STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to HP FlexFabric Switch RTR Security Technical Implementation Guide

V-66109

CAT II (Medium)

The HP FlexFabric Switch must enable neighbor authentication for all control plane protocols.

Rule ID

SV-80599r1_rule

STIG

HP FlexFabric Switch RTR Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366, CCI-002205

Discussion

A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network, or merely used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and Multicast-related protocols.

Check Content

Review the HP FlexFabric Switch configuration; for every protocol that affects the routing or forwarding tables (where information is exchanged between neighbors), verify that neighbor HP FlexFabric Switch authentication is enabled.

If neighbor authentication for all router control plane protocols is not configured, this is a finding.

The information below shows OSPF and OSPFv3 authentication is enabled on interface gigabit ethernet 0/0

[HP] display current-configuration interface GigabitEthernet 0/0
#
interface GigabitEthernet0/0
 port link-mode route
 description R1 ACTIVE
 combo enable copper
 ip address 201.6.1.62 255.255.255.252
 ospf authentication-mode md5 1 cipher **********
 ospfv3 200 area 0.0.0.0
 ospfv3 ipsec-profile jitc
 ipv6 address 2115:B:1::3E/126

Fix Text

The following example shows how to configure the network device to authenticate OSPF and OSPFv3 packets with its peers.

OSPF configuration:
[HP] ospf 200
[HP-ospf-200] area 0.0.0.0
[HP-ospf-200-area-0.0.0.0] authentication-mode md5 1 cipher *************
[HP-ospf-200-area-0.0.0.0] network 201.6.1.60 0.0.0.3

OSPFv3 Configuration
[HP] ospfv3 200
[HP-ospf-200] area 0.0.0.0

IPsec profile configuration for OSPFv3
[HP] ipsec profile jitc manual
[HP--ipsec-profile-manual-jitc] transform-set jitcipsecprop
[HP--ipsec-profile-manual-jitc] sa spi inbound esp 256
[HP--ipsec-profile-manual-jitc] sa string-key inbound esp simple 2!HPAdmin123123
[HP--ipsec-profile-manual-jitc] sa spi outbound esp 256
[HP--ipsec-profile-manual-jitc] sa string-key outbound esp simple 2!HPAdmin123123

Interface configuration

interface GigabitEthernet0/0
 port link-mode route
 description R1 ACTIVE
 combo enable copper
 ip address 201.6.1.62 255.255.255.252
 ospf authentication-mode md5 1 cipher $c$3$6v1tbSQA2aWAzrgzm36LZrBbmS+jUeg=
 ospfv3 200 area 0.0.0.0
 ospfv3 ipsec-profile jitc
 ipv6 address 2115:B:1::3E/126