Protecting the router’s control plane

From CT3


By Ivan Pepelnjak

The control plane in a router runs numerous mission-critical processes, including routing protocols and network management services (SNMP, telnet or SSH access to the router, web access to the router). The results of control plane CPU overload due to a denial-of-service attack could be disastrous: without an adequate share of CPU and memory resources, the routing protocols cannot maintain sessions with adjacent routers, resulting in routing and packet forwarding disruptions. Likewise, active attacks on individual services could result in compromised network devices, impersonation attacks or denial-of-service attacks due to wrong routing information or routing instabilities.

With the introduction of high-speed switching platforms that cannot be easily congested, denial-of-service attacks frequently focus on the control-plane infrastructure, which can be effectively swamped even through a lower-bandwidth connection. The denial of service can target router-based processes (for example, the Telnet server or the OSPF routing protocol) or shortcomings of the data plane implementation that force the control plane to handle parts of the switching load. For example, all IP datagrams with IP options are forwarded to the control plane unless the ip options drop global configuration command has been used.

Cisco IOS router protection mechanisms

Cisco IOS gives you four categories of tools you can use to protect your router:

  • Inbound access lists control the traffic flow in the data plane. The access lists are commonly used to protect resources behind the router, but they are also very effective at protecting the router itself. You can use access lists to drop all traffic sent to the router’s IP addresses from untrusted interfaces.
  • Control Plane Policing (CoPP, available in IOS releases 12.2S, 12.3T and 12.4) and Control Plane Protection (CPPr, introduced in IOS release 12.4(4)T) limit the amount of traffic sent to the control plane, ensuring that the control plane CPU cannot be overloaded through a denial-of-service attack.
  • Management plane protection (introduced in IOS release 12.4(6)T) limits access to network management services.
  • Several IOS applications use per-application access lists to further limit their usage.

Figure 1 is a graphical overview of the mechanisms offered by Cisco IOS:

Figure 1: Control plane protection mechanisms in Cisco IOS

Protection granularity and filter features

The inbound access lists offer you the greatest granularity, as you can apply them on individual interfaces (separating trusted and untrusted interfaces). They can inspect numerous fields in the IP, TCP or UDP packets, including source/destination addresses, IP protocols (TCP, UDP, ICMP, OSPF, EIGRP), port numbers, the TTL field and the DSCP value.

Control plane policies can match source/destination addresses, but not specific IP protocols (therefore you cannot rate-limit inbound OSPF or EIGRP traffic). They can match TCP and UDP ports, but not the TTL field.

Per-application access lists (for example, access-class configured on VTY line or globally-configured ip http-server access-class) are used to check the incoming application-level sessions. They can check the source address and source/destination port numbers, but not the destination address or any other values in the IP header.
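The following configuration fragment is an added example, not a configuration from the original article; it puts the four tool categories listed above (inbound access list, CoPP, management plane protection, per-application access list) side by side, together with the ip options drop command mentioned earlier, so that the differing filter granularity described in this section is visible in one place. Interface names, the router address 192.0.2.1, the management network 198.51.100.0/24 and the policing rates are constructed placeholders that must be adapted to the actual network.

```cisco
! Added example configuration (not from the article). All addresses,
! interface names and rates are assumed placeholders.
!
! --- 0. Keep IP-options datagrams out of the control plane ---
ip options drop
!
! --- 1. Inbound access list on the untrusted interface ---
! Only the management network may talk to the router's own address;
! other traffic addressed to the router is dropped, transit traffic is
! left alone. The deny line deliberately has no "log" keyword: logging
! punts the matching packets to the CPU we are trying to protect.
ip access-list extended PROTECT-ROUTER
 permit ip 198.51.100.0 0.0.0.255 host 192.0.2.1
 deny   ip any host 192.0.2.1
 permit ip any any
!
interface GigabitEthernet0/0
 description Untrusted (Internet-facing) interface
 ip address 192.0.2.1 255.255.255.0
 ip access-group PROTECT-ROUTER in
!
! --- 2. Control Plane Policing (CoPP) ---
! Classify management sessions by source address and TCP/UDP port (the
! fields CoPP can act on per the article), give them a generous rate,
! and rate-limit everything else that reaches the control plane.
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
!
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
!
policy-map COPP-POLICY
 class COPP-MGMT-CLASS
  police 256000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! --- 3. Management Plane Protection (MPP) ---
! SSH and SNMP are accepted only when they arrive on the designated
! management interface; the same protocols arriving on Gi0/0 are dropped.
control-plane host
 management-interface GigabitEthernet0/1 allow ssh snmp
!
! --- 4. Per-application access list on the VTY lines ---
! Checked at the application level: source address only, as the article
! notes, so it complements rather than replaces the interface ACL.
ip access-list standard VTY-ACCESS
 permit 198.51.100.0 0.0.0.255
 deny   any
!
line vty 0 4
 access-class VTY-ACCESS in
 transport input ssh
```

Two points to check before deploying something like this: routing protocol packets (OSPF, EIGRP, BGP sessions) fall into class-default in the CoPP policy above, so the class-default rate must be sized for that traffic rather than copied from the placeholder, and the adjacency should be watched (show ip ospf neighbor, show policy-map control-plane) after the policy is applied; and MPP requires CEF switching to be enabled on the router.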
