Rule ID
SV-269884r1052037_rule
Version
V1R2
CCIs
CCI-001184
If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Some routing protocols allow the use of key chains for authentication. A key chain is a set of keys that is used in succession, with each having a lifetime of no more than 180 days. Changing the keys frequently reduces the risk of them eventually being guessed. Keys cannot be used during time periods for which they are not activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur, and therefore routing updates will fail. Therefore, ensure that for a given key chain, key activation times overlap to avoid any period of time during which no key is activated.
Review the router configuration. Document the date when routing protocol keys were changed and manually change them at least every 180 days. If the routing authentication keys have not been changed in more than 180 days, this is a finding.
Manually change the routing protocol authentication keys. Example: OS10(config)# interface vlan 400 OS10(conf-if-vl-400)# ipv6 ospf 10 area 0.0.0.1 OS10(conf-if-vl-400)# ipv6 ospf authentication ipsec spi 4017 sha1 1234567890123456789012345678901234567890 OS10(conf-if-vl-400)# OS10(conf-if-vl-400)# ip ospf 1 area 0.0.0.1 OS10(conf-if-vl-400)# ip ospf message-digest-key 1 md5 1234567812345678 OS10(conf-if-vl-400)# exit