STIGQter: STIG Summary: Cisco NX-OS Switch RTR Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.

DISA Rule

SV-221120r622190_rule

Vulnerability Number

V-221120

Group Title

SRG-NET-000343-RTR-000001

Rule Version

CISC-RT-000660

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

NX-OS can authenticate LDP sessions only with the TCP MD5 signature option, and MD5 is not a FIPS-approved message authentication code, so this requirement cannot be fully met on the platform. The severity level can be downgraded to a category 3 if the switch is configured to authenticate all targeted LDP sessions using MD5 as shown in the example below:

Step 1: Configure a key chain for LDP sessions. The lifetimes below are illustrative and already in the past; in production use a window that covers the current date, and note that the accept-lifetime deliberately extends past the send-lifetime so that peers whose clocks lag slightly are still accepted during key rollover. A key chain with no currently valid send key causes session authentication to fail.

SW1(config)# key chain LDP_KEY
SW1(config-keychain)# key 1
SW1(config-keychain-key)# key-string xxxxxxxxxxxx
SW1(config-keychain-key)# send-lifetime 00:00:00 Oct 1 2019 23:59:59 Dec 31 2019
SW1(config-keychain-key)# accept-lifetime 00:00:00 Oct 1 2019 01:05:00 Jan 1 2020
SW1(config-keychain-key)# exit
SW1(config-keychain)# exit

Step 2: Configure prefix lists to identify the LDP neighbors (one host /32 entry per neighbor).

SW1(config)# ip prefix-list LDP_NBR1 permit 10.1.22.2/32
SW1(config)# ip prefix-list LDP_NBR2 permit 10.1.12.4/32

Step 3: Apply the key chain to the LDP neighbors.

SW1(config)# mpls ldp configuration
SW1(config-ldp)# password required for LDP_NBR1
SW1(config-ldp)# password option 1 for LDP_NBR1 key-chain LDP_KEY
SW1(config-ldp)# password required for LDP_NBR2
SW1(config-ldp)# password option 1 for LDP_NBR2 key-chain LDP_KEY
SW1(config-ldp)# end

Check Contents

The Cisco switch cannot authenticate LDP sessions with a FIPS-approved algorithm (MD5 is the only option), so it is not compliant with this requirement and it is a finding. However, the severity level can be downgraded to a category 3 if the switch is configured to authenticate all targeted LDP sessions using MD5 as shown in the configuration example below:

Step 1: Verify that LDP neighbors are authenticating session, advertisement, and notification messages as shown in the example below:

mpls ldp configuration
password required for LDP_NBR1
password option 1 for LDP_NBR1 key-chain LDP_KEY
password required for LDP_NBR2
password option 1 for LDP_NBR2 key-chain LDP_KEY

Step 2: Verify that the prefix lists referenced in step 1 exist and that each one matches the address of the intended LDP neighbor (a host /32 entry per neighbor).

ip prefix-list LDP_NBR1 permit 10.1.22.2/32
ip prefix-list LDP_NBR2 permit 10.1.12.4/32

If the switch is not configured to authenticate every targeted LDP session using MD5, this is a finding and it remains a CAT II.
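The check above is manual. As an added example (not part of the STIG or of STIGQter), the following Python script applies the same two steps to a saved copy of the switch's running-config: it parses the `key chain`, `ip prefix-list` and `mpls ldp configuration` stanzas, confirms that each targeted LDP neighbor is covered by a prefix list that has both `password required` and a `password option ... key-chain` statement, checks that the referenced key chain still has a key with a valid send-lifetime on the audit date, and reports the resulting severity. The two configuration texts, the neighbor lists and the function names are constructed for this example, not captured from a device.

```python
"""Audit an NX-OS running-config excerpt against the CISC-RT-000660 check (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Key:
    has_string: bool = False
    send_start: Optional[datetime] = None   # None = no lower bound
    send_end: Optional[datetime] = None     # None = infinite

    def valid_for_send(self, now: datetime) -> bool:
        return (self.has_string
                and (self.send_start is None or self.send_start <= now)
                and (self.send_end is None or now <= self.send_end))


@dataclass
class LdpConfig:
    key_chains: dict = field(default_factory=dict)    # name -> list[Key]
    prefix_lists: dict = field(default_factory=dict)  # name -> list[ip_network]
    required: set = field(default_factory=set)        # prefix lists with 'password required for'
    required_global: bool = False                     # bare 'password required'
    options: dict = field(default_factory=dict)       # prefix list -> key chain


@dataclass
class AuditResult:
    severity: str
    findings: list


def _ts(tokens):
    """Parse an NX-OS lifetime timestamp: hh:mm:ss Mon D YYYY."""
    return datetime.strptime(" ".join(tokens[:4]), "%H:%M:%S %b %d %Y")


def _lifetime(spec: str):
    """Return (start, end) for 'start [infinite | duration SECS | end]'; end None = infinite."""
    tok = spec.split()
    start, rest = _ts(tok), tok[4:]
    if not rest or rest[0] == "infinite":
        return start, None
    if rest[0] == "duration":
        return start, start + timedelta(seconds=int(rest[1]))
    return start, _ts(rest)


def parse_config(text: str) -> LdpConfig:
    """Minimal stanza parser: top-level lines start at column 0, children are indented."""
    cfg, chain, key, in_ldp = LdpConfig(), None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                       # new top-level stanza
            chain, key, in_ldp = None, None, False
            if m := re.fullmatch(r"key chain (\S+)", line):
                chain = cfg.key_chains.setdefault(m[1], [])
            elif m := re.fullmatch(r"ip prefix-list (\S+) (?:seq \d+ )?permit (\S+)", line):
                cfg.prefix_lists.setdefault(m[1], []).append(ipaddress.ip_network(m[2]))
            elif line == "mpls ldp configuration":
                in_ldp = True
            continue
        if chain is not None:
            if re.fullmatch(r"key \d+", line):
                key = Key()
                chain.append(key)
            elif key is not None and line.startswith("key-string "):
                key.has_string = True
            elif key is not None and line.startswith("send-lifetime "):
                # accept-lifetime governs peers' keys; send-lifetime is what this switch must have valid
                key.send_start, key.send_end = _lifetime(line.split(" ", 1)[1])
        elif in_ldp:
            if m := re.fullmatch(r"password required(?: for (\S+))?", line):
                if m[1]:
                    cfg.required.add(m[1])
                else:
                    cfg.required_global = True
            elif m := re.fullmatch(r"password option \d+ for (\S+) key-chain (\S+)", line):
                cfg.options[m[1]] = m[2]
    return cfg


def audit_ldp_auth(config_text: str, expected_neighbors, now: datetime) -> AuditResult:
    cfg, findings, authenticated = parse_config(config_text), [], set()
    for plist, chain_name in cfg.options.items():            # check step 1
        if plist not in cfg.prefix_lists:
            findings.append(f"{plist}: prefix-list referenced by password option is not defined")
        elif chain_name not in cfg.key_chains:
            findings.append(f"{plist}: key chain {chain_name} is not defined")
        elif not (cfg.required_global or plist in cfg.required):
            findings.append(f"{plist}: 'password required' is missing, authentication is not enforced")
        elif not any(k.valid_for_send(now) for k in cfg.key_chains[chain_name]):
            findings.append(f"{plist}: key chain {chain_name} has no key with a key-string and a "
                            f"send-lifetime covering {now:%Y-%m-%d}")
        else:
            authenticated.add(plist)
    for nbr in sorted(expected_neighbors, key=ipaddress.ip_address):   # check step 2
        addr = ipaddress.ip_address(nbr)
        if not any(addr in net for p in authenticated for net in cfg.prefix_lists[p]):
            findings.append(f"{nbr}: targeted LDP neighbor is not covered by an authenticated prefix-list")
    # MD5 is the only LDP authentication NX-OS offers and is not FIPS-approved, so the rule
    # is always a finding; complete MD5 coverage only justifies the CAT III downgrade.
    if findings:
        return AuditResult("CAT II", findings)
    return AuditResult("CAT III", ["all targeted LDP sessions are MD5-authenticated; MD5 is still not FIPS-approved"])


# Constructed sample mirroring the STIG example (not captured from a real switch).
COMPLIANT_CONFIG = """\
key chain LDP_KEY
  key 1
    key-string 7 xxxxxxxxxxxx
    send-lifetime 00:00:00 Oct 1 2019 23:59:59 Dec 31 2019
    accept-lifetime 00:00:00 Oct 1 2019 01:05:00 Jan 1 2020
ip prefix-list LDP_NBR1 seq 5 permit 10.1.22.2/32
ip prefix-list LDP_NBR2 seq 5 permit 10.1.12.4/32
mpls ldp configuration
  password required for LDP_NBR1
  password option 1 for LDP_NBR1 key-chain LDP_KEY
  password required for LDP_NBR2
  password option 1 for LDP_NBR2 key-chain LDP_KEY
"""
# Constructed deficient variant: LDP_NBR2 lacks 'password required'; a third neighbor has no stanza.
DEFICIENT_CONFIG = """\
key chain LDP_KEY
  key 1
    key-string 7 xxxxxxxxxxxx
ip prefix-list LDP_NBR1 seq 5 permit 10.1.22.2/32
ip prefix-list LDP_NBR2 seq 5 permit 10.1.12.4/32
mpls ldp configuration
  password required for LDP_NBR1
  password option 1 for LDP_NBR1 key-chain LDP_KEY
  password option 1 for LDP_NBR2 key-chain LDP_KEY
"""
STIG_NEIGHBORS = ["10.1.22.2", "10.1.12.4"]

if __name__ == "__main__":
    for label, text, nbrs in [("STIG example", COMPLIANT_CONFIG, STIG_NEIGHBORS),
                              ("deficient", DEFICIENT_CONFIG, STIG_NEIGHBORS + ["10.1.33.3"])]:
        result = audit_ldp_auth(text, nbrs, datetime(2019, 11, 15))
        print(f"{label}: {result.severity}")
        for f in result.findings:
            print("  -", f)
```

Run it against `show running-config` output saved to a file and pass the audit date explicitly; re-running the STIG example with a 2021 date reports the expired key chain, which is exactly the rollover failure a key chain with past lifetimes produces on the switch. The parser only understands the three stanzas the check names, so anything else in the running-config is ignored rather than misread.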

Vulnerability Number

V-221120

Documentable

False

Rule Version

CISC-RT-000660

Severity Override Guidance

The Cisco switch cannot authenticate LDP sessions with a FIPS-approved algorithm (MD5 is the only option), so it is not compliant with this requirement and it is a finding. However, the severity level can be downgraded to a category 3 if the switch is configured to authenticate all targeted LDP sessions using MD5 as shown in the configuration example below:

Step 1: Verify that LDP neighbors are authenticating session, advertisement, and notification messages as shown in the example below:

mpls ldp configuration
password required for LDP_NBR1
password option 1 for LDP_NBR1 key-chain LDP_KEY
password required for LDP_NBR2
password option 1 for LDP_NBR2 key-chain LDP_KEY

Step 2: Verify that the prefix lists referenced in step 1 exist and that each one matches the address of the intended LDP neighbor (a host /32 entry per neighbor).

ip prefix-list LDP_NBR1 permit 10.1.22.2/32
ip prefix-list LDP_NBR2 permit 10.1.12.4/32

If the switch is not configured to authenticate every targeted LDP session using MD5, this is a finding and it remains a CAT II.

Check Content Reference

M

Target Key

4075

Comments