The RUCKUS ICX router must be configured to implement message authentication for all control plane protocols.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-273621 | RCKS-RTR-000540 | SV-273621r1110930_rule | CCI-001184 | medium |

Description

A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a "traffic attraction attack" and is prevented by configuring neighbor router authentication for routing updates. This requirement applies to all IPv4 and IPv6 protocols used to exchange routing or packet forwarding information. This includes BGP, RIP, OSPF, EIGRP, IS-IS, and LDP.

| STIG | Date |
|---|---|
| RUCKUS ICX Router Security Technical Implementation Guide | 2025-06-03 |
Details
Check Text (C-273621r1110930_chk)
Review the router configuration. Verify neighbor router authentication is enabled for all routing protocols. The configuration examples below depict OSPF and BGP authentication.
OSPF:
keychain mykeychain
key-id 1
password 2 $b2I9LT0tQGk2Mg==
authentication-algorithm hmac-sha-256
send-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
accept-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
!
interface ethernet 1/1/1
ip address x.x.x.x x.x.x.x
ip ospf area 0
ip ospf authentication keychain mykeychain
!
BGP:
keychain mykeychain tcp
key-id 1
password 2 $Nlx9UyEtLVNiVSEtbn0ic24tfWJuVW4=
authentication-algorithm aes-128-cmac
send-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
accept-lifetime start 03-05-2024 00:00:00 end 09-01-2024 00:00:00
no accept-ao-mismatch
send-id 1
recv-id 1
!
!
router bgp
local-as 1001
neighbor x.0.0.1 remote-as 10
neighbor x.0.0.1 ao mykeychain
If authentication is not enabled on all routing protocols, this is a finding.
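As an added example (not part of the STIG), a Python checker that applies the check above to a saved running-config: it parses the `keychain`, `interface` and `router bgp` blocks and reports any OSPF-enabled interface or BGP neighbor that does not reference a defined keychain. The block layout it expects is the one shown in the check text; the sample configuration and its IP addresses are constructed.

```python
import re

# Constructed sample config in the check text's layout; interface 1/1/2 and neighbor 10.0.0.2 lack a keychain.
SAMPLE_CONFIG = """\
keychain mykeychain
  authentication-algorithm hmac-sha-256
keychain mykeychain tcp
  authentication-algorithm aes-128-cmac
!
interface ethernet 1/1/1
 ip ospf area 0
 ip ospf authentication keychain mykeychain
interface ethernet 1/1/2
 ip ospf area 0
!
router bgp
 neighbor 10.0.0.1 remote-as 10
 neighbor 10.0.0.1 ao mykeychain
 neighbor 10.0.0.2 remote-as 20
"""

def parse_blocks(config):
    # Split the config into (header, body lines); '!' or the next header closes a block.
    blocks, cur = [], None
    for line in map(str.strip, config.splitlines()):
        if line == "!" or re.match(r"(interface|router|keychain) ", line):
            cur = None if line == "!" else (line, [])
            if cur:
                blocks.append(cur)
        elif cur and line:
            cur[1].append(line)
    return blocks

def audit_routing_auth(config):
    # Return findings; an empty list means every OSPF interface and BGP peer names a defined keychain.
    blocks = parse_blocks(config)
    keychains = {h.split()[1] for h, _ in blocks if h.startswith("keychain ")}
    findings = []
    for header, body in blocks:
        if header.startswith("interface ") and any(l.startswith("ip ospf area") for l in body):
            kc = [l.split()[-1] for l in body if l.startswith("ip ospf authentication keychain ")]
            if not kc or kc[0] not in keychains:
                findings.append(f"{header}: OSPF runs without a defined authentication keychain")
        elif header.startswith("router bgp"):
            peers = {l.split()[1] for l in body if re.match(r"neighbor \S+ remote-as ", l)}
            ao = {l.split()[1]: l.split()[3] for l in body if re.match(r"neighbor \S+ ao \S+", l)}
            for peer in sorted(peers):
                if ao.get(peer) not in keychains:
                    findings.append(f"router bgp: neighbor {peer} has no defined TCP-AO keychain")
    return findings
```

Any non-empty result from `audit_routing_auth` corresponds to a finding under this rule.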
Fix Text (F-77617r1109884_fix)
Configure authentication for routing protocols:
OSPF:
ICX(config)# keychain mykeychain
ICX(config-keychain-mykeychain)# key 1
ICX(config-keychain-mykeychain-key-1)# authentication-algorithm hmac-sha-256
ICX(config-keychain-mykeychain-key-1)# password pw_for_mykeychain
ICX(config-keychain-mykeychain-key-1)# send-id 1
ICX(config-keychain-mykeychain-key-1)# recv-id 1
ICX(config-keychain-mykeychain-key-1)# accept-lifetime start 03-05-24 10:10:10 end 15552000
ICX(config-keychain-mykeychain-key-1)# send-lifetime start 03-05-24 10:10:10 end 09-01-24 10:10:10
ICX(config)# router ospf
ICX(config-ospf-router)# area 0
ICX(config-ospf-router)# interface ethernet 1/1/1
ICX(config-if-e1000-1/1/1)# ip ospf area 0
ICX(config-if-e1000-1/1/1)# ip ospf authentication keychain mykeychain
BGP:
ICX(config)# keychain mykeychain tcp
ICX(config-keychain-tcp-mykeychain)# key 1
ICX(config-keychain-tcp-mykeychain-key-1)# authentication-algorithm aes-128-cmac
ICX(config-keychain-tcp-mykeychain-key-1)# password pw_for_mykeychain1
ICX(config-keychain-tcp-mykeychain-key-1)# no accept-ao-mismatch
ICX(config-keychain-tcp-mykeychain-key-1)# include-tcp-options
ICX(config-keychain-tcp-mykeychain-key-1)# send-id 1
ICX(config-keychain-tcp-mykeychain-key-1)# recv-id 1
ICX(config-keychain-tcp-mykeychain-key-1)# accept-lifetime start 03-05-24 10:10:10 end 15552000
! above for 180 days (in sec)
ICX(config-keychain-tcp-mykeychain-key-1)# send-lifetime start 03-05-24 10:10:10 end 09-01-24 10:10:10
ICX(config)# router bgp
ICX(config-bgp-router)# local-as 1001
ICX(config-bgp-router)# neighbor x.0.0.1 remote-as 10
ICX(config-bgp-router)# neighbor x.0.0.1 ao mykeychain