4.11.1 Ensure authentication is set to MD5

Information

RSVP Peers should be authenticated.

Rationale:

RSVP messages may be abused by an attacker to interfere with QoS and Traffic Engineering services, resulting in poor performance or Denial of Service, or seek to attack the target router directly using weaknesses in the RSVP implementation.

To protect against these types of attacks RSVP messages may be Authenticated using an MD5 hash of certain packet elements combined with a secret key (MD5 HMAC). RSVP authentication is supported in the two major variants described in the IETF Draft 'RSVP Cryptographic Authentication draft-ietf-rsvp-md5-03' and in RFC 2747. JUNOS automatically detects which variant to use on a neighbor by neighbor basis and not interaction is required from the administrator for multi-vendor support.

RSVP Authentication is set on an interface by interface basis and should be configured for all interfaces where RSVP is used.

Solution

If you have configured RSVP you can add authentication by issuing the following command from the [edit protocols rsvp] hierarchy:

[edit protocols rsvp]
user@host#set interface <interface name> authentication-key <key>

Default Value:

RSVP is not configured by default

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: 7b27ee9804f36cac5b1bb5da2252035fc9a7be4918afd93f2351e0957490af64