Huawei: Protection of the control plane
The article discusses protecting the control plane of Huawei NE series routers. The examples are given for the NE40e running VRP V800R008; on other router models (for example, the NE5k) and on other software versions the configuration may differ slightly.
For a deeper study of the subject, I recommend RFC 6192 (Protecting the Router Control Plane).
VRP offers a number of ways to automatically diagnose and protect the router control plane. However, given how scarce and opaque the documentation is, I still recommend the traditional approach: whitelist the required protocols and services and drop all other traffic.
The main policy section is as follows:
cpu-defend policy 1
process-sequence whitelist user-defined-flow blacklist
cp-acl ip-pool enable
whitelist disable
blacklist acl 3900
blacklist ipv6 acl 3950
application-apperceive disable
ip urpf loose
process-sequence sets the order in which the policy stages are evaluated: whitelist (disabled in our case), then user-defined-flow, then blacklist (ACL 3900 for IPv4 and ACL 3950 for IPv6).
Since we define the permitted protocols ourselves, all remaining traffic is dropped by the blacklist, so application-apperceive analysis is not needed.
uRPF (Unicast Reverse Path Forwarding) is enabled in the conservative loose mode.
The blacklists for IPv4 and IPv6 look like this:
acl number 3900
description --- ACL For IPv4 Discard ---
rule 5 deny tcp
rule 10 deny udp
rule 15 deny ip
#
acl ipv6 number 3950
description --- ACL For IPv6 Discard ---
rule 5 deny tcp
rule 10 deny udp
rule 15 deny ipv6
The policy must be applied on each slot:
slot 1
cpu-defend-policy 1
#
slot 2
cpu-defend-policy 1
…
The default policy includes the following protection mechanisms:
udp-packet-defend enable
fragment-flood enable
abnormal-packet-defend enable
tcpsyn-flood enable
attack-source-trace enable
It is recommended to block all unused protocols and services in the ma-defend section. This can be done either globally or per slot. For example:
system-view
ma-defend global-policy
protocol OSPF deny
protocol RIP deny
or
system-view
ma-defend slot-policy 1
protocol … deny
The user-defined policy is described next. The general rules are summarized in the table below. The values for rate and priority are given as an example and do not claim to be the "ultimate truth". A user-defined policy can contain at most 64 elements.
Type of traffic | Rate | Priority | Rule number
---|---|---|---
BGP | 1 Mbit/s | High | 3901
LDP | 1 Mbit/s | High | 3902
IS-IS | N/A | N/A | N/A
VRRP | 1 Mbit/s | High | 3904
BFD | 1 Mbit/s | High | 3905
MCAST | 1 Mbit/s | High | 3906
SSH | 512 kbit/s | Middle | 3907
FTP | 5 Mbit/s | Low | 3908
DNS | 512 kbit/s | Low | 3909
SNMP | 1 Mbit/s | Middle | 3910
TACACS+ | 1 Mbit/s | Low | 3911
NTP | 512 kbit/s | Low | 3912
ICMP, trace, lsp-ping | 512 kbit/s | Low | 3913
Next, consider the ACL filters for the corresponding protocols/services.
3901. BGP protocol.
The rule for filtering the BGP protocol can be written either in a simplified form:
acl number 3901
rule permit tcp destination-port eq bgp
rule permit tcp source-port eq bgp
or per peer separately:
acl ip-pool BGP-Peers
ip address 10.1.1.1 0.0.0.0
acl number 3901
rule permit tcp source-pool BGP-Peers 0 destination-port eq bgp
rule permit tcp source-pool BGP-Peers 0 source-port eq bgp
3902. LDP protocol.
acl number 3902
rule 5 permit tcp source-pool Lo0_P2P destination-port eq 646
rule 10 permit tcp source-pool Lo0_P2P source-port eq 646
rule 15 permit udp source-pool Lo0_P2P destination-port eq 646
rule 20 permit udp source-pool Lo0_P2P source-port eq 646
3904. VRRP
acl ip-pool VRRP_Peers
ip address 10.1.1.1 0.0.0.0
acl number 3904
rule permit 112 source-pool VRRP_Peers
3905. BFD
acl number 3905
rule permit udp source-pool Lo0_P2P destination-port eq 3784
rule permit udp source-pool Lo0_P2P source-port eq 3784
3906. All MCAST (IGMP, PIM, MSDP)
acl number 3906
rule permit 103
rule permit igmp
rule permit udp destination-port eq 639
rule permit udp source-port eq 639
rule permit tcp destination-port eq 639
rule permit tcp source-port eq 639
3907. SSH
acl number 3907
description ### SSH access ###
rule 5 permit tcp source-pool MGMT source-port eq 22
rule 10 permit tcp source-pool MGMT destination-port eq 22
rule 15 permit tcp source-pool MGMT destination-port eq 830
3908. FTP and FTP-data
acl port-pool ftp
eq 20
eq 21
acl number 3908
rule 10 permit tcp source-pool MGMT source-port-pool ftp
rule 15 permit tcp source-pool MGMT destination-port-pool ftp
3909. DNS
acl ip-pool DNS
ip address 1.1.1.1 0.0.0.0
ip address 8.8.8.8 0.0.0.0
acl number 3909
rule 5 permit udp source-pool DNS source-port eq dns
3910. SNMP
acl number 3910
rule 5 permit udp source-pool SNMP source-port eq snmp
rule 10 permit udp source-pool SNMP destination-port eq snmp
3911. TACACS+
acl number 3911
rule 5 permit tcp source-pool TACACS source-port eq tacacs
rule 10 permit udp source-pool TACACS source-port eq tacacs-ds
3912. NTP
acl number 3912
rule 5 permit udp source-pool NTP source-port eq ntp
rule 10 permit udp source-pool NTP destination-port eq ntp
3913. ICMP
acl number 3913
rule permit icmp icmp-type echo
rule permit icmp icmp-type echo-reply
rule permit icmp icmp-type ttl-exceeded
rule permit icmp icmp-type port-unreachable
rule permit icmp icmp-type Fragmentneed-DFset
rule permit icmp
rule permit udp destination-port range 33434 33678
rule permit udp destination-port eq 3503
3951. BGP for IPv6
acl ipv6 number 3951
rule 5 permit tcp destination-port eq bgp
3952. ICMPv6
acl ipv6 number 3952
rule 30 permit icmpv6
rule 35 permit udp destination-port range 33434 33678
To apply the lists, bind them to the cpu-defend policy as follows:
cpu-defend policy 1
...
user-defined-flow 1 acl 3901
user-defined-flow 2 acl 3902
user-defined-flow 4 acl 3904
user-defined-flow 5 acl 3905
user-defined-flow 6 acl 3906
user-defined-flow 7 acl 3907
user-defined-flow 8 acl 3908
user-defined-flow 9 acl 3909
user-defined-flow 10 acl 3910
user-defined-flow 11 acl 3911
user-defined-flow 12 acl 3912
user-defined-flow 13 acl 3913
user-defined-flow 51 ipv6 acl 3951
user-defined-flow 52 ipv6 acl 3952
car blacklist cir 0 cbs 0
car user-defined-flow 1 cir 1000
car user-defined-flow 2 cir 1000
car user-defined-flow 4 cir 1000
car user-defined-flow 5 cir 1000
car user-defined-flow 6 cir 1000
car user-defined-flow 7 cir 512
car user-defined-flow 8 cir 5000
car user-defined-flow 9 cir 512
car user-defined-flow 10 cir 1000
car user-defined-flow 11 cir 1000
car user-defined-flow 12 cir 512
car user-defined-flow 13 cir 512
car user-defined-flow 51 cir 10000
car user-defined-flow 52 cir 512
priority user-defined-flow 1 high
priority user-defined-flow 2 high
priority user-defined-flow 4 high
priority user-defined-flow 5 high
priority user-defined-flow 6 high
priority user-defined-flow 7 middle
priority user-defined-flow 8 low
priority user-defined-flow 9 low
priority user-defined-flow 10 middle
priority user-defined-flow 11 low
priority user-defined-flow 12 low
priority user-defined-flow 13 low
priority user-defined-flow 51 high
priority user-defined-flow 52 low
To generate threshold alarms, you can use the following option:
cpu-defend policy 1
...
alarm drop-rate user-defined-flow 7 threshold 100 interval 60
Here the threshold value is given in packets and the interval in seconds.
Statistics on the operation of the CoPP filters can be viewed with the display cpu-defend commands ...
After completing the configuration, you should also scan the router to check the result.
In conclusion, I would like to note that Huawei (like any modern vendor) provides all the necessary means to protect the control plane of its routers, and the periodically published reports of discovered vulnerabilities show that these tools should not be neglected.