NET0425 - An Infinite Lifetime key has not been implemented - 'Ensure rotating keys are not set to send-lifetime infinite'

Information

Only Interior Gateway Protocols (IGPs) use key chains. When configuring authentication for routing protocols that support key chains, configure two rotating keys with overlapping expiration dates, each with a lifetime of 180 days or less. A third key must also be defined with an infinite lifetime. Together these steps ensure there will always be a key that can be placed into service by all peers. If a time period occurs during which no key is active, authentication cannot occur; hence, route updates will not occur. The infinite-lifetime key should be changed 7 days after successful key rotation and synchronization has occurred with all peers.

Notes: Only Interior Gateway Protocols (IGPs) use key chains.
Notes: When using authentication keys, it is imperative that the site is in compliance with the NTP policies. Key lifetimes are evaluated against the router's clock, so the router has to know the time!
Notes: The infinite-lifetime key number must be a high number to ensure you have plenty of room to put keys in before it. Each subsequent key is decremented by one (9998, 9997, etc.).

NOTE: Change 'KEY_CHAIN_NAME' to the key chain name for your organization's routing protocol.

Solution

This check is in place to ensure keys do not expire, which would create a denial of service (DoS) as adjacencies are dropped and routes are aged out. The recommendation is to use two rotating six-month keys with a third key set to an infinite lifetime. The infinite-lifetime key should be changed 7 days after the rotating keys have expired and been redefined.
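As an added example (not part of this check or the Tenable plugin), the following Python script parses a Cisco IOS key chain and flags the conditions NET0425 describes: a rotating key whose send-lifetime exceeds 180 days, a gap between rotating keys during which no key is sent, and a missing infinite-lifetime fallback key. The key chain text, the KEY_CHAIN_NAME placeholder and the key numbers are constructed sample values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not from the page): two rotating keys with overlapping
# send-lifetimes under 180 days, plus a high-numbered infinite-lifetime key.
SAMPLE_CONFIG = """\
key chain KEY_CHAIN_NAME
 key 1
  send-lifetime 00:00:00 Jan 1 2024 00:00:00 Jun 28 2024
 key 2
  send-lifetime 00:00:00 Jun 1 2024 00:00:00 Nov 27 2024
 key 9999
  send-lifetime 00:00:00 Jan 1 2024 infinite
"""
TS = r"\d\d:\d\d:\d\d \w{3} \d{1,2} \d{4}"  # IOS "hh:mm:ss Mon D YYYY"
SEND_RE = re.compile(rf"send-lifetime ({TS}) (infinite|{TS})")
FMT = "%H:%M:%S %b %d %Y"

def parse_send_lifetimes(config):
    """Return {key_id: (start, end)} for the chain; end is None when infinite."""
    keys, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*key (\d+)\s*$", line)
        if m:
            cur = int(m.group(1))
            continue
        m = SEND_RE.search(line)
        if m and cur is not None:
            start = datetime.strptime(m.group(1), FMT)
            end = None if m.group(2) == "infinite" else datetime.strptime(m.group(2), FMT)
            keys[cur] = (start, end)
    return keys

def audit_key_chain(config, max_days=180):
    """NET0425 findings: rotating keys finite and <= max_days, no gap, one infinite key."""
    keys = parse_send_lifetimes(config)
    rotating = {k: v for k, v in keys.items() if v[1] is not None}
    infinite = sorted(k for k, v in keys.items() if v[1] is None)
    findings = []
    for k, (start, end) in sorted(rotating.items()):
        if end - start > timedelta(days=max_days):
            findings.append(f"key {k}: send-lifetime longer than {max_days} days")
    ordered = sorted(rotating.values())
    if len(ordered) < 2:
        findings.append("fewer than two rotating keys defined")
    for (_, e1), (s2, _) in zip(ordered, ordered[1:]):
        if s2 > e1:  # next key starts only after the previous one stopped being sent
            findings.append(f"no key in service between {e1:%Y-%m-%d} and {s2:%Y-%m-%d}")
    if not infinite:
        findings.append("no infinite-lifetime fallback key defined")
    return {"rotating": sorted(rotating), "infinite": infinite, "findings": findings}
```

Run `audit_key_chain(SAMPLE_CONFIG)` against a `show running-config` extract of your own key chain; an empty findings list means the chain matches the layout this check expects.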

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, CAT|I, Rule-ID|SV-7363r3_rule, STIG-ID|NET0425, Vuln-ID|V-7009

Plugin: Cisco

Control ID: e06e1b1e990d2762c5e831b7eb1ce5989e4cb905fa57d5c7f33c283327d2062e