Detections
Analytics

NET0966 - Control plan protection is not enabled - 'Steps 1 - 3'

Information

The router must have control plane protection enabled.

 The Route Processor (RP) is critical to all network operations as it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Hence, any disruption to the RP or the control and management planes can result in mission critical network outages.

 In addition to control plane and management plane traffic that is in the router's receive path, the RP must also handle other traffic that must be punted to the RP-that is, the traffic must be fast or process switched. This is the result of packets that must be fragmented, require an ICMP response (TTL expiration, unreachable, etc.) have IP options, etc. A DoS attack targeting the RP can be perpetrated either inadvertently or maliciously involving high rates of punted traffic resulting in excessive RP CPU and memory utilization. To maintain network stability, the router must be able to securely handle specific control plane and management plane traffic that is destined to it, as well as other punted traffic.

 Using the ingress filter on forwarding interfaces is a method that has been used in the past to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grow. Control plane policing can be used to increase security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.

 NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
 NOTE: Nessus did not perform this check as it requires manual verification of multiple steps to ensure CoPP is enabled and configured accordingly.

Step 1: Verify that traffic types have been classified based on importance levels.
Step 2: Review the ACLs referenced by the match access-group commands to determine if the traffic is being classified appropriately.
Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification.

Solution

Implement control plane protection by classifying traffic types based on importance levels and configure filters to restrict and rate limit the traffic punted to the route processor as according to each class.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Infrastructure_Router_L3_Switch_V8R29_STIG.zip

Item Details

References: CAT|II, Rule-ID|SV-21167r2_rule, STIG-ID|NET0966, Vuln-ID|V-19188

Plugin: Cisco

Control ID: f4f5ea6f5b58e56a4e28b142fa570b4b12678ede55f731af7af415733f6e1e2b