STIGQter: STIG Summary: Cisco IOS XR Router RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

The Cisco PE router must be configured to ignore or block all packets with any IP options.

DISA Rule

SV-217009r531087_rule

Vulnerability Number

V-217009

Group Title

SRG-NET-000205-RTR-000016

Rule Version

CISC-RT-000750

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the router to drop all packets with ipv4 source-route as shown below.

RP/0/0/CPU0:R3(config)#no ipv4 source-route

Check Contents

In Cisco IOS XR, all IPv4 packets with any header option other than the "source-route" header option are dropped. By default, IPv4 source routing is disabled.

Verify that the following command is not configured:

ipv4 source-route

If the router is not configured to drop all packets with IP options, this is a finding.
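
The check above can be run against saved configuration text for several routers at once. The following is an added example, not part of the STIG or of Cisco tooling; the function names and sample configurations are constructed, and it assumes the global command appears unindented in the saved running-config. It also shows why a plain substring search gives a false finding.

```python
import re

def audit_source_route(config_text):
    """Return (is_finding, offending_lines) for one router's config text."""
    offending = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        # Assumption: indented lines belong to a sub-mode (interface, router,
        # ...), and the command this check looks for is a global one.
        if raw[:1].isspace():
            continue
        line = re.sub(r"\s+", " ", raw.strip()).lower()
        if not line or line.startswith("!"):
            continue  # blank line or comment/separator
        # Exact match only: "no ipv4 source-route" is the compliant form.
        if line == "ipv4 source-route":
            offending.append((lineno, raw.strip()))
    return (bool(offending), offending)

def naive_check(config_text):
    """Substring search, shown only to contrast with the exact match above."""
    return "ipv4 source-route" in config_text

def audit_fleet(configs):
    """Map each router name to 'finding' or 'not a finding'."""
    return {name: "finding" if audit_source_route(text)[0] else "not a finding"
            for name, text in configs.items()}

# Constructed sample configurations (not taken from real devices).
COMPLIANT = """!! constructed sample
hostname R3
interface GigabitEthernet0/0/0/0
 description lab link, ipv4 source-route must stay off
 ipv4 address 192.0.2.1 255.255.255.0
!
no ipv4 source-route
end
"""
NONCOMPLIANT = """!! constructed sample
hostname R4
ipv4   source-route
!
end
"""

if __name__ == "__main__":
    for name, status in audit_fleet({"R3": COMPLIANT, "R4": NONCOMPLIANT}).items():
        print(name, status)
```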

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4029

Comments