Check: CACI-RT-000023
Cisco ACI Router STIG:
CACI-RT-000023
(in version v1 r0.1)
Title
The BGP Cisco ACI must be configured to use a unique key for each autonomous system (AS) it peers with. (Cat II impact)
Discussion
If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who would know the key used for the eBGP session. This user would then be able to hijack BGP sessions with other trusted neighbors.
Check Content
Review the configuration. Verify the neighbor authentication keys on ACI border leaf switches use a different authentication key for each AS peer. Route maps can also show this view.

```
ip tcp authentication key chain AS100
  key 1 send-id 10 recv-id 10
  key 2 send-id 20 recv-id 20
ip tcp authentication key chain AS200
  key 1 send-id 30 recv-id 30
  key 2 send-id 40 recv-id 40
router bgp 100
  neighbor 10.0.0.1 ao AS100
router bgp 200
  neighbor 10.0.1.1 ao AS200
```

If unique keys are not being used, this is a finding.
Fix Text
Configure unique keys for each AS peered by a Cisco ACI device using TCP-AO by creating separate key chains for each AS, ensuring each key chain contains unique "send-id" and "recv-id" values for the keys within it, and then associating the appropriate key chain with the BGP neighbor configuration for that specific AS. The following is an example:

Step 1: Create key chain for AS100.

```
apic1(config)# ip tcp authentication key chain AS100
apic1(config)# key 1 send-id 10 recv-id 10
apic1(config)# key 2 send-id 20 recv-id 20
```

Step 2: Create key chain for AS 200.

```
apic1(config)# ip tcp authentication key chain AS200
apic1(config)# key 1 send-id 30 recv-id 30
apic1(config)# key 2 send-id 40 recv-id 40
```

Step 3: Configure BGP neighbor with AS100 using key chain AS100.

```
apic1(config)# router bgp 100
apic1(config-router)# neighbor 10.0.0.1 ao AS100
```

Step 4: Configure BGP neighbor with AS 200 using key chain AS200.

```
apic1(config)# router bgp 200
apic1(config-router)# neighbor 10.0.1.1 ao AS200
```
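The check above is easy to automate against a saved configuration. The following is an added example (not part of the STIG and not Cisco's code) that parses the key-chain and BGP neighbor lines in the form shown in the Check Content and reports the two conditions the Fix Text rules out: one key chain attached to neighbors in more than one AS, and two key chains that share send-id/recv-id values. The config text is constructed for the example and the `router bgp <asn>` block is assumed to identify the peer AS, as the check's own sample does.

```python
import re
from collections import defaultdict

# Constructed sample (not from a real fabric): the AS200 neighbor wrongly
# reuses key chain AS100, and chain AS300 reuses AS100's key ids.
SAMPLE_CONFIG = """\
ip tcp authentication key chain AS100
  key 1 send-id 10 recv-id 10
  key 2 send-id 20 recv-id 20
ip tcp authentication key chain AS300
  key 1 send-id 10 recv-id 10
router bgp 100
  neighbor 10.0.0.1 ao AS100
router bgp 200
  neighbor 10.0.1.1 ao AS100
router bgp 300
  neighbor 10.0.2.1 ao AS300
"""

def parse_config(text):
    """Return ({chain: [(send_id, recv_id), ...]}, {asn: [(neighbor, chain), ...]})."""
    chains, peers, ctx = defaultdict(list), defaultdict(list), None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"ip tcp authentication key chain (\S+)", s):
            ctx = ("chain", m.group(1))          # enter a key-chain block
        elif m := re.match(r"router bgp (\d+)", s):
            ctx = ("bgp", int(m.group(1)))      # enter a BGP block (AS of the peer)
        elif ctx and ctx[0] == "chain" and (m := re.match(r"key \d+ send-id (\d+) recv-id (\d+)", s)):
            chains[ctx[1]].append((int(m.group(1)), int(m.group(2))))
        elif ctx and ctx[0] == "bgp" and (m := re.match(r"neighbor (\S+) ao (\S+)", s)):
            peers[ctx[1]].append((m.group(1), m.group(2)))
    return chains, peers

def find_findings(text):
    """List CACI-RT-000023 findings: a key chain shared across ASes, or
    two key chains whose send-id/recv-id pairs overlap."""
    chains, peers = parse_config(text)
    findings, chain_to_as = [], defaultdict(set)
    for asn, nbrs in peers.items():
        for _, chain in nbrs:
            chain_to_as[chain].add(asn)
    for chain, ases in chain_to_as.items():
        if len(ases) > 1:
            findings.append(f"key chain {chain} used for ASes {sorted(ases)}")
    names = sorted(chains)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if shared := set(chains[a]) & set(chains[b]):
                findings.append(f"key chains {a} and {b} share key ids {sorted(shared)}")
    return findings
```

Run it over the page's own Check Content sample and it returns no findings; the constructed sample above yields one finding per violated condition.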
Additional Identifiers
Rule ID: SV-272083r1064486_rule
Vulnerability ID: V-272083
Group Title: SRG-NET-000230-RTR-000002
CCIs
Number | Definition
---|---
CCI-001184 | Protect the authenticity of communications sessions.
Controls
Number | Title
---|---
SC-23 | Session Authenticity