4.6.2 Ensure BFD Authentication is Not Set to Loose-Check

Information

BFD Peers should be authenticated.

Rationale:

Bidirectional Forwarding Detection (BFD) is a Forwarding Plane feature which allows more rapid detection of a failed neighbor than can be achieved through a routing protocol's normal detection mechanisms, providing faster reconvergence.

If no authentication is used, an attacker may replay or spoof BFD messages to destabilize a network and/or prevent proper reconvergence, resulting in a Denial of Service.

JUNOS supports a Loose Authentication Check mechanism, which is intended for use when transitioning from unauthenticated BFD to authenticated BFD implementations or when changing Shared Secret Keys.

When Loose Authentication Checking is enabled, the JUNOS Device will produce authenticated BFD packets, but will not check the authentication of packets it receives from its peer. While it is enabled, the JUNOS Device is effectively as unprotected as when authentication is not configured at all.

BFD Sessions should never be configured with the authentication loose-check option in a production network, with the exception of short transition periods while updating/replacing keys.

Impact:

BFD Authentication must be configured to use the same Key and Algorithm on all neighbors/peers with which the session will be used. A mismatch will result in the BFD session failing and related routes being declared unreachable.

BFD Authentication with the meticulous-keyed-sha-1 and meticulous-keyed-md5 algorithms should not be used in conjunction with NSR and GRES. Failover between Routing Engines will cause Authentication to fail.

NOTE: BFD does not appear to be configured on the target. This check is not applicable.

Solution

If you have deployed BFD with Loose Authentication Checking, it can be disabled by deleting the loose-check statement from the appropriate [.* bfd-liveness-detection] hierarchy. In this example we are configuring BFD Authentication for BGP:

[edit protocols bgp bfd-liveness-detection]
user@host# delete authentication loose-check

BFD may be configured at a wide variety of configuration hierarchies, for different Protocols, Routing Instances or even for Static Routes. The bfd-liveness-detection hierarchy is the same at each level it is used, so the Remediation Process is the same and should be applied at each hierarchy indicated in the Audit Procedure.
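Because the bfd-liveness-detection hierarchy recurs under many parents, an audit has to look at every occurrence rather than one protocol. The following is an added example, not part of the benchmark or any Juniper tooling: it reads a Junos configuration in "display set" format (an assumption about the input), groups statements by the hierarchy that carries bfd-liveness-detection, flags any that sets authentication loose-check or has no authentication at all, and emits the matching delete command for each failing hierarchy. The configuration text is constructed for illustration.

```python
from typing import Dict, List

# Constructed sample of a Junos configuration in "show configuration | display set"
# form. It is illustrative only, not taken from the benchmark or a real device.
SAMPLE_CONFIG = """
set protocols bgp group ebgp-peers bfd-liveness-detection minimum-interval 300
set protocols bgp group ebgp-peers bfd-liveness-detection authentication key-chain bfd-keys
set protocols bgp group ebgp-peers bfd-liveness-detection authentication algorithm keyed-sha-1
set protocols bgp group ebgp-peers bfd-liveness-detection authentication loose-check
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 bfd-liveness-detection minimum-interval 300
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 bfd-liveness-detection authentication key-chain bfd-keys
set protocols isis interface ge-0/0/1.0 bfd-liveness-detection minimum-interval 300
set routing-options static route 10.0.0.0/8 bfd-liveness-detection authentication key-chain bfd-keys
set routing-options static route 10.0.0.0/8 bfd-liveness-detection authentication loose-check
set routing-instances CUST-A protocols bgp group peers bfd-liveness-detection authentication key-chain bfd-keys
"""

BFD = "bfd-liveness-detection"


def bfd_hierarchies(config: str) -> Dict[str, List[str]]:
    """Map each hierarchy that carries bfd-liveness-detection to the statements under it."""
    found: Dict[str, List[str]] = {}
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("set ") or BFD not in line:
            continue
        # Everything before " bfd-liveness-detection" is the parent hierarchy.
        parent, _, rest = line[4:].partition(f" {BFD}")
        found.setdefault(parent, []).append(rest.strip())
    return found


def audit_loose_check(config: str) -> Dict[str, str]:
    """Return per-hierarchy status: 'loose-check', 'unauthenticated' or 'ok'."""
    result: Dict[str, str] = {}
    for hierarchy, stmts in bfd_hierarchies(config).items():
        if any(s.startswith("authentication loose-check") for s in stmts):
            result[hierarchy] = "loose-check"      # sends auth, never verifies it
        elif not any(s.startswith("authentication ") for s in stmts):
            result[hierarchy] = "unauthenticated"  # peers not authenticated at all
        else:
            result[hierarchy] = "ok"
    return result


def remediation_commands(config: str) -> List[str]:
    """One 'delete ... authentication loose-check' per failing hierarchy, sorted."""
    return [f"delete {h} {BFD} authentication loose-check"
            for h, status in sorted(audit_loose_check(config).items())
            if status == "loose-check"]
```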

Default Value:

No BFD is configured by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|11

Plugin: Juniper

Control ID: 3b0b804fdad482e365b7f566052a429e240351d04198eff4e9ce5f5e0a0e6a94