Check: CACI-RT-000022
Cisco ACI Router STIG: CACI-RT-000022 (in version v1 r0.1)
Title
The Cisco ACI must be configured to implement message authentication for all control plane protocols. (Cat II impact)
Discussion
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. This requirement applies to all IPv4 and IPv6 protocols used to exchange routing or packet forwarding information. This includes BGP, RIP, OSPF, EIGRP, IS-IS and LDP.
Check Content
Review the configuration. Verify that the neighbor authentication keys on ACI border leaf switches use a different authentication key for each AS peer. Route maps can also show this view. Example configuration:

```
ip tcp authentication key chain AS100
  key 1 send-id 10 recv-id 10
  key 2 send-id 20 recv-id 20
ip tcp authentication key chain AS200
  key 1 send-id 30 recv-id 30
  key 2 send-id 40 recv-id 40
router bgp 100
  neighbor 10.0.0.1 ao AS100
router bgp 200
  neighbor 10.0.1.1 ao AS200
```

If unique keys are not being used, this is a finding.
Fix Text
Configure unique keys for each AS peered by a Cisco ACI device using TCP-AO by creating separate key chains for each AS, ensuring each key chain contains unique "send-id" and "recv-id" values for the keys within it, and then associating the appropriate key chain with the BGP neighbor configuration for that specific AS. The following is an example:

Step 1: Create key chain for AS100.

```
apic1(config)# ip tcp authentication key chain AS100
apic1(config)# key 1 send-id 10 recv-id 10
apic1(config)# key 2 send-id 20 recv-id 20
```

Step 2: Create key chain for AS 200.

```
apic1(config)# ip tcp authentication key chain AS200
apic1(config)# key 1 send-id 30 recv-id 30
apic1(config)# key 2 send-id 40 recv-id 40
```

Step 3: Configure BGP neighbor with AS100 using key chain AS100.

```
apic1(config)# router bgp 100
apic1(config-router)# neighbor 10.0.0.1 ao AS100
```

Step 4: Configure BGP neighbor with AS 200 using key chain AS200.

```
apic1(config)# router bgp 200
apic1(config-router)# neighbor 10.0.1.1 ao AS200
```
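The check content and fix text above describe a manual review. As an added example (not part of the STIG and not a DISA or Cisco tool), the following Python script automates that review against a saved configuration: it parses the `ip tcp authentication key chain` blocks and the `neighbor ... ao` statements, then reports a finding when a key chain is shared by more than one AS, when a chain reuses a send-id or recv-id across its keys, or when a neighbor references an undefined chain. The two sample configurations are constructed from the example in the check content; the line patterns assume the same statement syntax shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample input: the compliant configuration quoted in the check content.
COMPLIANT_CONFIG = """\
ip tcp authentication key chain AS100
  key 1 send-id 10 recv-id 10
  key 2 send-id 20 recv-id 20
ip tcp authentication key chain AS200
  key 1 send-id 30 recv-id 30
  key 2 send-id 40 recv-id 40
router bgp 100
  neighbor 10.0.0.1 ao AS100
router bgp 200
  neighbor 10.0.1.1 ao AS200
"""

# Constructed non-compliant variant: one key chain is shared by both AS peers,
# and that chain reuses send-id 10 for two different keys.
NONCOMPLIANT_CONFIG = """\
ip tcp authentication key chain SHARED
  key 1 send-id 10 recv-id 10
  key 2 send-id 10 recv-id 20
router bgp 100
  neighbor 10.0.0.1 ao SHARED
router bgp 200
  neighbor 10.0.1.1 ao SHARED
"""

# Line patterns for the four statement types the check looks at (syntax as shown on the page).
KEYCHAIN_RE = re.compile(r"^\s*ip tcp authentication key chain (\S+)\s*$")
KEY_RE = re.compile(r"^\s*key (\d+) send-id (\d+) recv-id (\d+)\s*$")
BGP_RE = re.compile(r"^\s*router bgp (\d+)\s*$")
NEIGHBOR_RE = re.compile(r"^\s*neighbor (\S+) ao (\S+)\s*$")


def parse_config(text):
    """Extract TCP-AO key chains and the BGP neighbors that reference them.

    Returns (keychains, neighbors) where
      keychains: {chain_name: [(key_id, send_id, recv_id), ...]}
      neighbors: [(local_as, neighbor_ip, chain_name), ...] in config order
    """
    keychains = {}
    neighbors = []
    chain = None      # key chain block we are currently inside, if any
    local_as = None   # 'router bgp' block we are currently inside, if any
    for line in text.splitlines():
        if m := KEYCHAIN_RE.match(line):
            chain, local_as = m.group(1), None
            keychains.setdefault(chain, [])
        elif m := KEY_RE.match(line):
            if chain is None:
                raise ValueError(f"'key' statement outside a key chain: {line.strip()}")
            keychains[chain].append(tuple(int(g) for g in m.groups()))
        elif m := BGP_RE.match(line):
            local_as, chain = m.group(1), None
        elif m := NEIGHBOR_RE.match(line):
            if local_as is None:
                raise ValueError(f"'neighbor' statement outside router bgp: {line.strip()}")
            neighbors.append((local_as, m.group(1), m.group(2)))
    return keychains, neighbors


def find_findings(text):
    """Apply the CACI-RT-000022 check; an empty list means no finding."""
    keychains, neighbors = parse_config(text)
    findings = []
    if not neighbors:
        findings.append("no BGP neighbor is configured with a TCP-AO key chain")

    # Each AS peer must use its own key chain.
    users = defaultdict(set)
    for local_as, ip, chain in neighbors:
        if chain not in keychains:
            findings.append(f"neighbor {ip} references undefined key chain {chain}")
        users[chain].add(local_as)
    for chain, ases in users.items():
        if len(ases) > 1:
            findings.append(f"key chain {chain} is shared by AS {', '.join(sorted(ases))}")

    # Within a chain, send-id and recv-id values must be unique across its keys.
    for chain, keys in keychains.items():
        if not keys:
            findings.append(f"key chain {chain} defines no keys")
        for label, idx in (("send-id", 1), ("recv-id", 2)):
            seen, dups = set(), set()
            for k in keys:
                (dups if k[idx] in seen else seen).add(k[idx])
            if dups:
                findings.append(f"key chain {chain} reuses {label} values {sorted(dups)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("non-compliant", NONCOMPLIANT_CONFIG)):
        result = find_findings(cfg)
        print(f"{name}: {'no finding' if not result else result}")
```

Run it against a text export of the running configuration (for example the output of a `show running-config`), replacing the constructed samples; any non-empty result corresponds to the "this is a finding" condition in the check content. The script only inspects key-chain identity and ID uniqueness, which is what the check asks for; it does not and cannot verify the secret key material itself.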
Additional Identifiers
Rule ID: SV-272082r1064485_rule
Vulnerability ID: V-272082
Group Title: SRG-NET-000230-RTR-000001
CCIs
Number | Definition |
---|---|
CCI-001184 | Protect the authenticity of communications sessions. |
Controls
Number | Title |
---|---|
SC-23 | Session Authenticity |