STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Nokia Service Router OS 25.x Router Security Technical Implementation Guide

V-283842

CAT II (Medium)

The Nokia router must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection.

Rule ID

SV-283842r1203775_rule

STIG

Nokia Service Router OS 25.x Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002385

Discussion

The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages. A DoS attack targeting the RP can result in excessive CPU and memory utilization. To maintain network stability and RP security, the router must be able to handle specific control plane and management plane traffic that is destined to the RP. In the past, one method of filtering was to use ingress filters on forwarding interfaces to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Control plane policing increases the security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.

Check Content

Determine whether control plane protection has been implemented on the device by verifying that traffic types have been classified based on importance levels and a policy has been configured to filter and rate limit the traffic according to each class, as shown below:

- show router interface "TO-PE2" dist-cpu-protection detail

Interface "TO-PE2" (Router: Base)

Distributed CPU Protection Policy :  protect-cpm

-------------------------------------------------------------------------------
Statistics/Policer-State Information
-------------------------------------------------------------------------------
Static Policer
-------------------------------------------------------------------------------
Policer-Name        : Rate-Limit-ICMP-Traffic
Card/FP             : 1/1               Policer-State       : Conform
Protocols Mapped    : icmp
Exceed-Count        : 0
Total Exceed-Count  : 0                 Exceed-State-Count  : 0
Detec. Time Remain  : 0 seconds         Hold-Down Remain.   : none
Operational (adapted) Rate Parameters:
 Oper. Packets      : 1 ppi              Oper. Within       : 1 seconds
 Oper. Initial Delay: none
 Oper. Depth        : 0 packets

If the router does not have control plane protection implemented, this is a finding.

Fix Text

Implement control plane protection by classifying traffic types based on importance and configure filters to restrict and rate limit the traffic directed to and processed by the RP according to each class.

Create a CPM filter to drop the traffic to protect the control plane, as shown in the commands below:

- configure system security cpm-filter
- config>sys>security>cpm-filter# ip-filter
- config>sys>sec>cpm>ip-filter# entry 10 create
- cfg>sys>sec>cpm>ip-filter>entry# match src-ip 100.100.100.x/32
- cfg>sys>sec>cpm>ip-filter>entry# match protocol "icmp"
- cfg>sys>sec>cpm>ip-filter>entry>match# exit
- cfg>sys>sec>cpm>ip-filter>entry# action drop
- cfg>sys>sec>cpm>ip-filter>entry# exit
- config>sys>sec>cpm>ip-filter# no shutdown
- config>sys>sec>cpm>ip-filter# exit all

Create a dist-cpu-protection policy to rate-limit traffic before it reaches the CPM, as shown in the commands below:

- configure system security dist-cpu-protection
- config>sys>security>dist-cpu-protection# policy "protect-cpm" create
- config>sys>security>dist-cpu-protection>policy# static-policer Rate-Limit-ICMP-Traffic create
- config>sys>security>dist-cpu-protection>policy>static$ rate packets 1 within 1
- config>sys>security>dist-cpu-protection>policy>static$ exceed-action discard
- config>sys>security>dist-cpu-protection>policy>static$ exit
- config>sys>security>dist-cpu-protection>policy# protocol icmp create
- config>sys>security>dist-cpu-protection>policy>protocol$ enforcement static "Rate-Limit-ICMP-Traffic"
-config>sys>security>dist-cpu-protection>policy>protocol$ exit all

Apply a Distributed CPU Protection Policy on the interface:
 
- configure router interface "TO-PE2" dist-cpu-protection "protect-cpm"