The Juniper PE router must be configured to enforce a Quality-of-Service (QoS) policy so that all customer traffic receives forwarding treatment as specified in the service level agreement (SLA).


Overview

Finding ID: V-90943
Version: JUNI-RT-000760
Rule ID: SV-101153r1_rule
IA Controls: none listed
Severity: Medium
Description
QoS enables DISA to offer value-added IP services in accordance with SLAs, ensuring that customer requirements can be met while providing a method to provision the edge and core to accommodate those requirements. The IP core will recognize and provide forwarding treatment of customer traffic according to the Differentiated Services Code Points (DSCP). Customers marking traffic within their DiffServ domain will be required to comply with the DSCP classification that has been approved by the DOD QoS Working Group. Non-compliance could enable a customer or even an attacker to rob bandwidth from other customers or mission-critical services.
STIG: Juniper Router RTR Security Technical Implementation Guide
Date: 2018-11-15

Details

Check Text (C-90207r1_chk)
Verify that a filter has been configured to classify customers' traffic based on protocol and ports, as shown in the example below.

firewall {
    family inet {
        filter CLASSIFY_CUST1_TRAFFIC {
            term SIP {
                from {
                    protocol tcp;
                    port 5060;
                }
                then {
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            term RTP {
                from {
                    protocol udp;
                    port 16384-32767;
                }
                then {
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            term APP1 {
                from {
                    protocol tcp;
                    port nnnn;
                }
                then {
                    loss-priority low;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term APP2 {
                from {
                    protocol tcp;
                    port nnnn;
                }
                then {
                    loss-priority high;
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
            term ACCEPT_OTHER {
                then {
                    forwarding-class best-effort;
                    accept;
                }
            }
        }
    }
}

Verify that the classifier filter is bound to all CE-facing interfaces as shown in the example below.

interfaces {
    ge-0/0/0 {
        description "Customer 1";
        unit 0 {
            family inet {
                filter {
                    input CLASSIFY_CUST1_TRAFFIC;
                }
                address x.x.x.x/30;
            }
        }
    }
}

Verify that drop profiles and schedulers have been configured that define how queued egress packets are prioritized.

class-of-service {
    drop-profiles {
        LOW_DROP {
            fill-level 95 drop-probability 0;
            fill-level 100 drop-probability 100;
        }
        HIGH_DROP {
            fill-level 50 drop-probability 10;
            fill-level 95 drop-probability 100;
        }
    }
    schedulers {
        VOIP_SCHED {
            transmit-rate percent 10;
            buffer-size percent 10;
            priority high;
        }
        APP1_SCHED {
            transmit-rate percent 20;
            buffer-size percent 20;
            priority medium-high;
            drop-profile-map loss-priority low protocol any drop-profile LOW_DROP;
        }
        APP2_SCHED {
            transmit-rate percent 10;
            buffer-size percent 10;
            priority medium-low;
            drop-profile-map loss-priority high protocol any drop-profile HIGH_DROP;
        }
        BEST_EFFORT_SCHED {
            transmit-rate percent 60;
            buffer-size percent 60;
            priority low;
        }
    }
}

Verify that scheduler maps have been configured to link the forwarding classes to schedulers as shown in the example below.

class-of-service {
    scheduler-maps {
        QOS_SCHED_MAP {
            forwarding-class expedited-forwarding scheduler VOIP_SCHED;
            forwarding-class network-control scheduler APP1_SCHED;
            forwarding-class assured-forwarding scheduler APP2_SCHED;
            forwarding-class best-effort scheduler BEST_EFFORT_SCHED;
        }
    }
}

Verify that the configured QoS scheduler map and the rewrite rules have been applied to all core-facing interfaces as shown in the example below.

class-of-service {
    interfaces {
        ge-0/0/1 {
            scheduler-map QOS_SCHED_MAP;
            unit 0 {
                rewrite-rules {
                    dscp default;
                }
            }
        }
        ge-0/1/1 {
            scheduler-map QOS_SCHED_MAP;
            unit 0 {
                rewrite-rules {
                    dscp default;
                }
            }
        }
    }
}

If the PE router does not enforce a QoS policy to ensure that all customer traffic receives forwarding treatment as specified in the SLA, this is a finding.
Fix Text (F-97251r1_fix)
Configure a QoS policy to provide traffic forwarding treatment as specified in the SLA.

The PE router must classify ingress traffic entering the backbone. Configure a filter to classify traffic based on protocol and ports as shown in the example below.

[edit firewall family inet filter CLASSIFY_CUST1_TRAFFIC]
set term SIP from protocol tcp
set term SIP from port 5060
set term SIP then forwarding-class expedited-forwarding
set term SIP then accept
set term RTP from protocol udp
set term RTP from port 16384-32767
set term RTP then forwarding-class expedited-forwarding
set term RTP then accept
set term APP1 from protocol tcp
set term APP1 from port nnnn
set term APP1 then forwarding-class assured-forwarding
set term APP1 then loss-priority low
set term APP1 then accept
set term APP2 from protocol tcp
set term APP2 from port nnnn
set term APP2 then forwarding-class assured-forwarding
set term APP2 then loss-priority high
set term APP2 then accept
set term ACCEPT_OTHER then forwarding-class best-effort
set term ACCEPT_OTHER then accept

Configure drop profiles.

[edit class-of-service]
set drop-profiles LOW_DROP fill-level 95 drop-probability 0
set drop-profiles LOW_DROP fill-level 100 drop-probability 100
set drop-profiles HIGH_DROP fill-level 50 drop-probability 10
set drop-profiles HIGH_DROP fill-level 95 drop-probability 100

Configure QoS schedulers to define how queued egress packets are prioritized.

[edit class-of-service schedulers]
set VOIP_SCHED transmit-rate percent 10
set VOIP_SCHED buffer-size percent 10
set VOIP_SCHED priority high
set APP1_SCHED transmit-rate percent 20
set APP1_SCHED buffer-size percent 20
set APP1_SCHED priority medium-high
set APP1_SCHED drop-profile-map loss-priority low protocol any drop-profile LOW_DROP
set APP2_SCHED transmit-rate percent 10
set APP2_SCHED buffer-size percent 10
set APP2_SCHED priority medium-low
set APP2_SCHED drop-profile-map loss-priority high protocol any drop-profile HIGH_DROP
set BEST_EFFORT_SCHED transmit-rate percent 60
set BEST_EFFORT_SCHED buffer-size percent 60
set BEST_EFFORT_SCHED priority low

Configure scheduler maps to link the forwarding classes to schedulers.

[edit class-of-service scheduler-maps QOS_SCHED_MAP]
set forwarding-class expedited-forwarding scheduler VOIP_SCHED
set forwarding-class network-control scheduler APP1_SCHED
set forwarding-class assured-forwarding scheduler APP2_SCHED
set forwarding-class best-effort scheduler BEST_EFFORT_SCHED

Apply the filter that classifies traffic inbound on all CE-facing interfaces.

[edit interfaces ge-0/1/0 unit 0]
set family inet filter input CLASSIFY_CUST1_TRAFFIC

Apply the scheduler map to all core-facing interfaces as shown in the example.

[edit class-of-service interfaces]
set ge-0/0/1 scheduler-map QOS_SCHED_MAP
set ge-0/1/1 scheduler-map QOS_SCHED_MAP

Apply the rewrite rules to mark egress packets on all core-facing interfaces as shown in the example.

[edit class-of-service interfaces]
set ge-0/0/1 unit 0 rewrite-rules dscp default
set ge-0/1/1 unit 0 rewrite-rules dscp default
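As an added example, not part of the STIG or of Juniper's tooling: a small Python audit that applies the checks above to "show configuration | display set" output. The CE-facing and core-facing interface names are supplied by the auditor, and the configuration below is a constructed sample that deliberately leaves out an inbound filter on one CE interface, the assured-forwarding entry in the scheduler map, and the rewrite rule on one core interface.

```python
from collections import defaultdict

# Constructed sample in "show configuration | display set" form, trimmed to what the
# audit reads; it omits the inbound filter on ge-0/1/0, the assured-forwarding
# scheduler-map entry, and the DSCP rewrite rule on ge-0/1/1.
SAMPLE = """
set firewall family inet filter CLASSIFY_CUST1_TRAFFIC term SIP then forwarding-class expedited-forwarding
set firewall family inet filter CLASSIFY_CUST1_TRAFFIC term APP1 then forwarding-class assured-forwarding
set firewall family inet filter CLASSIFY_CUST1_TRAFFIC term ACCEPT_OTHER then forwarding-class best-effort
set interfaces ge-0/0/0 unit 0 family inet filter input CLASSIFY_CUST1_TRAFFIC
set class-of-service scheduler-maps QOS_SCHED_MAP forwarding-class expedited-forwarding scheduler VOIP_SCHED
set class-of-service scheduler-maps QOS_SCHED_MAP forwarding-class best-effort scheduler BEST_EFFORT_SCHED
set class-of-service interfaces ge-0/0/1 scheduler-map QOS_SCHED_MAP
set class-of-service interfaces ge-0/0/1 unit 0 rewrite-rules dscp default
set class-of-service interfaces ge-0/1/1 scheduler-map QOS_SCHED_MAP
"""


def audit_qos(config, ce_ifaces, core_ifaces):
    """Return finding strings for JUNI-RT-000760; an empty list means compliant."""
    classifiers = defaultdict(set)  # filter name -> forwarding classes it assigns
    input_filters = {}              # interface -> filter applied inbound
    sched_maps = defaultdict(dict)  # scheduler-map name -> {forwarding-class: scheduler}
    cos_if = defaultdict(dict)      # interface -> {"map": ..., "rewrite": ...}
    for t in (line.split() for line in config.splitlines() if line.startswith("set ")):
        if t[1:5] == ["firewall", "family", "inet", "filter"] and "forwarding-class" in t:
            classifiers[t[5]].add(t[t.index("forwarding-class") + 1])
        elif t[1:2] == ["interfaces"] and t[-3:-1] == ["filter", "input"]:
            input_filters[t[2]] = t[-1]
        elif t[1:3] == ["class-of-service", "scheduler-maps"] and len(t) > 7:
            sched_maps[t[3]][t[5]] = t[7]
        elif t[1:3] == ["class-of-service", "interfaces"] and len(t) > 5 and t[4] == "scheduler-map":
            cos_if[t[3]]["map"] = t[5]
        elif t[1:3] == ["class-of-service", "interfaces"] and "rewrite-rules" in t:
            cos_if[t[3]]["rewrite"] = t[t.index("rewrite-rules") + 1]
    findings = []
    for i in ce_ifaces:  # 1. CE-facing: inbound traffic must be classified
        if input_filters.get(i) not in classifiers:
            findings.append(f"{i}: no classifying filter applied inbound")
    for name, fc_map in sched_maps.items():  # 2. every assigned class needs a scheduler
        for fc in sorted(set().union(*classifiers.values())):
            if fc not in fc_map:
                findings.append(f"{name}: forwarding class {fc} has no scheduler")
    for i in core_ifaces:  # 3. core-facing: scheduler map and DSCP rewrite on egress
        if cos_if[i].get("map") not in sched_maps:
            findings.append(f"{i}: no scheduler map applied")
        if cos_if[i].get("rewrite") != "dscp":
            findings.append(f"{i}: no DSCP rewrite rule on egress")
    return findings
```

Running audit_qos(SAMPLE, ["ge-0/0/0", "ge-0/1/0"], ["ge-0/0/1", "ge-0/1/1"]) reports the three gaps the sample was built with; a clean configuration returns an empty list.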