The Cisco ACI must be configured to use keys with a duration of 180 days or less for authenticating routing protocol messages.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-272084	CACI-RT-000024	SV-272084r1114357_rule		Medium

Description

If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Some routing protocols allow the use of key chains for authentication. A key chain is a set of keys that is used in succession, with each having a lifetime of no more than 180 days. Changing the keys frequently reduces the risk of them eventually being guessed. Keys cannot be used during time periods for which they are not activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur, and therefore, routing updates will fail. Therefore, ensure that for a given key chain, key activation times overlap to avoid any period of time during which no key is activated.

STIG	Date
Cisco ACI Router Security Technical Implementation Guide	2025-06-18

Details

Check Text (C-76134r1063647_chk)

If any key has a lifetime of more than 180 days (expressed in seconds), this is a finding.

Review the switch configuration using the show bgp and show ospf commands to view BGP and OSPF. The configuration will be similar to the example below.

Key-Chain bgp_keys tcp
Key 1 -- text 0 "070e234f"
send lifetime 3600
recv-lifetime 3600

If any key has a lifetime of 180 days or less, this is a finding.

Fix Text (F-76041r1114356_fix)

For each authenticated routing protocol session, configure each key to have a lifetime of no more than 180 days. The following is an example.

Add the lifetime duration value to every TCP-AO Key ID configured.

apic1(config)# ip tcp ao key chain <KEY_CHAIN_NAME>
apic1(config)# key <KEY-ID>
apic1(config-tcpkey chain-tcpkey)# send-lifetime <value in seconds>
apic1(config-tcpkey chain-tcpkey)# recv-lifetime <value in seconds>