Router Security − IP Network Traffic Plane Concepts
By Gregg Schudel
Building and operating IP network infrastructures for converged services requires careful consideration to meet the carrier-class requirements that customers demand while supporting multiple, diverse services which have distinct bandwidth, jitter, and latency requirements. Legacy, single-purpose networks were designed and built with specific, tightly controlled operational characteristics to support a single service. However, carrying Internet, voice and video, cellular, and private (VPN) business traffic over a common IP backbone has significant implications for both network design and network operations. Disruptions in any one of these traffic services may potentially disrupt any of the other services, or the wider network. Thus, it is important to control all packets within IP networks to enforce desired policies. To do this first requires an understanding of how packets are carried and handled by the network devices themselves.
IP networks essentially carry two kinds of packets: data packets and infrastructure packets. Data packets belong to customers or services and represent revenue-generating traffic. These packets make up the logical groups known as the data plane and services plane respectively. Infrastructure packets, on the other hand, belong to the network and are used to create or operate the network. These packets make up the logical groups known as the control plane and management plane respectively. Controlling how network devices handle these four IP traffic planes is essential for ensuring network availability and security. One of the strengths of the IP protocol is that all of these packets are carried in-band. Routers and switches must therefore be able to distinguish between these different IP traffic planes as packets ingress these devices.
From the local perspective of an individual network device, four general types of packets must be handled:
- Transit packets − These include data plane and some services plane packets that are subjected to standard, destination IP address-based forwarding functions. In most networks and under normal operating conditions, transit packets are typically forwarded by Cisco Express Forwarding mechanisms, either in the interrupt process within CPU-based (software switched) platforms, or within specialized high-speed forwarding hardware on high-end platforms. The term fast path is most often used to describe this type of packet handling.
- Receive packets − These include control plane and management plane packets that are destined to the network device itself. Receive packets must be handled by the CPU within the route processor of the device itself, as they are ultimately destined to and handled by applications running at the process level within IOS. The term punt is often used to describe the action of switching a packet from the fast path to the route processor for handling.
- Exception IP packets − These include a special set of IP packets that are also transit IP packets, but that cannot be forwarded by normal fast path mechanisms. Exception IP packets include, for example, IPv4 packets containing IP header options, IP packet TTL expires, and IP packets with unreachable destinations. These packets must be punted and then handled by the software-based forwarding processes. The term slow path is most often used to describe this type of packet handling.
- Exception Non-IP packets − Layer 2 keepalives, ISIS packets, Cisco Discovery Protocol (CDP) packets, and PPP Link Control Protocol (LCP) packets are examples of non-IP packets. All of the packets in this group are punted to the route processor for handling. They are never forwarded.
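The four local packet types above can be modelled as a small classifier. The Python below is an added example written for this article, not Cisco code: the router's own addresses, the forwarding table and the sample packets are constructed, and the check order (a packet addressed to the router is recognised as a receive packet before the TTL, options and route tests that decide whether a transit packet stays in the fast path) is a deliberate simplification of the real lookup.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed router state for this example (not from the article): the
# addresses the router itself answers on, and a minimal forwarding table (FIB).
LOCAL_ADDRESSES = {ip_address("192.0.2.1"), ip_address("198.51.100.1")}
FIB = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24"),
       ip_network("203.0.113.0/24")]

# The four local packet types from the article and where each one is handled.
TRANSIT = "transit"                    # fast path (CEF / forwarding hardware)
RECEIVE = "receive"                    # punted: destined to the router itself
EXCEPTION_IP = "exception-ip"          # punted: transit IP the fast path cannot forward
EXCEPTION_NON_IP = "exception-non-ip"  # punted: never forwarded at all
HANDLING = {
    TRANSIT: "fast path",
    RECEIVE: "punt to route processor (process level)",
    EXCEPTION_IP: "punt to route processor (slow path)",
    EXCEPTION_NON_IP: "punt to route processor",
}

@dataclass
class Packet:
    ethertype: str             # "ipv4", or a non-IP value such as "cdp", "isis", "lcp"
    dst: Optional[str] = None  # destination IPv4 address (IP packets only)
    ttl: int = 64
    ip_options: bool = False   # IPv4 header carries options (e.g. record route)

def fib_lookup(dst) -> Optional[IPv4Network]:
    """Longest-prefix match against the FIB; None means no route at all."""
    matches = [n for n in FIB if dst in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None

def classify(pkt: Packet) -> str:
    """Map an ingress packet to one of the four local packet types."""
    if pkt.ethertype != "ipv4":
        return EXCEPTION_NON_IP            # L2 keepalives, CDP, IS-IS, LCP, ...
    dst = ip_address(pkt.dst)
    if dst in LOCAL_ADDRESSES:
        return RECEIVE                     # control/management plane traffic for this box
    # Everything else is transit; decide whether the fast path can forward it.
    if pkt.ip_options:
        return EXCEPTION_IP                # IP header options present
    if pkt.ttl <= 1:
        return EXCEPTION_IP                # TTL expires here (ICMP time exceeded)
    if fib_lookup(dst) is None:
        return EXCEPTION_IP                # unreachable destination (ICMP unreachable)
    return TRANSIT

def is_punted(pkt: Packet) -> bool:
    """True for every packet that leaves the fast path for the route processor."""
    return classify(pkt) != TRANSIT

def summarize(packets) -> Counter:
    """Count how many packets of a stream fall into each type."""
    return Counter(classify(p) for p in packets)

# Constructed sample stream, one packet per case the article mentions.
SAMPLE = [
    Packet("ipv4", dst="203.0.113.9"),                    # web traffic through the box
    Packet("ipv4", dst="192.0.2.1", ttl=1),               # BGP to the router: receive, TTL irrelevant
    Packet("ipv4", dst="203.0.113.9", ttl=1),             # traceroute probe: TTL expires here
    Packet("ipv4", dst="203.0.113.9", ip_options=True),   # record-route option set
    Packet("ipv4", dst="10.9.9.9"),                       # no route in the FIB
    Packet("cdp"),                                        # non-IP, punted, never forwarded
    Packet("isis"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        kind = classify(p)
        print(f"{p.ethertype:>4} dst={p.dst!s:<12} ttl={p.ttl:<3} opts={p.ip_options!s:<5} "
              f"-> {kind} ({HANDLING[kind]})")
    print(dict(summarize(SAMPLE)))
```

The point to take from the sample is that only one of the seven packets stays in the fast path; everything else, including the two transit packets that merely carry a low TTL or an option, competes for the same punt path and route processor cycles as the BGP session.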
The processing requirements are very different for each packet type described above. Modern routers and switches use highly specialized forwarding hardware such as Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), and Network Processors (NPs) to accelerate the forwarding of transit packets within the data plane and services plane. On the other hand, control plane and management plane traffic are processed directly by the CPU within the route processor (RP) of these devices instead of being forwarded.
Under normal network operating conditions, the vast majority of packets handled by network devices are transit packets within the data plane and services plane. As mentioned, modern network devices are optimized to handle these packets efficiently in the fast path. Normally, there are considerably fewer receive and exception packets within the control and management planes, and the punt path and route processor resources available for handling these types of packets reflect this fact. When high packet rates overload the control and/or management plane, these punt path and route processor resources can be overwhelmed, reducing the availability of these resources for tasks critical to the operation and maintenance of the network and network devices carrying the various traffic types. For example, if a high volume of rogue packets generated by a virus or worm is handled by the control plane, the router will spend an excessive amount of time processing and discarding unnecessary traffic. The route processor is thus not available to support its required tasks such as computing periodic routing table updates, maintaining the CEF table used by the fast path for the forwarding of data plane packets, and maintaining interface link states.
When considering route processor attack scenarios, it's natural to think only of malicious events. However, both malicious and non-malicious events can overwhelm route processor resources. Malicious events include crafted packet attacks or simply high rates of packets directed at the control plane. Non-malicious events may result from router or network misconfigurations, software bugs, or in some circumstances, network failure reconvergence events. From the perspective of the router, the underlying condition is irrelevant when the result is the same. It is important to take the appropriate steps to protect the route processor from being overwhelmed, whether by malicious or non-malicious events.
Cisco IOS software provides many security features that may be used to control traffic within each of the IP network traffic planes. Some of these features are generic and applicable to a broad range of security functions, while others are specifically designed to protect the route processor. Multiple security features may be deployed or required for deployment to implement the most appropriate security policy. When multiple features are used, the order of operation should be considered, as well as where in the packet processing path the action actually takes place. To illustrate this, two security features that can be used to control packets reaching the route processor − the interface access list (ACL) and Control Plane Policing (CoPP) − are described. These two features in particular were selected to illustrate how differences in the security policy enforcement point can complicate or simplify the overall security policy in general.
- Interface access control lists (iACLs) are the traditional and most generally available approach for managing all packets entering or exiting a network device. As illustrated below, iACLs are applied at the interface level and affect all packets ingressing (or egressing, if applied in that direction) the interface. Therefore, policies enforced in the form of an iACL must take into consideration not only transit packets within the data and services planes, but also receive and exception IP packets within the data, control, management, and services planes as well. (IP-based ACLs will not affect or perform policy enforcement on non-IP packets.) While effective, the iACL also processes numerous transit packets and hence is doing work that is not strictly required to secure the route processor resources. (Note that defense in depth and breadth concepts do favor configuring multiple, independent mechanisms, however.)
Control Plane Policing
- Control plane policing is a Cisco IOS route processor protection mechanism that can be deployed to control only those packets that require handling by the route processor. As illustrated below, CoPP only affects packets that are punted to the route processor for handling. This includes receive IP packets, exception IP packets, and certain non-IP packets. In addition, CoPP is implemented using the Modular QoS CLI (MQC) framework for policy construction. In this way, in addition to providing a simple permit/deny capability, CoPP allows specific packets to be permitted and/or policed at a certain rate. This capability substantially improves the ability to define an effective CoPP policy. (It should be noted that the feature name 'Control Plane Policing' is something of a misnomer, since CoPP generally protects the punt path to the route processor and not solely the control plane.)
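To make the enforcement-point difference between the two features concrete, the following Python model is added here; it is written for this article and is not Cisco IOS code. It pushes a constructed packet stream, already labelled with the four local packet types, first through an interface ACL (which is evaluated for every ingress IP packet and never sees non-IP frames) and then either into the fast path or into a CoPP policy that is consulted only for punted packets and rate-polices one class with a token bucket. The router and peer addresses, the ACL entries, the CoPP classes and the 10 pps / 5-packet policer are all made up for the example, as is the burst of 20 ICMP packets in 100 ms; the token bucket is a simplified stand-in for an MQC `police` action.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

@dataclass
class Packet:
    t: float      # arrival time in seconds (drives the policer)
    kind: str     # article's types: "transit", "receive", "exception-ip", "exception-non-ip"
    proto: str    # "tcp", "udp", "icmp", or "non-ip"
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dport: int = 0

# Enforcement point 1: the interface ACL sees every ingress IP packet, transit included.
@dataclass
class AclEntry:
    action: str   # "permit" / "deny"
    proto: str    # "ip" (any), "tcp", "udp", "icmp"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport))

def iacl_verdict(acl: List[AclEntry], p: Packet) -> str:
    if p.proto == "non-ip":
        return "permit"                      # an IP ACL never sees non-IP frames
    for entry in acl:                        # first match wins ...
        if entry.matches(p):
            return entry.action
    return "deny"                            # ... then the implicit deny

# Enforcement point 2: CoPP sits on the punt path and never sees transit packets.
class Policer:
    """Single-rate token bucket: `rate` packets/s sustained, `burst` packets at once."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0

    def conform(self, t: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens < 1.0:
            return False                     # exceed action: drop
        self.tokens -= 1.0
        return True

@dataclass
class CoppClass:
    name: str
    match: Callable[[Packet], bool]
    policer: Optional[Policer] = None        # None = permit without a rate limit

def copp_verdict(classes: List[CoppClass], p: Packet) -> str:
    if p.kind == "transit":
        return "not-seen"
    for c in classes:
        if c.match(p):
            return "permit" if c.policer is None or c.policer.conform(p.t) else "drop"
    return "permit"                          # class-default, left unpoliced here

def run(packets: List[Packet], acl: List[AclEntry], classes: List[CoppClass]) -> Counter:
    """Push a stream through the iACL, then the fast path or CoPP; count outcomes."""
    stats = Counter()
    for p in sorted(packets, key=lambda x: x.t):
        if iacl_verdict(acl, p) == "deny":
            stats["iacl-drop"] += 1
        elif p.kind == "transit":
            stats["fast-path"] += 1          # forwarded by CEF, CoPP never consulted
        else:
            stats["copp-" + copp_verdict(classes, p)] += 1
    return stats

# Constructed policy (hypothetical addresses). The iACL has to permit transit
# traffic explicitly; the infrastructure deny alone would drop customer packets.
ROUTER, PEER = "192.0.2.1/32", "203.0.113.2/32"
IACL = [
    AclEntry("permit", "tcp", PEER, ROUTER, 179),           # BGP from the known peer
    AclEntry("permit", "icmp", "0.0.0.0/0", ROUTER),        # ICMP to the box (CoPP polices it)
    AclEntry("deny", "ip", "0.0.0.0/0", "192.0.2.0/24"),    # anything else at infrastructure
    AclEntry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),     # transit traffic
]

def build_copp() -> List[CoppClass]:
    """New policer objects each call, so every run starts with a full bucket."""
    return [CoppClass("routing", lambda p: p.proto == "tcp" and p.dport == 179),
            CoppClass("icmp", lambda p: p.proto == "icmp", Policer(rate=10, burst=5))]

def sample_traffic() -> List[Packet]:
    """Constructed stream of 30 packets; the 5 transit ones never reach the punt path."""
    pkts = [Packet(0.1 * i, "transit", "tcp", "198.51.100.7", "203.0.113.9", 80) for i in range(5)]
    pkts += [Packet(0.2 * i, "receive", "tcp", "203.0.113.2", "192.0.2.1", 179) for i in range(3)]
    pkts.append(Packet(0.3, "receive", "tcp", "198.51.100.7", "192.0.2.1", 22))  # SSH from a stray host
    pkts += [Packet(0.005 * i, "receive", "icmp", "198.51.100.7", "192.0.2.1") for i in range(20)]
    pkts.append(Packet(0.4, "exception-non-ip", "non-ip"))                          # a CDP frame
    return pkts

if __name__ == "__main__":
    print(dict(run(sample_traffic(), IACL, build_copp())))
```

Running it shows the asymmetry the article describes: the iACL is evaluated for all 30 packets but contributes exactly one drop (the SSH attempt), while CoPP is consulted for only the 24 packets that both pass the iACL and leave the fast path, and it is the policer, not the ACL, that holds the ICMP burst to 5 packets and discards the other 15 before they cost route processor time. The CDP frame passes the IP ACL untouched and is only ever subject to CoPP.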
These two features are only part of Cisco Network Foundation Protection (NFP), an umbrella strategy that encompasses all of the rich set of security features included as part of Cisco IOS software and which provides the tools, technologies, techniques, and services that enable organizations to secure their network infrastructures. Cisco NFP helps to establish a methodical approach to protecting IP network traffic planes, forming the foundation to address the complexity of attacks and help ensure the availability of network elements for continuous delivery of services.
This article provides you with an overview of the concepts of IP network traffic planes, including the concepts of packet processing and route processor protection. These concepts are critical to understanding the requirements for security techniques necessary in today's highly converged networks. The application of these concepts forms the basis for the best common practice (BCP) recommendations for securing IP networks.