Technical Summary
This memo provides a method for protecting a router's control plane from
undesired or malicious traffic. In this approach, all legitimate router
control plane traffic is identified and then a filter is deployed in the
router's forwarding plane. This filter prevents traffic not specifically
identified as legitimate from reaching the router's control plane, or rate
limits such traffic to an acceptable level.
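The following is an added illustration of the approach, not one of the memo's own configuration snippets. It shows a Junos firewall filter applied to the loopback (lo0) interface, which is exactly the "traffic destined for the router" path: it accepts BGP only from known peers, accepts SSH only from a management prefix, rate limits ICMP with a policer, and counts, logs and discards everything else. The prefix lists, addresses, policer values and term names are assumptions chosen for the example.

```junos
policy-options {
    /* Assumed peer and management addresses for this example */
    prefix-list bgp-peers {
        192.0.2.1/32;
        192.0.2.2/32;
    }
    prefix-list mgmt-hosts {
        198.51.100.0/26;
    }
}
firewall {
    policer icmp-policer {
        /* Assumed rate; tune to what the control plane can absorb */
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* BGP: "port bgp" matches source or destination 179,
               so both active and passive sessions are covered */
            term accept-bgp {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term accept-ssh-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Allow ICMP, but bound the rate instead of dropping it */
            term rate-limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            /* Default: anything not identified as legitimate is dropped */
            term discard-rest {
                then {
                    count protect-re-discards;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Because the filter is attached to lo0, transit traffic forwarded through the router is not evaluated by it; only packets addressed to the router's own interfaces reach these terms. Before committing a filter whose last term discards, deploy it with the final term set to `count` and `accept` only, and inspect the counter (`show firewall filter protect-re`) to confirm that no required protocol (routing adjacencies, NTP, DNS, SNMP from the NMS, and so on) is being caught by the default term; a control plane filter that is too tight is itself a self-inflicted outage.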
Working Group Summary
The document was accepted as a working group item on the mailing list on
4/30/2010. Working Group last call was performed for two weeks, ending on
9/15/2010, with no objections.
Document Quality
This document covers well-understood and widely deployed methods for
protecting the control plane of network devices from attack. It contains
example configuration snippets for two vendors' implementations.
It is part of a set of work undertaken by the WG to provide guidelines to
operators on how to secure their infrastructure from attack.
Personnel
Warren Kumari is the document shepherd.
RFC Editor Note
OLD TEXT:
This memo provides a method for protecting a router's control plane
from undesired or malicious traffic. In this approach, all
legitimate router control plane traffic is identified. Once
legitimate traffic has been identified, a filter is deployed in the
router's forwarding plane. That filter prevents traffic not
specifically identified as legitimate from reaching the router's
control plane, or rate limits such traffic to an acceptable level.
NEW TEXT:
This memo provides a method for protecting a router's control plane
from undesired or malicious traffic. In this approach, all
legitimate router control plane traffic is identified. Once
legitimate traffic has been identified, a filter is deployed in the
router's forwarding plane. That filter prevents traffic not
specifically identified as legitimate from reaching the router's
control plane, or rate limits such traffic to an acceptable level.
Note that the filters described in this memo are applied only to traffic that is
destined for the router, and not to all traffic that is passing through the router.
OLD TEXT:
It is advisable to protect the router control plane by implementing
mechanisms to filter completely or rate limit traffic not required at
the control plane level (i.e., unwanted traffic). Router Control
Plane Protection is the concept of filtering or rate limiting
unwanted traffic which would be diverted from the forwarding plane up
to the router control plane. The closer to the forwarding plane and
line-rate hardware the filters and rate-limiters are, the more
effective the protection is and the more resistant the system is to
DoS attacks. This memo demonstrates one example of how to deploy a
policy filter that satisfies a set of sample traffic matching,
filtering and rate limiting criteria.
NEW TEXT:
It is advisable to protect the router control plane by implementing
mechanisms to filter completely or rate limit traffic not required at
the control plane level (i.e., unwanted traffic). Router Control
Plane Protection is the concept of filtering or rate limiting
unwanted traffic which would be diverted from the forwarding plane up
to the router control plane. The closer to the forwarding plane and
line-rate hardware the filters and rate-limiters are, the more
effective the protection is and the more resistant the system is to
DoS attacks. This memo demonstrates one example of how to deploy a
policy filter that satisfies a set of sample traffic matching,
filtering and rate limiting criteria.
Note that the filters described in this memo are applied only to traffic that is
destined for the router, and not to all traffic that is passing through the router.
OLD TEXT:
For network deployments where the protocols used do not rely on IP options
NEW TEXT:
For network deployments where the protocols do not use IP options