X.805 Security Architecture

Created: Jul 18, 2021 13:13:45 | Latest reply: Jul 18, 2021 13:32:29 | Status: problem resolved
Hi Dear Community!

As we know, Huawei routers fully comply with the X.805 security architecture to protect the IP network from malicious threats or attacks. What is the basic idea and objective of using a security module for this?

Many thanks


Featured Answers

Best answer (recommended)
jason_hu (Admin) Created Jul 18, 2021 13:32:29

Hi friend!

Security Defense of Forwarding Engines

The forwarding engines (FEs) of routers provide high performance. Therefore, the best network security solution is to implement a security check on the forwarding plane to identify and process invalid packets.

Most FEs, however, are implemented based on hardware such as application-specific integrated circuits (ASICs) or network processors (NPs) and are less flexible than software. FEs can detect only invalid packets that have deterministic characteristics and do not require complex computing or processing. They are designed with simple security mechanisms using fixed processes.

For example:

  • In a malformed packet check, FEs detect and discard packets that obviously violate protocol rules.
  • In broadcast storm suppression, FEs track the source of a broadcast storm, and discard broadcast packets or limit the rate of broadcast packets by using dynamic access control lists (ACLs) on the forwarding plane.
  • URPF directly checks whether the outbound port for a packet's source IP address matches the port the packet arrived on. If the outbound port does not match the source IP address, the packet is discarded.
  • In fragmented packet flooding, the forwarding plane limits the rate of fragmented packets.
  • For simple packets sent from clients, such as ARP, Internet Control Message Protocol (ICMP), and Point-to-Point Protocol (PPP) Keepalive packets, the forwarding plane responds to them directly.

With high performance, FEs can effectively handle traffic flooding attacks. In this way, the CPU does not need to process flooded packets, and the router reliability is ensured.

Security Defense for Channels Between the Forwarding Plane and the Control Plane

Compared with the control plane, the forwarding plane provides infinite processing capabilities. Therefore, the forwarding plane can easily send mass packets, which may cause an overload of the control plane.

The packet rates on the channels between the forwarding plane and the control plane must be limited to prevent the forwarding plane from sending too many packets to the control plane. In addition, normal service packets that have high priorities and pass the security check must be permitted to ensure normal service provisioning. In consideration of security and availability, the following mechanisms are used to ensure reliable running of routers while improving the service processing capabilities of the routers:

  • Central processing unit-committed access rate (CP-CAR): A bandwidth for sending packets to the control plane is configured for each protocol. Different CP-CARs may be configured for typical packets of a protocol, such as ARP Request and ARP Reply packets;
  • Dynamic/static blacklist: When attack events are dynamically detected or a static blacklist is configured, all blacklisted packets are rejected to prevent attacks by invalid packets;
  • Dynamic/static whitelist: When sessions on the control plane pass the security check or trusted access objects are statically configured, the packets of these objects are free from rate limitation.

The preceding measures ensure that packets sent from the forwarding plane to the control plane do not cause CPU overload and that the CPU provides services to the maximum.

Security Check and Defense of Application Layer Services

The forwarding plane cannot detect or control complex and in-depth attacks because it lacks the capability of perceiving the structure of every protocol.

The security defense on the channels between the forwarding and control planes only protects the CPU against overload but does not check whether sent packets are secure.

In this case, security check engines need to be embedded into modules at the application layer. Each protocol stack module must be able to dynamically check the validity of packets and sessions and discard invalid packets or sessions in a timely manner to protect the protocol stacks:

https://support.huawei.com/enterprise/en/doc/EDOC1100055026/8657bf1a/overview

The three-layer and three-plane security isolation architecture of the NE40E is as per the following:

[Figure: three-layer, three-plane security isolation architecture of the NE40E]

By isolating the control, management, and forwarding planes, the routers ensure the normal running of other planes when any plane is attacked.

Hope this helps!
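The answer above describes two layers of defense: fixed-rule checks done by the forwarding engine (malformed-packet check, URPF) and rate limiting on the channel to the control plane (CP-CAR with blacklist and whitelist). The following is an added example, not code from the post or from Huawei, that models both as a small Python simulation so the interplay can be seen on constructed packets. The FIB, port names, protocol rates and host addresses are all made up for the illustration; a real NP/ASIC pipeline and the NE40E's actual CP-CAR implementation are of course very different.

```python
"""Added example (not from the forum post): toy model of forwarding-plane checks
plus a per-protocol CP-CAR policer with blacklist/whitelist for punted packets."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    in_port: str
    proto: str        # "arp", "icmp", "bgp", ... or a transit protocol like "tcp"
    ttl: int = 64
    length: int = 64


# Constructed forwarding table (FIB): prefix -> egress port. Assumption, not from the post.
FIB = {
    ip_network("10.1.0.0/24"): "ge0/0/1",
    ip_network("10.2.0.0/24"): "ge0/0/2",
    ip_network("0.0.0.0/0"): "ge0/0/3",
}

# Protocols whose packets are delivered to the control plane rather than forwarded.
CONTROL_PLANE_PROTOS = {"arp", "icmp", "bgp", "ospf"}


def fib_lookup(addr: str) -> str:
    """Longest-prefix match: the port a packet *to* addr would leave on."""
    a = ip_address(addr)
    best = max((n for n in FIB if a in n), key=lambda n: n.prefixlen)
    return FIB[best]


def is_malformed(pkt: Packet) -> bool:
    """Fixed-rule checks hardware can do cheaply: expired TTL, runt frame,
    illegal source address, or source equal to destination."""
    src = ip_address(pkt.src)
    return (pkt.ttl <= 0 or pkt.length < 20 or src.is_loopback
            or src.is_multicast or pkt.src == pkt.dst)


def urpf_strict(pkt: Packet) -> bool:
    """Strict URPF: the route back to the source must point out the inbound port."""
    return fib_lookup(pkt.src) == pkt.in_port


class ControlPlanePolicer:
    """CP-CAR: one token bucket per protocol, refilled each tick, with a
    blacklist that drops unconditionally and a whitelist that bypasses the CAR."""

    def __init__(self, rates: dict):
        self.rates = dict(rates)      # packets per tick allowed to the CPU, per protocol
        self.tokens = dict(rates)     # bucket starts full
        self.blacklist = set()
        self.whitelist = set()
        self.stats = defaultdict(int)

    def tick(self) -> None:
        self.tokens = dict(self.rates)

    def punt(self, pkt: Packet) -> str:
        if pkt.src in self.blacklist:
            verdict = "drop-blacklist"
        elif pkt.src in self.whitelist:
            verdict = "punt-whitelist"
        elif self.tokens.get(pkt.proto, 0) > 0:
            self.tokens[pkt.proto] -= 1
            verdict = "punt"
        else:
            verdict = "drop-car"
        self.stats[verdict] += 1
        return verdict


def forwarding_plane(pkt: Packet, policer: ControlPlanePolicer) -> str:
    """Order matters: cheap FE checks first, then the CP-CAR only for packets
    destined to the control plane; everything else is forwarded in hardware."""
    if is_malformed(pkt):
        return "drop-malformed"
    if not urpf_strict(pkt):
        return "drop-urpf"
    if pkt.proto in CONTROL_PLANE_PROTOS:
        return policer.punt(pkt)
    return "forward"


def demo() -> dict:
    """Run constructed traffic through the pipeline and count verdicts."""
    policer = ControlPlanePolicer({"arp": 3, "bgp": 2, "icmp": 5})
    policer.blacklist.add("10.1.0.66")   # constructed: host flagged by attack detection
    policer.whitelist.add("10.2.0.1")    # constructed: trusted BGP peer
    verdicts = defaultdict(int)
    for _ in range(10):                  # ARP burst of 10 in one tick, CAR allows 3
        verdicts[forwarding_plane(Packet("10.1.0.5", "10.1.0.1", "ge0/0/1", "arp"), policer)] += 1
    verdicts[forwarding_plane(Packet("10.2.0.9", "10.1.0.1", "ge0/0/1", "icmp"), policer)] += 1  # spoofed source
    verdicts[forwarding_plane(Packet("10.1.0.7", "10.1.0.1", "ge0/0/1", "icmp", length=8), policer)] += 1  # runt
    verdicts[forwarding_plane(Packet("10.1.0.66", "10.1.0.1", "ge0/0/1", "icmp"), policer)] += 1  # blacklisted
    for _ in range(5):                   # whitelisted peer exceeds its BGP CAR but is not limited
        verdicts[forwarding_plane(Packet("10.2.0.1", "10.2.0.254", "ge0/0/2", "bgp"), policer)] += 1
    verdicts[forwarding_plane(Packet("10.1.0.5", "10.2.0.9", "ge0/0/1", "tcp"), policer)] += 1  # transit
    return dict(verdicts)


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is the one the answer makes: the URPF and malformed-packet checks reject spoofed and broken packets before they consume any control-plane budget, and the CP-CAR then caps what each protocol may deliver to the CPU, so an ARP burst costs at most three punts per tick while the whitelisted BGP session is never throttled.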

sachandio Created Jul 25, 2021 19:59:02

Bundle of thanks for providing valuable support
All Answers
Hello,
We're working on your problem. Please be patient.
