IP forwarding supports CSM filters that are applied to IP packets extracted to the control plane. CSM filters are used to protect the control plane from DoS attacks, unauthorized access to the node, and similar security breaches.
IP filters scan all traffic and take the appropriate (configured) action against matching packets. Packets that are not filtered by the IP filters and are destined for the 7705 SAR are scanned by the configured CSM filter.
For information on IP filters, see the 7705 SAR Router Configuration Guide.
Although the Control and Switching module on the 7705 SAR is called a CSM, the CSM filters are referred to as CPM filters in the CLI to maintain consistency with other SR routers.
Both IPv4 and IPv6 CSM filters are supported.
IPv4 CSM filters drop or accept incoming packets based on the following match criteria:
DSCP name
destination IP address
destination port
fragmentation
ICMP code
ICMP type
IP option value
multiple options
option present
source IP address
source port
TCP ACK
TCP SYN
IPv6 CSM filters drop or accept incoming packets based on the following match criteria:
DSCP name
destination IP address
destination port
ICMP code
ICMP type
source IP address
source port
TCP ACK
TCP SYN
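As an added illustration of how the match criteria above are applied (this is example code written for this page, not Nokia software or the 7705 SAR CLI), the following Python models a CSM filter as an ordered list of entries: each entry carries a subset of the criteria listed above plus an accept or drop action, the lowest-numbered matching entry decides, and a packet matching no entry receives the filter's default action. The entry ids, prefixes, ports and sample packets are constructed values; the IPv4 policy uses the option-present criterion, which the IPv6 criteria list does not offer.

```python
# Added illustration: a simplified model of an ordered CSM/CPM filter (not Nokia code).
# Entry ids, addresses and ports below are constructed sample values.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    """Header fields a CSM filter can match on (the IPv4 criteria list above)."""
    src_ip: str
    dst_ip: str
    protocol: str                     # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dscp: Optional[str] = None        # DSCP name, e.g. "cs6"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    tcp_syn: Optional[bool] = None
    tcp_ack: Optional[bool] = None
    fragment: bool = False            # IPv4 criterion only
    option_present: bool = False      # IPv4 criterion only


@dataclass
class Entry:
    """One filter entry: a set of match criteria and an accept/drop action."""
    entry_id: int
    action: str                       # "accept" or "drop"
    match: dict = field(default_factory=dict)

    def matches(self, pkt: Packet) -> bool:
        for crit, want in self.match.items():
            have = getattr(pkt, crit)
            if crit in ("src_ip", "dst_ip"):
                # prefix match; ipaddress handles IPv4 and IPv6 prefixes alike
                if ip_address(have) not in ip_network(want, strict=False):
                    return False
            elif crit in ("src_port", "dst_port"):
                lo, hi = want                  # inclusive port range
                if have is None or not lo <= have <= hi:
                    return False
            elif have != want:                 # exact match for everything else
                return False
        return True


def evaluate(policy, pkt, default_action="drop"):
    """Lowest entry id first; the first matching entry decides.
    Returns (entry_id or None, action)."""
    for entry in sorted(policy, key=lambda e: e.entry_id):
        if entry.matches(pkt):
            return entry.entry_id, entry.action
    return None, default_action


# Constructed policy. Narrow drop entries come first so a later broad accept
# cannot override them; anything not explicitly accepted hits the default drop.
IPV4_POLICY = [
    Entry(5, "drop", {"option_present": True}),
    Entry(10, "accept", {"protocol": "tcp", "dst_port": (179, 179),
                         "src_ip": "192.0.2.0/24"}),          # BGP from known peers
    Entry(20, "accept", {"protocol": "tcp", "dst_port": (22, 22),
                         "src_ip": "198.51.100.0/24"}),       # SSH from management
    Entry(30, "accept", {"protocol": "icmp", "icmp_type": 8, "icmp_code": 0}),  # echo request
]

# Constructed sample packets, all destined for the node's own address.
SAMPLE_PACKETS = {
    "bgp_from_peer": Packet("192.0.2.7", "192.0.2.1", "tcp", 40001, 179,
                            tcp_syn=True, tcp_ack=False),
    "ssh_from_unknown": Packet("203.0.113.5", "192.0.2.1", "tcp", 50002, 22),
    "ping": Packet("203.0.113.5", "192.0.2.1", "icmp", icmp_type=8, icmp_code=0),
    "ping_with_options": Packet("203.0.113.5", "192.0.2.1", "icmp",
                                icmp_type=8, icmp_code=0, option_present=True),
}


def run_policy(policy=IPV4_POLICY, packets=SAMPLE_PACKETS):
    """Evaluate every sample packet; returns {name: (entry_id, action)}."""
    return {name: evaluate(policy, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (eid, action) in run_policy().items():
        print(f"{name:18s} -> entry {eid}: {action}")
```

The ordering in IPV4_POLICY carries the practical lesson: the echo request with IP options is dropped by entry 5 even though entry 30 would accept it, because the filter stops at the first match. Placing the drop entry after the accept would silently reverse that result.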
To prevent DoS-like attacks from overwhelming the control plane while ensuring that critical control traffic such as signaling is always serviced in a timely manner, the 7705 SAR segregates the incoming control plane traffic into different queues. These queues are used to shape and rate-limit traffic for each protocol or group of protocols, or on a per-flow basis, with the main goal of mitigating DoS attacks and ensuring that the control plane does not end up with more traffic than it can handle.
These queues are fixed use (each queue handles a specific type of traffic, which is not user-configurable) and fixed configuration (each queue is configured for particular rates and buffering capacity and is not user-configurable).
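The following Python is an added conceptual model of the queue segregation described above; it is not Nokia code and does not reproduce the 7705 SAR's actual queue parameters, which the text states are fixed and not user-configurable. Each protocol class gets its own token bucket (a refill rate and a burst depth, both constructed values here), so a flood in one class exhausts only that class's tokens while another class keeps being serviced. Integer milli-token arithmetic keeps the simulation exact.

```python
# Added illustration (not Nokia code): per-protocol token buckets modelling how
# segregated control-plane queues rate-limit one protocol without starving another.
# Rates and depths below are constructed; the real 7705 SAR queue parameters are
# fixed by the system and not user-configurable.
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate_pps: int          # refill rate in packets per second
    burst: int             # bucket depth in packets
    tokens_m: int = 0      # current fill in thousandths of a packet (exact integer math)
    last_ms: int = 0

    def admit(self, now_ms: int) -> bool:
        # rate_pps packets per second equals rate_pps milli-tokens per millisecond
        refilled = self.tokens_m + (now_ms - self.last_ms) * self.rate_pps
        self.tokens_m = min(self.burst * 1000, refilled)
        self.last_ms = now_ms
        if self.tokens_m >= 1000:
            self.tokens_m -= 1000
            return True
        return False


def make_queues():
    """One queue per protocol class, starting full (constructed parameters)."""
    return {
        "bgp":   TokenBucket(rate_pps=200, burst=50, tokens_m=50_000),
        "icmp":  TokenBucket(rate_pps=50,  burst=20, tokens_m=20_000),
        "other": TokenBucket(rate_pps=20,  burst=10, tokens_m=10_000),
    }


def classify(protocol: str, dst_port) -> str:
    """Map a control-plane packet to its queue (constructed classification)."""
    if protocol == "tcp" and dst_port == 179:
        return "bgp"
    if protocol == "icmp":
        return "icmp"
    return "other"


def simulate(arrivals):
    """arrivals: iterable of (time_ms, protocol, dst_port).
    Returns {queue: (admitted, dropped)}; packets arriving when their
    queue has no whole token left are dropped."""
    queues = make_queues()
    stats = {name: [0, 0] for name in queues}
    for t_ms, proto, port in sorted(arrivals, key=lambda a: a[0]):
        q = classify(proto, port)
        stats[q][0 if queues[q].admit(t_ms) else 1] += 1
    return {name: tuple(v) for name, v in stats.items()}


# Constructed traffic: 1000 echo requests in one second (a flood) alongside
# 10 BGP packets spread over the same second.
SAMPLE_ARRIVALS = [(ms, "icmp", None) for ms in range(1000)] + \
                  [(ms * 100, "tcp", 179) for ms in range(10)]

if __name__ == "__main__":
    for name, (ok, dropped) in simulate(SAMPLE_ARRIVALS).items():
        print(f"{name:6s} admitted={ok:4d} dropped={dropped:4d}")
```

With these constructed parameters the echo-request flood is held to its burst plus one second of refill (69 of 1000 packets admitted), while every BGP packet is admitted because the BGP queue's tokens are never touched by the flood.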