UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DoDIN Technical Profile.


Overview

Finding ID Version Rule ID IA Controls Severity
V-90939 JUNI-RT-000740 SV-101149r1_rule Low
Description
Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to manage network congestion. The Differentiated Services Model (DiffServ) is based on per-hop behavior by categorizing traffic into different classes and enabling each node to enforce a forwarding treatment to each packet as dictated by a policy. Packet markings such as IP Precedence and its successor, Differentiated Services Code Points (DSCP), were defined along with specific per-hop behaviors for key traffic types to enable a scalable QoS solution. DiffServ QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. It is imperative that end-to-end QoS is implemented within the IP core network to provide preferred treatment for mission-critical applications.
STIG Date
Juniper Router RTR Security Technical Implementation Guide 2018-11-15

Details

Check Text ( C-90203r2_chk )
Review the router configuration and verify that a QoS policy has been configured to provide preferred treatment for mission-critical applications in accordance with the QoS DoDIN Technical Profile. PE routers are responsible for classifying customer traffic and setting the forwarding class.

Verify that a Multifield (MF) classifier has been configured to classify traffic based on protocol and ports as shown in the example below.

firewall {
family inet {



}
filter CLASSIFY_TRAFFIC {
term SIP {
from {
protocol tcp;
port 5060;
}
then {
forwarding-class expedited-forwarding;
accept;
}
}
term RTP {
from {
protocol udp;
port 16384-32767;
}
then {
forwarding-class expedited-forwarding;
accept;
}
}
term H.323 {
from {
protocol tcp;
port 1720;
}
then {
loss-priority high;
forwarding-class assured-forwarding;
accept;
}
}
term VIDEO_GK {
from {
protocol udp;
port 1718-1719;
}
then {
loss-priority high;
forwarding-class assured-forwarding;
accept;
}
}
term VIDEO_BEARER {
from {
protocol udp;
port 3230-3235;
}
then {
loss-priority low;
forwarding-class assured-forwarding;
accept;
}
}
term SSH {
from {
protocol tcp;
port ssh;
}
then {
loss-priority high;
forwarding-class assured-forwarding;
accept;
}
}
term TACACS {
from {
protocol tcp;
port tacacs;
}
then {
loss-priority high;
forwarding-class assured-forwarding;
accept;
}
}
term SNMP {
from {
protocol tcp;
port snmp;
}
then {
loss-priority high;
forwarding-class assured-forwarding;
accept;
}
}
term ICMP {
from {
protocol icmp;
}
then {
loss-priority high;
forwarding-class assured-forwarding;
accept;
}
}
term OSPF {
from {
protocol ospf;
}
then {
forwarding-class network-control;
accept;
}
}
term PIM {
from {
protocol pim;
}
then {
forwarding-class network-control;
accept;
}
}
term ACCEPT_OTHER {
then {
forwarding-class best-effort;
accept;
}
}
}
}

Verify that the classifier filter is bound to all CE-facing interfaces as shown in the example below.

interfaces {
ge-0/0/0 {
description "Customer 1";
unit 0 {
family inet {
filter {
CLASSIFY_TRAFFIC
}
address x.x.x.x/30;
}
}
}

Verify that drop profiles and schedulers have been configured that define how queued egress packets are prioritized.

class-of-service {
drop-profiles {
LOW_DROP {
fill-level 95 drop-probability 0;
fill-level 100 drop-probability 100;
}
HIGH_DROP {
fill-level 50 drop-probability 10;
fill-level 95 drop-probability 100;
}
}
schedulers {
VOIP_SCHED {
transmit-rate percent 10;
buffer-size percent 10;
priority high;
}
CONTROL_PLANE_SCHED {
transmit-rate percent 10;
buffer-size percent 10;
priority medium-high;
}
VIDEO_SCHED {
transmit-rate percent 20;
buffer-size percent 20;
priority medium-high;
drop-profile-map loss-priority low protocol any drop-profile LOW_DROP;
}
MGMT_SCHED {
transmit-rate percent 10;
buffer-size percent 10;
priority medium-low;
drop-profile-map loss-priority high protocol any drop-profile HIGH_DROP;
}
BEST_EFFORT_SCHED {
transmit-rate percent 50;
buffer-size percent 50;
priority low;
}
}
}

Verify that scheduler maps have been configured to link the forwarding classes to schedulers as shown in the example below.

class-of-service {



}
scheduler-maps {
QOS_SCHED_MAP {
forwarding-class expedited-forwarding scheduler VOIP_SCHED;
forwarding-class network-control scheduler CONTROL_PLANE_SCHED;
forwarding-class assured-forwarding scheduler MGMT_SCHED;
forwarding-class best-effort scheduler BEST_EFFORT_SCHED;
}
}

Verify that the configured QoS scheduler map has been applied to all interfaces and that the rewrite rules have been applied to all core-facing interfaces as shown in the example below.

class-of-service {



}
interfaces {
ge-0/0/1 {
scheduler-map QOS_SCHED_MAP;
unit 0 {
rewrite-rules {
dscp default;
}
}
}
ge-0/1/1 {
scheduler-map QOS_SCHED_MAP;
unit 0 {
rewrite-rules {
dscp default;
}
}
}
ge-1/0/0 {
scheduler-map QOS_SCHED_MAP;
}
ge-1/0/1 {
scheduler-map QOS_SCHED_MAP;
}
}

If the router is not configured to enforce a QoS policy in accordance with the QoS DoDIN Technical Profile, this is a finding.
Fix Text (F-97247r2_fix)
Configure a QoS policy on each router in accordance with the QoS DoDIN Technical Profile.

The PE router must classify ingress traffic entering the backbone. Configure a Multifield (MF) classifier to classify traffic based on protocol and ports as shown in the example below.

[edit firewall family inet filter CLASSIFY_TRAFFIC]
set term SIP from protocol tcp
set term SIP from port 5060
set term SIP then forwarding-class expedited-forwarding
set term SIP then accept
set term RTP from protocol tcp
set term RTP from port 16384-32767
set term RTP then forwarding-class expedited-forwarding
set term RTP then accept
set term H.323 from protocol tcp
set term H.323 from port 1720
set term H.323 then forwarding-class assured-forwarding loss-priority low
set term H.323 then accept
set term VIDEO_GK from protocol udp
set term VIDEO_GK from port 1718-1719
set term VIDEO_GK then forwarding-class assured-forwarding loss-priority low
set term VIDEO_GK then accept
set term VIDEO_BEARER from protocol udp
set term VIDEO_BEARER from port 3230-3235
set term VIDEO_BEARER then forwarding-class assured-forwarding loss-priority low
set term VIDEO_BEARER then accept
set term SSH from protocol tcp
set term SSH from port ssh
set term SSH then forwarding-class assured-forwarding loss-priority high
set term SSH then accept
set term TACACS from protocol tcp
set term TACACS from port tacacs
set term TACACS then forwarding-class assured-forwarding loss-priority high
set term TACACS then accept
set term SNMP from protocol tcp
set term SNMP from port snmp
set term SNMP then forwarding-class assured-forwarding loss-priority high
set term SNMP then accept
set term ICMP from protocol icmp
set term ICMP then forwarding-class assured-forwarding loss-priority high
set term ICMP then accept
set term OSPF from protocol ospf
set term OSPF then forwarding-class network-control
set term OSPF then accept
set term PIM from protocol pim
set term PIM then forwarding-class network-control
set term PIM then accept
set term ACCEPT_OTHER then forwarding-class best-effort
set term ACCEPT_OTHER then accept

Configure drop profiles.

[edit class-of-service]
set drop-profiles LOW_DROP fill-level 95 drop-probability 0
set drop-profiles LOW_DROP fill-level 100 drop-probability 100
set drop-profiles HIGH_DROP fill-level 50 drop-probability 10
set drop-profiles HIGH_DROP fill-level 95 drop-probability 100

Configure QoS schedulers to define how queued egress packets are prioritized.

[edit class-of-service schedulers]
set VOIP_SCHED transmit-rate percent 10
set VOIP_SCHED buffer-size percent 10
set VOIP_SCHED priority high
set VIDEO_SCHED transmit-rate percent 20
set VIDEO_SCHED buffer-size percent 20
set VIDEO_SCHED priority medium-high
set VIDEO_SCHED drop-profile-map protocol any loss-priority low drop-profile LOW_DROP
set MGMT_SCHED transmit-rate percent 10
set MGMT_SCHED buffer-size percent 10
set MGMT_SCHED priority medium-low
set MGMT_SCHED drop-profile-map protocol any loss-priority high drop-profile HIGH_DROP
set CONTROL_PLANE_SCHED transmit-rate percent 10
set CONTROL_PLANE_SCHED buffer-size percent 10
set CONTROL_PLANE_SCHED priority medium-high
set BEST_EFFORT_SCHED transmit-rate percent 50
set BEST_EFFORT_SCHED buffer-size percent 50
set BEST_EFFORT_SCHED priority low

Configure scheduler maps to link the forwarding classes to schedulers.

[edit class-of-service scheduler-maps QOS_SCHED_MAP]
set forwarding-class expedited-forwarding scheduler VOIP_SCHED
set forwarding-class network-control scheduler CONTROL_PLANE_SCHED
set forwarding-class assured-forwarding scheduler VIDEO_SCHED
set forwarding-class assured-forwarding scheduler MGMT_SCHED
set forwarding-class best-effort scheduler BEST_EFFORT_SCHED

Apply the filter that classifies traffic inbound on all CE-facing interfaces.

[edit interfaces ge-0/1/0 unit 0]
set family inet filter input CLASSIFY_TRAFFIC

Apply the scheduler map to all interfaces as shown in the example.

[edit class-of-service interfaces]
set ge-0/0/1 scheduler-map QOS_SCHED_MAP
set ge-0/1/1 scheduler-map QOS_SCHED_MAP
set ge-1/0/0 scheduler-map QOS_SCHED_MAP
set ge-1/0/1 scheduler-map QOS_SCHED_MAP

Apply the rewrite rules to mark egress packets on all core-facing interfaces as shown in the example.

[edit class-of-service interfaces]
set ge-0/0/1 unit 0 rewrite-rules dscp default
set ge-0/1/1 unit 0 rewrite-rules dscp default