The PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-207147	SRG-NET-000343	SRG-NET-000343-RTR-000001	SV-207147r856631_rule	2024-05-28	5

Description
LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, each PE router advertises a virtual circuit label mapping that is used as part of the label stack imposed on the frames by the ingress PE router during packet forwarding. Authentication provides protection against spoofed TCP segments that can be introduced into the LDP sessions.

Description

LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, each PE router advertises a virtual circuit label mapping that is used as part of the label stack imposed on the frames by the ingress PE router during packet forwarding. Authentication provides protection against spoofed TCP segments that can be introduced into the LDP sessions.

ℹ️ Check
Review the router configuration to determine if LDP messages are being authenticated for the targeted LDP sessions. If authentication is not being used for the LDP sessions using a FIPS-approved message authentication code algorithm, this is a finding.

✔️ Fix
Implement authentication for all targeted LDP sessions using a FIPS-approved message authentication code algorithm.