STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Nokia Service Router OS 25.x Router Security Technical Implementation Guide

V-283878

CAT II (Medium)

The Nokia Provider Edge (PE) router providing Multiprotocol Label Switching (MPLS) layer 2 virtual private network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit information using a Federal Information Processing Standards (FIPS)-approved message authentication code algorithm.

Rule ID

SV-283878r1203883_rule

STIG

Nokia Service Router OS 25.x Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001958

Discussion

LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, each PE router advertises a virtual circuit label mapping that is used as part of the label stack imposed on the frames by the ingress PE router during packet forwarding. Authentication provides protection against spoofed Transmission Control Protocol (TCP) segments that can be introduced into the LDP sessions.

Check Content

Review the router configuration to determine if LDP messages are being authenticated for the targeted LDP sessions.

Verify "Authentication Key" is enabled using the command below: 

- show router ldp tcp-session-parameters | match "Authentication Key"

Authentication Key : Enabled

If authentication is not being used for the LDP sessions using a FIPS-approved message authentication code algorithm, this is a finding.

Fix Text

Configure all targeted LDP sessions using a FIPS-approved message authentication code algorithm, as shown in the example below:

- configure router ldp tcp-session-parameters authentication-key pass123