The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Federal Information Processing Standard (FIPS) 140-2 is an U.S. and Canadian government certification standard that defines requirements that the cryptographic modules must follow. The FIPS specifies best practices for implementing cryptographic algorithms, handling key material and data buffers, and working with the operating system.
In Cisco IOS XR software, these applications are verified for FIPS compliance:
Secure Shell (SSH)
Secure Socket Layer (SSL)
Transport Layer Security (TLS)
Internet Protocol Security (IPSec) for Open Shortest Path First version 3 (OSPFv3)
Simple Network Management Protocol version 3 (SNMPv3)
AAA Password Security
 Note |
Any process that uses any of the following cryptographic algorithms is considered non-FIPS compliant:
|
The Cisco Common Cryptographic Module (C3M) provides cryptographic services to a wide range of the networking and collaboration products of Cisco. This module provides FIPS-validated cryptographic algorithms for services such as RTP, SSH, TLS, 802.1x, and so on. The C3M provides cryptographic primitives and functions for the users to develop any protocol.
By integrating with C3M, the Cisco IOS-XR software is compliant with the FIPS 140-2 standards and can operate in FIPS mode, level 1 compliance.
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command.
If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Perform these tasks to configure FIPS.
| Step 1 |
configure Example:Enters global configuration mode. |
||
| Step 2 |
crypto fips-mode Example:Enters FIPS configuration mode.
|
||
| Step 3 |
Use the commit or end command. commit —Saves the configuration changes and remains within the configuration session.
|
||
| Step 4 |
show logging Example:Displays the contents of logging buffers.
|
||
| Step 5 |
reload location all Example:Reloads a node or all nodes on a single chassis or multishelf system. |
Perform these steps to configure the FIPS-compliant keys:
Note |
The crypto keys are auto-generated at the time of router boot up. You need to perform these steps to generate the keys only if the keys are missing under some scenarios. |
Refer the configuration steps in the Enable FIPS mode section for enabling the FIPS mode.
| Step 1 |
crypto key generate rsa [usage-keys | general-keys] key label Example:Generate a RSA key pair. Ensure that all the key pairs meet the FIPS requirements. The RSA key sizes allowed under FIPS mode are 2048, 3072 and 4096. The option usage-keys generates separate RSA key pairs for signing and encryption. The option general-keys generates a general-purpose RSA key pair for signing and encryption. To delete the RSA key pair, use the crypto key zeroize rsa keypair-label command. |
| Step 2 |
crypto key generate dsa Example:Generate a DSA key pair if required. Ensure that all the key pairs meet the FIPS requirements. The DSA key size allowed under FIPS mode is 2048. To delete the DSA key pair, use the crypto key zeroize dsa keypair-label command. |
| Step 3 |
crypto key generate ecdsa Example:Generate a ECDSA key pair if required. Ensure that all the key pairs meet the FIPS requirements. The ECDSA key sizes allowed under FIPS mode are nistp256 , nistp384 and nistp512 . To delete the DSA key pair, use the crypto key zeroize ecdsa keypair-label command. |
| Step 4 |
show crypto key mypubkey rsa Example:Displays the existing RSA key pairs |
| Step 5 |
show crypto key mypubkey dsa Example:Displays the existing DSA key pairs |
Perform these steps to configure the FIPS-compliant key chain:
Refer the configuration steps in the Enable FIPS mode section for enabling the FIPS mode.
| Step 1 |
configure Example:Enters the global configuration mode. |
| Step 2 |
key chain key-chain-name Example:Creates a key chain. |
| Step 3 |
key key-id Example:Creates a key in the key chain. |
| Step 4 |
cryptographic-algorithm { HMAC-SHA1-20 | SHA-1} Example:Configures the cryptographic algorithm for the key chain. Ensure that the key chain configuration always uses SHA-1 as the hash or keyed hash message authentication code (hmac) algorithm. |
| Step 5 |
Use the commit or end command. commit —Saves the configuration changes and remains within the configuration session.
|
Perform these steps to configure the FIPS-compliant certificates:
Refer the configuration steps in the Enable FIPS mode section for enabling the FIPS mode.
| Step 1 |
configure Example:Enters global configuration mode. |
||
| Step 2 |
crypto ca trustpoint ca-name key label Example:Configures the trustpoint by utilizing the desired RSA keys. Ensure that the certificates meet the FIPS requirements for key length and signature hash or encryption type.
|
||
| Step 3 |
Use the commit or end command. commit —Saves the configuration changes and remains within the configuration session.
|
||
| Step 4 |
show crypto ca certificates Example:Displays the information about the certificate |
Perform these steps to configure the FIPS-compliant OSPFv3:
Refer the configuration steps in the Enable FIPS mode section for enabling the FIPS mode.
| Step 1 |
configure Example:Enters global configuration mode. |
||
| Step 2 |
router ospfv3 process name Example:Configures the OSPFv3 process. |
||
| Step 3 |
area id Example:Configures the OSPFv3 area ID. The ID can either be a decimal value or an IP address. |
||
| Step 4 |
authentication{ disable | ipsec spi spi-value sha1 [ clear | password] password} Example:Enables authentication for OSPFv3. Note that the OSPFv3 configuration supports only SHA-1 for authentication.
|
||
| Step 5 |
exit Example:Exits OSPFv3 area configuration and enters the OSPFv3 configuration mode. |
||
| Step 6 |
encryption{ disable | { ipsec spi spi-value esp { 3des | aes [ 192 | 256] [ clear | password] encrypt-password} [ authentication sha1[ clear | password] auth-password] } } Example:
Ensure that SHA1 is chosen if the authentication option is specified. |
||
| Step 7 |
Use the commit or end command. commit —Saves the configuration changes and remains within the configuration session.
|
Perform these steps to configure the FIPS-compliant SNMPv3 server:
Refer the configuration steps in the Enable FIPS mode section for enabling the FIPS mode.
| Step 1 |
configure Example:Enters the global configuration mode. |
| Step 2 |
snmp-server user username groupname { v3 [ auth sha { clear | encrypted} auth-password [ priv { 3des | aes { 128 | 192 | 256} } { clear | encrypted } priv-password] ] } [ SDROwner | SystemOwner] access-list-name Example:Configures the SNMPv3 server. |
| Step 3 |
Use the commit or end command. commit —Saves the configuration changes and remains within the configuration session.
|
Perform these steps to configure the FIPS-compliant SSH Client and the Server:
Refer the configuration steps in the Enable FIPS mode section for enabling the FIPS mode.
| Step 1 |
ssh { ipv4-address | ipv6-address} cipher aes { 128-CTR | 192-CTR | 256-CTR} username username Example:Starts an SSH session to the server using the FIPS-approved ciphers. Ensure that the SSH client is configured only with the FIPS-approved ciphers. AES(Advanced Encryption Standard)-CTR (Counter mode) is the FIPS-compliant cipher algorithm with key lengths of 128, 192 and 256 bits. |
| Step 2 |
configure Example:Enters global configuration mode. |
| Step 3 |
ssh server v2 Example:Configures the SSH server. The supported key exchange algorithms are:
The supported cipher algorithms are:
The supported HMAC algorithms are:
|
| Step 4 |
Use the commit or end command. commit —Saves the configuration changes and remains within the configuration session.
|
Feedback