The Nokia Border Gateway Protocol (BGP) router must be configured to use a unique key for each autonomous system (AS) that it peers with.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283884 | NOKI-RT-000670 | SV-283884r1203901_rule | CCI-001184 | medium |
| Description | ||||
| If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. A malicious user could exist in one autonomous system who would know the key used for the eBGP session. This user would then be able to hijack BGP sessions with other trusted neighbors. | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Router Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283884r1203901_chk)
Interview the information system security manager (ISSM) and router administrator to determine if unique keys are being used.
Verify the key-chain is enabled for the BGP protocol using the command below:
- show system security keychain "test" detail
Key chain:test
Description : (Not Specified)
TCP-Option number send : tcp-ao Admin state : Up
TCP-Option number receive : tcp-ao Oper state : Up
Used by : BGP
Expired : No
Key entries for key chain: test
Id : 1 Direction : send-receive
Algorithm : aes-128-cmac-96 Option : none
Admin State : Up RX Valid : Yes
TX Active : Yes Tolerance : 300
Begin Time : 2025/12/28 00:00:00 Begin Time (UTC) : 2025/12/28 00:00:00
End Time : 2026/06/28 00:00:00 End Time (UTC) : 2026/06/28 00:00:00
NOTE: Nokia router is limited to MD5, HMAC-sha-1-96, and AES-128-CMAC-96 for BGP authentication. Configure the router with AES-128-CMAC-96, which will be FIPS compliant once SP 800-224 is finalized. Until then, this is a finding because it is not FIPS compliant but may be downgraded to a CAT III.
If the key-chain is not enabled for the BGP protocol, this is a finding.
Fix Text (F-88354r1203900_fix)
Configure all eBGP routers with unique keys for each eBGP neighbor that it peers with, as shown in the example below:
Configure a key chain:
- configure system security keychain "test" tcp-option-number send tcp-ao
- configure system security keychain "test" tcp-option-number receive tcp-ao
- configure system security keychain "test" direction bi entry 1 key 12345678901 algorithm aes-128-cmac-96 begin-time 2025/12/28 UTC 00:00:00
- configure system security keychain "test" direction bi entry 2 key 12345678901 algorithm aes-128-cmac-96 begin-time 2026/06/28 UTC 00:00:00
Apply the key chain to the BGP neighbor:
- configure router bgp group "eBGP" auth-keychain "test"