Free DISA STIG and SRG Library | Vaulted

V-14705

The administrator will enable CEF to improve router stability during a SYN flood attack in an IPv6 enclave.

Finding ID
NET-IPV6-033
Rule ID
SV-15425r1_rule
Severity
Cat II
CCE
(None)
Group Title
IPv6 routers are not configured with CEF enabled
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF behaves more predictably when presented with large volumes of traffic addressed to many destinations, such as a SYN flood attack. Because many SYN flood attacks use randomized source addresses to which the hosts under attack will reply, there can be a substantial amount of traffic for a large number of destinations that the router will have to handle. Consequently, routers configured for CEF will perform better under SYN floods directed at hosts inside the network than routers using the traditional cache. Note: Juniper's FPC (Flexible PIC Concentrator) architecture with the integrated Packet Forwarding Engine provides similar functionality and capabilities and is far superior to the traditional routing cache that is vulnerable to the DoS attack described above. The forwarding plane on all Juniper M and T Series platforms is built around the FPC architecture, which has capabilities similar to CEF. FPC is not configurable and is fully integrated with the Packet Forwarding Engine; hence, on these platforms this will always be not a finding.

Fix Text

The IAO will ensure that the ipv6 cef command has been configured on Cisco routers.

Check Content

IOS Procedure: Review all Cisco routers to ensure that CEF has been enabled. The configuration should look similar to the following:

ipv6 cef
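As an added example (not part of the STIG or of any DISA tooling), the following Python audit applies this check to a saved IOS running-config: the sample configurations are constructed, and only a global, non-negated `ipv6 cef` line is treated as compliant.

```python
# Constructed sample running-config excerpts (not taken from the STIG page).
COMPLIANT_CONFIG = """\
!
hostname rtr-edge-1
!
ip cef
ipv6 unicast-routing
ipv6 cef
!
interface GigabitEthernet0/0
 ipv6 address 2001:db8::1/64
!
"""

NONCOMPLIANT_CONFIG = """\
!
hostname rtr-edge-2
!
ip cef
ipv6 unicast-routing
no ipv6 cef
!
"""

def ipv6_cef_enabled(running_config: str) -> bool:
    """Return True if the global 'ipv6 cef' command is present and not negated.

    Only top-level (non-indented) lines count, so an indented interface-mode
    line never satisfies the check. The last matching statement wins, which
    mirrors how IOS applies configuration lines in order. 'ip cef' alone
    (IPv4 CEF) does not satisfy the IPv6 requirement.
    """
    state = False
    for raw in running_config.splitlines():
        if raw[:1].isspace() or raw.startswith("!"):
            continue  # sub-mode line or comment
        line = " ".join(raw.split())  # normalise whitespace
        if line == "ipv6 cef":
            state = True
        elif line == "no ipv6 cef":
            state = False
    return state

def audit_v14705(running_config: str) -> dict:
    """Evaluate one Cisco device against V-14705 (NET-IPV6-033)."""
    host = next((l.split(None, 1)[1] for l in running_config.splitlines()
                 if l.startswith("hostname ")), "unknown")
    enabled = ipv6_cef_enabled(running_config)
    return {"host": host, "vuln_id": "V-14705",
            "status": "NotAFinding" if enabled else "Open"}
```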

Responsibility

Information Assurance Officer

IA Controls

ECSC-1