1 / 25

MPLS-based Traffic Shunt

MPLS-based Traffic Shunt. NANOG28 Salt Lake City June 2003. Yehuda Afek – Riverhead Networks Roy Brooks – Cisco Systems Nicolas Fischbach – COLT Telecom. Credits. Cisco Systems: Paul Quinn COLT Telecom: Andreas Friedrich, Marc Binderberger Riverhead Networks:

urban
Download Presentation

MPLS-based Traffic Shunt

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MPLS-based Traffic Shunt NANOG28 Salt Lake City June 2003 Yehuda Afek – Riverhead Networks Roy Brooks – Cisco Systems Nicolas Fischbach – COLT Telecom

  2. Credits • Cisco Systems: Paul Quinn • COLT Telecom: Andreas Friedrich, Marc Binderberger • Riverhead Networks: Anat Bremler-Barr, Boaz Elgar, Roi Hermoni

  3. Announce: 61.1.1.1 -> Sink Hole Sink Hole 61.1.1.1 Sink hole server

  4. Traffic Shunt 61.1.1.1 Sink hole server

  5. Applications • Cleaning DDoS traffic • Reverse proxy • On-demand traffic analysis

  6. Unidirectional: Data in & not out IP-based Blackholing DDoS, forensic CenterTrack [Stone NANOG 17] Bidirectional: Data in, processed and out Tunnels: GRE, IPIP, MPLS, L2TPv3 DDoS cleaning Reverse proxy, traffic analysis Bellwether [Hardie Wessels NANOG 19] Sink Hole Shunt

  7. Traffic Shunt 61.1.1.1 Careful setup required to prevent infinite loops

  8. Traffic Shunt Tunnels: Peering - Sink 61.1.1.1 Returned traffic must not pass through a peering router

  9. Traffic Shunt Tunnels: Sink – CPE router 61.1.1.1

  10. Tunnels • GRE/IPIP • Cisco GSRs and Juniper routers require special interface cards • Processing overhead • MPLS • Supported without any special interface • No extra H/W • From IOS-12.0(7)S and JunOS 5.3 and up

  11. MPLS Shunt: Requirements • No dynamic configuration • Only one-time set-up • Minimum initial (static) configuration • No need for sink hole router/device to speak MPLS • But could!

  12. Two MPLS methods • Method #1: Pure MPLS using Proxy Egress LSP • Penultimate hop popping • RFC3031 • Method #2: MPLS VPN

  13. LSPs Method 1: MPLS LSPs with Loopbacks 61.1.1.1 Sinkhole server

  14. iBGP Penultimate Router 2 5 6 5 4 2 2 IP IP IP Lookup MPLS Table MPLS Table MPLS Table In In Out Out In Out (5, 42) (2, 3) (5, 25 ) (6, 3 ) IP: a Loop back (2, 42) 25 42 3 IP IP IP Method 1: MPLS LSP Proxy Egress Loopback LSP IP: a Sink router MPLS Table In Out (4, 25) (2, untagged) LSP Proxy Egress

  15. iBGP Method 1: MPLS LSP Proxy Egress 61.1.1.1 Penultimate Router

  16. Actual Deployment LONDON#show mpls forwarding-table 61.222.65.77 Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface 503 560 61.222.65.77/32 0 PO11/0 point2point FRANKFURT#show mpls forwarding-table labels 16 Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface 16 Untagged 61.222.65.77/32 24831266 Gi6/0 61.44.88.111

  17. Advertise 61.1.1.1 iBGP IPv4 Method 2: MPLS VPN - VRF Sink  CPE router MP-BGP VPNv4 61.1.1.1 VRF interface to MPLS VPN

  18. iBGP IPv4 Method 2: MPLS VPN - VRF Sink  CPE router 61.1.1.1 CORE-2#sh ip route vrf rx-monitor B 61.1.1.1 [200/0] via 11.61.128.7, 00:00:53 CORE-2#sh ip cef vrf rx-monitor 61.1.1.1 fast tag rewrite with PO0/0, point2point, tags imposed {45 118} via 11.61.128.7, 0 dependencies, recursive

  19. iBGP IPv4 Method 2: MPLS VPN - VRF Sink  CPE router 61.1.1.1 ip route vrf rx-monitor 61.1.1.1 255.255.255.255 14.0.1.2 global core-as#sh ip cef vrf rx-monitor 61.1.1.1 via 14.0.1.2, 0 dependencies, recursive next hop 14.0.1.2, FastEthernet1/0 via 14.0.1.2/32 (Default) tag rewrite with Fa1/0, 14.0.1.2, tags imposed {}

  20. ip vrf receive tx-monitor vrf selection source 61.1.1.1 255.255.255.255 vrf tx-monitor ! interface GigabitEthernet5/0 ip vrf select source ip address 14.0.1.2 255.255.255.252 Method 2: MPLS VPN - VRF SELECT Monitor the outgoing traffic VRF SELECT interface to MPLS VPN 61.1.1.1 Sink Server

  21. Methods Requirements • Method #1: Pure MPLS Using Proxy Egress LSP • IOS 12.0(17)ST • JunOS 5.4 • Method #2: MPLS VPN • VRF – IOS12.0(11)ST • VRF Select – IOS12.0(22)S • JunOS 5.3

  22. MPLS VPN Support & availability Proxy Egress LSP Peering router which is also an access router Caveats Shunt: • DDoS or other traffic thru the backbone • Latency (few extra hops)

  23. Advantages • Not on the critical path • Does not effect normal traffic • No additional load on the routers • LDP need to advertise only sink-hole loop-back • Simple to deploy & Scalable

  24. What next? Distributed Sink Hole ! 61.1.1.1

  25. Thank you! afek@riverhead.com rbrooks@cisco.com nicolas.fischbach@colt.ch

More Related