Cisco IOS XE Router RTR Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).

    As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevente...
    Rule Low Severity
  • The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.

    As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-lo...
    Rule Medium Severity
  • The Cisco perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.

    These options are intended to be for the Hop-by-Hop header only. The optional and extensible natures of the IPv6 extension headers require higher scrutiny since many implementations do not always d...
    Rule Medium Severity
  • The Cisco perimeter router must be configured to drop IPv6 packets with a Routing Header type 0, 1, or 3–255.

    The routing header can be used maliciously to send a packet through a path where less robust security is in place, rather than through the presumably preferred path of routing protocols. Use of the...
    Rule Medium Severity