STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Nokia Service Router OS 25.x Router Security Technical Implementation Guide

V-283841

CAT I (High)

The Nokia router must be configured to restrict traffic destined to itself.

Rule ID

SV-283841r1203772_rule

STIG

Nokia Service Router OS 25.x Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001097

Discussion

The route processor handles traffic destined to the router, which is the key component used to build forwarding paths and is instrumental with all network management functions. Therefore, any disruption or denial-of-service attack to the route processor can result in mission-critical network outages.

Check Content

Review the access control list (ACL) or filter for the router receive path and verify it will only process specific management plane and control plane traffic from specific sources, as shown in the example below:

- show system security cpm-filter ip-filter entry 10

CPM IP Filter Entry

Entry Id           : 10
Description        : (Not Specified)
-------------------------------------------------------------------------------
Filter Entry Match Criteria :
-------------------------------------------------------------------------------
Log Id             : n/a
Src. IP            : 100.100.100.100/32
Src. Port          : n/a
Dst. IP            : n/a
Dest. Port         : n/a
Protocol           : icmp               Dscp               : Undefined

- show system security cpm-filter ipv6-filter entry 20

CPM IPv6 Filter Entry

Entry Id           : 20
Description        : (Not Specified)
-------------------------------------------------------------------------------
Filter Entry Match Criteria :
-------------------------------------------------------------------------------
Log Id             : n/a
Src. IP            : 2001:acad:1234:200::2/128

If the router is not configured with a receive-path filter to restrict traffic destined to itself, this is a finding.

Fix Text

Configure all routers with receive path filters to restrict traffic destined to the router.

Create a cpm-filter to control traffic to the control plane module, as shown below:

CPM-filter for IPv4 traffic:

- configure system security cpm-filter
- config>sys>security>cpm-filter# default-action accept
- config>sys>security>cpm-filter# ip-filter
- config>sys>sec>cpm>ip-filter# entry 10 create
- cfg>sys>sec>cpm>ip-filter>entry# match src-ip 100.100.100.100/32
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "icmp"
- cfg>sys>sec>cpm>ip-filter>entry>match# back
- cfg>sys>sec>cpm>ip-filter>entry# action accept
- cfg>sys>sec>cpm>ip-filter>entry# action drop
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# no shutdown
- config>sys>sec>cpm>ip-filter# exit all

CPM-Filter for IPv6 traffic: 

- configure system security cpm-filter
- config>sys>security>cpm-filter# default-action accept
- config>sys>security>cpm-filter# ipv6-filter
- config>sys>sec>cpm>ipv6-filter# entry 20 create
- cfg>sys>sec>cpm>ipv6-filter>entry# match src-ip 2001:acad:1234:200::2/128
- cfg>sys>sec>cpm>ipv6-filter>entry# action drop
- cfg>sys>sec>cpm>ipv6-filter>entry# exit
- config>sys>sec>cpm>ipv6-filter# no shutdown
- config>sys>sec>cpm>ipv6-filter# exit all