The BGP Cisco ACI must be configured to use a unique key for each autonomous system (AS) it peers with.
Overview
Finding ID | Version        | Rule ID                | IA Controls | Severity
V-272083   | CACI-RT-000023 | SV-272083r1114278_rule |             | Medium
Description
If the same key is used with more than one eBGP neighbor, compromising that key compromises every BGP session that shares it. A malicious user in one autonomous system who knows the key used for the eBGP session with that AS could then use it to spoof or hijack the BGP sessions with the other, trusted neighbors that share the same key. Giving each peer AS its own key confines the damage from a leaked key to the sessions with that one AS.
STIG                                                     | Date
Cisco ACI Router Security Technical Implementation Guide | 2025-06-18
Details
Check Text (C-76133r1063644_chk)
Review the configuration. Verify that the neighbor authentication keys on the ACI border leaf switches use a different authentication key for each peer AS. Route maps can also show this view.

  ip tcp authentication key chain AS100
    key 1 send-id 10 recv-id 10
    key 2 send-id 20 recv-id 20
  ip tcp authentication key chain AS200
    key 1 send-id 30 recv-id 30
    key 2 send-id 40 recv-id 40
  router bgp 100
    neighbor 10.0.0.1 ao AS100
  router bgp 200
    neighbor 10.0.1.1 ao AS200

Separate key chain names alone do not satisfy this requirement: if two chains carry the same key material, the key is still shared between the ASes that use them. If unique keys are not being used, this is a finding.
Fix Text (F-76040r1114277_fix)
Configure a unique key for each AS the Cisco ACI device peers with, using TCP-AO: create a separate key chain for each AS, give the keys within each chain unique "send-id" and "recv-id" values, and associate the appropriate key chain with the BGP neighbor configuration for that AS. The following is an example.

1. Create the key chain for AS100.

  apic1(config)# ip tcp authentication key chain AS100
  apic1(config)# key 1 send-id 10 recv-id 10
  apic1(config)# key 2 send-id 20 recv-id 20

2. Create the key chain for AS200.

  apic1(config)# ip tcp authentication key chain AS200
  apic1(config)# key 1 send-id 30 recv-id 30
  apic1(config)# key 2 send-id 40 recv-id 40

3. Configure the BGP neighbor for AS100 with key chain AS100.

  apic1(config)# router bgp 100
  apic1(config-router)# neighbor 10.0.0.1 ao AS100

4. Configure the BGP neighbor for AS200 with key chain AS200.

  apic1(config)# router bgp 200
  apic1(config-router)# neighbor 10.0.1.1 ao AS200