STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Cisco perimeter router must be configured to block all packets with any IP options.

DISA Rule

SV-217006r531087_rule

Vulnerability Number

V-217006

Group Title

SRG-NET-000205-RTR-000015

Rule Version

CISC-RT-000350

Severity

CAT II

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

This requirement is not applicable for the DODIN Backbone.

Configure the router to drop all packets with IP option source routing.

RP/0/0/CPU0:R3(config)#no ipv4 source-route

Check Contents

This requirement is not applicable for the DODIN Backbone.

In Cisco IOS XR, all IPv4 packets with any header option other than the "source-route" header options are dropped. By default, ipv4 source routing is disabled. Verify that the following command is not configured: ipv4 source-route

If the router is not configured to drop all packets with IP option source routing, this is a finding.

Vulnerability Number

V-217006

Documentable

False

Rule Version

CISC-RT-000350

Severity Override Guidance

This requirement is not applicable for the DODIN Backbone.

In Cisco IOS XR, all IPv4 packets with any header option other than the "source-route" header options are dropped. By default, ipv4 source routing is disabled. Verify that the following command is not configured: ipv4 source-route

If the router is not configured to drop all packets with IP option source routing, this is a finding.

Check Content Reference

M

Target Key

4029

Comments