- Preface
- New and Changed Security Features
- Configuring AAA Services
- Implementing Certification Authority Interoperability
- Implementing Keychain Management
- Implementing Lawful Intercept
- Implementing Management Plane Protection
- Configuring Software Authentication Manager
- Implementing Secure Shell
- Implementing Secure Socket Layer
- Configuring FIPS Mode
- Index
Configuring FIPS Mode
The Federal Information Processing Standard (FIPS) 140-2 is an U.S. and Canadian government certification standard that defines requirements that the cryptographic modules must follow. The FIPS specifies best practices for implementing cryptographic algorithms, handling key material and data buffers, and working with the operating system.
In Cisco IOS XR software, these applications are verified for FIPS compliance:
Secure Shell (SSH)
Secure Socket Layer (SSL)
Transport Layer Security (TLS)
Internet Protocol Security (IPSec) for Open Shortest Path First version 3 (OSPFv3)
Simple Network Management Protocol version 3 (SNMPv3)
The Cisco Common Cryptographic Module (C3M) provides cryptographic services to a wide range of the networking and collaboration products of Cisco. This module provides FIPS-validated cryptographic algorithms for services such as RTP, SSH, TLS, 802.1x, and so on. The C3M provides cryptographic primitives and functions for the users to develop any protocol.
By integrating with C3M, the Cisco IOS-XR software is compliant with the FIPS 140-2 standards and can operate in FIPS mode, level 1 compliance.
Prerequisites for Configuring FIPS
Install and activate the c12k-k9sec.pie file.
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command.
If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Installing and Activating the PIE
The Package Installation Envelope (PIE) files, are installable software files with the .pie extension. PIE files are used to copy one or more software components onto the router. A PIE may contain a single component, a group of components (called a package), or a set of packages (called a composite package).
Use the show install committed command in EXEC mode to verify the committed software packages.
You must install and activate the c12k-k9sec.pie file to configure FIPS. To install and activate the PIE, download the c12k-k9sec.pie to a TFTP server.
For more information about installing PIEs, refer to Upgrading and Managing Cisco IOS XR Software section of the Cisco IOS XR System Management Configuration Guide for the Cisco XR 12000 Series Router.
1.
admin
2.
install add tftp://<IP address of tftp server>/<location of pie on server>
3.
install activate device:package
4.
install commit
5.
exit
6.
show install committed
DETAILED STEPS
How to Configure FIPS
Perform these tasks to configure FIPS.
- Enabling FIPS mode
- Configuring FIPS-compliant Keys
- Configuring FIPS-compliant Key Chain
- Configuring FIPS-compliant Certificates
- Configuring FIPS-compliant OSPFv3
- Configuring FIPS-compliant SNMPv3 Server
- Configuring FIPS-compliant SSH Client and Server
Enabling FIPS mode
Refer to the Installing and Activating the PIE section for information on installing and activating the image on the router.
1.
configure
2.
crypto
fips-mode
3.
commit
4.
show logging
5.
admin
6.
reload location all
DETAILED STEPS
Configuring FIPS-compliant Keys
Perform these steps to configure the FIPS-compliant keys:
Refer the configuration steps in the Enabling FIPS mode section for enabling the FIPS mode.
1.
crypto key generate rsa [usage-keys | general-keys] key label
2.
crypto key generate dsa
3.
show crypto key mypubkey rsa
4.
show crypto key mypubkey dsa
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | crypto key generate rsa [usage-keys | general-keys] key label Example: RP/0/0/CPU0:router#crypto key generate rsa general-keys rsakeypair
| Generate a RSA key pair. Ensure that all the key pairs meet the FIPS requirements. The length of the key can vary from 1024 to 2048 bits. The option usage-keys generates separate RSA key pairs for signing and encryption. The option general-keys generates a general-purpose RSA key pair for signing and encryption. To delete the RSA key pair, use the crypto key zeroize rsa keypair-label command. |
| Step 2 | crypto key generate dsa Example: RP/0/0/CPU0:router#crypto key generate dsa
| Generate a DSA key pair if required. Ensure that all the key pairs meet the FIPS requirements. The length of the key is restricted to1024 bits. To delete the DSA key pair, use the crypto key zeroize dsa keypair-label command. |
| Step 3 | show crypto key mypubkey rsa Example: RP/0/0/CPU0:router#show crypto key mypubkey rsa
| Displays the existing RSA key pairs |
| Step 4 | show crypto key mypubkey dsa Example: RP/0/0/CPU0:router#show crypto key mypubkey dsa
| Displays the existing DSA key pairs |
Configuring FIPS-compliant Key Chain
Perform these steps to configure the FIPS-compliant key chain:
Refer the configuration steps in the Enabling FIPS mode section for enabling the FIPS mode.
1.
configure
2.
key chain key-chain-name
3.
key key-id
4.
cryptographic-algorithm {HMAC-SHA1-20 | SHA-1}
5.
commit
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | configure Example: RP/0/0/CPU0:router#configure
| Enters the global configuration mode. |
| Step 2 | key chain key-chain-name Example: RP/0/0/CPU0:router(config)#key chain mykeychain
| Creates a key chain. |
| Step 3 | key key-id Example: RP/0/0/CPU0:router(config-mykeychain)#key 1
| Creates a key in the key chain. |
| Step 4 | cryptographic-algorithm {HMAC-SHA1-20 | SHA-1} Example: RP/0/0/CPU0:router(config-mykeychain-1)#cryptographic-algorithm HMAC-SHA1-20
| Configures the cryptographic algorithm for the key chain. Ensure that the key chain configuration always uses SHA-1 as the hash or keyed hash message authentication code (hmac) algorithm. |
| Step 5 |
commit
|
Configuring FIPS-compliant Certificates
Perform these steps to configure the FIPS-compliant certificates:
Refer the configuration steps in the Enabling FIPS mode section for enabling the FIPS mode.
1.
configure
2.
crypto ca trustpoint ca-name key label
3.
commit
4.
show crypto ca certificates
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
configure
| |||
| Step 2 | crypto ca trustpoint ca-name key label Example: RP/0/0/CPU0:router(config)#crypto ca trustpoint msiox rsakeypair
| Configures the trustpoint by utilizing the desired RSA keys. Ensure that the certificates meet the FIPS requirements for key length and signature hash or encryption type.
| ||
| Step 3 |
commit
| |||
| Step 4 | show crypto ca certificates Example: RP/0/0/CPU0:router#show crypto ca certificates
| Displays the information about the certificate |
Configuring FIPS-compliant OSPFv3
Perform these steps to configure the FIPS-compliant OSPFv3:
Refer the configuration steps in the Enabling FIPS mode section for enabling the FIPS mode.
1.
configure
2.
router ospfv3 process name
3.
area id
4.
authentication{disable | ipsec spi spi-value sha1 [clear | password] password}
5.
exit
6.
encryption{disable | {ipsec spi spi-value esp {3des | aes [192 | 256] [clear |password] encrypt-password} [authentication sha1[clear | password] auth-password]}}
7.
commit
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
configure
| |||
| Step 2 | router ospfv3 process name Example: RP/0/0/CPU0:router(config)#router ospfv3 ospfname
| Configures the OSPFv3 process. | ||
| Step 3 | area id Example: RP/0/0/CPU0:router(config-ospfv3)#area 1
| Configures the OSPFv3 area ID. The ID can either be a decimal value or an IP address. | ||
| Step 4 | authentication{disable | ipsec spi spi-value sha1 [clear | password] password} Example: RP/0/0/CPU0:router(config-ospfv3-ar)#authentication ipsec spi 256 sha1 password pa1
| Enables authentication for OSPFv3. Note that the OSPFv3 configuration supports only SHA-1 for authentication.
| ||
| Step 5 | exit Example: RP/0/0/CPU0:router(config-ospfv3-ar)#exit
| Exits OSPFv3 area configuration and enters the OSPFv3 configuration mode. | ||
| Step 6 | encryption{disable | {ipsec spi spi-value esp {3des | aes [192 | 256] [clear |password] encrypt-password} [authentication sha1[clear | password] auth-password]}} Example: RP/0/0/CPU0:router(config-ospfv3)#encryption ipsec spi 256 esp 3des password pwd
| Ensure that SHA1 is chosen if the authentication option is specified. | ||
| Step 7 |
commit
|
Configuring FIPS-compliant SNMPv3 Server
Perform these steps to configure the FIPS-compliant SNMPv3 server:
Refer the configuration steps in the Enabling FIPS mode section for enabling the FIPS mode.
1.
configure
2.
snmp-server user username groupname {v3 [ auth sha {clear | encrypted} auth-password [priv {3des |aes { 128 | 192 | 256} } {clear | encrypted } priv-password]] } [SDROwner | SystemOwner] access-list-name
3.
commit
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
configure Example: RP/0/0/CPU0:router#configure
|
Enters the global configuration mode. |
| Step 2 |
snmp-server user username groupname {v3 [ auth sha {clear | encrypted} auth-password [priv {3des |aes { 128 | 192 | 256} } {clear | encrypted } priv-password]] } [SDROwner | SystemOwner] access-list-name Example: RP/0/0/CPU0:router(config)#snmp-server user user1 g v3 auth sha clear pass priv aes 128 clear privp
| Configures the SNMPv3 server. |
| Step 3 |
commit
|
Configuring FIPS-compliant SSH Client and Server
Perform these steps to configure the FIPS-compliant SSH Client and the Server:
Refer the configuration steps in the Enabling FIPS mode section for enabling the FIPS mode.
1.
ssh {ipv4-address | ipv6-address} cipher aes {128-CBC | 192-CBC | 256-CBC} username username
2.
configure
3.
ssh server v2
4.
commit
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
ssh {ipv4-address | ipv6-address} cipher aes {128-CBC | 192-CBC | 256-CBC} username username Example: RP/0/0/CPU0:router#ssh 10.1.2.3 cipher aes 128-CBC username user1
|
Configures the SSH client. Ensure that SSH client is configured only with the FIPS-approved ciphers. AES(Advanced Encryption Standard)-CBC (Cipher Block Chaining) is the FIPS-compliant cipher algorithm with key lengths of 128, 192 and 256 bits. |
| Step 2 |
configure
| |
| Step 3 |
ssh server v2 Example: RP/0/0/CPU0:router(config)#ssh server v2
| Configures the SSH server. |
| Step 4 |
commit
|
Configuration Examples for Configuring FIPS
This section provides examples for configuring FIPS.
Configuring FIPS: Example
This example shows how to configure FIPS:
RP/0/3/CPU0:SSH#configure RP/0/3/CPU0:SSH(config)#crypto fips-mode RP/0/3/CPU0:SSH(config)#commit RP/0/3/CPU0:SSH(config)#end
This example shows the output of show logging command:
RP/0/3/CPU0:SSH(config)#crypto fips-mode
RP/0/3/CPU0:SSH(config)#commit
RP/0/3/CPU0:SSH(config)#end
RP/0/3/CPU0:SSH#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 60 messages logged
Monitor logging: level debugging, 0 messages logged
Trap logging: level informational, 0 messages logged
Buffer logging: level debugging, 3 messages logged
Log Buffer (9000000 bytes):
<output omitted>
Log Buffer (307200 bytes):
RP/0/RSP0/CPU0:Apr 16 12:48:17.736 : cepki[433]: The configuration setting for FIPS mode has been modified. The system must be reloaded to finalize this configuration change. Please refer to the IOS XR System Security Configuration Guide, Federal Information Process Standard(FIPS) Overview section when modifying the FIPS mode setting.
RP/0/RSP0/CPU0:Apr 16 12:48:17.951 : config[65757]: %MGBL-CONFIG-6-DB_COMMIT :
Configuration committed by user 'lab'. Use 'show configuration commit changes 1000000002' to view the changes.
RP/0/RSP0/CPU0:Apr 16 12:48:23.988 : config[65757]: %MGBL-SYS-5-CONFIG_I : Configured from console by lab
....
....
....
Feedback