Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14705 | NET-IPV6-033 | SV-15425r1_rule | ECSC-1 | Medium |
Description |
---|
The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF behaves more predictably when presented with large volumes of traffic addressed to many destinations—such as a SYN flood attacks that. Because many SYN flood attacks use randomized source addresses to which the hosts under attack will reply to, there can be a substantial amount of traffic for a large number of destinations that the router will have to handle. Consequently, routers configured for CEF will perform better under SYN floods directed at hosts inside the network than routers using the traditional cache. Note: Juniper’s FPC (Flexible PIC Concentrator) architecture with the integrated Packet Forwarding Engine provides similar functionality and capabilities and is far superior than the traditional routing cache that is vulnerable to a DoS attack described above. The forwarding plane on all Juniper M and T Series platforms are built around this architecture and therefore is not configurable. The forwarding plane on all Juniper M and T Series platforms are built around the FPC (Flexible PIC Concentrator) architecture that has similar capabilities as CEF. FPC is not configurable and is totally integrated with the Packet Forwarding Engine; hence, this will always be not a finding. |
STIG | Date |
---|---|
Infrastructure Router Security Technical Implementation Guide Cisco | 2018-03-06 |
Check Text ( C-12892r1_chk ) |
---|
IOS Procedure: Review all Cisco routers to ensure that CEF has been enabled. The configuration should look similar to the following: ipv6 cef |
Fix Text (F-14170r1_fix) |
---|
The IAO will ensure that the ipv6 cef command has been configured on Cisco routers. |