Check: CISC-RT-000660
Cisco IOS XR Router RTR STIG:
CISC-RT-000660
(in versions v2 r4 through v1 r1)
Title
The Cisco PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm. (Cat II impact)
Discussion
LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, each PE router advertises a virtual circuit label mapping that is used as part of the label stack imposed on the frames by the ingress PE router during packet forwarding. Authentication provides protection against spoofed TCP segments that can be introduced into the LDP sessions.
Check Content
The Cisco router is not compliant with this requirement; hence, it is a finding. However, the severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the configuration example below. mpls ldp router-id 10.1.1.2 neighbor 10.1.1.1 password encrypted xxxxxxxxxxxxxxx neighbor 10.1.2.1 password encrypted xxxxxxxxxxxxxxx If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.
Fix Text
The severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the example below. RP/0/0/CPU0:R3(config)#mpls ldp RP/0/0/CPU0:R3(config-ldp)#neighbor 10.1.1.1 RP/0/0/CPU0:R3(config-ldp)#neighbor password clear xxxxxxxx RP/0/0/CPU0:R3(config-ldp)#neighbor 10.1.2.1 RP/0/0/CPU0:R3(config-ldp)#neighbor password clear xxxxxxxx RP/0/0/CPU0:R3(config-ldp)#commit
Additional Identifiers
Rule ID: SV-216794r878124_rule
Vulnerability ID: V-216794
Group Title: SRG-NET-000343-RTR-000001
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001958 |
The information system authenticates an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection. |
Controls
Number | Title |
---|---|
IA-3 |
Device Identification And Authentication |