Protecting the Router Control Plane
RFC 6192
Internet Engineering Task Force (IETF) D. Dugal
Request for Comments: 6192 Juniper Networks
Category: Informational C. Pignataro
ISSN: 2070-1721 R. Dunn
Cisco Systems
March 2011
Protecting the Router Control Plane
Abstract
This memo provides a method for protecting a router's control plane
from undesired or malicious traffic. In this approach, all
legitimate router control plane traffic is identified. Once
legitimate traffic has been identified, a filter is deployed in the
router's forwarding plane. That filter prevents traffic not
specifically identified as legitimate from reaching the router's
control plane, or rate-limits such traffic to an acceptable level.
Note that the filters described in this memo are applied only to
traffic that is destined for the router, and not to all traffic that
is passing through the router.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6192.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
Dugal, et al. Informational [Page 1]
RFC 6192 Protect Router Control Plane March 2011
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................2
2. Applicability Statement .........................................4
3. Method ..........................................................4
3.1. Legitimate Traffic .........................................5
3.2. Filter Design ..............................................6
3.3. Design Trade-Offs ..........................................7
3.4. Additional Protection Considerations ......................10
4. Security Considerations ........................................10
5. Acknowledgements ...............................................11
6. Informative References .........................................12
Appendix A. Configuration Examples ................................13
A.1. Cisco Configuration .......................................13
A.2. Juniper Configuration .....................................17
1. Introduction
Modern router architecture design maintains a strict separation of
forwarding and router control plane hardware and software. The
router control plane supports routing and management functions. It
is generally described as the router architecture hardware and
software components for handling packets destined to the device
itself as well as building and sending packets originated locally on
the device. The forwarding plane is typically described as the
router architecture hardware and software components responsible for
receiving a packet on an incoming interface, performing a lookup to
identify the packet's IP next hop and determine the best outgoing
interface towards the destination, and forwarding the packet out
through the appropriate outgoing interface.
Visually, this architecture can be represented as the router's
control plane hardware sitting on top of, and interfacing with, the
forwarding plane hardware with interfaces connecting to other network
devices. See Figure 1.
Dugal, et al. Informational [Page 2]
Show full document text