Protecting the Router Control Plane
RFC 6192
Document Type RFC - Informational (March 2011; Errata)
Last updated 2015-10-14
Replaces draft-dugal-opsec-protect-control-plane
Stream IETF
Formats plain text pdf html bibtex
Reviews
SECDIR Last Call Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 6192 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Ron Bonica
Send notices to (None)
Email authors Email WG IPR 1 References Referenced by Nits 
Internet Engineering Task Force (IETF)                          D. Dugal
Request for Comments: 6192                              Juniper Networks
Category: Informational                                     C. Pignataro
ISSN: 2070-1721                                                  R. Dunn
                                                           Cisco Systems
                                                              March 2011

                  Protecting the Router Control Plane

Abstract

   This memo provides a method for protecting a router's control plane
   from undesired or malicious traffic.  In this approach, all
   legitimate router control plane traffic is identified.  Once
   legitimate traffic has been identified, a filter is deployed in the
   router's forwarding plane.  That filter prevents traffic not
   specifically identified as legitimate from reaching the router's
   control plane, or rate-limits such traffic to an acceptable level.

   Note that the filters described in this memo are applied only to
   traffic that is destined for the router, and not to all traffic that
   is passing through the router.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6192.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of

Dugal, et al.                 Informational                     [Page 1]
RFC 6192              Protect Router Control Plane            March 2011

   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................2
   2. Applicability Statement .........................................4
   3. Method ..........................................................4
      3.1. Legitimate Traffic .........................................5
      3.2. Filter Design ..............................................6
      3.3. Design Trade-Offs ..........................................7
      3.4. Additional Protection Considerations ......................10
   4. Security Considerations ........................................10
   5. Acknowledgements ...............................................11
   6. Informative References .........................................12
   Appendix A. Configuration Examples ................................13
      A.1. Cisco Configuration .......................................13
      A.2. Juniper Configuration .....................................17

1.  Introduction

   Modern router architecture design maintains a strict separation of
   forwarding and router control plane hardware and software.  The
   router control plane supports routing and management functions.  It
   is generally described as the router architecture hardware and
   software components for handling packets destined to the device
   itself as well as building and sending packets originated locally on
   the device.  The forwarding plane is typically described as the
   router architecture hardware and software components responsible for
   receiving a packet on an incoming interface, performing a lookup to
   identify the packet's IP next hop and determine the best outgoing
   interface towards the destination, and forwarding the packet out
   through the appropriate outgoing interface.

   Visually, this architecture can be represented as the router's
   control plane hardware sitting on top of, and interfacing with, the
   forwarding plane hardware with interfaces connecting to other network
   devices.  See Figure 1.

Dugal, et al.                 Informational                     [Page 2]
RFC 6192              Protect Router Control Plane            March 2011

                             +----------------+
                             | Router Control |
                             |     Plane      |
Show full document text
ISOC IETF Trust RFC Editor IRTF IESG IETF IAB IASA & IAOC IETF Tools IANA