From Cisco IOS XE Release 3 RTR Security Technical Implementation Guide
Part of SRG-NET-000025-RTR-000020
Associated with: CCI-000366 CCI-002205
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network, or merely used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates.
Review the Cisco IOS XE router configuration and verify that neighbor router authentication is configured for all control plane protocols.
The configuration should look similar to the examples below:
OSPF Example:
router ospf 1
area 1 authentication message-digest
interface GigabitEthernet0/0
ip ospf message-digest-key 1 md5
Configure neighbor router authentication for all control plane protocols. The configuration will look similar to the example below:
OSPF Example:
router ospf 1
area 1 authentication message-digest
interface GigabitEthernet0/0
ip ospf message-digest-key 1 md5
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer