An Infinite Lifetime key must be set to never expire. The lifetime of the key will be configured as infinite for route authentication, if supported by the current approved router software version.

From Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco

Part of An Infinite Lifetime key has not been implemented

SV-7363r3_rule An Infinite Lifetime key must be set to never expire. The lifetime of the key will be configured as infinite for route authentication, if supported by the current approved router software version.

Vulnerability discussion

Only Interior Gateway Protocols (IGPs) use key chains. When configuring authentication for routing protocols that provide key chains, configure two rotating keys with overlapping expiration dates--both with a 180-day or less lifetime. A third key must also be defined with an infinite lifetime. Both of these steps ensure there will always be a key that can be placed into service by all peers. If a time period occurs during which no key is activated, authentication cannot occur; hence, route updates will not occur. The lifetime key should be changed 7 days after successful key rotation and synchronization has occurred with all peers.

Check content

Review the running configuration to determine if key authentication has been defined with an infinite lifetime. If an infinite key has not been configured, this is a finding. OSPFv2 Example interface GigabitEthernet0/1 ip address 10.1.12.2 255.255.255.0 ip ospf authentication key-chain OSPF_KEY key chain OSPF_KEY key 1 key-string WWWWW send-lifetime 16:00:00 Feb 22 2017 16:00:00 Aug 22 2017 accept-lifetime 16:00:00 Feb 22 2017 16:00:00 Aug 22 2017 cryptographic-algorithm hmac-sha-256 key 2 key-string XXXXX send-lifetime 16:00:00 Aug 21 2017 16:00:00 Feb 20 2018 accept-lifetime 16:00:00 Aug 21 2017 16:00:00 Feb 20 2018 cryptographic-algorithm hmac-sha-256 key 99999 key-string YYYYY send-lifetime 15:59:00 Feb 20 2018 infinite accept-lifetime 15:59:00 Feb 20 2018 infinite cryptographic-algorithm hmac-sha-256 Notes: Note: Only Interior Gateway Protocols (IGPs) use key chains. Notes: When using authentication keys, it is imperative the site is in compliance with the NTP policies. The router has to know the time! Notes: Must make this a high number to ensure you have plenty of room to put keys in before it. All subsequent keys will be decremented by one (9998, 9997...).

Fix text

This check is in place to ensure keys do not expire creating a DOS due to adjacencies being dropped and routes being aged out. The recommendation is to use two rotating six month keys with a third key set as infinite lifetime. The lifetime key should be changed 7 days after the rotating keys have expired and redefined.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer