The HP FlexFabric Switch must enable neighbor authentication for all control plane protocols.

From HP FlexFabric Switch RTR Security Technical Implementation Guide

Part of SRG-NET-000025-RTR-000020

Associated with: CCI-000366 CCI-002205

SV-80599r1_rule The HP FlexFabric Switch must enable neighbor authentication for all control plane protocols.

Vulnerability discussion

A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network, or merely used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates.This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and Multicast-related protocols.

Check content

Review the HP FlexFabric Switch configuration; for every protocol that affects the routing or forwarding tables (where information is exchanged between neighbors), verify that neighbor HP FlexFabric Switch authentication is enabled. If neighbor authentication for all router control plane protocols is not configured, this is a finding. The information below shows OSPF and OSPFv3 authentication is enabled on interface gigabit ethernet 0/0 [HP] display current-configuration interface GigabitEthernet 0/0 # interface GigabitEthernet0/0 port link-mode route description R1 ACTIVE combo enable copper ip address 201.6.1.62 255.255.255.252 ospf authentication-mode md5 1 cipher ********** ospfv3 200 area 0.0.0.0 ospfv3 ipsec-profile jitc ipv6 address 2115:B:1::3E/126

Fix text

The following example shows how to configure the network device to authenticate OSPF and OSPFv3 packets with its peers. OSPF configuration: [HP] ospf 200 [HP-ospf-200] area 0.0.0.0 [HP-ospf-200-area-0.0.0.0] authentication-mode md5 1 cipher ************* [HP-ospf-200-area-0.0.0.0] network 201.6.1.60 0.0.0.3 OSPFv3 Configuration [HP] ospfv3 200 [HP-ospf-200] area 0.0.0.0 IPsec profile configuration for OSPFv3 [HP] ipsec profile jitc manual [HP--ipsec-profile-manual-jitc] transform-set jitcipsecprop [HP--ipsec-profile-manual-jitc] sa spi inbound esp 256 [HP--ipsec-profile-manual-jitc] sa string-key inbound esp simple 2!HPAdmin123123 [HP--ipsec-profile-manual-jitc] sa spi outbound esp 256 [HP--ipsec-profile-manual-jitc] sa string-key outbound esp simple 2!HPAdmin123123 Interface configuration interface GigabitEthernet0/0 port link-mode route description R1 ACTIVE combo enable copper ip address 201.6.1.62 255.255.255.252 ospf authentication-mode md5 1 cipher $c$3$6v1tbSQA2aWAzrgzm36LZrBbmS+jUeg= ospfv3 200 area 0.0.0.0 ospfv3 ipsec-profile jitc ipv6 address 2115:B:1::3E/126

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer