SV-80843r1_rule
V-66353
NET2000
NET2000
CAT II
10
Implement neighbor authentication using a secured hashing algorithm for all signaling protocols deployed to build LSP tunnels.
Review the router configuration to determine if LDP and RSVP messages are being authenticated as shown in the examples below.
If authentication is not being used for these protocols using a secured hashing algorithm for message authentication, this is a finding.
An LDP session is secured by configuring a password for each LDP peer as shown in the example below:
mpls ip
mpls label protocol ldp
mpls ldp neighbor 10.1.1.1 password xzxxxxxxxxxxx
mpls ldp neighbor 10.3.3.3 password xxxxxzzzzxxxz
The IP addresses 10.1.1.1 and 10.3.3.3 in this example are the router IDs of the neighbors with which this router has an LDP session requiring MD5 authentication. To specify that the router ID 10.1.1.1 is to be found in the VPN routing/forwarding instance (VRF) named VPN1 instead of the global route table, the "vrf" keyword is used in the command as shown in the following example:
mpls ldp neighbor vrf VPN1 10.1.1.1 password xxxxxxxxxxxxxxxxx
A group of peers using the same MD5 password can be configured as shown in the example below:
mpls ldp password for 10 xxxxxxxxxxxxxxx
mpls ldp password required for 10
!
access-list 10 permit 10.1.1.1
access-list 10 permit 10.3.3.3
access-list 10 permit 10.4.4.4
The access list specifies a password is mandatory for LDP sessions with neighbors whose LDP router IDs are permitted by the access list.
To configure MD5 or SHA-1 authentication for RSVP, both ip rsvp authentication key and ip rsvp authentication commands must be configured as shown in the example below. The latter command simply enables authentication.
interface Ethernet0/0
ip address 192.168.101.2 255.255.255.0
ip rsvp bandwidth 7500 7500
ip rsvp authentication type sha-1
ip rsvp authentication key xxxxxxxx
ip rsvp authentication
Note: If SHA-1 is not specified using the ip rsvp authentication type command, MD5 will be utilized.
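The following is an added example, not part of the STIG text, of how the check above can be scripted against a saved running-config: it reports LDP without neighbor or group passwords, RSVP-enabled interfaces without both authentication commands, and notes interfaces that fall back to MD5 because no "type sha-1" is set. The sample configuration is constructed from the examples above (Ethernet0/1 is deliberately non-compliant); the command patterns assume the Cisco IOS syntax shown on this page.

```python
import re

# Constructed running-config fragment modelled on the STIG's own examples;
# Ethernet0/1 deliberately lacks RSVP authentication so the audit reports it.
SAMPLE_CONFIG = """\
mpls label protocol ldp
mpls ldp neighbor 10.1.1.1 password xzxxxxxxxxxxx
mpls ldp neighbor vrf VPN1 10.3.3.3 password xxxxxzzzzxxxz
interface Ethernet0/0
 ip rsvp bandwidth 7500 7500
 ip rsvp authentication type sha-1
 ip rsvp authentication key xxxxxxxx
 ip rsvp authentication
interface Ethernet0/1
 ip rsvp bandwidth 5000 5000
"""
LDP_NEIGHBOR_RE = re.compile(r"^mpls ldp neighbor (?:vrf \S+ )?\S+ password \S+")
LDP_GROUP_RE = re.compile(r"^mpls ldp password required for \S+")

def split_interfaces(config):
    # Map each 'interface <name>' header to its indented sub-commands.
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return blocks

def check_ldp(config):
    lines = config.splitlines()
    if "mpls label protocol ldp" not in lines and "mpls ip" not in lines:
        return []  # LDP not in use; nothing to assess
    # Either per-neighbor passwords or a 'password required for <acl>' group counts.
    if any(LDP_NEIGHBOR_RE.match(l) or LDP_GROUP_RE.match(l) for l in lines):
        return []
    return ["LDP enabled without neighbor or group password"]

def check_rsvp(config):
    results = []
    for name, lines in split_interfaces(config).items():
        if not any(l.startswith("ip rsvp bandwidth") for l in lines):
            continue  # RSVP not enabled on this interface
        has_key = any(l.startswith("ip rsvp authentication key") for l in lines)
        if not (has_key and "ip rsvp authentication" in lines):
            results.append(f"{name}: RSVP enabled without authentication")
        elif "ip rsvp authentication type sha-1" not in lines:
            results.append(f"{name}: RSVP authenticated with default MD5")
    return results
```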
M
838