UCF STIG Viewer Logo

The router must have control plane protection enabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-19188 NET0966 SV-21167r2_rule Medium
Description
The Route Processor (RP) is critical to all network operations as it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Hence, any disruption to the RP or the control and management planes can result in mission critical network outages. In addition to control plane and management plane traffic that is in the router’s receive path, the RP must also handle other traffic that must be punted to the RP—that is, the traffic must be fast or process switched. This is the result of packets that must be fragmented, require an ICMP response (TTL expiration, unreachable, etc.) have IP options, etc. A DoS attack targeting the RP can be perpetrated either inadvertently or maliciously involving high rates of punted traffic resulting in excessive RP CPU and memory utilization. To maintain network stability, the router must be able to securely handle specific control plane and management plane traffic that is destined to it, as well as other punted traffic. Using the ingress filter on forwarding interfaces is a method that has been used in the past to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grow. Control plane policing can be used to increase security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.
STIG Date
Infrastructure Router Security Technical Implementation Guide Cisco 2018-11-27

Details

Check Text ( C-23285r3_chk )
Control Plane Policing (CoPP)

If supported by the router, CoPP should be used to increase security on Cisco routers by protecting the RP from unnecessary and malicious traffic. CoPP allows network operators to classify traffic based on importance that then enables the router to filter and rate limit the traffic according to the defined policy for each class.

Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration:

class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT

Step 2: Review the ACLs referenced by the match access-group commands to determine if the traffic is being classified appropriately. The following is an example configuration:

ip access-list extended CoPP_CRITICAL
remark our control plane adjacencies are critical
permit ospf host [OSPF neighbor A] any
permit ospf host [OSPF neighbor B] any
permit pim host [PIM neighbor A] any
permit pim host [PIM neighbor B] any
permit pim host [RP addr] any
permit igmp any 224.0.0.0 15.255.255.255
permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
deny ip any any

ip access-list extended CoPP_IMPORTANT
permit tcp host [TACACS server] eq tacacs any
permit tcp [management subnet] 0.0.0.255 any eq 22
permit udp host [SNMP manager] any eq snmp
permit udp host [NTP server] eq ntp any
deny ip any any

ip access-list extended CoPP_NORMAL
remark we will want to rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any

ip access-list extended CoPP_UNDESIRABLE
remark other management plane traffic that should not be received
permit udp any any eq ntp
permit udp any any eq snmptrap
permit tcp any any eq 22
permit tcp any any eq 23
remark other control plane traffic not configured on router
permit eigrp any any
permit udp any any eq rip
deny ip any any

ip access-list extended CoPP_DEFAULT
permit ip any any


Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.

Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration:


policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 256000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
class cp-default-in
police 64000 1000 conform-action transmit exceed-action drop


Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:

control-plane
service-policy input CONTROL_PLANE_POLICY


Note: Starting with IOS release 12.4(4)T, Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category.


If CoPP is not supported, then the alternative would be the implementation of a receive path filter.

Step 1: A receive path ACL or an inbound ACL on each interface must be configured to restrict traffic destined to the router. The IOS IP Receive ACL feature provides filtering capability explicitly for traffic that is destined for the router. Verify that the global ip receive acl statement has been configured as shown in the following example:

ip receive acl 199

Note: If the platform does not support the ip receive path acl feature, an inbound ACL on each interface must be configured.

Step 2: Verify that the ACL referenced by the ip receive acl statement restricts all control plane and management plane traffic. The ACL configuration should look similar to the following:

access-list 199 deny ip any any fragments
access-list 199 remark allow specific management plane traffic
access-list 199 permit tcp [management subnet] 0.0.0.255 any eq 22
access-list 199 permit udp host [SNMP manager] any eq snmp
access-list 199 permit tcp host [TACACS server] eq tacacs any
access-list 199 permit udp host [NTP server] eq ntp any
access-list 199 permit icmp [management subnet] 0.0.0.255 any
access-list 199 remark allow specific control plane traffic
access-list 199 permit ospf host [OSPF neighbor A] any
access-list 199 permit ospf host [OSPF neighbor B] any
access-list 199 permit pim host [PIM neighbor A] any
access-list 199 permit pim host [PIM neighbor B] any
access-list 199 permit pim host [RP addr] any
access-list 199 permit igmp any 224.0.0.0 15.255.255.255
access-list 199 permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
access-list 199 permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
access-list 199 remark all other traffic destined to the device is dropped
access-list 199 deny ip any any


Note: If the Management Plane Protection (MPP) feature is enabled for an OOBM interface, there would be no purpose in filtering this traffic on the receive path. With MPP enabled, no interfaces except the management interface will accept network management traffic destined to the device. This feature also provides the capability to restrict which management protocols are allowed. See NET0992 for additional configuration information.
Fix Text (F-19812r1_fix)
Implement control plane protection by classifying traffic types based on importance levels and configure filters to restrict and rate limit the traffic punted to the route processor as according to each class.