The Cisco ISR 4000 Series router must encrypt all methods of configured authentication for routing protocols.

From Cisco IOS XE Release 3 RTR Security Technical Implementation Guide

Part of SRG-NET-000168-RTR-000077

Associated with: CCI-000803

SV-88801r1_rule The Cisco ISR 4000 Series router must encrypt all methods of configured authentication for routing protocols.

Vulnerability discussion

A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network, or merely used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and Multicast-related protocols.

Check content

Review the configuration of the Cisco ISR 4000 Series router and verify that an encrypted HMAC authentication is being used for all routing protocols as shown in the following configuration examples: key chain OSPF_KEY key 1 key-string OSPFKEY cryptographic-algorithm hmac-sha-1 ! interface GigabitEthernet3 ip address 1.1.35.3 255.255.255.0 ip ospf authentication key-chain OSPF_KEY ------------------------------------------- key chain EIGRP_KEY key 1 key-string EIGRPKEY ! interface GigabitEthernet3 ip address 1.1.35.3 255.255.255.0 ip authentication mode eigrp 22 md5 ip authentication key-chain eigrp 22 EIGRP_KEY ---------------------------------------- key chain ISIS_KEY key 1 key-string ISISKEY ! interface GigabitEthernet3 ip address 1.1.35.3 255.255.255.0 ip router isis isis authentication mode md5 isis authentication key-chain ISIS_KEY --------------------------------------------- router bgp 44 neighbor 1.1.1.1 remote-as 44 neighbor 1.1.1.1 password xxxxx --------------------------------------------- If not all routing protocols are configured to authenticate all routing protocol messages using an encrypted HMAC, this is a finding.

Fix text

Configure the Cisco ISR 4000 Series router to use an encrypted HMAC authentication for all routing protocols.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer