4.7.2 Ensure authentication is set to AES-CMAC

Information

LDP peers should be strongly authenticated.

Rationale:

Where it is deployed, LDP is vital for normal operation of an MPLS network. LDP is used to determine Label mapping and populate the routers Forwarding Information Base (FIB). An attacker posing as one of the target routers LDP peers may attempt to inject incorrect label information or exploit a vulnerability in the routers LDP implementation to cause an information disclosure or denial of service.

On Juniper routers (as well as routers from some other vendors) it is possible to authenticate LDP sessions using a Cipher-based Message Authentication Code method with the AES encryption algorithm.

AES-128-CMAC-96 is significantly more robust than the MD5-HMAC method, which has traditionally been used for LDP session authentication, and should be used wherever both LSRs support it (such as in an all Juniper deployment).

Where support for AES-128-CMAC-96 is not available; SHA1-HMAC, while not as strong as the AES method, should be strongly preferred over MD5-HMAC which is considerably weaker.

Strong LDP Session Authentication is configured on a per session-group basis, allowing you to easily support different algorithms with different groups if necessary.

Solution

If you have deployed LDP in your network you should use strong authentication for all neighbors.
Both AES-CMAC and SHA1-HMAC authentication require a keychain to be configured on the device under the [edit security authentication-key-chains] hierarchy with at least one key which has a start time in the past.

[edit security authentication-key-chains]
user@host#set key-chain <name> key <key number> start-time <YYYY-MM-DD.HH:MM>
user@host#set key-chain <name> key <key number> secret <secret key>

The chosen algorithm and keychain should then be configured for all session groups from the [edit protocols ldp] hierarchy:

[edit protocols ldp]
user@host#set session-group <Destination IP Address or IP/Mask> authentication-algorithm aes-128-cmac-96
user@host#set session-group <Destination IP Address or IP/Mask> authentication-key-chain <name>

or for SHA1 :

[edit protocols ldp]
user@host#set session-group <Destination IP Address or IP/Mask> authentication-algorithm hmac-sha-1-96
user@host#set session-group <Destination IP Address or IP/Mask> authentication-key-chain <name>

Default Value:

LDP is not configured by default.

When LDP is configured with an authentication-key, MD5 is the default authentication-algorithm.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: 30b543bcada843ebbf133b911545dc2af977ff6da029daf5a306c68964b587ca