
Cisco IOS XE Router RTR Security Technical Implementation Guide

V1R0 · Published 26 Mar 2021 · 5 rules

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The Cisco MPLS router must be configured to have TTL Propagation disabled.
RMF Control: CM-6 · Severity: M · CCI: CCI-000366 · Version: CISC-RT-000620 · Vuln IDs: V-216700 · Rule IDs: SV-216700r531086_rule
The head end of the label-switched path (LSP), the label edge router (LER), will decrement the IP packet's time-to-live (TTL) value by one and then copy the value to the MPLS TTL field. At each label-switched router (LSR) hop, the MPLS TTL value is decremented by one. The MPLS router that pops the label (either the penultimate LSR or the egress LER) will copy the packet's MPLS TTL value to the IP TTL field and decrement it by one. This TTL propagation is the default behavior. Because the MPLS TTL is propagated from the IP TTL, a traceroute will list every hop in the path, be it routed or label switched, thereby exposing core nodes. With TTL propagation disabled, the LER decrements the IP packet's TTL value by one and then places a value of 255 in the packet's MPLS TTL field, which is then decremented by one as the packet passes through each LSR in the MPLS core. Because the MPLS TTL never drops to zero, none of the LSP hops triggers an ICMP TTL exceeded message, and consequently these hops are not recorded in a traceroute. Hence, nodes within the MPLS core cannot be discovered by an attacker.
Fix: F-17931r288046_fix

Configure the MPLS router to disable TTL propagation as shown in the example below:
R5(config)#no mpls ip propagate-ttl

The Cisco multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
RMF Control: SC-5 · Severity: M · CCI: CCI-002385 · Version: CISC-RT-000890 · Vuln IDs: V-216727 · Rule IDs: SV-216727r531086_rule
ASM can have many sources for the same groups (many-to-many). For many receivers, the path via the rendezvous point (RP) may not be ideal compared with the shortest path from the source to the receiver. By default, the last-hop router will initiate a switch from the shared tree to a source-specific SPT to obtain lower latencies. This is accomplished by the last-hop router sending an (S, G) Protocol Independent Multicast (PIM) Join toward S (the source). When the last-hop router begins to receive traffic for the group from the source via the SPT, it will send a PIM Prune message to the RP for the (S, G). The RP will then send a Prune message toward the source. The SPT switchover becomes a scaling issue for large multicast topologies that have many receivers and many sources for many groups, because (S, G) entries require more memory than (*, G) entries. Hence, it is imperative to minimize the amount of (S, G) state to be maintained by increasing the threshold that determines when the SPT switchover occurs.
Fix: F-17958r288124_fix

Configure the DR to increase the SPT threshold or set it to infinity to minimize (S, G) state within the multicast topology where ASM is deployed:
R3(config)#ip pim spt-threshold infinity

The Cisco router must not be configured to have any feature enabled that calls home to the vendor.
RMF Control: SC-7 · Severity: M · CCI: CCI-002403 · Version: CISC-RT-000080 · Vuln IDs: V-216996 · Rule IDs: SV-216996r663924_rule
Call home services routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. There is a risk that sensitive data in these transmissions could reach unauthorized persons, resulting in data loss or downtime due to an attack.
Fix: F-18224r663923_fix

Disable the call home feature as shown below:
R5(config)#no service call-home

The Cisco PE router must be configured to ignore or drop all packets with any IP options.
RMF Control: SC-7 · Severity: M · CCI: CCI-002403 · Version: CISC-RT-000750 · Vuln IDs: V-217001 · Rule IDs: SV-217001r531086_rule
Packets with IP options are not fast-switched and therefore must be punted to the route processor. Attackers who initiate denial of service (DoS) attacks on routers commonly send large streams of packets with IP options. Dropping packets with IP options reduces the load such packets place on the router. The end result is a reduction in the effects of the DoS attack on the router and on downstream routers.
Fix: F-18229r288166_fix

Configure the router to ignore or drop all packets with IP options as shown in the examples below:
R4(config)#ip options ignore
or
R4(config)#ip options drop

The Cisco router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
RMF Control: CM-6 · Severity: L · CCI: CCI-000366 · Version: CISC-RT-000236 · Vuln IDs: V-230039 · Rule IDs: SV-230039r647454_rule
The Neighbor Discovery protocol allows routers to advertise a hop limit value in Router Advertisement messages, which hosts then use instead of the standardized default value. If a very small value were configured and advertised to hosts on the LAN segment, communications would fail because the hop limit would reach zero before packets sent by a host reached their destination.
Fix: F-32329r647424_fix

Configure the router to advertise a hop limit of at least 32 in Router Advertisement messages:
R1(config)#ipv6 hop-limit 128
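A configuration audit for the five rules above, as an added example that is not part of the STIG or any DISA tool. It parses a constructed IOS XE running-config excerpt and uses the simplified matching stated in the code comments (for example, it treats an un-negated "service call-home" line as the finding, and requires an explicit "ipv6 hop-limit" value of at least 32).

```python
import re

# Rule versions from the STIG, each paired with the fix text it checks for.
RULES = {
    "CISC-RT-000620": "TTL propagation disabled: 'no mpls ip propagate-ttl'",
    "CISC-RT-000890": "SPT threshold infinity: 'ip pim spt-threshold infinity'",
    "CISC-RT-000080": "call home disabled: no 'service call-home' line",
    "CISC-RT-000750": "IP options ignored/dropped: 'ip options ignore|drop'",
    "CISC-RT-000236": "RA hop limit >= 32: 'ipv6 hop-limit N'",
}

# Constructed running-config excerpt (not from a real device); '!' lines are comments.
SAMPLE_CONFIG = """\
! constructed sample, three findings expected
hostname R5
service call-home
ip pim spt-threshold infinity
ip options drop
ipv6 hop-limit 16
"""

# The same excerpt with the fixes from the STIG applied.
HARDENED_CONFIG = """\
hostname R5
no service call-home
no mpls ip propagate-ttl
ip pim spt-threshold infinity
ip options drop
ipv6 hop-limit 128
"""

def config_lines(text):
    """Return stripped, non-empty, non-comment lines of a running-config."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]

def check_config(text):
    """Map each rule version to True (compliant) or False (finding)."""
    lines = set(config_lines(text))
    hop_limit = None
    for ln in lines:
        m = re.fullmatch(r"ipv6 hop-limit (\d+)", ln)
        if m:
            hop_limit = int(m.group(1))
    return {
        "CISC-RT-000620": "no mpls ip propagate-ttl" in lines,
        "CISC-RT-000890": "ip pim spt-threshold infinity" in lines,
        # Assumption: an un-negated 'service call-home' line is the finding.
        "CISC-RT-000080": "service call-home" not in lines,
        "CISC-RT-000750": "ip options ignore" in lines or "ip options drop" in lines,
        # Assumption: absence of an explicit hop limit is reported as a finding.
        "CISC-RT-000236": hop_limit is not None and hop_limit >= 32,
    }

def findings(text):
    """Rule versions that fail, in STIG order, with their expected fix."""
    return [v for v, ok in check_config(text).items() if not ok]

if __name__ == "__main__":
    for v in findings(SAMPLE_CONFIG):
        print(f"FINDING {v}: {RULES[v]}")
```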