
The administrator will enable CEF to improve router stability during a SYN flood attack in an IPv6 enclave.


Overview

Finding ID: V-14705
Version: NET-IPV6-033
Rule ID: SV-15425r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF behaves more predictably when presented with large volumes of traffic addressed to many destinations, such as during a SYN flood attack. Because many SYN flood attacks use randomized source addresses, to which the hosts under attack will reply, the router must handle a substantial amount of traffic bound for a large number of destinations. Consequently, routers configured for CEF will perform better under SYN floods directed at hosts inside the network than routers using the traditional cache. Note: Juniper's FPC (Flexible PIC Concentrator) architecture with the integrated Packet Forwarding Engine provides similar functionality and capabilities and is far superior to the traditional routing cache that is vulnerable to the DoS attack described above. The forwarding plane on all Juniper M and T Series platforms is built around the FPC architecture, which is totally integrated with the Packet Forwarding Engine and is not configurable; hence, on these platforms this will always be Not a Finding.
STIG: Infrastructure Router Security Technical Implementation Guide Cisco
Date: 2018-03-06

Details

Check Text ( C-12892r1_chk )
IOS Procedure: Review all Cisco routers to ensure that CEF has been enabled. The configuration should look similar to the following:

ipv6 cef
Fix Text (F-14170r1_fix)
The IAO will ensure that the ipv6 cef command has been configured on Cisco routers.
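A scripted version of the check and fix verification above, added here as an example and not part of the STIG or of any DISA tooling: it scans IOS running-config text for the global ipv6 cef command and reports a device as Open when the command is absent or explicitly negated. The device names and configurations are constructed samples, and the rule that "no ip cef" makes "ipv6 cef" ineffective reflects IOS requiring IPv4 CEF before IPv6 CEF can run.

```python
"""Audit Cisco IOS running-configs for V-14705 / NET-IPV6-033 (ipv6 cef)."""
import re

# Constructed sample running-configs for four devices (not captured from real routers).
CONFIGS = {
    "rtr-compliant": "hostname rtr-compliant\n!\nip cef\nipv6 unicast-routing\nipv6 cef\n!\n"
                     "interface GigabitEthernet0/0\n ipv6 address 2001:db8::1/64\n",
    "rtr-disabled": "hostname rtr-disabled\n!\nip cef\nipv6 unicast-routing\nno ipv6 cef\n",
    "rtr-missing": "hostname rtr-missing\n!\nip cef\nipv6 unicast-routing\n",
    "rtr-no-ipv4-cef": "hostname rtr-no-ipv4-cef\n!\nno ip cef\nipv6 unicast-routing\nipv6 cef\n",
}

# Match only the exact global enable/disable commands ('ipv6 cef accounting ...' is not one).
GLOBAL_CEF = re.compile(r"^(no\s+)?(ip|ipv6)\s+cef(?:\s+distributed)?$")


def cef_state(config: str) -> dict:
    """Return {'ip cef': True/False/None, 'ipv6 cef': True/False/None} from global lines.

    Indented lines belong to interface or other sub-mode contexts and are skipped;
    a later occurrence overrides an earlier one, as IOS applies configuration in order.
    None means the command is absent, so the platform default applies.
    """
    state = {"ip cef": None, "ipv6 cef": None}
    for line in config.splitlines():
        if line[:1] in (" ", "!"):
            continue
        m = GLOBAL_CEF.match(line.strip())
        if m:
            state[f"{m.group(2)} cef"] = m.group(1) is None
    return state


def check_v14705(config: str) -> tuple[str, str]:
    """Evaluate one device against the check text; return (status, reason)."""
    s = cef_state(config)
    if s["ipv6 cef"] is False:
        return "Open", "'no ipv6 cef' is configured"
    if s["ipv6 cef"] is None:
        return "Open", "'ipv6 cef' is absent from the running-config"
    if s["ip cef"] is False:
        # IOS requires IPv4 CEF for IPv6 CEF, so 'no ip cef' leaves 'ipv6 cef' ineffective.
        return "Open", "'ipv6 cef' present but 'no ip cef' disables CEF"
    return "NotAFinding", "'ipv6 cef' is configured"


if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        status, reason = check_v14705(cfg)
        print(f"{name:16} {status:12} {reason}")
```

Feed it the output of "show running-config" from each router; only a NotAFinding result satisfies the fix text, since an unnegated global ipv6 cef line is what the IAO is required to confirm.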