
CPCAR

Updated on Mar 29, 2024

What Is CPCAR?

Control Plane Committed Access Rate (CPCAR) serves as the foundation for defending against CPU attacks, as it imposes limits on the rate of protocol packets transmitted to the control plane. Its primary objective is to protect the control plane and ensure the CPU can effectively handle various services. The rate limiting mechanisms employed by CPCAR encompass protocol-based rate limiting, queue-based scheduling and rate limiting, as well as unified rate limiting for all packets. These measures collectively contribute to a secure and efficient operation of the control plane.

The Significance of CPCAR

CPU attack defense, one of a network device's local attack defense functions, is centered on CPCAR.

Apart from regular service packets, network devices' CPUs may also be bombarded with a substantial volume of attack packets. These malicious packets pose a significant risk as they can overwhelm the CPUs, leading to service disruptions and potential system failures. Additionally, even a large influx of legitimate packets can result in high CPU usage, negatively impacting CPU performance and causing service interruptions.

To ensure that normal service packets are still processed and answered promptly, network devices implement local attack defense mechanisms. These mechanisms deal specifically with packets directed to the CPU: they protect the device itself, limit the impact of an attack, and keep existing services running while the attack is under way.

CPCAR applies rate limiting exclusively to packets that are directed to the control plane and subsequently processed by the CPU. As a result, it has no impact on the forwarding of traffic that does not require CPU processing.

Core Technology of CPCAR

Network devices implement the Committed Access Rate (CAR) mechanism to identify protocol packets using Access Control Lists (ACLs) and regulate their transmission to the CPU, ensuring control plane security. The CPCAR feature offers the following rate-limiting strategies for packets sent to the CPU: protocol-based rate limiting, queue-based scheduling and rate limiting, and unified rate limiting for all packets.

1. Protocol-based rate limiting: To prevent excessive traffic volume of a specific protocol from hindering the timely processing of other protocols, CPCAR allows setting the Committed Information Rate (CIR) and Committed Burst Size (CBS) for each protocol. Protocol packets exceeding the rate limit are discarded, ensuring normal processing of services and minimizing protocol interference.

2. Queue-based scheduling and rate limiting: After configuring rate limits for protocols, the device assigns a dedicated queue to each protocol type, such as management protocols (e.g., Telnet and SSH) and routing protocols. Queues are scheduled based on weights or priorities, so higher-priority services are served first when protocols contend for the CPU. Rate limiting can also be applied per queue, restricting the maximum packet rate that the queue as a whole may send to the CPU. Protocol packets exceeding a queue's rate limit are dropped.

3. Unified rate limiting for all packets: By setting an overall rate limit for all packets, the total number of packets transmitted to the CPU is constrained. This approach allows for efficient processing of additional protocol packets without adversely affecting CPU performance.

When all three rate limiting modes are active, the device applies the minimum rate limit among them to control the packet rate effectively.
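As an added example (not code from this page or from any vendor's implementation), the following Python simulation chains the three CPCAR stages described above as token buckets, protocol CAR, then queue CAR, then the global CAR, and runs a constructed one-second packet sample through them; the policy values, protocol names and queue names are assumptions. It also spells out the rule that the tightest of the three limits is the rate a protocol effectively gets.

```python
from collections import Counter

# Constructed policy (hypothetical values, not a vendor default): (CIR pps, CBS packets).
PROTO_CAR = {"ssh": (50, 100), "telnet": (50, 100), "ospf": (100, 200), "icmp": (20, 40)}
PROTO_QUEUE = {"ssh": "management", "telnet": "management", "ospf": "routing", "icmp": "other"}
QUEUE_CAR = {"management": (20, 40), "routing": (150, 300), "other": (30, 60)}
GLOBAL_CAR = (200, 400)

class TokenBucket:
    """Single-rate token bucket kept in integer millitokens so results are exact."""
    def __init__(self, cir, cbs):
        self.rate, self.cap = cir, cbs * 1000      # refill per ms, bucket capacity
        self.tokens, self.last = self.cap, 0       # starts full; last refill time (ms)
    def conform(self, now_ms):
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:                    # one packet costs 1000 millitokens
            self.tokens -= 1000
            return True
        return False                               # non-conforming: packet is dropped

def effective_cir(proto):
    """The tightest of the three limits is the rate the protocol actually gets."""
    return min(PROTO_CAR[proto][0], QUEUE_CAR[PROTO_QUEUE[proto]][0], GLOBAL_CAR[0])

def cpcar(packets):
    """packets: time-ordered (t_ms, proto) with proto in PROTO_CAR; returns outcome counts."""
    proto_b = {p: TokenBucket(*v) for p, v in PROTO_CAR.items()}
    queue_b = {q: TokenBucket(*v) for q, v in QUEUE_CAR.items()}
    global_b = TokenBucket(*GLOBAL_CAR)
    stats = Counter()
    for t, proto in packets:
        # A packet reaches the CPU only if it conforms at every stage in turn.
        if not proto_b[proto].conform(t):
            stats[(proto, "drop_protocol")] += 1
        elif not queue_b[PROTO_QUEUE[proto]].conform(t):
            stats[(proto, "drop_queue")] += 1
        elif not global_b.conform(t):
            stats[(proto, "drop_global")] += 1
        else:
            stats[(proto, "to_cpu")] += 1
    return stats

def constructed_stream():
    """Constructed 1 s sample: ICMP flood at 1000 pps, SSH and Telnet at 40 pps each, OSPF at 50 pps."""
    pkts = [(t, "icmp") for t in range(1000)] + [(20 * i, "ospf") for i in range(50)]
    pkts += [(25 * i, "ssh") for i in range(40)] + [(25 * i + 10, "telnet") for i in range(40)]
    return sorted(pkts)
```

In the sample, the ICMP flood is cut to 59 packets at the protocol stage, while SSH and Telnet together exceed the management queue's 20 pps and lose 21 packets at the queue stage even though each conforms to its own protocol limit.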

Default CPCAR values may not accommodate dynamic requirements for protocol packet rates sent to the CPU. To address this, network devices incorporate adaptive CPCAR adjustment, which considers factors such as service volume, packet loss behavior, and CPU utilization. This adaptive mechanism ensures optimal rate limiting for protocol packets based on real-time conditions, promoting efficient CPU utilization and maintaining network stability.
