Page 54 7450 ESS System Management Guide
SSHv2 supports both RSA and DSA keys. The Digital Signature Algorithm (DSA) is a U.S. Federal
Government standard for digital signatures. PuTTYgen can be used to generate either type of
key. The SR OS currently supports only RSA keys.
Assume the client is using PuTTY. First, the user generates a key pair using PuTTYgen. The
user sets the key type (SSH-1 RSA, SSH-2 RSA, or SSH-2 DSA) and sets the number of bits to
be used for the key (default = 1024). The user can also configure a passphrase that is used
to store the key locally in encrypted form. If a passphrase is configured, the user must enter
it in order to use the private key; it is, in effect, a password for the private key. If no
passphrase is used, the key is stored locally in plaintext.
Next, the user must configure the server to use the public key. This typically requires the user
to add the public key to a file on the server. For example, if the server is using OpenSSH, the
key must be added to the .ssh/authorized_keys file. On the SR OS, the user can program the
public key via Telnet/SSH or SNMP.
Per Peer CPM Queuing
System-level security is crucial in service provider networks to address the increased threat of
Denial-of-Service (DoS) attacks.
Control Processor Module Queuing (CPMQ) implements separate hardware-based queues
which are allocated on a per-peer basis. CPMQ allocates a separate queue for each LDP and
BGP peer and ensures that each queue is served in a round-robin fashion. This mechanism
guarantees fair and “non-blocking” access to shared CPU resources across all peers. This
would ensure, for example, that an LDP-based DoS attack from a given peer would be
mitigated and compartmentalized so that not all CPU resources would be dedicated to the
otherwise overwhelming control traffic sent by that specific peer.
CPMQ, enabled with the “per-peer-queuing” command, ensures that service levels are not
impacted, or are only partially impacted, by an attack from a spoofed LDP or BGP peer IP address.
Per Peer CPM Queuing is supported on the 7450 ESS-6/7/12 platforms. It is not supported on
the 7450 ESS-1.
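
The effect of per-peer queues served round-robin, compared with a single shared queue, can be seen in a small software model. This is an added example, not code from the guide or from SR OS; the peer names, packet rates, queue depth and CPU budget are constructed values chosen only to make the behaviour visible.

```python
import random
from collections import deque

def simulate(per_peer, peers, flood_peer, ticks=100, flood_rate=50,
             cpu_per_tick=8, queue_depth=32, seed=1):
    """Return {peer: control packets the CPU processed} after `ticks` ticks.

    Each peer offers 1 packet per tick, `flood_peer` offers `flood_rate`.
    All rates and depths are constructed values, not SR OS defaults.
    """
    rng = random.Random(seed)
    # One queue per peer, or one shared queue (key None) for everybody.
    queues = {p: deque() for p in peers} if per_peer else {None: deque()}
    order = deque(queues)              # round-robin service order
    served = dict.fromkeys(peers, 0)

    for _ in range(ticks):
        # Arrivals within a tick are interleaved at random; tail-drop when full.
        arrivals = [p for p in peers
                    for _ in range(flood_rate if p == flood_peer else 1)]
        rng.shuffle(arrivals)
        for p in arrivals:
            q = queues[p if per_peer else None]
            if len(q) < queue_depth:
                q.append(p)
        # Service: one packet per queue visit until the CPU budget is spent
        # or every queue has been found empty in a row.
        budget, idle = cpu_per_tick, 0
        while budget and idle < len(order):
            q = queues[order[0]]
            order.rotate(-1)
            if q:
                served[q.popleft()] += 1
                budget, idle = budget - 1, 0
            else:
                idle += 1
    return served

PEERS = ["bgp-1", "bgp-2", "ldp-1", "ldp-flood"]   # hypothetical peer names

if __name__ == "__main__":
    for mode in (False, True):
        label = "per-peer queues" if mode else "shared queue   "
        print(label, simulate(mode, PEERS, "ldp-flood"))
```

With the shared queue, the flooding peer's packets crowd out most packets from the other peers; with per-peer queues, the drops are confined to the flooding peer's own queue and every other peer is served in full.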