
V-273621

CAT II (Medium)

The RUCKUS ICX router must be configured to implement message authentication for all control plane protocols.

Rule ID

SV-273621r1110930_rule

STIG

RUCKUS ICX Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001184

Discussion

A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. This requirement applies to all IPv4 and IPv6 protocols used to exchange routing or packet forwarding information. This includes BGP, RIP, OSPF, EIGRP, IS-IS, and LDP.

Check Content

Review the router configuration. Verify neighbor router authentication is enabled for all routing protocols. The configuration examples below depict OSPF and BGP authentication.

OSPF:

keychain mykeychain
 key-id 1
  password 2 $b2I9LT0tQGk2Mg==
  authentication-algorithm hmac-sha-256
  send-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
  accept-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
 !

interface ethernet 1/1/1
 ip address x.x.x.x x.x.x.x
 ip ospf area 0
 ip ospf authentication keychain mykeychain
!

BGP:

keychain mykeychain tcp
 key-id 1
  password 2 $Nlx9UyEtLVNiVSEtbn0ic24tfWJuVW4=
  authentication-algorithm aes-128-cmac
  send-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
  accept-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
  no accept-ao-mismatch
  send-id 1
  recv-id 1
 !
!
router bgp
 local-as 1001
 neighbor x.0.0.1 remote-as 10
 neighbor x.0.0.1 ao mykeychain

If authentication is not enabled on all routing protocols, this is a finding.
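As an added example (not code from STIGhub, DISA or RUCKUS), the following Python auditor applies this check to a saved show-run: it parses the keychain, interface and router bgp blocks in the layout shown above and reports any OSPF interface with no keychain binding, any BGP neighbor with no TCP-AO (ao) keychain, and any binding that names a keychain the config never defines. The indentation-based parsing, the SAMPLE config and the 192.0.2.1 address are assumptions constructed for the example.

```python
import re

def parse_blocks(config):
    """Group show-run text into (header, [indented child lines]); '!' separators are dropped."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if line and line != "!":
            if raw[0] == " " and blocks:
                blocks[-1][1].append(line)
            else:
                blocks.append((line, []))
    return blocks

def audit(config):
    """Return findings for V-273621; an empty list means every OSPF interface and BGP peer is authenticated."""
    blocks = parse_blocks(config)
    # 'keychain NAME' serves OSPF; 'keychain NAME tcp' is a TCP-AO keychain usable by BGP 'ao'
    chains = {(m[1], "tcp" if m[2] else "generic")
              for hdr, _ in blocks if (m := re.match(r"keychain (\S+)( tcp)?$", hdr))}
    findings = []
    for hdr, body in blocks:
        if hdr.startswith("interface") and any(l.startswith("ip ospf area") for l in body):
            kc = [l.split()[-1] for l in body if l.startswith("ip ospf authentication keychain")]
            if not kc:
                findings.append(f"{hdr}: OSPF enabled without keychain authentication")
            elif (kc[0], "generic") not in chains:
                findings.append(f"{hdr}: undefined keychain '{kc[0]}'")
        elif hdr.startswith("router bgp"):
            ao = {l.split()[1]: l.split()[3] for l in body if re.match(r"neighbor \S+ ao \S+$", l)}
            for peer in (l.split()[1] for l in body if re.match(r"neighbor \S+ remote-as", l)):
                if peer not in ao:
                    findings.append(f"bgp neighbor {peer}: no TCP-AO keychain configured")
                elif (ao[peer], "tcp") not in chains:
                    findings.append(f"bgp neighbor {peer}: undefined tcp keychain '{ao[peer]}'")
    return findings

# Constructed sample mirroring the Check Content above; key-id/password lines omitted for brevity.
SAMPLE = """keychain mykeychain
  authentication-algorithm hmac-sha-256
keychain mykeychain tcp
  authentication-algorithm aes-128-cmac
interface ethernet 1/1/1
 ip ospf area 0
 ip ospf authentication keychain mykeychain
router bgp
 neighbor 192.0.2.1 remote-as 10
 neighbor 192.0.2.1 ao mykeychain
"""
```

Feed `audit()` the text of `show running-config`; any non-empty result is a finding under this rule.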

Fix Text

Configure authentication for routing protocols:

OSPF:

ICX(config)# keychain mykeychain
ICX(config-keychain-mykeychain)# key 1
ICX(config-keychain-mykeychain-key-1)# authentication-algorithm hmac-sha-256
ICX(config-keychain-mykeychain-key-1)# password pw_for_mykeychain
ICX(config-keychain-mykeychain-key-1)# send-id 1
ICX(config-keychain-mykeychain-key-1)# recv-id 1
ICX(config-keychain-mykeychain-key-1)# accept-lifetime start 03-05-24 10:10:10 end 15552000
ICX(config-keychain-mykeychain-key-1)# send-lifetime start 03-05-24 10:10:10 end 09-01-24 10:10:10

ICX(config)#router ospf
ICX(config-ospf-router)#area 0

ICX(config-ospf-router)#interface ethernet 1/1/1
ICX(config-if-e1000-1/1/1)#ip ospf area 0

ICX(config-if-e1000-1/1/1)#ip ospf authentication keychain mykeychain

BGP:

ICX(config)# keychain mykeychain tcp
ICX(config-keychain-tcp-mykeychain)# key 1
ICX(config-keychain-tcp-mykeychain-key-1)# authentication-algorithm aes-128-cmac
ICX(config-keychain-tcp-mykeychain-key-1)# password pw_for_mykeychain1
ICX(config-keychain-tcp-mykeychain-key-1)# no accept-ao-mismatch
ICX(config-keychain-tcp-mykeychain-key-1)# include-tcp-options
ICX(config-keychain-tcp-mykeychain-key-1)# send-id 1
ICX(config-keychain-tcp-mykeychain-key-1)# recv-id 1
ICX(config-keychain-tcp-mykeychain-key-1)# accept-lifetime start 03-05-24 10:10:10 end 15552000
  ! above for 180 days (in sec)
ICX(config-keychain-tcp-mykeychain-key-1)# send-lifetime start 03-05-24 10:10:10 end 09-01-24 10:10:10

ICX(config)# router bgp
ICX(config-bgp-router)# local-as 1001
ICX(config-bgp-router)# neighbor x.0.0.1 remote-as 10
ICX(config-bgp-router)#neighbor x.0.0.1 ao mykeychain