JUEX-RT-000550 - The Juniper router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.

Information

If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Some routing protocols allow the use of key chains for authentication. A key chain is a set of keys that is used in succession, with each having a lifetime of no more than 180 days. Changing the keys frequently reduces the risk of them eventually being guessed.

Keys cannot be used during time periods for which they are not activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur, and therefore routing updates will fail. Therefore, ensure that for a given key chain, key activation times overlap to avoid any period of time during which no key is activated.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This requirement is not applicable for the DODIN Backbone.

For each authenticated routing protocol session, configure each key to have a lifetime of no more than 180 days.

set security authentication-key-chains key-chain <name> key <number-1> secret <key value>
set security authentication-key-chains key-chain <name> key <number-1> start-time <YYYY-MM-DD.HH:MM>
set security authentication-key-chains key-chain <name> key <number-1> algorithm md5
set security authentication-key-chains key-chain <name> key <number-2> secret <key value>
set security authentication-key-chains key-chain <name> key <number-2> start-time <YYYY-MM-DD.HH:MM>
set security authentication-key-chains key-chain <name> key <number-2> algorithm md5

set protocols bgp group <name> authentication-key-chain <name>
set protocols bgp group <name> neighbor <neighbor address> authentication-key-chain <name>
set protocols bgp authentication-key-chain <name>

set protocols ospf area <area number> interface <interface name>.<logical unit> authentication md5 <number> key <key value>
set protocols ospf area <area number> interface <interface name>.<logical unit> authentication md5 <number> start-time <YYYY-MM-DD.HH:MM>
set protocols ospf area <area number> interface <interface name>.<logical unit> authentication md5 <number> key <key value>
set protocols ospf area <area number> interface <interface name>.<logical unit> authentication md5 <number> start-time <YYYY-MM-DD.HH:MM>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M10_STIG.zip

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-4(17), 800-53|CM-6b., CAT|II, CCI|CCI-000366, CCI|CCI-002205, Rule-ID|SV-254027r945863_rule, STIG-ID|JUEX-RT-000550, Vuln-ID|V-254027

Plugin: Juniper

Control ID: ce59c9aa4fd6c5bf8d64568b9b22f8545f5711e5a17008b65d0415baece9e266