An error occurred:

Check: CACI-RT-000017

Cisco ACI Router STIG: CACI-RT-000017 (in version v1 r0.1)

Title

The Cisco ACI must be configured to use encryption for routing protocol authentication. (Cat II impact)

Discussion

A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack. This requirement applies to all IPv4 and IPv6 protocols used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and multicast-related protocols. To configure a Cisco ACI to use encryption for routing protocol authentication, set up a "pre-shared key" (PSK) on the APIC, which will then be used to generate encryption keys for the routing protocol authentication process, essentially encrypting the authentication messages exchanged between switches within the fabric. This feature is typically referred to as "CloudSec Encryption" within the ACI platform.

Check Content

Verify PSKs are configured: apic1(config-cloudsec)# show cloudsec summary If PSKs are not configured to use encryption for routing protocol authentication, this is a finding.

Fix Text

Configure one or more PSKs used to generate encryption keys for the routing protocol authentication process: apic1(config)# template cloudsec default apic1(config-cloudsec)# sakexpirytime__<duration>__ apic1(config-cloudsec)# pskindex__<psk-index>__ apic1(config-cloudsec)# pskstring__<psk-string>__

Additional Identifiers

Rule ID: SV-272077r1064584_rule

Vulnerability ID: V-272077

Group Title: SRG-NET-000168-RTR-000077

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000803

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-7

Cryptographic Module Authentication