STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco router must be configured to use encryption for routing protocol authentication.

DISA Rule

SV-216738r531087_rule

Vulnerability Number

V-216738

Group Title

SRG-NET-000168-RTR-000077

Rule Version

CISC-RT-000040

Severity

CAT II

CCI(s)

CCI-000803 - The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Weight

Fix Recommendation

Configure the key chains used by the routing protocols to have the keys encrypted as shown in the example below.

RP/0/0/CPU0:R2(config)#key chain OSPF_KEY_CHAIN
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN)#key 1
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#accept-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#key-string password xxxxxxxxxxxxxxx
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#send-lifetime 01:00:00 jan 01 2019 01:00:00 april 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#cryptographic-algorithm hmac-md5
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-1)#key 2
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#key-string password xxxxxxxxxxxxxxx
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#cryptographic-algorithm hmac-md5
RP/0/0/CPU0:R2(config-OSPF_KEY_CHAIN-2)#end

Check Contents

Review the router configuration. For every routing protocol that affects the routing or forwarding tables, verify that neighbor router authentication is encrypting the authentication key as shown in the examples below.

Step 1: Verify that the routing protocols are configured to use a key chain for authentication as shown in the examples below.

BGP Example

router bgp nn
address-family ipv4 unicast
!
neighbor x.1.23.2
remote-as nn
keychain BGP_KEY_CHAIN
address-family ipv4 unicaast

EIGRP Example

router eigrp 1
address-family ipv4
interface GigabitEthernet0/0/0/2
authentication keychain EIGRP_KEY_CHAIN

IS-IS Example

router isis 1
net 49.0001.0001.0001.0002.00
lsp-password keychain ISIS_KEY_CHAIN
interface GigabitEthernet0/0/0/2
hello-password keychain ISIS_KEY_CHAIN

OSPF Example

router ospf 1
area 0
authentication message-digest keychain OSPF_KEY_CHAIN

RIP Example

router rip
interface GigabitEthernet0/0/0/2
authentication keychain RIP_KEY_CHAIN mode md5

Step 2: Verify that the keys use an encryption algorithm as shown in the example below.

key chain OSPF_KEY_CHAIN
key 1
accept-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
key-string password 104300150004
send-lifetime 01:00:00 january 01 2019 01:00:00 april 01 2019
cryptographic-algorithm HMAC-MD5
!
key 2
accept-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
key-string password 030654090416
send-lifetime 01:00:00 april 01 2019 01:00:00 july 01 2019
cryptographic-algorithm HMAC-MD5

If the routing protocol is not encrypting the authentication key, this is a finding.

The Cisco router must be configured to use encryption for routing protocol authentication.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments