Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19662 | VVoIP 6205 (DISN-IPVS) | SV-21803r1_rule | | Medium |
Description |
---|
The typical perimeter or premise router (as designated by the NI and Enclave STIGs) will most likely not be capable of supporting the needs of VVoIP entering the DISN WAN. This is because only newer routers are capable of dealing with service classes and expedited forwarding. This is why the DISN IPVS PMO specifies the additional capabilities required of the perimeter or premise router to support the needs of the Assured Service network. The router designated by the DISN IPVS PMO that is needed to support the service is called the Customer Edge Router (CER). This terminology is consistent with the terminology used by the DISN CORE PMO and other WAN service providers. The CER provides the following functionality: > Provides minimally four forwarding queues (eight preferred). > Places traffic within expedited forwarding queues based on the Differentiated Services Code Point (DSCP) markings carried by the traffic. > Routes inbound AS-SIP-TLS packets and SRTP/SRTCP packets to the EBC function (VVoIP firewall). > Routes all other inbound traffic to the data firewall. > Provides all of the filtering and security required of a perimeter or premise router as required by the NI STIG. NOTE: Proper DSCP marking of VVoIP packets is required to provide appropriate QoS for C2 priority calls in support of Assured Service. The UCR requires the CER to support Expedited Forwarding (EF) PHBs in accordance with RFC 3246 and Assured Forwarding (AF) PHBs in accordance with RFC 2597. The UCR further requires the CER to minimally support four forwarding queues but prefers eight queues, which will be the requirement in the future when the vendors can support eight. |
STIG | Date |
---|---|
VOICE and VIDEO over INTERNET PROTOCOL (VVoIP) POLICY SECURITY TECHNICAL IMPLEMENTATION GUIDE | 2010-08-17 |
Check Text (C-24030r1_chk) |
---|
Interview the IAO to confirm compliance with the following requirement: In the event the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure the required CER is configured to provide expedited forwarding of VVoIP packets based on DSCP packet marking in accordance with the DISN IPVS DSCP marking plan. NOTE: Proper DSCP marking of VVoIP packets is required to provide appropriate QoS for C2 priority calls in support of Assured Service. Determine if the CER is configured to provide expedited forwarding based on DSCP. |
Fix Text (F-20367r1_fix) |
---|
Ensure the required CER is configured to provide expedited forwarding of VVoIP packets based on DSCP packet marking in accordance with the DISN IPVS DSCP marking plan. NOTE: Proper DSCP marking of VVoIP packets is required to provide appropriate QoS for C2 priority calls in support of Assured Service. Refer to Table 5.3.3-2 (4-Queue PHB Approach) or Table 5.3.3-3 (8-Queue PHB Approach) from the UCR (shown in the procedures guide) to determine the proper configuration for the CER based on the number of queues provided. |