The Nokia router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283885 | NOKI-RT-000690 | SV-283885r1203904_rule | CCI-001184 | medium |
| Description | ||||
| If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Some routing protocols allow the use of key chains for authentication. A key chain is a set of keys that is used in succession, with each having a lifetime of no more than 180 days. Changing the keys frequently reduces the risk of them eventually being guessed. Keys cannot be used during time periods for which they are not activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur, and routing updates will fail. Ensure that for a given key chain, key activation times overlap to avoid any period during which no key is activated. | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Router Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283885r1203904_chk)
This requirement is not applicable for the DODIN Backbone.
For each authenticated routing protocol session, review the configured key expiration dates.
Use the command below and verify "Begin Time" between two consecutive entries does not exceed 180 days:
- show system security keychain "test" detail
Key chain:test
Description : (Not Specified)
TCP-Option number send : tcp-ao Admin state : Up
TCP-Option number receive : tcp-ao Oper state : Up
Used by : BGP
Expired : No
Key entries for key chain: test
Id : 1 Direction : send-receive
Algorithm : aes-128-cmac-96 Option : none
Admin State : Up RX Valid : Yes
TX Active : Yes Tolerance : 300
Begin Time : 2025/12/28 00:00:00 Begin Time (UTC) : 2025/12/28 00:00:00
End Time : 2026/06/28 00:00:00 End Time (UTC) : 2026/06/28 00:00:00
NOTE: Nokia router is limited to MD5, HMAC-sha-1-96, and AES-128-CMAC-96 for BGP authentication. Configure the router with AES-128-CMAC-96, which will be FIPS compliant once SP 800-224 is finalized. Until then, this is a finding because it is not FIPS compliant but may be downgraded to a CAT III.
If any key has a lifetime of more than 180 days, this is a finding.
Fix Text (F-88355r1203903_fix)
This requirement is not applicable for the DODIN Backbone.
Configure each key to have a lifetime of no more than 180 days, as shown in the example below:
- configure system security keychain "test" tcp-option-number send tcp-ao
- configure system security keychain "test" tcp-option-number receive tcp-ao
- configure system security keychain "test" direction bi entry 1 key 12345678901 algorithm aes-128-cmac-96 begin-time 2025/12/28 UTC 00:00:00
- configure system security keychain "test" direction bi entry 2 key 12345678901 algorithm aes-128-cmac-96 begin-time 2026/06/28 UTC 00:00:00