
Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA
Cisco Press
Router Security Strategies
Securing IP Network Traffic Planes
Gregg Schudel, CCIE No. 9591
David J. Smith, CCIE No. 1986
Router Security Strategies:
Securing IP Network Traffic Planes
Gregg Schudel, CCIE No. 9591
David J. Smith, CCIE No. 1986
Copyright © 2008 Cisco Systems, Inc.
Cisco Press logo is a trademark of Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
First Printing December 2007
Library of Congress Cataloging-in-Publication Data:
Schudel, Gregg.
Router security strategies : securing IP network traffic planes /
Gregg Schudel, David J. Smith.
p. cm.
ISBN 978-1-58705-336-8 (pbk.)


1. Routers (Computer networks)—Security measures. 2. Computer networks—Security measures.
3. TCP/IP (Computer network protocol)—Security measures. I. Smith, David J., CCIE. II. Title.
TK5105.543.S38 2007
005.8—dc22
2007042606
ISBN-13: 978-1-58705-336-8
ISBN-10: 1-58705-336-5
Warning and Disclaimer
This book is designed to provide information about strategies for securing IP network traffic planes. Every effort
has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither
liability nor responsibility to any person or entity with respect to any loss or damages arising from the information
contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted
with care and precision, undergoing rigorous development that involves the unique expertise of members from the
professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could
improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at
Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Corporate and Government Sales
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales 1-800-382-3419
For sales outside the United States please contact: International Sales
Publisher Paul Boger
Associate Publisher Dave Dusthimer
Cisco Representative Anthony Wolfenden
Cisco Press Program Manager Jeff Brady
Executive Editor Brett Bartow
Managing Editor Patrick Kanouse
Development Editor Eric Stewart
Project Editor San Dee Phillips/Jennifer Gallant
Copy Editor Bill McManus
Technical Editors Marcelo Silva, Vaughn Suazo
Editorial Assistant Vanessa Evans
Book Designer Louisa Adair
Composition ICC Macmillan Inc.
Indexer WordWise Publishing Services, LLC
Proofreader Molly Proue
About the Authors
Gregg Schudel, CCIE No. 9591 (Security), joined Cisco in 2000 as a consulting system engineer supporting the U.S. Service Provider Organization. Gregg focuses on IP core network and services security architectures and technology for inter-exchange carriers, web services providers, and mobile providers. Gregg is also part of a team of Corporate and Field resources focused on driving Cisco Service Provider Security Strategy. Prior to joining Cisco, Gregg worked for many years with BBN Technologies, where he supported network security research and development, most notably in conjunction with DARPA and other federal agencies involved in security research.
Gregg holds an MS in engineering from George Washington University, and a BS in engineering from Florida Institute of Technology. Gregg can be contacted through e-mail at
David J. Smith, CCIE No. 1986 (Routing and Switching), joined Cisco in 1995 and is a consulting system engineer supporting the Service Provider Organization. Since 1999 David has focused on service provider IP core and edge architectures, including IP routing, MPLS technologies, QoS, infrastructure security, and network telemetry. Between 1995 and 1999, David supported enterprise customers designing campus and global WANs. Prior to joining Cisco, David worked at Bellcore developing systems software and experimental ATM switches.
David holds an MS in information networking from Carnegie Mellon University, and a BS in computer engineering from Lehigh University. David can be contacted through e-mail at
About the Technical Reviewers
Marcelo I. Silva, M.S., is a technical marketing engineer for the Service Provider Technology Group
(SPTG) at Cisco. Marcelo is a 19-year veteran of the technology field with experiences in academia and
the high-tech industry. Prior to Cisco, Marcelo was an independent systems consultant and full-time
lecturer at the University of Maryland, Baltimore County. His career at Cisco began in 2000, working
directly with large U.S. service provider customers designing IP/MPLS core and edge networks.
Marcelo’s primary responsibility at Cisco today as a technical marketing engineer (TME) requires him
to travel the world advising services provider customers on the deployment of Cisco’s high-end routers:
Cisco 12000 Series (GSR) and Cisco CRS-1 Carrier Routing System. Marcelo has an MS in information
systems from the University of Maryland, and lives in Waterloo, Belgium with his wife Adriana and son
Gabriel.
Vaughn Suazo, CCIE No. 5109 (Routing and Switching, Security), is a consulting systems engineer
for Wireline Emerging Providers at Cisco. Vaughn is a 17-year veteran of the technology field with
experience in server technologies, LAN/WAN networking, and network security. His career at Cisco
began in 1999, working directly with service provider customers on technology areas such as core and
edge IP network architectures, MPLS applications, network security, and IP services. Vaughn’s primary
responsibility at Cisco today is as a consulting systems engineer (CSE) for service provider customers,
specializing in service provider security and data center technologies and solutions. Vaughn lives in
Oklahoma City, Oklahoma with his wife Terri and two children, and enjoys golfing in his leisure time.
Dedications
To my best friend and beautiful wife, Carol, for her love and encouragement, and for allowing me to commit precious time away from our family to write this book. To my awesome boys, Alex and Gary, for their patience and understanding, and for their energy and enthusiasm that keeps me motivated. Thanks to my co-author, David Smith, for gratefully accepting my challenge, and for bringing his knowledge and experience to this project.
—Gregg
I dedicate this book to my loving wife, Vickie, and my wonderful children, Harry, Devon, and Edward, who have made my dreams come true. Thank you for all of your support and inspiration during the writing of this book. I also dedicate this book to my mother and late father, whose sacrifices have afforded my brothers and me great opportunities. Finally, to my co-author, Gregg Schudel, for considering me for this special project. It was an opportunity of a lifetime and I am forever grateful.
—David
Acknowledgments
This book benefited from the efforts of all Cisco engineers who share our dedication and passion for understanding and furthering IP network security. Among them, there are a few to whom we are particularly grateful. To Barry Greene, for his constant innovations, tireless leadership, and dedication to SP security. Without his efforts, many of these IP traffic plane security concepts would not have been developed. Also, to Michael Behringer, for his constant encouragement, and for always providing sound advice on our many technical questions. And to Roland Dobbins, Ryan McDowell, Jason Bos, Rajiv Raghunarayan, Darrel Lewis, Paul Quinn, Sean Donelan, and Dave Lapin, for always making themselves available to consult on the most detailed of questions.
We gratefully thank our extraordinary technical reviewers, Marcelo Silva and Vaughn Suazo, for their thorough critiques and feedback. Thanks also to John Stuppi and Ilker Temir for providing their invaluable reviews as well as to Russell Smoak for his leadership. We also thank Dan Hamilton, Don Heidrich, Chris Metz, Vaughn Suazo, and Andrew Whitaker for reviewing our original proposal and providing valuable suggestions. We also give special thanks to John Stewart, Cisco Systems Vice President and Chief Security Officer, for taking time from his very busy schedule to write the foreword of our book, as well as for his unique leadership in the areas of both security and network operations.
We would like to thank our managers, Jerry Marsh and Jim Steinhardt, for their tremendous support
throughout this project.
Finally, special thanks go to Cisco Press and our production team: Brett Bartow (Executive Editor), Eric Stewart (Development Editor), San Dee Phillips (Senior Project Editor), Jennifer Gallant (Project Editor), and Bill McManus (Copy Editor). Thanks also to Andrew Cupp (Development Editor) for the valuable editorial assistance. Thank you for working with us to make this book a reality.
Contents at a Glance
Foreword xix
Introduction xx
Part I IP Network and Traffic Plane Security Fundamentals 3
Chapter 1 Internet Protocol Operations Fundamentals 5
Chapter 2 Threat Models for IP Networks 65
Chapter 3 IP Network Traffic Plane Security Concepts 117
Part II Security Techniques for Protecting IP Traffic Planes 145
Chapter 4 IP Data Plane Security 147
Chapter 5 IP Control Plane Security 219
Chapter 6 IP Management Plane Security 299
Chapter 7 IP Services Plane Security 347
Part III Case Studies 403
Chapter 8 Enterprise Network Case Studies 405
Chapter 9 Service Provider Network Case Studies 443
Part IV Appendixes 485
Appendix A Answers to Chapter Review Questions 487
Appendix B IP Protocol Headers 497
Appendix C Cisco IOS to IOS XR Security Transition 557
Appendix D Security Incident Handling 597
Index 608
Contents
Foreword xix
Introduction xx

Part I IP Network and Traffic Plane Security Fundamentals 3
Chapter 1 Internet Protocol Operations Fundamentals 5
IP Network Concepts 5
Enterprise Networks 7
Service Provider Networks 9
IP Protocol Operations 11
IP Traffic Concepts 19
Transit IP Packets 20
Receive-Adjacency IP Packets 21
Exception IP and Non-IP Packets 22
Exception IP Packets 22
Non-IP Packets 23
IP Traffic Planes 24
Data Plane 25
Control Plane 27
Management Plane 29
Services Plane 30
IP Router Packet Processing Concepts 32
Process Switching 36
Fast Switching 39
Cisco Express Forwarding 44
Forwarding Information Base 44
Adjacency Table 45
CEF Operation 46
General IP Router Architecture Types 50
Centralized CPU-Based Architectures 50
Centralized ASIC-Based Architectures 52
Distributed CPU-Based Architectures 54
Distributed ASIC-Based Architectures 56
Summary 62

Review Questions 62
Further Reading 63
Chapter 2 Threat Models for IP Networks 65
Threats Against IP Network Infrastructures 65
Resource Exhaustion Attacks 66
Direct Attacks 67
Transit Attacks 70
Reflection Attacks 74
Spoofing Attacks 75
Transport Protocol Attacks 76
UDP Protocol Attacks 78
TCP Protocol Attacks 78
Routing Protocol Threats 81
Other IP Control Plane Threats 83
Unauthorized Access Attacks 85
Software Vulnerabilities 87
Malicious Network Reconnaissance 88
Threats Against Layer 2 Network Infrastructures 89
CAM Table Overflow Attacks 89
MAC Spoofing Attacks 90
VLAN Hopping Attacks 92
Private VLAN Attacks 93
STP Attacks 94
VTP Attacks 95
Threats Against IP VPN Network Infrastructures 96
MPLS VPN Threat Models 96
Threats Against the Customer Edge 98
Threats Against the Provider Edge 99
Threats Against the Provider Core 101

Threats Against the Inter-Provider Edge 103
Carrier Supporting Carrier Threats 103
Inter-AS VPN Threats 105
IPsec VPN Threat Models 108
Summary 111
Review Questions 112
Further Reading 113
Chapter 3 IP Network Traffic Plane Security Concepts 117
Principles of Defense in Depth and Breadth 117
Understanding Defense in Depth and Breadth Concepts 118
What Needs to Be Protected? 119
What Are Defensive Layers? 119
What Is the Operational Envelope of the Network? 122
What Is Your Organization’s Operational Model? 123
IP Network Traffic Planes: Defense in Depth and Breadth 123
Data Plane 124
Control Plane 124
Management Plane 125
Services Plane 126
Network Interface Types 127
Physical Interfaces 128
Logical Interfaces 131
Network Edge Security Concepts 133
Internet Edge 133
MPLS VPN Edge 136
Network Core Security Concepts 138
IP Core 139
MPLS VPN Core 140
Summary 141

Review Questions 141
Further Reading 142
Part II Security Techniques for Protecting IP Traffic Planes 145
Chapter 4 IP Data Plane Security 147
Interface ACL Techniques 147
Unicast RPF Techniques 156
Strict uRPF 157
Loose uRPF 161
VRF Mode uRPF 163
Feasible uRPF 167
Flexible Packet Matching 168
QoS Techniques 170
Queuing 170
IP QoS Packet Coloring (Marking) 171
Rate Limiting 173
IP Options Techniques 174
Disable IP Source Routing 175
IP Options Selective Drop 175
ACL Support for Filtering IP Options 177
Control Plane Policing 178
ICMP Data Plane Mitigation Techniques 178
Disabling IP Directed Broadcasts 181
IP Sanity Checks 182
BGP Policy Enforcement Using QPPB 183
IP Routing Techniques 187
IP Network Core Infrastructure Hiding 187
IS-IS Advertise-Passive-Only 187
IP Network Edge External Link Protection 189
Protection Using More Specific IP Prefixes 190

Protection Using BGP Communities 191
Protection Using ACLs with Discontiguous Network Masks 192
Remotely Triggered Black Hole Filtering 193
IP Transport and Application Layer Techniques 200
TCP Intercept 200
Network Address Translation 201
IOS Firewall 203
IOS Intrusion Prevention System 205
Traffic Scrubbing 206
Deep Packet Inspection 207
Layer 2 Ethernet Security Techniques 208
Port Security 208
MAC Address–Based Traffic Blocking 209
Disable Auto Trunking 210
VLAN ACLs 211
IP Source Guard 212
Private VLANs 212
Traffic Storm Control 213
Unknown Unicast Flood Blocking 214
Summary 214
Review Questions 214
Further Reading 215
Chapter 5 IP Control Plane Security 219
Disabling Unused Control Plane Services 220
ICMP Techniques 220
Selective Packet Discard 222
SPD State Check 223
SPD Input Queue Check 226
SPD Monitoring and Tuning 226

IP Receive ACLs 230
IP Receive ACL Deployment Techniques 232
Activating an IP Receive ACL 233
IP Receive ACL Configuration Guidelines 234
IP Receive ACL Feature Support 241
Control Plane Policing 241
CoPP Configuration Guidelines 243
Defining CoPP Policies 243
Tuning CoPP Policies 252
Platform-Specific CoPP Implementation Details 260
Cisco 12000 CoPP Implementation 260
Cisco Catalyst 6500/Cisco 7600 CoPP Implementation 264
Neighbor Authentication 269
MD5 Authentication 270
Generalized TTL Security Mechanism 273
Protocol-Specific ACL Filters 277
BGP Security Techniques 279
BGP Prefix Filters 280
IP Prefix Limits 282
AS Path Limits 283
BGP Graceful Restart 283
Layer 2 Ethernet Control Plane Security 285
VTP Authentication 285
DHCP Snooping 286
Dynamic ARP Inspection 289
Sticky ARP 291
Spanning Tree Protocol 292
Summary 294
Review Questions 294
Further Reading 295

Chapter 6 IP Management Plane Security 299
Management Interfaces 300
Password Security 303
SNMP Security 306
Remote Terminal Access Security 309
Disabling Unused Management Plane Services 311
Disabling Idle User Sessions 315
System Banners 316
Secure IOS File Systems 319
Role-Based CLI Access 320
Management Plane Protection 324
Authentication, Authorization, and Accounting 326
AutoSecure 329
Network Telemetry and Security 330
Management VPN for MPLS VPNs 335
Summary 341
Review Questions 342
Further Reading 343
Chapter 7 IP Services Plane Security 347
Services Plane Overview 347
Quality of Service 350
QoS Mechanisms 351
Classification 353
Marking 353
Policing 354
Queuing 354
MQC 355
Packet Recoloring Example 356
Traffic Management Example 358

Securing QoS Services 361
MPLS VPN Services 362
MPLS VPN Overview 363
Customer Edge Security 364
Provider Edge Security 365
Infrastructure ACL 366
IP Receive ACL 366
Control Plane Policing 367
VRF Prefix Limits 367
IP Fragmentation and Reassembly 368
Provider Core Security 370
Disable IP TTL to MPLS TTL Propagation at the Network Edge 370
IP Fragmentation 371
Router Alert Label 371
Network SLAs 372
Inter-Provider Edge Security 372
Carrier Supporting Carrier Security 373
Inter-AS VPN Security 374
IPsec VPN Services 376
IPsec VPN Overview 376
IKE 377
IPsec 378
Securing IPsec VPN Services 386
IKE Security 386
Fragmentation 387
IPsec VPN Access Control 391
QoS 393
Other IPsec Security-Related Features 394
Other Services 394

SSL VPN Services 395
VoIP Services 396
Video Services 397
Summary 399
Review Questions 399
Further Reading 400
Part III Case Studies 403
Chapter 8 Enterprise Network Case Studies 405
Case Study 1: IPsec VPN and Internet Access 406
Network Topology and Requirements 407
Router Configuration 409
Data Plane 418
Control Plane 420
Management Plane 422
Services Plane 424
Case Study 2: MPLS VPN 426
Network Topology and Requirements 426
Router Configuration 428
Data Plane 435
Control Plane 437
Management Plane 438
Services Plane 440
Summary 441
Further Reading 441
Chapter 9 Service Provider Network Case Studies 443
Case Study 1: IPsec VPN and Internet Access 444
Network Topology and Requirements 445
Router Configuration 448
Data Plane 455

Control Plane 458
Management Plane 460
Services Plane 463
Case Study 2: MPLS VPN 463
Network Topology and Requirements 464
Router Configuration 467
Data Plane 474
Control Plane 474
Management Plane 477
Services Plane 481
Summary 483
Further Reading 483
Part IV Appendixes 485
Appendix A Answers to Chapter Review Questions 487
Appendix B IP Protocol Headers 497
IP Version 4 Header 499
TCP Header 510
UDP Header 518
ICMP Header 521
ICMP Echo Request/Echo Reply Query Message Headers 525
ICMP Time to Live Exceeded in Transit Error Message Header 529
ICMP Destination Unreachable, Fragmentation Needed and Don’t Fragment was Set Error Message Header 533
Other ICMP Destination Unreachable Error Message Headers 539
Ethernet/802.1Q Header 543
IEEE 802.3 Ethernet Frame Header Format 543
IEEE 802.1Q VLAN Header Format 547
MPLS Protocol Header 551
Further Reading 554

Appendix C Cisco IOS to IOS XR Security Transition 557
Data Plane Security Commands 558
Control Plane Security Commands 562
Management Plane Security Commands 578
Services Plane Security Commands 592
Further Reading 595
Appendix D Security Incident Handling 597
Six Phases of Incident Response 597
Preparation 598
Understand the Threats 598
Deploy Defense in Depth and Breadth Security Strategies 598
Establish Well-Defined Incident Response Procedures 599
Establish an Incident Response Team 600
Identification 600
Classification 600
Traceback 601
Reaction 601
Post-Mortem Analysis 602
Cisco Product Security 602
Cisco Security Vulnerability Policy 603
Cisco Computer and Network Security 603
Cisco Safety and Security 603
Cisco IPS Signature Pack Updates and Archives 603
Cisco Security Center 603
Cisco IntelliShield Alert Manager Service 603
Cisco Software Center 604
Industry Security Organizations 604
Regional Network Operators Groups 605
Further Reading 606
Index 608

Icons Used in This Book
[Icon legend, figure not reproduced. Icons shown: PC, PC with Software, Sun Workstation, Macintosh, Terminal, File Server, Web Server, Ciscoworks Workstation, Printer, Laptop, IBM Mainframe, Front End Processor, Cluster Controller, Modem, DSU/CSU, Router, Bridge, Hub, Catalyst Switch, Multilayer Switch, ATM Switch, ISDN/Frame Relay Switch, Communication Server, Gateway, Access Server, Network Cloud, Token Ring, FDDI, Line: Ethernet, Line: Serial, Line: Switched Serial.]
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
• Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
• Italics indicate arguments for which you supply actual values.
• Vertical bars (|) separate alternative, mutually exclusive elements.
• Square brackets [ ] indicate optional elements.
• Braces { } indicate a required choice.
• Braces within brackets [{ }] indicate a required choice within an optional element.
Foreword
In the past 20 years, networks moved from arcane (ARPANET) to everywhere (wireless hotspots), and with that adoption came its use in health care systems, airplanes, commerce, video communications, telephony, storage, and interactive sports, just to name a few.
Networking went from the data center, to the service provider, to our neighborhoods, to our homes.
To say that network security is an “important topic” is such an understatement, to me, because it fails to call out the disparity between host security—where many dollars are spent—and network security—where little is spent. How is that possible given how vital networks are today, and why is this happening?
Instead of answering that question here, embrace for a moment that network security is essential because networks are now essential. To that end, the knowledge about what threats and attacks against network devices already exist, required configuration techniques for networking devices to best counter those threats and attacks, and real-life examples of how this increases resiliency in your network are included here from which to learn.
The bulk of Gregg’s and David’s book splits its time between data, management, and services plane security—explaining the what, then the why, and then the how for each traffic plane. Securing all four traffic planes is necessary to secure a network device and, therefore, a network built with many such devices. Focusing on all four, which are considerably different from one another, is the only way to do it right.
If you do nothing else as a result, after reading this book ask yourself—when protecting data, have I protected my increasingly data-rich, services-rich, and capability-rich network which I now rely upon?
Experience has taught each one of us that defense-in-depth and defense-in-breadth are both the strongest techniques. Your network is multi-device, multi-layer deep, and nearly ubiquitous in its reach—it already plays the key role in protecting your network. Make sure it is successful; after all, we’re all connected.
John Stewart
Vice President and Chief Security Officer
Cisco
Introduction
The networking world is evolving at an ever-increasing pace. The displacement of legacy, purpose-built networks based on time-division multiplexing (TDM), Frame Relay, and Asynchronous Transfer Mode (ATM) by ubiquitous Internet Protocol (IP) packet networks capable of supporting converged services is well under way. Service providers can no longer afford to deploy multiple networks, each built to support a single application or service such as voice, business-class data, or Internet traffic; the cost of deploying and operating them is not financially sustainable. In addition, customer demand for integrated services and applications, as well as for new ones, makes service delivery velocity a critical requirement of modern network architectures. Leading wireline and wireless service providers worldwide are already migrating legacy services onto IP core networks to take advantage of the bandwidth efficiency and scalability of IP, and of its ability to enable rapid expansion into new service markets.
Building and operating IP network infrastructures that meet the carrier-class requirements customers demand, while carrying multiple, diverse services with different bandwidth, jitter, and latency requirements, is a challenging task. Single-purpose networks were designed and built for specific, tightly controlled operational characteristics. Carrying Internet, voice, cellular, and private (VPN) business traffic over a common IP backbone has significant implications for both network design and network security: a loss of integrity caused by an attack on any one of these services can disrupt the entire common network, and with it the entire revenue base. Enterprises, too, are increasingly dependent on IP networking for business operations.
Fundamentally, every network carries two kinds of packets: data packets, which belong to customers and carry customer traffic, and control and management packets, which belong to the network and are used to create and operate it. One of the strengths of IP is that all of these packets traverse a common pipe (they are carried in-band). Networking professionals coming from the TDM/ATM world may be unfamiliar with a common pipe for data and control plane traffic, because those legacy systems separate data channels from out-of-band control channels, and misunderstanding and trepidation often exist about how data packets and control packets can be segmented and secured when they share one network.
Even though IP networks carry all packets in-band, it is possible, and now more than ever critical, to distinguish between the various types of packets being transported. Separating traffic into data, control, management, and services planes (referred to as traffic planes), and properly segmenting and protecting each of them, is required to secure today’s highly converged IP networks. This book is the first to cover IP network traffic plane separation and security in a formal and thorough manner.

Goals and Methods
The goal of this book is to familiarize you with concepts, benefits, and implementation details for segmenting and securing IP network traffic planes. This includes a review of the many threats facing IP networks and the many techniques available to mitigate the risks. Defense in depth and breadth strategies are also reviewed to highlight the interactions between various IP traffic plane security techniques. Detailed analyses at the operational level of IP networks from the perspective of each of the data, control, management, and services planes form the basis for the security principles and configuration examples described herein. Case studies further illustrate how optimizing the selection of IP traffic plane protection measures using defense in depth and breadth principles provides an effective security strategy.
Who Should Read This Book?
This book was written for network engineers, and for the network operations and security staff of organizations that deploy and/or maintain IP and IP/MPLS networks. The primary audience includes those engineers who are engaged in day-to-day design, engineering, and operations of IP networks. Subscribers of a service based on IP or IP/MPLS will benefit from this book as well. The secondary audience includes those with less network-centric backgrounds who wish to understand the issues and requirements of IP network traffic plane separation and security. This book also provides insight into the technical inner workings and operations of IP routers that both senior and less-experienced network professionals can benefit from.
How This Book Is Organized
For those readers who are new to IP network security concepts, especially the concepts of separation
and protection of IP traffic planes, this book should be read cover to cover. If you are already familiar
with IP networks, protocols, network design, and operations, you may refer to specific sections of
interest. This book is divided into four general parts, which are described next.
Part I, “IP Network and Traffic Plane Security Fundamentals,” provides a basic overview of the IP protocol, the operations of IP networks, and the operations of routers and routing hardware and software. It is in this section that the concepts of IP traffic segmentation and security are introduced. At the end of this section, casual readers will understand, at a high level, what IP traffic plane separation and protection entails. This section includes the following chapters:
• Chapter 1, “Internet Protocol Operations Fundamentals”: Discusses the fundamentals of the IP protocol, and looks at the operational aspects of IP networks from the perspective of the routing and switching hardware and software. It is in this context that the concept of IP network traffic planes is introduced.
• Chapter 2, “Threat Models for IP Networks”: Lays out threat models for routing and switching environments within each IP network traffic plane. By reviewing threats in this manner, you learn why IP traffic planes must be protected and from what types of attacks.
• Chapter 3, “IP Network Traffic Plane Security Concepts”: Provides a broad overview of each IP traffic plane, and how defense in depth and breadth strategies are used to provide robust network security.
Part II, “Security Techniques for Protecting IP Traffic Planes,” provides the in-depth, working details that serious networking professionals can use to actually implement IP traffic plane separation and protection strategies. For less-experienced network professionals, this section provides insight into the technical operations of IP routers. This section includes the following chapters:
• Chapter 4, “IP Data Plane Security”: Focuses on the data plane and associated security mechanisms. The data plane is the logical entity containing all user traffic generated by hosts, clients, servers, and applications that use the network as transport only.
• Chapter 5, “IP Control Plane Security”: Focuses on the control plane and associated security mechanisms. The control plane is the logical entity associated with routing protocol processes and functions used to create and maintain the necessary intelligence about the operational state of the network, including forwarding topologies.
• Chapter 6, “IP Management Plane Security”: Focuses on the management plane and associated security mechanisms. The management plane is the logical entity that describes the traffic used to access, manage, and monitor all of the network elements for provisioning, maintenance, and monitoring functions.
• Chapter 7, “IP Services Plane Security”: Focuses on the services plane and associated security mechanisms. The services plane is the logical entity that includes user traffic that receives dedicated network-based services requiring special handling beyond traditional forwarding to apply or enforce the intended policies for various service types.
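The four plane definitions above, together with the transit / receive-adjacency / exception split from the Chapter 1 outline, are easiest to see as a sorting rule applied to real packets. The following Python is an added example written for this page, not code from the book or from Cisco; the router addresses, the protocol-to-plane tables, the "non-zero DSCP means services plane" rule and every sample packet are assumptions constructed for the demonstration.

```python
"""Sort sample packets into the four IP traffic planes.

Added example, not from the book. Rules encoded (all assumptions):
  - packets addressed to the router itself are receive-adjacency and
    belong to the control or management plane by protocol/port;
  - anything else addressed to the router is "unexpected", the traffic a
    receive ACL or CoPP policy would drop;
  - transit packets that need handling beyond plain forwarding (IPsec,
    GRE, a non-zero DSCP marking) are services plane, the rest data plane;
  - transit packets the fast path cannot forward (IP options, expiring
    TTL) are punted as exception packets.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Addresses this router owns (constructed; a real router takes these from
# its interface and loopback configuration).
ROUTER_ADDRESSES = {IPv4Address("192.0.2.1"), IPv4Address("198.51.100.1")}

# Expected receive traffic, keyed by (IP protocol, destination port).
# Assumption: well-known default ports only. ICMP is treated as control
# plane, matching where the book's Chapter 5 outline places it.
CONTROL_PLANE = {
    ("tcp", 179): "BGP",
    ("udp", 646): "LDP",
    ("ospf", None): "OSPF",
    ("icmp", None): "ICMP",
}
MANAGEMENT_PLANE = {
    ("tcp", 22): "SSH",
    ("tcp", 23): "Telnet",
    ("udp", 161): "SNMP",
    ("udp", 123): "NTP",
    ("udp", 514): "syslog",
}
# Transit protocols that receive a network-based service (assumption).
SERVICES_PROTOCOLS = {"esp": "IPsec ESP", "ah": "IPsec AH", "gre": "GRE"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", "ospf", "esp", ...
    dport: Optional[int] = None
    ttl: int = 64
    dscp: int = 0
    options: bool = False       # any IP option present


def classify(pkt: Packet) -> tuple:
    """Return (path, plane, detail) for one packet.

    path  is "receive-adjacency", "transit" or "exception".
    plane is "control", "management", "data", "services", or "unexpected"
          for receive packets that match no known protocol.
    """
    if IPv4Address(pkt.dst) in ROUTER_ADDRESSES:
        # Destined to the router: TTL is not decremented, so no expiry check.
        key = (pkt.proto, pkt.dport if pkt.proto in ("tcp", "udp") else None)
        if key in CONTROL_PLANE:
            return ("receive-adjacency", "control", CONTROL_PLANE[key])
        if key in MANAGEMENT_PLANE:
            return ("receive-adjacency", "management", MANAGEMENT_PLANE[key])
        return ("receive-adjacency", "unexpected", f"{pkt.proto}/{pkt.dport}")

    if pkt.options or pkt.ttl <= 1:
        # Cannot be forwarded in the fast path; punted to the route processor.
        reason = "IP options" if pkt.options else "TTL expiry"
        return ("exception", "data", reason)

    if pkt.proto in SERVICES_PROTOCOLS:
        return ("transit", "services", SERVICES_PROTOCOLS[pkt.proto])
    if pkt.dscp != 0:
        return ("transit", "services", f"DSCP {pkt.dscp}")
    return ("transit", "data", f"{pkt.proto}/{pkt.dport}")


def plane_counts(packets) -> Counter:
    """Tally packets per (path, plane): what a rACL/CoPP policy would see."""
    return Counter((path, plane) for path, plane, _ in map(classify, packets))


# Constructed sample traffic as seen by the router at 192.0.2.1 / 198.51.100.1.
SAMPLE = [
    Packet("198.51.100.2", "198.51.100.1", "tcp", 179),         # eBGP peer
    Packet("203.0.113.7", "192.0.2.1", "tcp", 22),              # SSH to router
    Packet("203.0.113.9", "192.0.2.1", "udp", 31337),           # junk to router
    Packet("203.0.113.5", "192.0.2.1", "icmp"),                 # ping to router
    Packet("10.1.1.10", "10.2.2.20", "tcp", 443),               # user web
    Packet("10.1.1.10", "10.2.2.20", "udp", 5060, dscp=46),     # voice, EF-marked
    Packet("10.1.1.10", "10.3.3.30", "esp"),                    # IPsec tunnel
    Packet("10.1.1.10", "10.2.2.20", "udp", 33434, ttl=1),      # traceroute probe
    Packet("10.1.1.10", "10.2.2.20", "tcp", 80, options=True),  # source-routed
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src:>14} -> {p.dst:<14} {classify(p)}")
    print(plane_counts(SAMPLE))
```

The point to take from the tally is where each plane's protection lives: the "unexpected" receive packet and the two exception packets reach the route processor regardless of link speed, so they are the ones a receive ACL, CoPP, or IP options drop policy (Chapters 4 and 5) has to bound, while the transit rows are handled by interface ACLs, uRPF and QoS in the forwarding path.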

Part III, “Case Studies,” provides case studies for two different network types: the enterprise network,
and the service provider network. These case studies are used to further illustrate how the individual
components discussed in detail in Part II are integrated into a comprehensive IP network traffic plane
separation and protection plan. This section includes the following chapters:
• Chapter 8, “Enterprise Network Case Studies”: Uses two basic enterprise network situations, the Internet-based IPsec VPN design and the MPLS VPN design, to illustrate the application of IP network traffic plane separation and protection concepts for enterprises. These case studies focus on the Internet edge router and the customer edge (CE) router, respectively, to present the IP traffic plane security concepts.
• Chapter 9, “Service Provider Network Case Studies”: Uses the same topologies from the two case studies of Chapter 8, but presents them from the service provider network perspective. In this chapter, two provider edge router configurations are studied, one for the Internet-based IPsec VPN design case and one for the MPLS VPN case, to illustrate the application of IP network traffic plane separation and protection concepts for service providers.
Part IV, “Appendixes,” supplements many of the discussions in the body of the book by providing handy
references that should be useful not only during the course of reading the book, but also in day-to-day
work. The following appendixes are provided:
• Appendix A, “Answers to Chapter Review Questions”: Provides answers to the chapter
review questions.
• Appendix B, “IP Protocol Headers”: Covers the header format for several common IP
network protocols, and describes the security implications and abuse potential for each header
field.
• Appendix C, “Cisco IOS to IOS XR Security Transition”: Provides a one-for-one mapping
between common IOS 12.0S security-related configuration commands and their respective IOS
XR counterparts.
• Appendix D, “Security Incident Handling”: Provides a short overview of security incident
handling techniques, and a list of common security incident handling organizations.
