv3 ipsec-profile jitc

Check Contents

Verify that the HP FlexFabric Switch configuration uses a NIST-validated FIPS 140-2 cryptographic mechanism by implementing OSPFv3 with IPsec.

[HP] display current-configuration interface

interface GigabitEthernet0/0
port link-mode route
description R1 ACTIVE
combo enable copper
ospfv3 200 area 0.0.0.0
ospfv3 ipsec-profile jitc
ipv6 address 2115:B:1::3E/126

If the routing protocol authentication mechanism does not use FIPS 140-2 validated cryptography, this is a finding.

Note: OSPFv3 requires IPsec to enable authentication using either the IPv6 Authentication Header (AH) or the Encapsulating Security Payload (ESP) header.
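The check above can be automated against saved "display current-configuration interface" output. The following is an added example, not part of the STIG or of STIGQter: it parses the interface stanzas, and any interface that enables an OSPFv3 process but has no "ospfv3 ipsec-profile" line is reported as a finding. The sample configuration is constructed from the check content; the second interface is an assumed non-compliant case.

```python
import re

# Constructed sample of "display current-configuration interface" output, modelled on the
# check above. GigabitEthernet0/0 is the compliant interface from the page; GigabitEthernet0/1
# is an assumed non-compliant interface (OSPFv3 enabled, no IPsec profile applied).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 port link-mode route
 description R1 ACTIVE
 combo enable copper
 ospfv3 200 area 0.0.0.0
 ospfv3 ipsec-profile jitc
 ipv6 address 2115:B:1::3E/126
#
interface GigabitEthernet0/1
 port link-mode route
 ospfv3 200 area 0.0.0.0
 ipv6 address 2115:B:2::3E/126
#
"""

# "ospfv3 <process-id> area <area-id>" enables OSPFv3 on the interface;
# "ospfv3 ipsec-profile <name>" applies the IPsec protection the rule requires.
OSPFV3_AREA = re.compile(r"^ospfv3 \d+ area \S+")
IPSEC_PROFILE = re.compile(r"^ospfv3 ipsec-profile (\S+)")


def parse_interfaces(text):
    """Split the output into {interface name: [config lines]} stanzas."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line and line != "#":
            interfaces[current].append(line)
    return interfaces


def find_unprotected_ospfv3(text):
    """Return names of interfaces running OSPFv3 with no IPsec profile (findings)."""
    findings = []
    for name, lines in parse_interfaces(text).items():
        runs_ospfv3 = any(OSPFV3_AREA.match(l) for l in lines)
        protected = any(IPSEC_PROFILE.match(l) for l in lines)
        if runs_ospfv3 and not protected:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in find_unprotected_ospfv3(SAMPLE_CONFIG):
        print(f"FINDING: {name} runs OSPFv3 without an IPsec profile")
```

A profile name reported as applied should still be checked against the global configuration to confirm the profile and its transform set exist and use the algorithms the fix specifies.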

Vulnerability Number

V-66111

Documentable

False

Rule Version

HFFS-RT-000011

Severity Override Guidance

Check Content Reference

M

Target Key

2979

Comments