The Customer Edge Router (CER) must expedite forwarding of VVoIP packets based on Differential Service Code Point (DSCP) packet marking.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19662	VVoIP 6205	SV-21803r2_rule	ECSC-1	Medium

Description
The typical perimeter or premise router may not be capable of supporting the needs of VVoIP and UC when entering the DISN WAN. Modern routers are capable of dealing with service classes and expedited forwarding. This why the DISN IPVS PMO specifies the specific additional capabilities required of the perimeter or premise router to support the needs of the Assures Service network. The router designated by the DISN IPVS PMO needed to support the service is the CER. The CER provides the following functionality: - Provides minimally four forwarding cues (eight preferred) - Places traffic within expedited forwarding cues based on the DSCP markings carried by the traffic. - Routes inbound AS-SIP-TLS packets and SRTP/SRTCP packets to the Session Border Controller (SBC). - Routes all other inbound traffic to the data firewall. - Provides all of the filtering required of a perimeter or premise router as required by the Router STIG. Proper DSCP marking of VVoIP packets is required to provide appropriate QoS for Command and Control (C2) priority calls in support of Assured Service.

Description

The typical perimeter or premise router may not be capable of supporting the needs of VVoIP and UC when entering the DISN WAN. Modern routers are capable of dealing with service classes and expedited forwarding. This why the DISN IPVS PMO specifies the specific additional capabilities required of the perimeter or premise router to support the needs of the Assures Service network. The router designated by the DISN IPVS PMO needed to support the service is the CER. The CER provides the following functionality: - Provides minimally four forwarding cues (eight preferred) - Places traffic within expedited forwarding cues based on the DSCP markings carried by the traffic. - Routes inbound AS-SIP-TLS packets and SRTP/SRTCP packets to the Session Border Controller (SBC). - Routes all other inbound traffic to the data firewall. - Provides all of the filtering required of a perimeter or premise router as required by the Router STIG. Proper DSCP marking of VVoIP packets is required to provide appropriate QoS for Command and Control (C2) priority calls in support of Assured Service.

STIG	Date
Voice/Video over Internet Protocol (VVoIP) STIG	2015-07-01

Details

Check Text ( C-24030r2_chk )
Review site documentation to confirm the CER expedites forwarding of VVoIP packets based on DSCP packet marking. When the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves and the system provides Assured Services to any C2 user (Special-C2, C2, or C2-R), the required CER must expedite forwarding of VVoIP packets based on DSCP packet marking in accordance with the DISN IPVS DSCP marking plan. Proper DSCP marking provides appropriate QoS for C2 priority calls in support of Assured Service. If the CER does not expedite forwarding of VVoIP packets based on DSCP packet marking, this is a finding.

Check Text ( C-24030r2_chk )

Review site documentation to confirm the CER expedites forwarding of VVoIP packets based on DSCP packet marking. When the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves and the system provides Assured Services to any C2 user (Special-C2, C2, or C2-R), the required CER must expedite forwarding of VVoIP packets based on DSCP packet marking in accordance with the DISN IPVS DSCP marking plan. Proper DSCP marking provides appropriate QoS for C2 priority calls in support of Assured Service. If the CER does not expedite forwarding of VVoIP packets based on DSCP packet marking, this is a finding.

Fix Text (F-20367r2_fix)
Implement the CER to expedite forwarding of VVoIP packets based on DSCP packet marking.