CISC-RT-000620 - The Cisco MPLS switch must be configured to have TTL Propagation disabled.

Information

The head end of the label-switched path (LSP), the label edge switch (LER) will decrement the IP packet's time-to-live (TTL) value by one and then copy the value to the MPLS TTL field. At each label-switched switch (LSR) hop, the MPLS TTL value is decremented by one. The MPLS switch that pops the label (either the penultimate LSR or the egress LER) will copy the packet's MPLS TTL value to the IP TTL field and decrement it by one.

This TTL propagation is the default behavior. Because the MPLS TTL is propagated from the IP TTL, a traceroute will list every hop in the path, be it routed or label switched, thereby exposing core nodes. With TTL propagation disabled, LER decrements the IP packet's TTL value by one and then places a value of 255 in the packet's MPLS TTL field, which is then decremented by one as the packet passes through each LSR in the MPLS core. Because the MPLS TTL never drops to zero, none of the LSP hops triggers an ICMP TTL exceeded message, and consequently, these hops are not recorded in a traceroute. Hence, nodes within the MPLS core cannot be discovered by an attacker.

Solution

Configure the MPLS switch to disable TTL propagation as shown in the example below:

SW1(config)# no mpls ip propagate-ttl

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y24M10_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-221116r999725_rule, STIG-ID|CISC-RT-000620, STIG-Legacy|SV-111051, STIG-Legacy|V-101947, Vuln-ID|V-221116

Plugin: Cisco

Control ID: f06c08d961013185e2dc6f2fb5014bcf2a72bd2ee976f21cab2ac586a9e1a399