Cisco ASR 1000 Series Routers With MACsec


Cisco ASR 1000 Series Routers with MACsec

Firmware version: Cisco IOS-XE 16.12
Hardware versions: ASR1001-HX, ASR1002-HX, ASR1006-X, and ASR1009-X
Embedded Services Processor (ESP) Hardware versions: ASR1000-ESP40, ASR1000-ESP100 and ASR1000-ESP200
Route Processor (RP) Hardware versions: ASR-1000-RP2, and ASR-1000-RP3
Modular Interface Processor Hardware versions: ASR1000-MIP100
Line Card Hardware versions: EPA-10X10GE, and EPA-1X40GE QSFP

FIPS-140 Non-Proprietary Security Policy - Security Level 1

Cisco Systems, Inc.
Version 1.2

Copyright 2021 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Table of Contents

1 Introduction ... 1
1.1 References ... 1
1.2 FIPS 140-2 Submission Package ... 1
2 Module Description ... 2
2.1 Cisco ASR (1001-HX, 1002-HX, 1006-X, and 1009-X) ... 2
2.2 Embedded Services Processor (40, 100 and 200 Gbps) ... 6
2.3 Router Processor (RP2, RP3) ... 7
2.4 ASR 1000 Series Modular Interface Processor (ASR1000-MIP100) ... 8
2.5 Validated and Vendor Affirmed Hardware ... 9
2.6 FIPS and non-FIPS modes of operation ... 10
2.7 Module Validation Level ... 10
3 Cryptographic Boundary ... 10
4 Cryptographic Module Ports and Interfaces ... 11
5 Roles, Services, and Authentication ... 15
5.1 User Services ... 15
5.2 Cryptographic Officer Services ... 16
5.3 Unauthenticated User Services ... 17
6 Cryptographic Key/CSP Management ... 18
6.1 User Services and CSP Access ... 26
6.2 Crypto Officer Services and CSP Access ... 27
7 Cryptographic Algorithms ... 29
7.1 Approved Cryptographic Algorithms ... 29
7.2 Non-Approved Algorithms allowed for use in FIPS-mode ... 31
7.3 Non-Approved Algorithms ... 31
7.4 Self-Tests ... 32
8 Physical Security ... 34
9 Secure Operation ... 35
9.1 System Initialization and Configuration ... 35
9.2 IPsec Requirements and Cryptographic Algorithms ... 36
9.3 Protocols ... 37
9.4 Remote Access ... 37
9.5 Key Strength ... 37
10 Related Documentation ... 37
11 Definitions List ... 38

1 Introduction

This is a non-proprietary Cryptographic Module Security Policy for Cisco ASR 1K network router modules. This security policy describes how the modules meet the security requirements of FIPS 140-2 and how to run the modules in a FIPS 140-2 mode of operation.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website.

1.1 References

This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources:

- The Cisco Systems website (http://www.cisco.com) contains information on the full line of products from Cisco Systems.
- The NIST Cryptographic Module Validation Program (…html) contains contact information for answers to technical or sales-related questions for the module.

1.2 FIPS 140-2 Submission Package

The security policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the submission package includes:

- Vendor Evidence
- Finite State Machine
- Other supporting documentation as additional references

With the exception of this non-proprietary security policy, the FIPS 140-2 validation documentation is proprietary to Cisco Systems, Inc. and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems, Inc. See the “Obtaining Technical Assistance” section for more information.

2 Module Description

2.1 Cisco ASR (1001-HX, 1002-HX, 1006-X, and 1009-X)

The Cisco ASR 1000 Series Routers (1001-HX, 1002-HX, 1006-X, and 1009-X) are highly scalable WAN and Internet Edge router platforms that deliver embedded hardware acceleration for multiple Cisco IOS Software services without the need for separate service blades. In addition, the Cisco ASR 1000 Series Router is designed for business-class resiliency, featuring redundant Route and Embedded Services Processors, as well as software-based redundancy.

With routing performance and IPsec Virtual Private Network (VPN) acceleration around ten-fold that of previous midrange aggregation routers with services enabled, the Cisco ASR 1000 Series Routers provide a cost-effective approach to meeting the latest services aggregation requirements. This is accomplished while still leveraging existing network designs and operational best practices.

Figure 1: ASR 1001-HX

Figure 2: ASR 1002-HX

The EPA-18X1GE was not part of the tested configuration.

Figure 3: ASR 1002-HX Overall Chassis View

Figure 4: ASR 1006-X

Figure 5: ASR 1006-X Overall Chassis View

Figure 6: ASR 1009-X

Figure 7: ASR 1009-X Overall Chassis View

2.2 Embedded Services Processor (40, 100 and 200 Gbps)

The Cisco ASR 1000 Series Embedded Service Processors (ESPs) are based on the innovative, industry-leading Cisco QuantumFlow Processor for next-generation forwarding and queuing in silicon. These components use the first generation of the hardware and software architecture known as Cisco QuantumFlow Processor. The 40-, 100-, and 200-Gbps Cisco ASR 1000 Series ESPs provide centralized forwarding-engine options for the Cisco ASR 1000 Series Aggregation Services Routers.

Figure 8: ESPs (ESP40, ESP100, ESP200)

The Cisco ASR 1000 Series ESPs are responsible for the data-plane processing tasks, and all network traffic flows through them. The modules perform all baseline packet routing operations, including MAC classification, Layer 2 and Layer 3 forwarding, quality-of-service (QoS) classification, policing and shaping, security access control lists (ACLs), VPN, load balancing, and NetFlow.

*It should be noted that the ASR1001-HX and ASR1002-HX use an integrated ESP. They do not have a distinct part number but are referred to as the ESP2.5.

2.3 Router Processor (RP2, RP3)

The Cisco ASR 1000 Series Route Processors running Cisco IOS-XE 16.12 address the route-processing requirements of carrier-grade IP and Multiprotocol Label Switching (MPLS) packet infrastructures. Not only do they provide advanced routing capabilities, but they also monitor and manage the other components in the Cisco ASR 1000 Series Aggregation Services Router.

*It should be noted that the ASR1001-HX and ASR1002-HX employ an integrated RP.

Figure 9: (a) RP2 and (b) RP3

Figure 10: RP LEDs and USBs

Figure 11: RP Connections

2.4 ASR 1000 Series Modular Interface Processor (ASR1000-MIP100)

The Cisco ASR 1000 Series Modular Interface Processor (ASR1000-MIP100) (Figure 7) is a full-duplex 100-Gbps modular Ethernet line card that is capable of hosting up to two Cisco ASR 1000 Series Ethernet Port Adapters (EPAs) (Figures 8 and 9). The EPAs are new interface cards that introduce 40 Gigabit Ethernet and 100 Gigabit Ethernet connectivity to the Cisco ASR 1000 Series.

Figure 12: ASR1000-MIP100

Figure 13: EPA-10X10GE

Figure 14: EPA-1X40GE QSFP

2.5 Validated and Vendor Affirmed Hardware

The validated configurations are comprised of the following components:

Chassis:
1. ASR1001-HX
2. ASR1002-HX
3. ASR1006-X
4. ASR1009-X

Embedded Service Processors (ESP):
1. ASR1000-ESP40
2. ASR1000-ESP100
3. ASR1000-ESP200

Line Cards (LC):
1. EPA-10X10GE
2. EPA-1X40GE QSFP

Route Processors (RP):
1. ASR-1000-RP2
2. ASR-1000-RP3

Hardware Configurations

| Chassis     | Route Processor     | Embedded Services Processor          | Line Card                    |
|-------------|---------------------|--------------------------------------|------------------------------|
| ASR 1001-HX | Fixed configuration | Fixed configuration                  | Not Applicable               |
| ASR 1002-HX | Fixed configuration | Fixed configuration                  | Not Applicable               |
| ASR 1006-X  | Dual RP2            | Dual ESP40, Dual ESP100              | EPA-10X10GE, EPA-1X40GE QSFP |
|             | Dual RP3            | Dual ESP40, Dual ESP100              |                              |
| ASR 1009-X  | Dual RP2            | Dual ESP40, Dual ESP100, Dual ESP200 | EPA-10X10GE, EPA-1X40GE QSFP |
|             | Dual RP3            | Dual ESP40, Dual ESP100, Dual ESP200 |                              |

Table 1: Module Hardware Configurations running Cisco IOS-XE 16.12

Vendor Affirmed Hardware Configurations

| Chassis    | Route Processor     | Embedded Services Processor          | Line Card                                                                    |
|------------|---------------------|--------------------------------------|------------------------------------------------------------------------------|
| ASR 1001-X | Fixed configuration | Fixed configuration                  | Not Applicable                                                               |
| ASR 1013   | Dual RP2            | Dual ESP40, Dual ESP100, Dual ESP200 | EPA-18X1GE, EPA-1X100GE, EPA-CPAK-2X40GE, EPA-1X100GE QSFP, EPA-2X40GE QSFP |
|            | Dual RP3            | Dual ESP40, Dual ESP100, Dual ESP200 |                                                                              |

Table 2: Vendor Affirmed Models (1)

(1) Vendor affirmed devices use the same firmware image (Cisco IOS-XE 16.12) as the modules tested. No claim to conformance can be made as these models were not tested by a CSTL or reviewed by CMVP.

2.6 FIPS and non-FIPS modes of operation

The ASR 1000 Series Routers support a FIPS and a non-FIPS mode of operation. The non-FIPS mode of operation is not a recommended operational mode, but because the module allows for non-approved algorithms and non-approved key sizes, a non-approved mode of operation exists. The following services are available in both a FIPS and a non-FIPS mode of operation:

- SSH
- TLS
- IPSec
- SNMPv3
- MACsec

When the services are used in non-FIPS mode they are considered to be non-compliant. If the device is in the non-FIPS mode of operation, the Cryptographic Officer must follow the instructions in section 9.1 of this security policy to transfer into a FIPS approved mode of operation.

2.7 Module Validation Level

The following table lists the level of validation for each area in the FIPS PUB 140-2.

| No.     | Area Title                                                  | Level |
|---------|-------------------------------------------------------------|-------|
| 1       | Cryptographic Module Specification                          | 1     |
| 2       | Cryptographic Module Ports and Interfaces                   | 1     |
| 3       | Roles, Services, and Authentication                         | 3     |
| 4       | Finite State Model                                          | 1     |
| 5       | Physical Security                                           | 1     |
| 6       | Operational Environment                                     | N/A   |
| 7       | Cryptographic Key Management                                | 1     |
| 8       | Electromagnetic Interference/Electromagnetic Compatibility  | 1     |
| 9       | Self-Tests                                                  | 1     |
| 10      | Design Assurance                                            | 3     |
| 11      | Mitigation of Other Attacks                                 | N/A   |
| Overall | Overall module validation level                             | 1     |

Table 3: Module Validation Level

3 Cryptographic Boundary

The cryptographic boundary for the Cisco ASR 1001-HX, ASR 1002-HX, ASR 1006-X, and ASR 1009-X is defined as encompassing the “top,” “bottom,” “front,” “back,” “left” and “right” surfaces of the case, and all portions of the "backplane" of the case.

4 Cryptographic Module Ports and Interfaces

Each module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to four FIPS 140-2 defined logical interfaces: data input, data output, control input, and status output. The logical interfaces and their mapping are described in the following tables:

| FIPS 140-2 Logical Interface | Physical Interfaces |
|------------------------------|---------------------|
| Data Input Interface    | Ethernet Ports (16), Console Port (1), Auxiliary Port (1), 10/100 Management Ethernet Port (1), Backplane (1) |
| Data Output Interface   | Ethernet Ports (16), Console Port (1), Auxiliary Port (1), 10/100 Management Ethernet Port (1), Backplane (1) |
| Control Input Interface | Ethernet Ports (16), Console Port (1), USB Ports (2), Auxiliary Port (1), 10/100 BITS RJ-48 Port (2), 10/100 Management Ethernet Port (1), Power Switch (1), Backplane (1) |
| Status Output Interface | Ethernet Ports (16), LEDs, USB Ports (2), Console Port (1), Auxiliary Port (1), 10/100 Management Ethernet Port (1), Backplane (1) |
| Power interface         | Power Plug(s) |

Table 4: ASR 1001-HX

| FIPS 140-2 Logical Interface | Physical Interfaces |
|------------------------------|---------------------|
| Data Input Interface    | Port Adapter Interface (2), Console Port (1), Auxiliary Port (1), 10/100 Management Ethernet Port (1), GigE port (16), Backplane (1) |
| Data Output Interface   | Port Adapter Interface (2), Console Port (1), Auxiliary Port (1), 10/100 Management Ethernet Port (1), GigE port (16), Backplane (1) |
| Control Input Interface | Port Adapter Interface (2), Console Port (1), Auxiliary Port (1), 10/100 BITS Ethernet Port (1), 10/100 Management Ethernet Port (1), USB Ports (2), GigE port (16), Power Switch (1), Backplane (1) |
| Status Output Interface | Port Adapter Interface (2), Console Port (1), Auxiliary Port (1), 10/100 Management Ethernet Port (1), LEDs (2), USB Ports (2), GigE port (16), Backplane (1) |
| Power interface         | Power Plug(s) |

Table 5: ASR 1002-HX

| FIPS 140-2 Logical Interface | Physical Interfaces |
|------------------------------|---------------------|
| Data Input Interface    | Port Adapter Interface (6), Console Port (1), Auxiliary Port (1 per RP), 10/100 Management Ethernet Port (1 per RP), GigE port (10), Backplane (1) |
| Data Output Interface   | Port Adapter Interface (6), Console Port (1), Auxiliary Port (1 per RP), 10/100 Management Ethernet Port (1 per RP), GigE port (10), Backplane (1) |
| Control Input Interface | Port Adapter Interface (6), Console Port (1), USB Ports (2 per RP), Auxiliary Port (1 per RP), 10/100 BITS Ethernet Port (1 per RP), 10/100 Management Ethernet Port (1 per RP), Backplane (1), Power Switch |
| Status Output Interface | Port Adapter Interface (6), LEDs, USB Ports (2 per RP), Console Port (1), Auxiliary Port (1 per RP), Backplane (1), 10/100 Management Ethernet Port (1 per RP) |
| Power interface         | Power Plug(s) |

Table 6: ASR 1006-X with dual RP 2 or RP 3 and dual ESP40 or ESP100

| FIPS 140-2 Logical Interface | Physical Interfaces |
|------------------------------|---------------------|
| Data Input Interface    | Port Adapter Interface (7), Console Port (1 per RP), Auxiliary Port (1 per RP), 10/100 Management Ethernet Port (1 per RP), GigE port (10), QSFP (1) |
| Data Output Interface   | Port Adapter Interface (7), Console Port (1 per RP), Auxiliary Port (1 per RP), 10/100 Management Ethernet Port (1 per RP), GigE port (10), QSFP (1) |
| Control Input Interface | Port Adapter Interface (7), Console Port (1 per RP), USB Ports (2 per RP), Auxiliary Port (1 per RP), 10/100 BITS Ethernet Port (1 per RP), 10/100 Management Ethernet Port (1 per RP), Power Switch |
| Status Output Interface | Port Adapter Interface (7), LEDs, USB Ports (2 per RP), Console Port (1 per RP), Auxiliary Port (1 per RP), 10/100 Management Ethernet Port (1 per RP) |
| Power interface         | Power Plug(s) |

Table 7: ASR 1009-X with dual RP 2 or RP 3 and dual ESP40 or ESP 100 or ESP 200

5 Roles, Services, and Authentication

Authentication is identity-based. Each user is authenticated upon initial access to the module. There are two main roles in the router that operators may assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role in order to configure and maintain the router using Crypto Officer services, while the Users exercise only the basic User services. The module supports RADIUS and TACACS for authentication. A complete description of all the management and configuration capabilities of the modules can be found in the Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide Manual (2) and in the online help for the modules.

(2) Link located in Section 10.

The User and Crypto Officer passwords and all shared secrets must each be at least eight (8) characters long, including at least one letter and at least one number character (enforced procedurally). See the Secure Operation section for more information. If six (6) integers, one (1) special character and one (1) alphabetic character are used without repetition for an eight (8) character PIN, the probability of randomly guessing the correct sequence is one (1) in 251,596,800. This calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 integer digits, 52 alphabetic characters, and 32 special characters, providing 94 characters to choose from in total. Since it is claimed to be for 8 characters with no repetition, the calculation is 10 x 9 x 8 x 7 x 6 x 5 x 32 x 52. Successfully guessing the sequence in one minute would require the ability to make over 4,193,280 guesses per second, which far exceeds the operational capabilities of the module.

Additionally, when using RSA-based authentication, the RSA key pair has a modulus size of either 2048 or 3072 bits, thus providing at least 112 bits of strength. Assuming the low end of that range (2048 bits), an attacker would have a 1 in 2^112 chance of randomly obtaining the key, which is much stronger than the one-in-a-million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 8.6 x 10^31 (5.2 x 10^33 / 60 = 8.6 x 10^31) attempts per second, which far exceeds the operational capabilities of the modules to support.

It should be noted that the same services are available to both Users and Cryptographic Officers, regardless of whether or not they are in a non-FIPS approved mode of operation or a FIPS approved mode of operation.

5.1 User Services

A User enters the system by accessing the console/auxiliary port with a terminal program or SSH v2 session to a LAN port or the 10/100 management Ethernet port. The module prompts the User for their username/password combination. If the username/password combination is correct, the User is allowed entry to the module management functionality. The services available to the User role consist of the following:

- Status Functions - View state of interfaces and protocols, firmware version
- Terminal Functions - Adjust the terminal session (e.g., lock the terminal, adjust flow control)
- Directory Services - Display directory of files kept in memory
- Perform Self-Tests – Perform the FIPS 140 start-up tests on demand
- Perform Cryptography – Use the cryptography provided by the module:
  o SSH
  o TLS
  o IPSec
  o SNMPv3
  o MACsec

5.2 Cryptographic Officer Services

A Crypto Officer enters the system by accessing the console/auxiliary port with a terminal program or SSH v2 session to a LAN port or the 10/100 management Ethernet port. The Crypto Officer authenticates in the same manner as a User. The Crypto Officer is identified by accounts that have a privilege level 15 (versus the privilege level 1 for users). A Crypto Officer may assign permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers.

The Crypto Officer role is responsible for the configuration and maintenance of the router. The Crypto Officer services consist of the following:

- Configure the module - Define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information.
- Define Rules and Filters - Create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.
- Status Functions - View the module configuration, routing tables, active sessions, use get commands to view SNMP MIB statistics, health, temperature, memory status, voltage, packet statistics, review accounting logs, and view physical interface status.
- Manage the module - Log off users, shut down or reload the router, manually back up router configurations, view complete configurations, manage user rights, initiate power-on self-tests on demand and restore router configurations.
- Set Encryption - Set up the configuration tables for IP tunneling. Set keys and algorithms to be used for each IP range or allow plaintext packets to be sent from specified IP addresses.
- Perform Self-Tests – Perform the FIPS 140 start-up tests on demand.
- Zeroization – Erasing electronically stored data, cryptographic keys, and CSPs by altering or deleting the contents of the data storage to prevent recovery of the data.

5.3 Unauthenticated User Services

The services for someone without an authorized role are to view the status output from the module’s LED pins and cycle power.
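As an added illustration (not part of the Cisco policy), the following Python reproduces the Section 5 authentication-strength arithmetic (the 251,596,800-password space, the 4,193,280 guesses-per-second figure and the 2^112 RSA case) and generalises it to any mix of character classes, with or without repetition, so a reviewer can re-derive a policy's numbers and check them against the two FIPS 140-2 probability limits. The character pools and the 2048-bit/112-bit figure come from the policy; the 3072-bit/128-bit mapping is SP 800-57's, and the 60 login attempts per minute used as the module's rate is an assumption, since the policy quotes no figure.

```python
"""FIPS 140-2 authentication-strength arithmetic.

Added example; not part of the Cisco security policy. It reproduces the
Section 5 figures and generalises the password count to any mix of
character classes so a policy's claimed numbers can be re-derived.
"""
from fractions import Fraction
from math import perm

# FIPS 140-2 Section 4.3 limits on the probability that a random
# authentication attempt succeeds.
SINGLE_ATTEMPT_LIMIT = Fraction(1, 1_000_000)   # any single attempt
ONE_MINUTE_LIMIT = Fraction(1, 100_000)         # all attempts within 60 s

# Character pools the policy assumes for a US QWERTY keyboard (94 total).
POOLS = {"digit": 10, "letter": 52, "special": 32}

# Security strength of the RSA moduli the policy allows (SP 800-57 values;
# the policy itself states 2048 bits -> at least 112 bits of strength).
RSA_STRENGTH_BITS = {2048: 112, 3072: 128}


def password_space(pattern: dict, distinct: bool = True) -> int:
    """Count passwords whose positions are fixed to the given classes.

    pattern maps a pool name to how many characters are drawn from it.
    With distinct=True a pool of n characters drawn k times contributes
    the falling factorial n*(n-1)*...*(n-k+1), which is the policy's
    "no repetition" assumption (10x9x8x7x6x5 for six digits); with
    distinct=False each pool contributes n**k.
    """
    total = 1
    for pool, k in pattern.items():
        n = POOLS[pool]
        if distinct and k > n:
            raise ValueError(f"cannot draw {k} distinct characters from {n} {pool}s")
        total *= perm(n, k) if distinct else n ** k
    return total


def security_strength_space(bits: int) -> int:
    """Effective number of candidates for a key of the given strength."""
    return 1 << bits


def attempts_per_second_to_exhaust_in_minute(space: int) -> int:
    """Guess rate needed to try every candidate within 60 seconds.

    This is the quantity the policy reports: 4,193,280 guesses/s for the
    password case and about 8.6 x 10^31 for the 112-bit RSA case.
    """
    return space // 60


def max_attempts_per_minute_allowed(space: int) -> int:
    """Most attempts in one minute that keep success below 1/100,000."""
    # attempts / space < 1/100000  <=>  attempts < space / 100000
    return (space - 1) // 100_000


def meets_fips_140_2(space: int, module_attempts_per_minute: int) -> dict:
    """Evaluate both FIPS 140-2 thresholds for one authentication method.

    module_attempts_per_minute is the rate the module can actually process;
    the policy gives no number, so callers supply an assumed value.
    """
    return {
        "single_attempt": Fraction(1, space) < SINGLE_ATTEMPT_LIMIT,
        "one_minute": Fraction(module_attempts_per_minute, space) < ONE_MINUTE_LIMIT,
    }


if __name__ == "__main__":
    pw = password_space({"digit": 6, "special": 1, "letter": 1})
    print(f"password space: {pw:,} (1 in {pw:,} per guess)")
    print(f"guesses/s to exhaust in one minute: {attempts_per_second_to_exhaust_in_minute(pw):,}")
    print(f"max attempts/minute under 1/100,000: {max_attempts_per_minute_allowed(pw):,}")
    # Assumed module rate: 60 console/SSH login attempts per minute.
    print("FIPS 140-2 checks (60 attempts/min assumed):", meets_fips_140_2(pw, 60))
    rsa = security_strength_space(RSA_STRENGTH_BITS[2048])
    print(f"RSA-2048 guesses/s to exhaust in one minute: {attempts_per_second_to_exhaust_in_minute(rsa):.1e}")
```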

6 Cryptographic Key/CSP Management

The module securely administers both cryptographic keys and other critical security parameters such as passwords. All keys and CSPs are protected by the password protection of the Crypto Officer role login and can be zeroized by the Crypto Officer. Zeroization consists of overwriting the memory that stored the key or refreshing the volatile memory. Keys are exchanged and entered electronically or via Internet Key Exchange (IKE), TLS or SSH.

The module supports the following critical security parameters (CSPs). Each entry lists the Key/CSP Name, Key Type, Description, Storage, Generation, Input/Output and Zeroization:

General Keys/CSPs

DRBG entropy input
  Key Type: CTR (using AES-256), 256-bit
  Description: This is the entropy for SP 800-90 RNG.
  Storage: DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Power cycle the device

DRBG Seed (IOS XE)
  Key Type: CTR (using AES-256), 384-bits
  Description: This DRBG seed is collected from the onboard Cavium cryptographic processor.
  Storage: DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Automatically every 400 bytes or turn off the router.

DRBG V
  Key Type: CTR (using AES-256), 256-bit
  Description: Internal V value used as part of SP800-90 CTR DRBG
  Storage: DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Power cycle the device

DRBG Key
  Key Type: CTR (using AES-256), 256-bit
  Description: Internal Key value used as part of SP800-90 CTR DRBG
  Storage: DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Power cycle the device

Diffie-Hellman Shared Secret
  Key Type: DH 2048 – 4096 bits
  Description: The shared exponent used in Diffie-Hellman (DH) exchange. Created per the Diffie-Hellman protocol.
  Storage: DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Zeroized upon deletion.

Diffie-Hellman private key
  Key Type: DH 224-379 bits
  Description: The private exponent used in Diffie-Hellman (DH) exchange. This CSP is created using the SP800-90 CTR DRBG.
  Storage: DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Zeroized upon deletion.

Diffie-Hellman public key
  Key Type: DH 2048 – 4096 bits
  Description: The p used in Diffie-Hellman (DH) exchange. This CSP is created using the SP800-90 CTR DRBG.
  Storage: DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Zeroized upon deletion.

EC Diffie-Hellman private key
  Key Type: ECDH (Curves: P-256, P-384)
  Description: Used for key agreement
  Storage: DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Power cycle the device

EC Diffie-Hellman public key
  Key Type: ECDH (Curves: P-256, P-384)
  Description: Used for key agreement
  Storage: DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Power cycle the device

EC Diffie-Hellman shared secret
  Key Type: ECDH (Curves: P-256, P-384)
  Description: Used for key agreement
  Storage: DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Power cycle the device

Operator password
  Key Type: Password, at least eight characters
  Description: The password of the operator. This CSP is entered by the Cryptographic Officer.
  Storage: NVRAM (plaintext)
  Generation: Externally generated and entered by the User and/or CO when logging in
  Input/Output: Never output from the module
  Zeroization: Overwrite with new password

Enable password
  Key Type: Password, at least eight characters
  Description: The plaintext password of the CO role. This CSP is entered by the Cryptographic Officer.
  Storage: NVRAM (plaintext)
  Generation: Externally generated and entered by the CO.
  Input/Output: Never output from the module
  Zeroization: Overwrite with new password

Enable secret
  Key Type: Password, at least eight characters
  Description: The obfuscated password of the CO role. However, the algorithm used to obfuscate this password is not FIPS approved. Therefore, this password is considered plaintext for FIPS purposes. This password is zeroized by overwriting it with a new password. The Cryptographic Operator optionally configures the module to obfuscate the Enable password. This CSP is entered by the Cryptographic Officer.
  Storage: NVRAM (plaintext)
  Generation: Externally generated and entered by the CO.
  Input/Output: Never output from the module
  Zeroization: Overwrite with new password

RADIUS secret
  Key Type: Shared Secret, 16 characters
  Description: The RADIUS shared secret. This CSP is entered by the Cryptographic Officer.
  Storage: NVRAM (plaintext)
  Generation: Externally generated and entered by the CO.
  Input/Output: Never output from the module
  Zeroization: # no radius server key

RADIUS Over IPSec Encryption Key
  Key Type: AES-CBC, AES-GCM, AES-128/AES-256
  Description: Encryption/decryption key, used in IPSec tunnel between module and RADIUS to encrypt/decrypt EAP keys.
  Storage: NVRAM (plaintext), DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Power Cycle

RADIUS Over IPSec Integrity Key
  Key Type: HMAC
  Description: Integrity/authentication key, used in IPSec tunnel between module and RADIUS.
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Power Cycle

TACACS secret
  Key Type: Shared Secret, 16 characters
  Description: The TACACS shared secret. This CSP is entered by the Cryptographic Officer.
  Generation: Externally generated and entered by the CO.
  Input/Output: Never output from the module
  Zeroization: # no tacacs server key

IKE/IPSec

skeyid
  Key Type: HMAC SHA-1, 160-bits
  Description: Value derived per the IKE protocol based on the peer authentication method chosen.
  Storage: DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
  Zeroization: Automatically after IKE session terminated.

skeyid_a
  Key Type: HMAC SHA-1, 160-bits
  Description: The IKE key derivation key for non-ISAKMP security associations.
  Storage: DRAM (plaintext)
  Generation: Generated internally via a call to the DRBG.
  Input/Output: Never output from the module
