JUNI-RT-000050 - The Juniper router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 140-2 message authentication code algorithm - IS-IS

Information

A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network or used to disrupt the network's ability to communicate with other networks. This is known as a 'traffic attraction attack' and is prevented by configuring neighbor router authentication for routing updates. However, using clear-text authentication provides little benefit since an attacker can intercept traffic and view the authentication key. This would allow the attacker to use the authentication key in an attack.

Since MD5 is vulnerable to 'birthday' attacks and may be compromised, routing protocol authentication must use FIPS 140-2 validated algorithms and modules to encrypt the authentication key. This requirement applies to all IPv4 and IPv6 protocols that are used to exchange routing or packet forwarding information; this includes all Interior Gateway Protocols (such as OSPF, EIGRP, and IS-IS) and Exterior Gateway Protocols (such as BGP), MPLS-related protocols (such as LDP), and multicast-related protocols.

Solution

Configure routing protocol authentication to use a NIST-validated FIPS 140-2 message authentication code algorithm.

IS-IS Example:

[edit security authentication-key-chains]
set key-chain ISIS_KEY key 1 options isis-enhanced
set key-chain ISIS_KEY key 2 options isis-enhanced
set key-chain ISIS_KEY key 3 options isis-enhanced
set key-chain ISIS_KEY key 1 start-time 2018-05-01.12:00 algorithm hmac-sha-1 secret xxxxxxxxxxxxx
set key-chain ISIS_KEY key 2 start-time 2018-09-01.12:00 algorithm hmac-sha-1 secret xxxxxxxxxxxxx
set key-chain ISIS_KEY key 3 start-time 2019-01-01.12:00 algorithm hmac-sha-1 secret xxxxxxxxxxxxx

[edit protocols]
set isis level 1 authentication-key-chain ISIS_KEY
set isis interface ge-0/0/0 level 1 hello-authentication-key-chain ISIS_KEY
set isis interface ge-0/0/0 level 2 hello-authentication-key-chain ISIS_KEY

BGP Example:

[edit security authentication-key-chains]
set key-chain BGP_KEY key 1 start-time 2018-05-01.12:00 secret xxxxxxxxxxxxx
set key-chain BGP_KEY key 2 start-time 2018-09-01.12:00 secret xxxxxxxxxxxxx
set key-chain BGP_KEY key 3 start-time 2019-01-01.12:00 secret xxxxxxxxxxxxx

[edit protocols bgp group AS_5]
set neighbor 11.1.25.5 authentication-algorithm hmac-sha-1-96
set neighbor 11.1.25.5 authentication-key-chain BGP_KEY
set neighbor 11.1.1.1 authentication-algorithm hmac-sha-1-96
set neighbor 11.1.1.1 authentication-key-chain BGP_KEY

OSPF Example:

Configure IPsec Security Association
[edit security ipsec]
set security-association IPSEC-SA1
set security-association IPSEC-SA1 mode transport
set security-association IPSEC-SA1 manual direction bidirectional
set security-association IPSEC-SA1 manual direction bidirectional protocol ah
set security-association IPSEC-SA1 manual direction bidirectional spi 256
set security-association IPSEC-SA1 manual direction bidirectional authentication algorithm hmac-sha1-96 key ascii-text 1234567890abcdefghij

[edit protocols ospf area 0.0.0.0]
set interface ge-0/0/0 ipsec-sa IPSEC-SA1
set interface ge-0/1/0 ipsec-sa IPSEC-SA1
set interface ge-0/2/0 ipsec-sa IPSEC-SA1

[edit protocols ospf area 0.0.0.0]
set interface ge-1/2/0 ipsec-sa IPSEC-SA1

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_Router_Y20M07_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3, CAT|II, CCI|CCI-000803, Rule-ID|SV-101025r1_rule, STIG-ID|JUNI-RT-000050, Vuln-ID|V-90815

Plugin: Juniper

Control ID: 64dd2e4392bc6520e2b08070ec2f95a7bcd164236fbcbb56a623316496d0c9b1