The PE router must be configured to enforce a Quality-of-Service (QoS) policy so that all customer traffic receives forwarding treatment as specified in the service level agreement (SLA).

From Router Security Requirements Guide

Part of SRG-NET-000193-RTR-000109

Associated with: CCI-001095

SV-93029r1_rule The PE router must be configured to enforce a Quality-of-Service (QoS) policy so that all customer traffic receives forwarding treatment as specified in the service level agreement (SLA).

Vulnerability discussion

QoS enables DISA to offer value-added IP services in accordance with SLAs, ensuring that customer requirements can be met while providing a method to provision the edge and core to accommodate those requirements. The IP core will recognize and provide forwarding treatment of customer traffic according to the Differentiated Services Code Points (DSCP). Customers marking traffic within their DiffServ domain will be required to comply with the DSCP classification that has been approved by the DOD QoS Working Group. Non-compliance could enable a customer or even an attacker to rob bandwidth from other customers or mission-critical services.

Check content

Review the router configuration and verify that the class-maps are configured to match on DSCP, protocols, or access control lists (ACLs) that identify traffic types based on ports. Verify that the policy-map is configured to set DSCP values for the defined class-maps in accordance with the customer SLA. Verify that an input service policy is bound to all CE-facing interfaces. If the PE router does not enforce a QoS policy to ensure that all customer traffic receives forwarding treatment as specified in the SLA, this is a finding.
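The three structural checks above can be scripted against a saved configuration; the following is an added example, not part of the SRG. It assumes Cisco IOS-style syntax and a hypothetical convention that CE-facing interfaces carry "CE-facing" in their description, and it checks only that DSCP is set, so comparing the values against the SLA remains a manual step.

```python
import re
# Constructed sample, Cisco IOS-style syntax (an assumption; the SRG is vendor-neutral).
SAMPLE_CONFIG = """\
class-map match-any VOICE
 match dscp ef
class-map match-any BULK
 match access-group name BULK-ACL
policy-map CE-INGRESS
 class VOICE
  set dscp ef
 class BULK
interface GigabitEthernet0/1
 description CE-facing customer A
 service-policy input CE-INGRESS
interface GigabitEthernet0/2
 description CE-facing customer B
interface GigabitEthernet0/0
 description core uplink
"""

def stanzas(config):
    """Group indented lines under their top-level header line."""
    out = []
    for line in config.splitlines():
        if line.strip() and not line[0].isspace():
            out.append((line.split(), []))
        elif line.strip() and out:
            out[-1][1].append(line.strip())
    return out

def audit(config, ce_marker="CE-facing"):
    """Return findings; ce_marker is a hypothetical description convention."""
    parsed, findings = stanzas(config), []
    class_maps = {h[-1] for h, b in parsed if h[0] == "class-map"
                  and any(re.match(r"match (ip )?(dscp|protocol|access-group)\b", l) for l in b)}
    policies = {h[-1] for h, b in parsed if h[0] == "policy-map"}
    for head, body in parsed:
        if head[0] == "class-map" and head[-1] not in class_maps:
            findings.append(f"class-map {head[-1]}: no DSCP, protocol or ACL match")
        elif head[0] == "policy-map":
            for chunk in re.split(r"^class ", "\n".join(body), flags=re.M)[1:]:
                name = chunk.split()[0]
                if name in class_maps and not re.search(r"^set (ip )?dscp\b", chunk, re.M):
                    findings.append(f"policy-map {head[-1]}: class {name} sets no DSCP")
        elif head[0] == "interface" and any(ce_marker in l for l in body):
            bound = [l.split()[-1] for l in body if l.startswith("service-policy input ")]
            if not bound or bound[0] not in policies:
                findings.append(f"interface {head[-1]}: no valid input service-policy")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the unmarked `BULK` class and the CE-facing interface with no input service policy; the core uplink is not flagged.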

Fix text

The ISSM will ensure QoS policies are configured on all the PE routers so all customer traffic receives forwarding treatment as specified in the SLA.
