Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-90939 | JUNI-RT-000740 | SV-101149r1_rule | | Low |
Description |
---|
Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to manage network congestion. The Differentiated Services Model (DiffServ) is based on per-hop behavior by categorizing traffic into different classes and enabling each node to enforce a forwarding treatment to each packet as dictated by a policy. Packet markings such as IP Precedence and its successor, Differentiated Services Code Points (DSCP), were defined along with specific per-hop behaviors for key traffic types to enable a scalable QoS solution. DiffServ QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. It is imperative that end-to-end QoS is implemented within the IP core network to provide preferred treatment for mission-critical applications. |
STIG | Date |
---|---|
Juniper Router RTR Security Technical Implementation Guide | 2018-11-15 |
Check Text ( C-90203r2_chk ) |
---|

Review the router configuration and verify that a QoS policy has been configured to provide preferred treatment for mission-critical applications in accordance with the QoS DoDIN Technical Profile. PE routers are responsible for classifying customer traffic and setting the forwarding class.

Verify that a Multifield (MF) classifier has been configured to classify traffic based on protocol and ports as shown in the example below.

```
firewall {
    family inet {
        …
        filter CLASSIFY_TRAFFIC {
            term SIP {
                from {
                    protocol tcp;
                    port 5060;
                }
                then {
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            term RTP {
                from {
                    protocol udp;
                    port 16384-32767;
                }
                then {
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            term H.323 {
                from {
                    protocol tcp;
                    port 1720;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term VIDEO_GK {
                from {
                    protocol udp;
                    port 1718-1719;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term VIDEO_BEARER {
                from {
                    protocol udp;
                    port 3230-3235;
                }
                then {
                    loss-priority low;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term SSH {
                from {
                    protocol tcp;
                    port ssh;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term TACACS {
                from {
                    protocol tcp;
                    port tacacs;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term SNMP {
                from {
                    protocol tcp;
                    port snmp;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term ICMP {
                from {
                    protocol icmp;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term OSPF {
                from {
                    protocol ospf;
                }
                then {
                    forwarding-class network-control;
                    accept;
                }
            }
            term PIM {
                from {
                    protocol pim;
                }
                then {
                    forwarding-class network-control;
                    accept;
                }
            }
            term ACCEPT_OTHER {
                then {
                    forwarding-class best-effort;
                    accept;
                }
            }
        }
    }
}
```

Verify that the classifier filter is bound as an input filter on all CE-facing interfaces as shown in the example below.

```
interfaces {
    ge-0/0/0 {
        description "Customer 1";
        unit 0 {
            family inet {
                filter {
                    input CLASSIFY_TRAFFIC;
                }
                address x.x.x.x/30;
            }
        }
    }
}
```

Verify that drop profiles and schedulers have been configured that define how queued egress packets are prioritized.

```
class-of-service {
    drop-profiles {
        LOW_DROP {
            fill-level 95 drop-probability 0;
            fill-level 100 drop-probability 100;
        }
        HIGH_DROP {
            fill-level 50 drop-probability 10;
            fill-level 95 drop-probability 100;
        }
    }
    schedulers {
        VOIP_SCHED {
            transmit-rate percent 10;
            buffer-size percent 10;
            priority high;
        }
        CONTROL_PLANE_SCHED {
            transmit-rate percent 10;
            buffer-size percent 10;
            priority medium-high;
        }
        VIDEO_SCHED {
            transmit-rate percent 20;
            buffer-size percent 20;
            priority medium-high;
            drop-profile-map loss-priority low protocol any drop-profile LOW_DROP;
        }
        MGMT_SCHED {
            transmit-rate percent 10;
            buffer-size percent 10;
            priority medium-low;
            drop-profile-map loss-priority high protocol any drop-profile HIGH_DROP;
        }
        BEST_EFFORT_SCHED {
            transmit-rate percent 50;
            buffer-size percent 50;
            priority low;
        }
    }
}
```

Verify that scheduler maps have been configured to link the forwarding classes to schedulers as shown in the example below.

```
class-of-service {
    …
    scheduler-maps {
        QOS_SCHED_MAP {
            forwarding-class expedited-forwarding scheduler VOIP_SCHED;
            forwarding-class network-control scheduler CONTROL_PLANE_SCHED;
            forwarding-class assured-forwarding scheduler MGMT_SCHED;
            forwarding-class best-effort scheduler BEST_EFFORT_SCHED;
        }
    }
}
```

Verify that the configured QoS scheduler map has been applied to all interfaces and that the rewrite rules have been applied to all core-facing interfaces as shown in the example below.

```
class-of-service {
    …
    interfaces {
        ge-0/0/1 {
            scheduler-map QOS_SCHED_MAP;
            unit 0 {
                rewrite-rules {
                    dscp default;
                }
            }
        }
        ge-0/1/1 {
            scheduler-map QOS_SCHED_MAP;
            unit 0 {
                rewrite-rules {
                    dscp default;
                }
            }
        }
        ge-1/0/0 {
            scheduler-map QOS_SCHED_MAP;
        }
        ge-1/0/1 {
            scheduler-map QOS_SCHED_MAP;
        }
    }
}
```

If the router is not configured to enforce a QoS policy in accordance with the QoS DoDIN Technical Profile, this is a finding.
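The review steps in the check text above, as an added example that is not part of the STIG and not a Juniper tool: a small Python checker that parses Junos brace-format configuration (the `show configuration` output a reviewer works from, including output that has been flattened onto one line) and reports the items the check text asks the reviewer to confirm: which forwarding class each classifier term sets, CE-facing interfaces that do not apply the classifier inbound, interfaces without a scheduler map, core-facing interfaces without a DSCP rewrite rule, and forwarding classes the classifier assigns that the scheduler map never schedules. The sample configuration, the interface names and their CE/core roles are constructed for the example.

```python
# Added example for this STIG check (not from the STIG or from Juniper): parse Junos
# brace-format configuration and report the QoS items the check text asks about.
import re
from dataclasses import dataclass, field

TOKEN = re.compile(r'[{};]|"[^"]*"|[^\s{};"]+')   # braces, semicolons, quoted strings, words

@dataclass
class Node:
    name: str                                      # e.g. "term SIP", "unit 0", "filter"
    children: list = field(default_factory=list)   # nested "... { }" blocks
    leaves: list = field(default_factory=list)     # "...;" statements without the ';'

    def path(self, *names):
        """Descend by exact block names; None if any step is absent."""
        node = self
        for n in names:
            node = next((c for c in node.children if c.name == n), None)
            if node is None:
                return None
        return node

def parse_junos(text):
    """Build a Node tree; works on indented output and on output flattened to one line."""
    root = Node("root")
    stack, words = [root], []
    for tok in TOKEN.findall(text):
        if tok == "{":
            node = Node(" ".join(words))
            stack[-1].children.append(node)
            stack.append(node)
            words = []
        elif tok == ";":
            stack[-1].leaves.append(" ".join(words))
            words = []
        elif tok == "}":
            if len(stack) == 1 or words:
                raise ValueError("stray '}' or statement missing ';'")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unbalanced braces or trailing statement")
    return root

def classifier_classes(cfg, flt="CLASSIFY_TRAFFIC"):
    """{term: forwarding-class} for the MF classifier; None when a term sets no class."""
    node = cfg.path("firewall", "family inet", f"filter {flt}")
    out = {}
    for term in (node.children if node else []):
        if not term.name.startswith("term "):
            continue
        then = term.path("then")
        fcs = [l.split(" ", 1)[1] for l in getattr(then, "leaves", []) if l.startswith("forwarding-class ")]
        out[term.name.split(" ", 1)[1]] = fcs[0] if fcs else None
    return out

def missing_input_filter(cfg, ce_ifaces, flt="CLASSIFY_TRAFFIC"):
    """CE-facing interfaces that do not apply the classifier inbound on unit 0."""
    return [i for i in ce_ifaces if f"input {flt}" not in
            getattr(cfg.path("interfaces", i, "unit 0", "family inet", "filter"), "leaves", [])]

def missing_scheduler_map(cfg, ifaces):
    """Interfaces with no scheduler-map under class-of-service."""
    return [i for i in ifaces if not any(l.startswith("scheduler-map ") for l in
            getattr(cfg.path("class-of-service", "interfaces", i), "leaves", []))]

def missing_rewrite_rules(cfg, core_ifaces):
    """Core-facing interfaces without a DSCP rewrite rule on unit 0."""
    return [i for i in core_ifaces if not any(l.startswith("dscp") for l in
            getattr(cfg.path("class-of-service", "interfaces", i, "unit 0", "rewrite-rules"), "leaves", []))]

def unscheduled_classes(cfg, smap="QOS_SCHED_MAP", flt="CLASSIFY_TRAFFIC"):
    """Forwarding classes the classifier assigns but the scheduler map never schedules."""
    node = cfg.path("class-of-service", "scheduler-maps", smap)
    covered = {l.split()[1] for l in getattr(node, "leaves", [])
               if l.startswith("forwarding-class ") and " scheduler " in l}
    used = {fc for fc in classifier_classes(cfg, flt).values() if fc}
    return sorted(used - covered)

# Constructed sample: ge-0/0/2 lacks the input filter, ge-1/0/0 lacks rewrite rules,
# and the scheduler map does not cover network-control.
SAMPLE_CONFIG = """
firewall { family inet { filter CLASSIFY_TRAFFIC {
    term SIP { from { protocol tcp; port 5060; } then { forwarding-class expedited-forwarding; accept; } }
    term OSPF { from { protocol ospf; } then { forwarding-class network-control; accept; } }
    term ACCEPT_OTHER { then { forwarding-class best-effort; accept; } } } } }
interfaces {
    ge-0/0/0 { description "Customer 1"; unit 0 { family inet { filter { input CLASSIFY_TRAFFIC; } address 192.0.2.1/30; } } }
    ge-0/0/2 { description "Customer 2"; unit 0 { family inet { address 192.0.2.5/30; } } } }
class-of-service {
    scheduler-maps { QOS_SCHED_MAP { forwarding-class expedited-forwarding scheduler VOIP_SCHED;
                                     forwarding-class best-effort scheduler BEST_EFFORT_SCHED; } }
    interfaces { ge-0/0/1 { scheduler-map QOS_SCHED_MAP; unit 0 { rewrite-rules { dscp default; } } }
                 ge-1/0/0 { scheduler-map QOS_SCHED_MAP; } } }
"""
CE_IFACES = ["ge-0/0/0", "ge-0/0/2"]     # assumed customer-facing roles
CORE_IFACES = ["ge-0/0/1", "ge-1/0/0"]   # assumed backbone-facing roles

def run_checks(text=SAMPLE_CONFIG):
    """Run every check from the check text and return the findings by name."""
    cfg = parse_junos(text)
    return {
        "classifier": classifier_classes(cfg),
        "ce_without_input_filter": missing_input_filter(cfg, CE_IFACES),
        "no_scheduler_map": missing_scheduler_map(cfg, CE_IFACES + CORE_IFACES),
        "core_without_rewrite": missing_rewrite_rules(cfg, CORE_IFACES),
        "unscheduled_classes": unscheduled_classes(cfg),
    }
```

Any non-empty list in the result of `run_checks()` is a finding to write up; the interface role lists are the one input the reviewer has to supply from the network diagram, since the configuration itself does not say which interfaces face customers and which face the core.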
Fix Text (F-97247r2_fix) |
---|

Configure a QoS policy on each router in accordance with the QoS DoDIN Technical Profile. The PE router must classify ingress traffic entering the backbone. Configure a Multifield (MF) classifier to classify traffic based on protocol and ports as shown in the example below.

```
[edit firewall family inet filter CLASSIFY_TRAFFIC]
set term SIP from protocol tcp
set term SIP from port 5060
set term SIP then forwarding-class expedited-forwarding
set term SIP then accept
set term RTP from protocol udp
set term RTP from port 16384-32767
set term RTP then forwarding-class expedited-forwarding
set term RTP then accept
set term H.323 from protocol tcp
set term H.323 from port 1720
set term H.323 then forwarding-class assured-forwarding loss-priority low
set term H.323 then accept
set term VIDEO_GK from protocol udp
set term VIDEO_GK from port 1718-1719
set term VIDEO_GK then forwarding-class assured-forwarding loss-priority low
set term VIDEO_GK then accept
set term VIDEO_BEARER from protocol udp
set term VIDEO_BEARER from port 3230-3235
set term VIDEO_BEARER then forwarding-class assured-forwarding loss-priority low
set term VIDEO_BEARER then accept
set term SSH from protocol tcp
set term SSH from port ssh
set term SSH then forwarding-class assured-forwarding loss-priority high
set term SSH then accept
set term TACACS from protocol tcp
set term TACACS from port tacacs
set term TACACS then forwarding-class assured-forwarding loss-priority high
set term TACACS then accept
set term SNMP from protocol tcp
set term SNMP from port snmp
set term SNMP then forwarding-class assured-forwarding loss-priority high
set term SNMP then accept
set term ICMP from protocol icmp
set term ICMP then forwarding-class assured-forwarding loss-priority high
set term ICMP then accept
set term OSPF from protocol ospf
set term OSPF then forwarding-class network-control
set term OSPF then accept
set term PIM from protocol pim
set term PIM then forwarding-class network-control
set term PIM then accept
set term ACCEPT_OTHER then forwarding-class best-effort
set term ACCEPT_OTHER then accept
```

Configure drop profiles.

```
[edit class-of-service]
set drop-profiles LOW_DROP fill-level 95 drop-probability 0
set drop-profiles LOW_DROP fill-level 100 drop-probability 100
set drop-profiles HIGH_DROP fill-level 50 drop-probability 10
set drop-profiles HIGH_DROP fill-level 95 drop-probability 100
```

Configure QoS schedulers to define how queued egress packets are prioritized.

```
[edit class-of-service schedulers]
set VOIP_SCHED transmit-rate percent 10
set VOIP_SCHED buffer-size percent 10
set VOIP_SCHED priority high
set VIDEO_SCHED transmit-rate percent 20
set VIDEO_SCHED buffer-size percent 20
set VIDEO_SCHED priority medium-high
set VIDEO_SCHED drop-profile-map loss-priority low protocol any drop-profile LOW_DROP
set MGMT_SCHED transmit-rate percent 10
set MGMT_SCHED buffer-size percent 10
set MGMT_SCHED priority medium-low
set MGMT_SCHED drop-profile-map loss-priority high protocol any drop-profile HIGH_DROP
set CONTROL_PLANE_SCHED transmit-rate percent 10
set CONTROL_PLANE_SCHED buffer-size percent 10
set CONTROL_PLANE_SCHED priority medium-high
set BEST_EFFORT_SCHED transmit-rate percent 50
set BEST_EFFORT_SCHED buffer-size percent 50
set BEST_EFFORT_SCHED priority low
```

Configure scheduler maps to link the forwarding classes to schedulers.

```
[edit class-of-service scheduler-maps QOS_SCHED_MAP]
set forwarding-class expedited-forwarding scheduler VOIP_SCHED
set forwarding-class network-control scheduler CONTROL_PLANE_SCHED
set forwarding-class assured-forwarding scheduler VIDEO_SCHED
set forwarding-class assured-forwarding scheduler MGMT_SCHED
set forwarding-class best-effort scheduler BEST_EFFORT_SCHED
```

Apply the filter that classifies traffic inbound on all CE-facing interfaces.

```
[edit interfaces ge-0/1/0 unit 0]
set family inet filter input CLASSIFY_TRAFFIC
```

Apply the scheduler map to all interfaces as shown in the example.

```
[edit class-of-service interfaces]
set ge-0/0/1 scheduler-map QOS_SCHED_MAP
set ge-0/1/1 scheduler-map QOS_SCHED_MAP
set ge-1/0/0 scheduler-map QOS_SCHED_MAP
set ge-1/0/1 scheduler-map QOS_SCHED_MAP
```

Apply the rewrite rules to mark egress packets on all core-facing interfaces as shown in the example.

```
[edit class-of-service interfaces]
set ge-0/0/1 unit 0 rewrite-rules dscp default
set ge-0/1/1 unit 0 rewrite-rules dscp default
```