3.2.5 Disable IP Source-Routing

Information

A malicious actor can influence the path that their traffic should take using source-routing. Disabling this on the NX-OS platform disables this feature for all transit traffic.

Rationale:

Impact:

Source Routing can be used to influence the path taken by attack traffic, potentially routing around devices that implement network protections that might detect or prevent the attack being 'steered' using source routing.

Solution

switch(config)# no ip source-route

Default Value:

By default source-routing is enabled (which is not the desired setting)

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, 800-53|SC-7, CSCv7|9

Plugin: Cisco

Control ID: 72a78ca3a4b5ace66ee7959c699822654117d0cbab52a947ec757f3c926038ee