Title

The RUCKUS ICX router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages. (Cat II impact)

Discussion

If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Some routing protocols allow the use of key chains for authentication. A key chain is a set of keys used in succession, with each having a lifetime of no more than 180 days. Changing the keys frequently reduces the risk of them eventually being guessed. Keys cannot be used during time periods for which they are not activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur, and therefore routing updates will fail. Therefore, ensure that for a given key chain, key activation times overlap to avoid any period of time during which no key is activated.

Check Content

This requirement is not applicable for the DODIN Backbone. Review the start times for each key within the configured key chains used for routing protocol authentication as shown in the example below: keychain OSPF_KEY_CHAIN key-id 1 password xxxxxxx send-lifetime start 03-05-24 00:00:00 end 09-01-24 00:00:00 accept-lifetime start 03-05-24 00:00:00 end 09-01-24 00:00:00 interface ethernet 1/1/1 ip ospf area 0 ip ospf authentication keychain OSPF_KEY_CHAIN Note: Keychains must be configured to authenticate routing protocol messages as it is the only way to set an expiration. If any key has a lifetime of more than 180 days, this is a finding.

Fix Text

This requirement is not applicable for the DODIN Backbone. For each authenticated routing protocol session, configure each key to have a lifetime of no more than 180 days. ICX(config)# keychain mykeychain ICX(config-keychain-mykeychain)# key 1 ICX(config-keychain-mykeychain-key-1)# authentication-algorithm hmac-sha-256 ICX(config-keychain-mykeychain-key-1)# password pw_for_mykeychain ICX(config-keychain-mykeychain-key-1)# send-id 1 ICX(config-keychain-mykeychain-key-1)# recv-id 1 ICX(config-keychain-mykeychain-key-1)# accept-lifetime start 03-05-24 10:10:10 end 15552000 !!! 15552000 seconds = 180 days ICX(config-keychain-mykeychain-key-1)# send-lifetime start 03-05-24 10:10:10 end 09-01-24 10:10:10 ICX(config-ospf-router)#interface ethernet 1/1/1 ICX(config-vif-12)#ip ospf area 0 ICX(config-vif-12)#ip ospf authentication keychain mykeychain

Additional Identifiers

Rule ID: SV-273623r1110932_rule

Vulnerability ID: V-273623

Group Title: SRG-NET-000230-RTR-000003

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.