1
00:00:07,224 --> 00:00:10,200
- And reviews what you can do to protect network devices

2
00:00:10,200 --> 00:00:13,440
in the event of attacks involving traffic directed

3
00:00:13,440 --> 00:00:16,633
to the network device itself.

4
00:00:17,520 --> 00:00:21,580
The route processor, the CPU on a router,

5
00:00:21,580 --> 00:00:23,570
can only do so much.

6
00:00:23,570 --> 00:00:25,390
So whenever possible the router

7
00:00:25,390 --> 00:00:29,710
is going to cache information about how to forward packets,

8
00:00:29,710 --> 00:00:33,620
transit packets going from one device on the network

9
00:00:33,620 --> 00:00:36,000
to some other device.

10
00:00:36,000 --> 00:00:39,650
By using cached information when a packet shows up

11
00:00:39,650 --> 00:00:41,460
that needs to be forwarded,

12
00:00:41,460 --> 00:00:44,760
the CPU has to expend little effort.

13
00:00:44,760 --> 00:00:48,350
Forwarding of traffic is a function of the data plane,

14
00:00:48,350 --> 00:00:50,970
and that is what really benefits

15
00:00:50,970 --> 00:00:54,020
from using cached information.

16
00:00:54,020 --> 00:00:57,210
So what has that got to do with the control plane?

17
00:00:57,210 --> 00:01:01,300
If a packet, such as an Open Shortest Path First, OSPF,

18
00:01:01,300 --> 00:01:06,117
or Enhanced Interior Gateway Routing Protocol, EIGRP,

19
00:01:06,960 --> 00:01:11,960
routing advertisement packet is sent to an IP on the router,

20
00:01:12,447 --> 00:01:15,440
it is no longer a transit packet

21
00:01:15,440 --> 00:01:19,130
that can be simply forwarded by looking up information

22
00:01:19,130 --> 00:01:21,590
in a route cache of some type.
23
00:01:21,590 --> 00:01:24,160
Instead, because the packet is addressed

24
00:01:24,160 --> 00:01:25,710
to the router itself,

25
00:01:25,710 --> 00:01:28,270
the router has to spend some CPU cycles

26
00:01:28,270 --> 00:01:29,920
to interpret the packet,

27
00:01:29,920 --> 00:01:32,420
look at the application layer information,

28
00:01:32,420 --> 00:01:34,520
and then potentially respond.

29
00:01:34,520 --> 00:01:37,390
If an attacker sends thousands of packets like these

30
00:01:37,390 --> 00:01:41,100
to the router, or if there is a botnet with hundreds

31
00:01:41,100 --> 00:01:44,350
of thousands of devices, each configured to send these types

32
00:01:44,350 --> 00:01:47,740
of packets to the router, the router could be so busy

33
00:01:47,740 --> 00:01:50,670
just processing all these requests that it might not

34
00:01:50,670 --> 00:01:53,980
have enough resources to do its normal work.

35
00:01:53,980 --> 00:01:58,100
Control plane security is primarily guarding against attacks

36
00:01:58,100 --> 00:02:02,020
that might otherwise negatively impact the CPU,

37
00:02:02,020 --> 00:02:04,080
including routing updates,

38
00:02:04,080 --> 00:02:07,049
which are also processed by the CPU.

39
00:02:07,049 --> 00:02:12,049
You can deploy CoPP and CPPr to protect the control plane.

40
00:02:14,090 --> 00:02:18,740
Control plane policing, or CoPP, can be configured

41
00:02:18,740 --> 00:02:23,360
as a filter for any traffic destined to an IP address

42
00:02:23,360 --> 00:02:24,900
on the router itself.

43
00:02:24,900 --> 00:02:29,410
For instance, you can specify that management traffic

44
00:02:29,410 --> 00:02:34,410
such as SSH, HTTPS, SSL, and so on can be rate limited

45
00:02:35,410 --> 00:02:39,490
or policed down to a specific level or dropped completely.
46
00:02:39,490 --> 00:02:42,450
This way, if an attack occurs that involves

47
00:02:42,450 --> 00:02:44,490
an excessive amount of this traffic,

48
00:02:44,490 --> 00:02:49,180
the excessive traffic above the threshold set

49
00:02:49,180 --> 00:02:52,120
could simply be ignored and not have to be processed

50
00:02:52,120 --> 00:02:54,260
directly by the CPU.

51
00:02:54,260 --> 00:02:55,570
Another way to think of this

52
00:02:55,570 --> 00:02:58,996
is as applying quality of service

53
00:02:58,996 --> 00:03:01,810
to the valid management traffic

54
00:03:01,810 --> 00:03:06,122
and policing to the bogus management traffic.

55
00:03:06,122 --> 00:03:11,122
CoPP is applied to a logical control plane interface,

56
00:03:11,881 --> 00:03:15,250
not directly to any Layer 3 interface,

57
00:03:15,250 --> 00:03:20,250
so that the policy can be applied globally to the router.

58
00:03:20,625 --> 00:03:23,973
Control plane protection, or CPPr,

59
00:03:23,973 --> 00:03:28,840
allows for more detailed classification of traffic,

60
00:03:28,840 --> 00:03:30,410
more than CoPP,

61
00:03:30,410 --> 00:03:33,420
that is going to use the CPU for handling.

62
00:03:33,420 --> 00:03:36,940
The three specific sub-interfaces that can be classified

63
00:03:36,940 --> 00:03:40,580
are the host sub-interface, which handles traffic

64
00:03:40,580 --> 00:03:45,110
to one of the physical or logical interfaces of the router,

65
00:03:45,110 --> 00:03:47,610
the transit sub-interface, which handles

66
00:03:47,610 --> 00:03:51,750
certain data plane traffic that requires CPU intervention

67
00:03:51,750 --> 00:03:54,698
before forwarding, such as IP options,

68
00:03:54,698 --> 00:03:59,610
and the Cisco Express Forwarding, CEF, exception traffic

69
00:03:59,610 --> 00:04:03,470
related to network operations, such as keepalives

70
00:04:03,470 --> 00:04:06,690
or packets with time-to-live values

71
00:04:06,690 --> 00:04:08,740
that are expiring.
72
00:04:08,740 --> 00:04:12,260
The benefit of CPPr is that you can rate limit

73
00:04:12,260 --> 00:04:14,500
and filter this type of traffic

74
00:04:14,500 --> 00:04:18,783
with a more fine-toothed comb than CoPP.

75
00:04:18,783 --> 00:04:23,480
CPPr is also applied to a logical control plane interface

76
00:04:23,480 --> 00:04:26,500
so that regardless of the logical or physical interface

77
00:04:26,500 --> 00:04:30,580
on which the packets arrive, the route processor

78
00:04:30,580 --> 00:04:32,500
can still be protected.

79
00:04:32,500 --> 00:04:37,030
Using CoPP or CPPr, you can specify which types

80
00:04:37,030 --> 00:04:41,580
of management traffic are acceptable at which levels.

81
00:04:41,580 --> 00:04:45,100
For example, you could decide and configure the router

82
00:04:45,100 --> 00:04:50,100
to believe that SSH is acceptable at 100 packets per second,

83
00:04:50,509 --> 00:04:55,509
syslog is acceptable at 200 packets per second, and so on.

84
00:04:55,580 --> 00:04:59,495
Traffic that exceeds the thresholds can be safely dropped

85
00:04:59,495 --> 00:05:03,670
if it is not from one of your specific management stations.

86
00:05:03,670 --> 00:05:07,300
You can specify all those details in the policy.

87
00:05:07,300 --> 00:05:10,370
Routing protocol authentication is another best practice

88
00:05:10,370 --> 00:05:12,830
for securing the control plane.

89
00:05:12,830 --> 00:05:16,701
If you use authentication, a rogue router on the network

90
00:05:16,701 --> 00:05:21,701
will not be believed by the authorized network devices.

91
00:05:22,070 --> 00:05:24,870
The attacker may have intended to route all the traffic

92
00:05:24,870 --> 00:05:28,615
through his device, or perhaps at least learn details

93
00:05:28,615 --> 00:05:32,783
about the routing tables and networks.
94
00:05:33,620 --> 00:05:36,520
Although not necessarily a security feature,

95
00:05:36,520 --> 00:05:40,740
selective packet discard, or SPD, provides the ability

96
00:05:40,740 --> 00:05:44,485
to prioritize certain types of packets,

97
00:05:44,485 --> 00:05:47,180
for example, routing protocol packets

98
00:05:47,180 --> 00:05:50,410
and Layer 2 keepalive messages, which are received

99
00:05:50,410 --> 00:05:54,640
by the route processor. SPD provides priority

100
00:05:54,640 --> 00:05:57,780
of critical control plane traffic over traffic

101
00:05:57,780 --> 00:06:00,316
that is less important or, worse yet,

102
00:06:00,316 --> 00:06:04,920
is being sent maliciously to starve the CPU of resources

103
00:06:04,920 --> 00:06:06,753
required for the RP.