A method for protecting a router's control plane has been standardized as RFC 6192
A method for protecting a router's control plane from malicious traffic has been standardized as RFC 6192. The abstract summarizes the approach:
This memo provides a method for protecting a router’s control plane
from undesired or malicious traffic. In this approach, all
legitimate router control plane traffic is identified. Once
legitimate traffic has been identified, a filter is deployed in the
router’s forwarding plane. That filter prevents traffic not
specifically identified as legitimate from reaching the router’s
control plane, or rate-limits such traffic to an acceptable level.
The RFC itself contains actual configuration examples for both Cisco and Juniper.
On Cisco IOS, packets destined for the control plane are controlled with CoPP (Control Plane Policing): access lists identify each kind of legitimate control-plane traffic, and a policy applied to the control plane permits or rate-limits each class. The excerpt below (from the RFC) shows the access-list definitions; note that the BGP entries match on the source or destination port 179 (eq bgp) in both directions.
!Start: Protecting The Router Control Plane
!
!Control Plane Policing (CoPP) Configuration
!
!Access Control List Definitions
!
ip access-list extended ICMP
permit icmp any any
ipv6 access-list ICMPv6
permit icmp any any
ip access-list extended OSPF
permit ospf 192.0.2.0 0.0.0.255 any
ipv6 access-list OSPFv3
permit 89 FE80::/10 any
ip access-list extended IBGP
permit tcp 192.0.2.0 0.0.0.255 eq bgp any
permit tcp 192.0.2.0 0.0.0.255 any eq bgp
ipv6 access-list IBGPv6
permit tcp 2001:DB8:1::/48 eq bgp any
permit tcp 2001:DB8:1::/48 any eq bgp
ip access-list extended EBGP
permit tcp host 198.51.100.25 eq bgp any
permit tcp host 198.51.100.25 any eq bgp
permit tcp host 198.51.100.27 eq bgp any
permit tcp host 198.51.100.27 any eq bgp
permit tcp host 198.51.100.29 eq bgp any
permit tcp host 198.51.100.29 any eq bgp
permit tcp host 198.51.100.31 eq bgp any
permit tcp host 198.51.100.31 any eq bgp