
The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy in accordance with the QoS DoDIN Technical Profile.


Overview

Finding ID: V-90939
Version: JUNI-RT-000740
Rule ID: SV-101149r1_rule
IA Controls: (none listed)
Severity: Low
Description
Different applications have unique requirements and toleration levels for delay, jitter, bandwidth, packet loss, and availability. To manage the multitude of applications and services, a network requires a QoS framework to differentiate traffic and provide a method to manage network congestion. The Differentiated Services Model (DiffServ) is based on per-hop behavior by categorizing traffic into different classes and enabling each node to enforce a forwarding treatment to each packet as dictated by a policy. Packet markings such as IP Precedence and its successor, Differentiated Services Code Points (DSCP), were defined along with specific per-hop behaviors for key traffic types to enable a scalable QoS solution. DiffServ QoS categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment based on the classification. It is imperative that end-to-end QoS is implemented within the IP core network to provide preferred treatment for mission-critical applications.
STIG: Juniper Router RTR Security Technical Implementation Guide
Date: 2018-11-15

Details

Check Text (C-90203r2_chk)
Review the router configuration and verify that a QoS policy has been configured to provide preferred treatment for mission-critical applications in accordance with the QoS DoDIN Technical Profile. PE routers are responsible for classifying customer traffic and setting the forwarding class.

Verify that a Multifield (MF) classifier has been configured to classify traffic based on protocol and ports as shown in the example below. Because the final term assigns every packet not matched by an earlier term to best-effort, the forwarding class is decided by the PE, and DSCP markings arriving from the CE are not trusted.

firewall {
    family inet {
        filter CLASSIFY_TRAFFIC {
            term SIP {
                from {
                    protocol tcp;
                    port 5060;
                }
                then {
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            term RTP {
                from {
                    protocol udp;
                    port 16384-32767;
                }
                then {
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            term H.323 {
                from {
                    protocol tcp;
                    port 1720;
                }
                then {
                    loss-priority low;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term VIDEO_GK {
                from {
                    protocol udp;
                    port 1718-1719;
                }
                then {
                    loss-priority low;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term VIDEO_BEARER {
                from {
                    protocol udp;
                    port 3230-3235;
                }
                then {
                    loss-priority low;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term SSH {
                from {
                    protocol tcp;
                    port ssh;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term TACACS {
                from {
                    protocol tcp;
                    port tacacs;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term SNMP {
                from {
                    protocol udp;
                    port snmp;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term ICMP {
                from {
                    protocol icmp;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term OSPF {
                from {
                    protocol ospf;
                }
                then {
                    forwarding-class network-control;
                    accept;
                }
            }
            term PIM {
                from {
                    protocol pim;
                }
                then {
                    forwarding-class network-control;
                    accept;
                }
            }
            term ACCEPT_OTHER {
                then {
                    forwarding-class best-effort;
                    accept;
                }
            }
        }
    }
}

Verify that the classifier filter is applied as an input filter on all CE-facing interfaces as shown in the example below.

interfaces {
    ge-0/0/0 {
        description "Customer 1";
        unit 0 {
            family inet {
                filter {
                    input CLASSIFY_TRAFFIC;
                }
                address x.x.x.x/30;
            }
        }
    }
}

Verify that drop profiles and schedulers have been configured that define how queued egress packets are prioritized.

class-of-service {
    drop-profiles {
        LOW_DROP {
            fill-level 95 drop-probability 0;
            fill-level 100 drop-probability 100;
        }
        HIGH_DROP {
            fill-level 50 drop-probability 10;
            fill-level 95 drop-probability 100;
        }
    }
    schedulers {
        VOIP_SCHED {
            transmit-rate percent 10;
            buffer-size percent 10;
            priority high;
        }
        CONTROL_PLANE_SCHED {
            transmit-rate percent 10;
            buffer-size percent 10;
            priority medium-high;
        }
        VIDEO_SCHED {
            transmit-rate percent 20;
            buffer-size percent 20;
            priority medium-high;
            drop-profile-map loss-priority low protocol any drop-profile LOW_DROP;
        }
        MGMT_SCHED {
            transmit-rate percent 10;
            buffer-size percent 10;
            priority medium-low;
            drop-profile-map loss-priority high protocol any drop-profile HIGH_DROP;
        }
        BEST_EFFORT_SCHED {
            transmit-rate percent 50;
            buffer-size percent 50;
            priority low;
        }
    }
}

Verify that scheduler maps have been configured to link the forwarding classes to schedulers as shown in the example below.

class-of-service {
    scheduler-maps {
        QOS_SCHED_MAP {
            forwarding-class expedited-forwarding scheduler VOIP_SCHED;
            forwarding-class network-control scheduler CONTROL_PLANE_SCHED;
            forwarding-class assured-forwarding scheduler MGMT_SCHED;
            forwarding-class best-effort scheduler BEST_EFFORT_SCHED;
        }
    }
}

Verify that the configured QoS scheduler map has been applied to all interfaces and that the rewrite rules have been applied to all core-facing interfaces as shown in the example below.

class-of-service {
    interfaces {
        ge-0/0/1 {
            scheduler-map QOS_SCHED_MAP;
            unit 0 {
                rewrite-rules {
                    dscp default;
                }
            }
        }
        ge-0/1/1 {
            scheduler-map QOS_SCHED_MAP;
            unit 0 {
                rewrite-rules {
                    dscp default;
                }
            }
        }
        ge-1/0/0 {
            scheduler-map QOS_SCHED_MAP;
        }
        ge-1/0/1 {
            scheduler-map QOS_SCHED_MAP;
        }
    }
}

If the router is not configured to enforce a QoS policy in accordance with the QoS DoDIN Technical Profile, this is a finding.
Fix Text (F-97247r2_fix)
Configure a QoS policy on each router in accordance with the QoS DoDIN Technical Profile.

The PE router must classify ingress traffic entering the backbone. Configure a Multifield (MF) classifier to classify traffic based on protocol and ports as shown in the example below.

[edit firewall family inet filter CLASSIFY_TRAFFIC]
set term SIP from protocol tcp
set term SIP from port 5060
set term SIP then forwarding-class expedited-forwarding
set term SIP then accept
set term RTP from protocol udp
set term RTP from port 16384-32767
set term RTP then forwarding-class expedited-forwarding
set term RTP then accept
set term H.323 from protocol tcp
set term H.323 from port 1720
set term H.323 then forwarding-class assured-forwarding loss-priority low
set term H.323 then accept
set term VIDEO_GK from protocol udp
set term VIDEO_GK from port 1718-1719
set term VIDEO_GK then forwarding-class assured-forwarding loss-priority low
set term VIDEO_GK then accept
set term VIDEO_BEARER from protocol udp
set term VIDEO_BEARER from port 3230-3235
set term VIDEO_BEARER then forwarding-class assured-forwarding loss-priority low
set term VIDEO_BEARER then accept
set term SSH from protocol tcp
set term SSH from port ssh
set term SSH then forwarding-class assured-forwarding loss-priority high
set term SSH then accept
set term TACACS from protocol tcp
set term TACACS from port tacacs
set term TACACS then forwarding-class assured-forwarding loss-priority high
set term TACACS then accept
set term SNMP from protocol udp
set term SNMP from port snmp
set term SNMP then forwarding-class assured-forwarding loss-priority high
set term SNMP then accept
set term ICMP from protocol icmp
set term ICMP then forwarding-class assured-forwarding loss-priority high
set term ICMP then accept
set term OSPF from protocol ospf
set term OSPF then forwarding-class network-control
set term OSPF then accept
set term PIM from protocol pim
set term PIM then forwarding-class network-control
set term PIM then accept
set term ACCEPT_OTHER then forwarding-class best-effort
set term ACCEPT_OTHER then accept

Configure drop profiles.

[edit class-of-service]
set drop-profiles LOW_DROP fill-level 95 drop-probability 0
set drop-profiles LOW_DROP fill-level 100 drop-probability 100
set drop-profiles HIGH_DROP fill-level 50 drop-probability 10
set drop-profiles HIGH_DROP fill-level 95 drop-probability 100

Configure QoS schedulers to define how queued egress packets are prioritized.

[edit class-of-service schedulers]
set VOIP_SCHED transmit-rate percent 10
set VOIP_SCHED buffer-size percent 10
set VOIP_SCHED priority high
set VIDEO_SCHED transmit-rate percent 20
set VIDEO_SCHED buffer-size percent 20
set VIDEO_SCHED priority medium-high
set VIDEO_SCHED drop-profile-map loss-priority low protocol any drop-profile LOW_DROP
set MGMT_SCHED transmit-rate percent 10
set MGMT_SCHED buffer-size percent 10
set MGMT_SCHED priority medium-low
set MGMT_SCHED drop-profile-map loss-priority high protocol any drop-profile HIGH_DROP
set CONTROL_PLANE_SCHED transmit-rate percent 10
set CONTROL_PLANE_SCHED buffer-size percent 10
set CONTROL_PLANE_SCHED priority medium-high
set BEST_EFFORT_SCHED transmit-rate percent 50
set BEST_EFFORT_SCHED buffer-size percent 50
set BEST_EFFORT_SCHED priority low

Configure a scheduler map to link each forwarding class to a scheduler. A forwarding class can be linked to only one scheduler; a second set for the same class replaces the first.

[edit class-of-service scheduler-maps QOS_SCHED_MAP]
set forwarding-class expedited-forwarding scheduler VOIP_SCHED
set forwarding-class network-control scheduler CONTROL_PLANE_SCHED
set forwarding-class assured-forwarding scheduler MGMT_SCHED
set forwarding-class best-effort scheduler BEST_EFFORT_SCHED

Apply the filter that classifies traffic inbound on all CE-facing interfaces.

[edit interfaces ge-0/1/0 unit 0]
set family inet filter input CLASSIFY_TRAFFIC

Apply the scheduler map to all interfaces as shown in the example.

[edit class-of-service interfaces]
set ge-0/0/1 scheduler-map QOS_SCHED_MAP
set ge-0/1/1 scheduler-map QOS_SCHED_MAP
set ge-1/0/0 scheduler-map QOS_SCHED_MAP
set ge-1/0/1 scheduler-map QOS_SCHED_MAP

Apply the rewrite rules to mark egress packets on all core-facing interfaces as shown in the example.

[edit class-of-service interfaces]
set ge-0/0/1 unit 0 rewrite-rules dscp default
set ge-0/1/1 unit 0 rewrite-rules dscp default
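The verification steps in the Check Text and the set commands in the Fix Text lend themselves to an automated audit over the output of show configuration | display set. The Python script below is an added example written for this page; it is not Juniper code and not part of the STIG. The sample dump is constructed, the interface roles (CE-facing, core-facing) are passed in as assumptions because the configuration does not declare them, and the interface and object names follow the examples above.

```python
"""Audit a Junos 'show configuration | display set' dump against the QoS
controls of this rule: MF classifier bound inbound on CE-facing interfaces,
scheduler map covering the four forwarding classes with defined schedulers,
the map applied to interfaces, and DSCP rewrite on core-facing interfaces."""
import re
from collections import defaultdict

FORWARDING_CLASSES = ("expedited-forwarding", "assured-forwarding",
                      "network-control", "best-effort")

# Constructed sample dump (not from a real device). It follows the Fix Text
# but leaves the classifier off ge-0/1/0 and the DSCP rewrite off ge-1/0/1.
SAMPLE = """\
set firewall family inet filter CLASSIFY_TRAFFIC term SIP from protocol tcp
set firewall family inet filter CLASSIFY_TRAFFIC term SIP from port 5060
set firewall family inet filter CLASSIFY_TRAFFIC term SIP then forwarding-class expedited-forwarding
set firewall family inet filter CLASSIFY_TRAFFIC term SIP then accept
set firewall family inet filter CLASSIFY_TRAFFIC term ACCEPT_OTHER then forwarding-class best-effort
set firewall family inet filter CLASSIFY_TRAFFIC term ACCEPT_OTHER then accept
set interfaces ge-0/0/0 description "Customer 1"
set interfaces ge-0/0/0 unit 0 family inet filter input CLASSIFY_TRAFFIC
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/1/0 unit 0 family inet address 192.0.2.5/30
set class-of-service schedulers VOIP_SCHED transmit-rate percent 10
set class-of-service schedulers CONTROL_PLANE_SCHED transmit-rate percent 10
set class-of-service schedulers MGMT_SCHED transmit-rate percent 10
set class-of-service schedulers BEST_EFFORT_SCHED transmit-rate percent 50
set class-of-service scheduler-maps QOS_SCHED_MAP forwarding-class expedited-forwarding scheduler VOIP_SCHED
set class-of-service scheduler-maps QOS_SCHED_MAP forwarding-class network-control scheduler CONTROL_PLANE_SCHED
set class-of-service scheduler-maps QOS_SCHED_MAP forwarding-class assured-forwarding scheduler MGMT_SCHED
set class-of-service scheduler-maps QOS_SCHED_MAP forwarding-class best-effort scheduler BEST_EFFORT_SCHED
set class-of-service interfaces ge-0/0/0 scheduler-map QOS_SCHED_MAP
set class-of-service interfaces ge-0/1/0 scheduler-map QOS_SCHED_MAP
set class-of-service interfaces ge-1/0/0 scheduler-map QOS_SCHED_MAP
set class-of-service interfaces ge-1/0/0 unit 0 rewrite-rules dscp default
set class-of-service interfaces ge-1/0/1 scheduler-map QOS_SCHED_MAP
"""


def parse_set(text):
    """Yield the tokens after 'set' for each set line; quoted strings stay whole."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            yield re.findall(r'"[^"]*"|\S+', line)[1:]


def audit(config_text, ce_facing, core_facing):
    """Return a list of findings; an empty list means every check passed."""
    classifiers = defaultdict(set)  # filter -> forwarding classes its terms set
    bound = defaultdict(set)        # interface -> filters applied as inet input
    schedulers = {}                 # scheduler -> transmit-rate percent or None
    sched_maps = defaultdict(dict)  # scheduler-map -> {forwarding class: scheduler}
    cos_map = {}                    # interface -> scheduler-map applied
    rewritten = set()               # interfaces with a DSCP rewrite rule
    for t in parse_set(config_text):
        if t[:4] == ["firewall", "family", "inet", "filter"] and "forwarding-class" in t:
            classifiers[t[4]].add(t[t.index("forwarding-class") + 1])
        elif t[:1] == ["interfaces"] and t[4:8] == ["family", "inet", "filter", "input"] and len(t) > 8:
            bound[t[1]].add(t[8])
        elif t[:2] == ["class-of-service", "schedulers"] and len(t) > 2:
            schedulers.setdefault(t[2], None)
            if t[3:5] == ["transmit-rate", "percent"] and len(t) > 5:
                schedulers[t[2]] = int(t[5])
        elif t[:2] == ["class-of-service", "scheduler-maps"] and t[3:4] == ["forwarding-class"] and len(t) > 6:
            sched_maps[t[2]][t[4]] = t[6]
        elif t[:2] == ["class-of-service", "interfaces"] and t[3:4] == ["scheduler-map"] and len(t) > 4:
            cos_map[t[2]] = t[4]
        elif t[:2] == ["class-of-service", "interfaces"] and "rewrite-rules dscp" in " ".join(t):
            rewritten.add(t[2])
    findings = []
    if not classifiers:
        findings.append("no firewall filter term sets a forwarding-class (no MF classifier)")
    for ifc in ce_facing:
        if not bound[ifc] & set(classifiers):
            findings.append(f"{ifc}: CE-facing but no classifier applied as family inet filter input")
    for ifc in sorted(set(ce_facing) | set(core_facing)):
        if ifc not in cos_map:
            findings.append(f"{ifc}: no scheduler-map under class-of-service interfaces")
        elif cos_map[ifc] not in sched_maps:
            findings.append(f"{ifc}: scheduler-map {cos_map[ifc]} is not defined")
    for ifc in core_facing:
        if ifc not in rewritten:
            findings.append(f"{ifc}: core-facing but no DSCP rewrite rule on its unit")
    for name, mapping in sched_maps.items():
        for fc in FORWARDING_CLASSES:
            if fc not in mapping:
                findings.append(f"scheduler-map {name}: forwarding-class {fc} has no scheduler")
        for s in sorted(set(mapping.values()) - set(schedulers)):
            findings.append(f"scheduler-map {name}: scheduler {s} is not defined")
        total = sum(schedulers.get(s) or 0 for s in set(mapping.values()))
        if total > 100:
            findings.append(f"scheduler-map {name}: transmit-rate percents sum to {total}, over 100")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE, ["ge-0/0/0", "ge-0/1/0"], ["ge-1/0/0", "ge-1/0/1"]) or ["no findings"]:
        print(f)
```

Run it against a saved copy of show configuration | display set with the real CE-facing and core-facing interface lists; every string it returns is a candidate finding for this rule. The transmit-rate sum check is a sanity check beyond the rule's text, since a scheduler map whose guaranteed rates exceed the interface cannot deliver the intended treatment.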