Check: RCKS-RTR-000540
RUCKUS ICX Router STIG:
RCKS-RTR-000540
(in version v1 r1)
Title
The RUCKUS ICX router must be configured to implement message authentication for all control plane protocols. (Cat II impact)
Discussion
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. This requirement applies to all IPv4 and IPv6 protocols used to exchange routing or packet forwarding information. This includes BGP, RIP, OSPF, EIGRP, IS-IS, and LDP.
Check Content
Review the router configuration. Verify neighbor router authentication is enabled for all routing protocols. The configuration examples below depict OSPF and BGP authentication.

OSPF:

keychain mykeychain
 key-id 1
  password 2 $b2I9LT0tQGk2Mg==
  authentication-algorithm hmac-sha-256
  send-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
  accept-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
!
interface ethernet 1/1/1
 ip address x.x.x.x x.x.x.x
 ip ospf area 0
 ip ospf authentication keychain mykeychain
!

BGP:

keychain mykeychain tcp
 key-id 1
  password 2 $Nlx9UyEtLVNiVSEtbn0ic24tfWJuVW4=
  authentication-algorithm aes-128-cmac
  send-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
  accept-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
  no accept-ao-mismatch
  send-id 1
  recv-id 1
!
!
router bgp
 local-as 1001
 neighbor x.0.0.1 remote-as 10
 neighbor x.0.0.1 ao mykeychain

If authentication is not enabled on all routing protocols, this is a finding.
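The check above is a manual configuration review. The script below is an added example (not part of the STIG or of any RUCKUS tooling) that automates the same review over saved running-config text: it collects the keychain definitions, then reports every OSPF-enabled interface without `ip ospf authentication keychain` and every BGP neighbor without a `neighbor <peer> ao <keychain>` line, plus any keychain referenced but never defined. The parsing rules (indented child lines under a top-level stanza, `!` closing a stanza) and the sample configuration with documentation addresses are assumptions constructed for the example; confirm them against real `show running-config` output before relying on the result.

```python
"""Automated review for the RCKS-RTR-000540 check: every OSPF-enabled
interface and every BGP neighbor must use keychain authentication.

Parsing assumptions (indented child lines under a top-level stanza, '!'
as a stanza terminator) are assumptions about ICX running-config text.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample running-config modelled on the STIG's own examples.
# One interface and two neighbors are deliberately non-compliant so the
# checker has findings to report.
SAMPLE_CONFIG = """\
keychain ospfchain
 key-id 1
  password 2 $b2I9LT0tQGk2Mg==
  authentication-algorithm hmac-sha-256
  send-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
  accept-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
!
keychain bgpchain tcp
 key-id 1
  password 2 $Nlx9UyEtLVNiVSEtbn0ic24tfWJuVW4=
  authentication-algorithm aes-128-cmac
  no accept-ao-mismatch
  send-id 1
  recv-id 1
!
interface ethernet 1/1/1
 ip address 192.0.2.1 255.255.255.0
 ip ospf area 0
 ip ospf authentication keychain ospfchain
!
interface ethernet 1/1/2
 ip address 192.0.2.5 255.255.255.252
 ip ospf area 0
!
router bgp
 local-as 1001
 neighbor 198.51.100.1 remote-as 10
 neighbor 198.51.100.1 ao bgpchain
 neighbor 198.51.100.2 remote-as 20
 neighbor 198.51.100.3 remote-as 30
 neighbor 198.51.100.3 ao missingchain
!
"""


def parse_stanzas(config: str) -> List[Tuple[str, List[str]]]:
    """Split config text into (header, [child lines]) pairs.

    A line with no leading whitespace starts a new stanza, indented lines
    belong to the most recent header, and '!' closes the current stanza."""
    stanzas: List[Tuple[str, List[str]]] = []
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.strip() == "!":
            if header is not None:
                stanzas.append((header, children))
            header, children = None, []
        elif raw[0].isspace():
            if header is not None:
                children.append(raw.strip())
        else:
            if header is not None:
                stanzas.append((header, children))
            header, children = raw.strip(), []
    if header is not None:
        stanzas.append((header, children))
    return stanzas


def audit_routing_auth(config: str) -> List[str]:
    """Return the list of findings; an empty list means no finding."""
    findings: List[str] = []
    keychains: Dict[str, str] = {}  # keychain name -> authentication algorithm
    stanzas = parse_stanzas(config)

    # First pass: record every keychain and the algorithm it uses.
    for header, children in stanzas:
        m = re.match(r"keychain\s+(\S+)", header)
        if m:
            algo = next((c.split()[-1] for c in children
                         if c.startswith("authentication-algorithm")), "unset")
            keychains[m.group(1)] = algo

    def require_keychain(owner: str, name: str) -> None:
        if name not in keychains:
            findings.append(f"{owner}: references undefined keychain '{name}'")

    # Second pass: OSPF interfaces and BGP neighbors must each bind a keychain.
    for header, children in stanzas:
        if header.startswith("interface"):
            if any(c.startswith("ip ospf area") for c in children):
                bound = [c.split()[-1] for c in children
                         if c.startswith("ip ospf authentication keychain")]
                if not bound:
                    findings.append(f"{header}: OSPF enabled without keychain authentication")
                else:
                    require_keychain(header, bound[0])
        elif header.startswith("router bgp"):
            peers = {c.split()[1] for c in children
                     if re.match(r"neighbor\s+\S+\s+remote-as", c)}
            ao = {c.split()[1]: c.split()[3] for c in children
                  if re.match(r"neighbor\s+\S+\s+ao\s+\S+", c)}
            for peer in sorted(peers):
                if peer not in ao:
                    findings.append(f"router bgp: neighbor {peer} has no TCP-AO keychain")
                else:
                    require_keychain(f"router bgp neighbor {peer}", ao[peer])
    return findings


if __name__ == "__main__":
    for line in audit_routing_auth(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run against the constructed sample, the script reports the unauthenticated OSPF interface `ethernet 1/1/2`, the BGP neighbor with no `ao` binding, and the neighbor bound to a keychain that is never defined; on a compliant configuration it returns an empty list, which maps directly to "not a finding" for this check. Feed it the output of `show running-config` saved to a file to review a real device.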
Fix Text
Configure authentication for routing protocols:

OSPF:

ICX(config)# keychain mykeychain
ICX(config-keychain-mykeychain)# key 1
ICX(config-keychain-mykeychain-key-1)# authentication-algorithm hmac-sha-256
ICX(config-keychain-mykeychain-key-1)# password pw_for_mykeychain
ICX(config-keychain-mykeychain-key-1)# send-id 1
ICX(config-keychain-mykeychain-key-1)# recv-id 1
ICX(config-keychain-mykeychain-key-1)# accept-lifetime start 03-05-24 10:10:10 end 15552000
ICX(config-keychain-mykeychain-key-1)# send-lifetime start 03-05-24 10:10:10 end 09-01-24 10:10:10
ICX(config)# router ospf
ICX(config-ospf-router)# area 0
ICX(config-ospf-router)# interface ethernet 1/1/1
ICX(config-if-e1000-1/1/1)# ip ospf area 0
ICX(config-if-e1000-1/1/1)# ip ospf authentication keychain mykeychain

BGP:

ICX(config)# keychain mykeychain
ICX(config-keychain-tcp-mykeychain)# key 1
ICX(config-keychain-tcp-mykeychain-key-1)# authentication-algorithm aes-128-cmac
ICX(config-keychain-tcp-mykeychain-key-1)# password pw_for_mykeychain1
ICX(config-keychain-tcp-mykeychain-key-1)# no accept-ao-mismatch
ICX(config-keychain-tcp-mykeychain-key-1)# include-tcp-options
ICX(config-keychain-tcp-mykeychain-key-1)# send-id 1
ICX(config-keychain-tcp-mykeychain-key-1)# recv-id 1
ICX(config-keychain-tcp-mykeychain-key-1)# accept-lifetime start 03-05-24 10:10:10 end 15552000
! above for 180 days (in sec)
ICX(config-keychain-tcp-mykeychain-key-1)# send-lifetime start 03-05-24 10:10:10 end 09-01-24 10:10:10
ICX(config)# router bgp
ICX(config-bgp-router)# local-as 1001
ICX(config-bgp-router)# neighbor x.0.0.1 remote-as 10
ICX(config-bgp-router)# neighbor x.0.0.1 ao mykeychain
Additional Identifiers
Rule ID: SV-273621r1110930_rule
Vulnerability ID: V-273621
Group Title: SRG-NET-000230-RTR-000001
Expert Comments
CCIs
Number | Definition
---|---
CCI-001184 | Protect the authenticity of communications sessions.
Controls
Number | Title
---|---
SC-23 | Session Authenticity