4.7.1 Ensure authentication is set to MD5

Information

LDP peers should be authenticated.

Rationale:

Where it is deployed, LDP is vital for normal operation of an MPLS network. LDP is used to determine Label mapping and populate the routers Forwarding Information Base (FIB). An attacker posing as one of the target routers LDP peers may attempt to inject incorrect label information or exploit a vulnerability in the routers LDP implementation to cause an information disclosure or denial of service.

On Juniper routers (as well as routers from other manufacturers such as Cisco or Brocade) it is possible to authenticate LDP sessions using an MD5 digest of elements in LDP messages.

LDP Session Authentication may be configured on a per session or per session-group basis. The Audit Procedure checks for both, however, the remediation procedure is only given for a session-group; as configuration at the session level is deprecated in current versions of JUNOS.

Solution

If you have deployed LDP in your network you should use MD5 authentication for all neighbors.
To configure authentication for a session-group enter the following command from the [edit protocols ldp] hierarchy:

[edit protocols ldp]
user@host#set session-group <Destination IP Address or IP/Mask> authentication-key <key>

Default Value:

LDP is not configured by default.

When LDP sessions are configured, MD5 is the default authentication method when an authentication-key is specified.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: f6dd9d8e414caf0bd07e8ae8b68c791d9040c78a2b3ebf84ba9c225407931668