Check: CACI-RT-000022
Cisco ACI Router STIG:
CACI-RT-000022
(in version v1 r1)
Title
The Cisco ACI must be configured to implement message authentication and secure communications for all control plane protocols. (Cat II impact)
Discussion
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. This requirement applies to all IPv4 and IPv6 protocols used to exchange routing or packet forwarding information. This includes BGP, RIP, OSPF, EIGRP, IS-IS and LDP.
Check Content
Verify secure communications and message authentication are configured on all control plane protocols.

1. Verify Secure Communication: Navigate to Fabric >> Fabric Policies >> Pod Policies >> Policies >> Management. Verify SSH and SSL protocols are enabled for APIC management.
2. Verify Message Authentication: Navigate to Fabric >> Fabric Policies >> Pod Policies >> Policies >> Interconnect. Verify IPsec for FI communication is enabled.
3. Verify OpFlex for Southbound Communication is set to TLS.
4. Navigate to Fabric >> Fabric Policies >> Pod Policies >> Policies >> Trust Domain. Verify the Trust Domain is enabled and configured.

Verify BGP neighbor authentication keys on Cisco ACI border leaf switches are configured to use a different authentication key for each AS peer.

1. Navigate to Tenants >> All Tenants >> your_tenant >> Networking >> L3Outs >> your_l3out.
2. Expand Logical Node Profiles >> node_profile.
3. Select Logical Interface Profiles >> interface_profile (where the BGP peering is configured).
4. Within the Logical Interface Profile, review the BGP Peer Connectivity Profile for each individual BGP peer.
5. In the BGP Peer Connectivity Profile settings, review the Password to verify each peer has a unique password.

If message authentication and secure communications are not configured for all control plane protocols, this is a finding.
Fix Text
Configure secure communications and message authentication on all control plane protocols.

1. Enable Secure Communication: Navigate to Fabric >> Fabric Policies >> Pod Policies >> Policies >> Management. Enable SSH and SSL protocols for APIC management. Configure the ports used for SSH and SSL connections as needed.
2. Configure Message Authentication: Navigate to Fabric >> Fabric Policies >> Pod Policies >> Policies >> Interconnect. Enable IPsec for FI communication to ensure secure communication between the APIC and the switches. Configure the IPsec parameters, such as the encryption algorithm and authentication method.
3. Configure OpFlex for Southbound Communication to use TLS. Note: OpFlex is a southbound protocol designed to facilitate communications between the SDN controller and the switches and routers.
4. Enable Trust Domain: Navigate to Fabric >> Fabric Policies >> Pod Policies >> Policies >> Trust Domain. Enable the Trust Domain to ensure that only trusted devices can communicate with the APIC. Configure the Trust Domain parameters, such as the certificate authority and the trusted devices.

To configure BGP neighbor authentication keys on Cisco ACI border leaf switches with a different authentication key for each AS peer, configure the BGP Peer Connectivity Profile within the L3Out configuration.

1. In the APIC GUI, go to Tenants >> All Tenants >> your_tenant >> Networking >> L3Outs >> your_l3out.
2. Expand Logical Node Profiles >> node_profile.
3. Select Logical Interface Profiles >> interface_profile (where the BGP peering is configured).
4. Within the Logical Interface Profile, locate or create the BGP Peer Connectivity Profile associated with the peer you want to authenticate. Edit or create a profile.
5. In the BGP Peer Connectivity Profile settings:
   Remote Autonomous System Number: Specify the AS number of the peer.
   Password: Enter the authentication key/password for this specific peer.
   Confirm Password: Re-enter the same password.
   Other settings, such as peer controls, address type controls, and route control profiles, can be adjusted as needed for your BGP peering configuration.
6. Repeat the steps for each peer you need to configure. Create a separate BGP Peer Connectivity Profile for each individual BGP peer, with a different password for each. Ensure the peer devices have the matching authentication key/password configured for successful BGP peering.
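The GUI procedure above maps onto the APIC object model: each BGP Peer Connectivity Profile is a bgpPeerP object (with the remote AS in a bgpAsP child) under the interface path of the Logical Interface Profile. The following Python script is an added illustration, not part of the STIG or of Cisco's tooling. It performs the check the Check Content asks for (every peer has a key, and no two peers share one) before it builds the REST payload, so a reused key is rejected rather than pushed. The DN layout in post_url, the ifInstT value, the APIC hostname and the sample peers are assumptions constructed for the example; adjust them to the fabric being configured.

```python
"""Per-peer BGP authentication for an ACI L3Out: uniqueness check plus APIC payload.

Added example for CACI-RT-000022; class names (bgpPeerP, bgpAsP,
l3extRsPathL3OutAtt) follow the APIC object model, while the DN layout,
the interface path and the sample peers below are assumptions/constructed.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPeer:
    addr: str        # peer address entered in the BGP Peer Connectivity Profile
    remote_asn: int  # Remote Autonomous System Number of the peer
    password: str    # authentication key for this peer only


def check_unique_peer_passwords(peers):
    """Return a list of findings; an empty list means the peers pass.

    Two conditions produce a finding: a peer with no key at all (no message
    authentication) and two peers sharing a key (the fix text requires a
    different key for each AS peer).
    """
    findings = []
    first_user = {}  # password -> address of the peer that first used it
    for peer in peers:
        if not peer.password:
            findings.append(f"{peer.addr} (AS {peer.remote_asn}): no BGP password configured")
            continue
        if peer.password in first_user:
            findings.append(
                f"{peer.addr} (AS {peer.remote_asn}): reuses the key of {first_user[peer.password]}"
            )
        else:
            first_user[peer.password] = peer.addr
    return findings


def bgp_peer_profile(peer):
    """One BGP Peer Connectivity Profile (bgpPeerP) with its remote-AS child (bgpAsP)."""
    return {
        "bgpPeerP": {
            "attributes": {"addr": peer.addr, "password": peer.password},
            "children": [{"bgpAsP": {"attributes": {"asn": str(peer.remote_asn)}}}],
        }
    }


def interface_peers_payload(path_dn, peers):
    """Payload for the interface path (l3extRsPathL3OutAtt) of a Logical Interface
    Profile, carrying one bgpPeerP per peer. Raises ValueError if the uniqueness
    check fails, so a shared or missing key never reaches the APIC.
    """
    findings = check_unique_peer_passwords(peers)
    if findings:
        raise ValueError("; ".join(findings))
    return {
        "l3extRsPathL3OutAtt": {
            "attributes": {"tDn": path_dn, "ifInstT": "l3-port"},  # ifInstT assumed: routed port
            "children": [bgp_peer_profile(p) for p in peers],
        }
    }


def post_url(apic, tenant, l3out, node_profile, if_profile, path_dn):
    """REST URL of the interface path object. The DN layout is an assumption
    modelled on APIC naming (tn-/out-/lnodep-/lifp-/rspathL3OutAtt-[...])."""
    return (f"https://{apic}/api/mo/uni/tn-{tenant}/out-{l3out}/lnodep-{node_profile}"
            f"/lifp-{if_profile}/rspathL3OutAtt-[{path_dn}].json")


# Constructed sample: two eBGP peers on the same border-leaf interface, distinct keys.
SAMPLE_PEERS = [
    BgpPeer("192.0.2.1", 64501, "k3y-for-as64501-only"),
    BgpPeer("192.0.2.5", 64502, "d1fferent-k3y-as64502"),
]

if __name__ == "__main__":
    path = "topology/pod-1/paths-101/pathep-[eth1/1]"  # assumed border-leaf interface path
    print(post_url("apic.example.net", "DEMO", "L3OUT-WAN", "NODE101", "IF-E1-1", path))
    print(json.dumps(interface_peers_payload(path, SAMPLE_PEERS), indent=2))
```

The uniqueness check is a configuration-time control only: the APIC does not return the password attribute on read, so an auditor cannot recover keys from the API to compare them after the fact. Keep the per-peer keys in the same secrets store that generates this payload, and confirm the far-end router carries the matching key before pushing, since a mismatch simply leaves the session down.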
Additional Identifiers
Rule ID: SV-272082r1114265_rule
Vulnerability ID: V-272082
Group Title: SRG-NET-000230-RTR-000001
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001184 | Protect the authenticity of communications sessions. |
Controls
Number | Title |
---|---|
SC-23 | Session Authenticity |