Building network automation solutions

9 module online course

Start now!

RFC 3514 implemented by the ASR series of routers

The information on the IOS XE software used by the recently launched ASR 1000 router is pretty scarce (there is still no link to the documentation available on CCO), but obviously some backdoor links already exist, as I was able to find some IOS XE-related documents with Google. One of the most amazing features I've found is the support for the security-oriented RFC 3514 which allows you to mark the security level of an IP packet.

The RFC 3514 requires the end host to participate in the process, but as most operating system vendors still don't have a trusted computing platform, a transparent proxy has to be implemented on the network edges to properly tag the ingress packets. ASR 1000 has the first high-speed implementation of the RFC 3514 proxy thanks to its non-deterministic parallel QuantumFlow processors.

The configuration of the RFC 3514 proxy is extremely simple: all you need to do is to configure auto-secure mark on the ingress interfaces of the ASR 1000. Once the security bit has been set, you can use the match ip security-bit 0|1 command in a class-map or a route-map on any router running IOS release 12.4(11)T or later (the command is still hidden).


  1. How does the ASR know which packets to mark by using the auto-secure mark command?
  2. Nicely done. =)
  3. Are packets that hit the route-map statement still going to processed quickly though?

    Or is that the beauty if the Quantum Flow processors, full IOS flexability, no hit to the forwarding rate?
  4. @William: I still haven't figured out the details, but it looks like the decision which packet to mark is an NP-problem which is obviously not easily solved in polynomial time. However, with non-deterministic quantum processors, the decision can be reached at line speeds.

    @whisper: once the security bit is set, checking it is fast (like you'd check IP precedence or DSCP class).
  5. brilliant! about time someone implemented this... :)
  6. To set the record straight: if you've followed the link to the RFC text, you probably noticed that it was published on April 1st 2003 ... and my post was published exactly five years later :)

    Unfortunately we still have to rely on deterministic techniques like firewalls and IPS to identify “evil” packets … and a working quantum computer hasn't been demonstrated yet, regardless of how a certain chipset is named ;)
Add comment