V-221073

Discussion

If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Some routing protocols allow the use of key chains for authentication. A key chain is a set of keys that is used in succession, with each having a lifetime of no more than 180 days. Changing the keys frequently reduces the risk of them eventually being guessed. Keys cannot be used during time periods for which they are not activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur, and therefore routing updates will fail. Therefore, ensure that for a given key chain, key activation times overlap to avoid any period of time during which no key is activated.

Check Content

Review the start times for each key within the configured key chains used for routing protocol authentication as shown in the example below:

key chain OSPF_KEY
 key 1
 key-string 7 070d2e4e4c10
 accept-lifetime 00:00:00 Oct 01 2019 01:05:00 Jan 01 2020
 send-lifetime 00:00:00 Oct 01 2019 23:59:59 Dec 31 2019
 key 2
 key-string 7 0704205e4b07
 accept-lifetime 23:55:00 Dec 31 2019 01:05:00 Apr 01 2020
 send-lifetime 00:00:00 Jan 01 2020 23:59:59 Mar 31 2020

Note: Key chains must be configured to authenticate routing protocol messages as it is the only way to set an expiration.

If any key has a lifetime of more than 180 days, this is a finding.