3.1.4.3 Use Unicast Routing Protocols Only

Information

Unicast routing protocols identify each routing peer explicitly by IP address. Multicast- and broadcast-based routing protocols instead discover their neighbors dynamically by sending hello packets to every host on the link. Because of this discovery process, a malicious actor on the same segment can much more easily establish a peering relationship and hijack the routing protocol.

Rationale:

While most routing protocols can be configured with authentication, multicast and broadcast routing protocols have an inherent weakness: they trust any neighbor that sends an advertisement or answers one. Authentication reduces the exposure but does not change the discovery model; a unicast protocol only ever peers with addresses the administrator has configured.

Impact:

In multicast and broadcast routing protocols, the router (in this case the NX-OS device) advertises its presence to all devices on a subnet, soliciting other routers that speak the same protocol. An attacker on that subnet can simply answer those advertisements and establish a peering relationship. At that point the attacker can inject any route desired, so that traffic for that destination is routed through the malicious router, putting the attacker in a man-in-the-middle position, able to eavesdrop on or alter any traffic to or from that destination and then forward it on. Tools such as Scapy have well-established attack scripts for most broadcast or multicast routing protocols.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure only unicast routing protocols, for instance BGP with each peer explicitly configured by IP address and protected with a neighbor password, and remove protocols that discover neighbors by multicast or broadcast hello (OSPF, EIGRP, RIP) from the NX-OS device.
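As an added example, not part of the benchmark text or of Nessus's own audit logic, the following Python script audits an NX-OS running-config for this control. The two embedded configs are constructed placeholders (documentation address ranges, a dummy password). The check flags OSPF, OSPFv3, EIGRP, RIP and IS-IS wherever they are enabled, accepts BGP only when every neighbor is a single unicast address, and warns about BGP neighbors that have no password. It also treats an NX-OS prefix-based BGP neighbor (`neighbor 198.51.100.0/24`) as a failure, since such a peer is not individually configured either.

```python
"""Audit an NX-OS running-config for routing protocols that discover peers.

Constructed example for CIS NX-OS item 3.1.4.3; it is not the benchmark's or
Nessus's own check. Sample configs below use placeholder values.
"""
import re
from dataclasses import dataclass, field

# Protocols whose neighbor discovery relies on multicast/broadcast hellos.
ROUTER_PROC_RE = re.compile(r"^(?:ipv6 )?router (ospf|ospfv3|eigrp|rip|isis)\b")
INTF_PROTO_RE = re.compile(r"^(?:ip|ipv6) router (ospf|ospfv3|eigrp|rip|isis)\b")


@dataclass
class AuditResult:
    failures: list = field(default_factory=list)   # violations of the control
    warnings: list = field(default_factory=list)   # compliant but worth attention
    bgp_neighbors: dict = field(default_factory=dict)  # neighbor -> has password

    @property
    def compliant(self) -> bool:
        return not self.failures


def top_level_blocks(config: str):
    """Split a running-config into (header, [indented child lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0] == " ":
            if blocks:
                blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def audit_unicast_routing(config: str) -> AuditResult:
    """Fail on any multicast/broadcast-discovered protocol or dynamic BGP peer."""
    result = AuditResult()
    for header, children in top_level_blocks(config):
        m = ROUTER_PROC_RE.match(header)
        if m:
            result.failures.append(
                f"{header}: {m.group(1)} discovers neighbors by multicast/broadcast hello")
            continue
        if header.startswith("interface "):
            for child in children:
                m = INTF_PROTO_RE.match(child.strip())
                if m:
                    result.failures.append(
                        f"{header}: '{child.strip()}' enables {m.group(1)} hellos on this link")
            continue
        if header.startswith("router bgp "):
            current = None
            for child in children:
                stripped = child.strip()
                indent = len(child) - len(child.lstrip())
                if indent == 2 and stripped.startswith("neighbor "):
                    current = stripped.split()[1]
                    result.bgp_neighbors[current] = False
                    if "/" in current:  # prefix peer = dynamic, not explicitly configured
                        result.failures.append(
                            f"{header}: neighbor {current} is a prefix (dynamic peering)")
                elif indent == 2:
                    current = None
                elif current is not None and stripped.startswith("password "):
                    result.bgp_neighbors[current] = True
            for peer, has_pw in result.bgp_neighbors.items():
                if not has_pw:
                    result.warnings.append(f"{header}: neighbor {peer} has no password")
    return result


# Constructed sample configs (placeholder addresses and password, not real devices).
NONCOMPLIANT_CONFIG = """\
feature ospf
feature bgp
router ospf 1
  router-id 192.0.2.1
interface Ethernet1/1
  ip address 192.0.2.1/30
  ip router ospf 1 area 0.0.0.0
router bgp 65001
  router-id 192.0.2.1
  neighbor 198.51.100.0/24
    remote-as 65002
    address-family ipv4 unicast
"""

COMPLIANT_CONFIG = """\
feature bgp
interface Ethernet1/1
  ip address 192.0.2.1/30
router bgp 65001
  router-id 192.0.2.1
  neighbor 192.0.2.2
    remote-as 65002
    password 0 placeholder-secret
    address-family ipv4 unicast
  neighbor 2001:db8::2
    remote-as 65003
    address-family ipv6 unicast
"""

if __name__ == "__main__":
    for name, cfg in (("non-compliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        r = audit_unicast_routing(cfg)
        print(f"{name}: {'PASS' if r.compliant else 'FAIL'}")
        for line in r.failures + r.warnings:
            print("  " + line)
```

The compliant sample still produces a warning for the IPv6 neighbor because it has no password; the control is satisfied by unicast peering alone, but an unauthenticated BGP session is the next thing a reviewer should look at.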

See Also

https://workbench.cisecurity.org/benchmarks/6524