Detections
Analytics
CISC-RT-000660 - The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.
Information
LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, each PE switch advertises a virtual circuit label mapping that is used as part of the label stack imposed on the frames by the ingress PE switch during packet forwarding. Authentication provides protection against spoofed TCP segments that can be introduced into the LDP sessions.NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
The severity level can be downgraded to a category 3 if the switch is configured to authenticate targeted LDP sessions using MD5 as shown in the example below:Step 1: Configure a key chain for LDP sessions.
SW1(config)# key chain LDP_KEY
SW1(config-keychain)# key 1
SW1(config-keychain-key)# key-string xxxxxxxxxxxx
SW1(config-keychain-key)# send-lifetime 00:00:00 Oct 1 2019 23:59:59 Dec 31 2019
SW1(config-keychain-key)# accept-lifetime 00:00:00 Oct 1 2019 01:05:00 Jan 1 2020
SW1(config-keychain-key)# exit
SW1(config-keychain)# exit
Step 2: Configure a prefix lists to identify LDP neighbors.
SW1(config)# ip prefix-list LDP_NBR1 permit 10.1.22.2/32
SW1(config)# ip prefix-list LDP_NBR2 permit 10.1.12.4/32
Step 3: Apply the key chain to the LDP neighbors.
SW1 (config)# mpls ldp configurations
SW1 (config-ldp)# password required for LDP_NBR1
SW1 (config-ldp)# password option 1 for LDP_NBR1 key-chain LDP_KEY
SW1 (config-ldp)# password required for LDP_NBR2
SW1 (config-ldp)# password option 1 for LDP_NBR2 key-chain LDP_KEY
SW1 (config-ldp)# end
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y26M04_STIG.zip
Item Details
Audit Name: DISA Cisco NX OS Switch RTR STIG v3r4
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-3, CAT|II, CCI|CCI-001958, Rule-ID|SV-221120r999729_rule, STIG-ID|CISC-RT-000660, STIG-Legacy|SV-111059, STIG-Legacy|V-101955, Vuln-ID|V-221120
Plugin: Cisco
Control ID: 8350f69ce72443375ff598b9551a3387f701a36de78c0a3e22bc6f4de683bccf