Cisco IOS XE Router RTR STIG SCAP Benchmark
- Version/Release: V3R2
- Published: 2024-08-22
- Severity:
-
Sort:
View
Select any old version/release of this SCAP to view the previous requirements
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
The Cisco MPLS router must be configured to have TTL Propagation disabled.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- CISC-RT-000620
- Vuln IDs
- V-216700
- Rule IDs
- SV-216700r531086_rule
The head end of the label-switched path (LSP), the label edge router (LER) will decrement the IP packet's time-to-live (TTL) value by one and then copy the value to the MPLS TTL field. At each label-switched router (LSR) hop, the MPLS TTL value is decremented by one. The MPLS router that pops the label (either the penultimate LSR or the egress LER) will copy the packet's MPLS TTL value to the IP TTL field and decrement it by one.
This TTL propagation is the default behavior. Because the MPLS TTL is propagated from the IP TTL, a traceroute will list every hop in the path, be it routed or label switched, thereby exposing core nodes. With TTL propagation disabled, LER decrements the IP packet's TTL value by one and then places a value of 255 in the packet's MPLS TTL field, which is then decremented by one as the packet passes through each LSR in the MPLS core. Because the MPLS TTL never drops to zero, none of the LSP hops triggers an ICMP TTL exceeded message, and consequently, these hops are not recorded in a traceroute. Hence, nodes within the MPLS core cannot be discovered by an attacker.
Fix: F-17931r288046_fix
Configure the MPLS router to disable TTL propagation as shown in the example below: R5(config)#no mpls ip propagate-ttl
b
The Cisco multicast Designated Router (DR) must be configured to set the shortest-path tree (SPT) threshold to infinity to minimalize source-group (S, G) state within the multicast topology where Any Source Multicast (ASM) is deployed.
- RMF Control
- SC-5
- Severity
- Medium
- CCI
- CCI-002385
- Version
- CISC-RT-000890
- Vuln IDs
- V-216727
- Rule IDs
- SV-216727r945856_rule
ASM can have many sources for the same groups (many-to-many). For many receivers, the path via the RP may not be ideal compared with the shortest path from the source to the receiver. By default, the last-hop router will initiate a switch from the shared tree to a source-specific SPT to obtain lower latencies. This is accomplished by the last-hop router sending an (S, G) Protocol Independent Multicast (PIM) Join toward S (the source).
When the last-hop router begins to receive traffic for the group from the source via the SPT, it will send a PIM Prune message to the RP for the (S, G). The RP will then send a Prune message toward the source. The SPT switchover becomes a scaling issue for large multicast topologies that have many receivers and many sources for many groups because (S, G) entries require more memory than (*, G). Hence, it is imperative to minimize the amount of (S, G) state to be maintained by increasing the threshold that determines when the SPT switchover occurs.
Fix: F-17958r288124_fix
Configure the DR to increase the SPT threshold or set it to infinity to minimalize (S, G) state within the multicast topology where ASM is deployed. R3(config)#ip pim spt-threshold infinity
a
The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to use a loopback address as the source address when originating MSDP traffic.
- RMF Control
- Severity
- Low
- CCI
- CCI-004931
- Version
- CISC-RT-000950
- Vuln IDs
- V-216733
- Rule IDs
- SV-216733r991901_rule
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of MSDP routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router’s loopback address instead of the numerous physical interface addresses.
Fix: F-17964r288142_fix
Configure the router to use its loopback address is used as the source address when sending MSDP packets. R2(config)#ip msdp peer x.44.2.34 connect-source lo12 remote-as nn
b
The Cisco PE router must be configured to ignore or drop all packets with any IP options.
- RMF Control
- SC-7
- Severity
- Medium
- CCI
- CCI-002403
- Version
- CISC-RT-000750
- Vuln IDs
- V-217001
- Rule IDs
- SV-217001r945860_rule
Packets with IP options are not fast-switched and therefore must be punted to the router processor. Hackers who initiate denial of service (DoS) attacks on routers commonly send large streams of packets with IP options. Dropping the packets with IP options reduces the load of IP options packets on the router. The end result is a reduction in the effects of the DoS attack on the router and on downstream routers.
Fix: F-18229r288166_fix
Configure the router to ignore or drop all packets with IP options as shown in the examples below: R4(config)#ip options ignore or R4(config)#ip options drop
a
The Cisco router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- CISC-RT-000236
- Vuln IDs
- V-230039
- Rule IDs
- SV-230039r647454_rule
The Neighbor Discovery protocol allows a hop limit value to be advertised by routers in a Router Advertisement message being used by hosts instead of the standardized default value. If a very small value was configured and advertised to hosts on the LAN segment, communications would fail due to the hop limit reaching zero before the packets sent by a host reached its destination.
Fix: F-32329r647424_fix
Configure the router to advertise a hop limit of at least 32 in Router Advertisement messages. R1(config)#ipv6 hop-limit 128
b
The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- CISC-RT-000237
- Vuln IDs
- V-230042
- Rule IDs
- SV-230042r647455_rule
As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513.
Fix: F-32330r569546_fix
Configure the router using only authorized IPv6 addresses.