| The Route Processor (RP) is critical to all network operations as it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission critical network outages.
In addition to control plane and management plane traffic handled in the routers receive path, the RP must also punt other traffic to the RP, since the traffic must be fast or process switched. This includes fragmented packets requiring an ICMP response (e.g., TTL expiration, unreachable) including IP options. A DoS attack targeting the RP can perpetrate through either inadvertent or malicious traffic involving high rates of punted traffic resulting in excessive RP CPU and memory utilization. To maintain network stability and RP security, the router must be able to handle specific control plane and management plane traffic that is destined to the RP, as well as other punted traffic.
In the past, one method of filtering was to use ingress filters on forwarding interfaces to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grow. Control plane policing increases the security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.
|
