
The PE router must be configured to enforce a Quality-of-Service (QoS) policy so that all customer traffic receives forwarding treatment as specified in the service level agreement (SLA).


Overview

Finding ID: V-78323
Version: SRG-NET-000193-RTR-000109
Rule ID: SV-93029r1_rule
IA Controls:
Severity: Medium
Description
QoS enables DISA to offer value-added IP services in accordance with SLAs, ensuring that customer requirements can be met while providing a method to provision the edge and core to accommodate those requirements. The IP core will recognize and provide forwarding treatment of customer traffic according to the Differentiated Services Code Points (DSCP). Customers marking traffic within their DiffServ domain will be required to comply with the DSCP classification that has been approved by the DOD QoS Working Group. Non-compliance could enable a customer or even an attacker to rob bandwidth from other customers or mission-critical services.
STIG: Router Security Requirements Guide
Date: 2018-01-26

Details

Check Text (C-77881r1_chk)
Review the router configuration to verify that the class-maps are configured to match on DSCP, protocols, or access control lists (ACLs) that identify traffic types based on ports.

Verify that the policy-map is configured to set DSCP values for the defined class-maps in accordance with the customer SLA.

Verify that an input service policy is bound to all CE-facing interfaces.

If the PE router does not enforce a QoS policy to ensure that all customer traffic receives forwarding treatment as specified in the SLA, this is a finding.
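
One way to automate the three checks above against a saved configuration, as an added example that is not part of the STIG. It assumes Cisco IOS-style syntax (the SRG is vendor-neutral) and that CE-facing interfaces carry a `CE-facing` tag in their description; `blocks`, `audit` and the sample configuration are constructed for illustration.

```python
import re
# Constructed sample in IOS-style syntax (an assumption; the SRG is vendor-neutral).
SAMPLE_CONFIG = """\
class-map match-any VOICE
 match dscp ef
class-map match-any BULK
 match access-group name BULK-PORTS
policy-map CE-INGRESS
 class VOICE
  set dscp ef
 class BULK
  set dscp af11
interface GigabitEthernet0/1
 description CE-facing CUST-A
 service-policy input CE-INGRESS
interface GigabitEthernet0/2
 description CE-facing CUST-B
interface GigabitEthernet0/3
 description core uplink
"""

def blocks(config, keyword):
    """Map stanza name -> stripped child lines for top-level stanzas opening with keyword."""
    out, current = {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():
            current = out.setdefault(line.split()[-1], []) if line.split()[0] == keyword else None
        elif current is not None and line.strip():
            current.append(line.strip())
    return out

def audit(config, ce_tag="CE-facing"):
    """Run the three check-text steps; ce_tag in a description marks a CE-facing port (assumed)."""
    cmaps, pmaps = blocks(config, "class-map"), blocks(config, "policy-map")
    findings = [f"class-map {n}: no DSCP, protocol or ACL match" for n, body in cmaps.items()
                if not any(re.match(r"match (ip )?(dscp|protocol|access-group)\b", ln) for ln in body)]
    marked = set()  # classes for which some policy-map sets a DSCP value
    for body in pmaps.values():
        cls = None
        for ln in body:
            if ln.startswith("class "):
                cls = ln.split()[1]
            elif cls and re.match(r"set (ip )?dscp\b", ln):
                marked.add(cls)
    findings += [f"class-map {n}: no policy-map sets its DSCP" for n in cmaps if n not in marked]
    for name, body in blocks(config, "interface").items():
        bound = [ln.split()[-1] for ln in body if ln.startswith("service-policy input ")]
        if ce_tag in " ".join(body) and not any(p in pmaps for p in bound):
            findings.append(f"interface {name}: no input service-policy bound")
    return findings
```

The script confirms that classification, marking and binding are present, not that the DSCP values agree with the customer SLA; that comparison remains a manual step.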
Fix Text (F-85051r1_fix)
The ISSM will ensure QoS policies are configured on all the PE routers so all customer traffic receives forwarding treatment as specified in the SLA.