Published by Abigail Preston. Modified over 9 years ago.
1 MPLS-based Traffic Shunt
Yehuda Afek – Riverhead Networks
Roy Brooks – Cisco Systems
Nicolas Fischbach – COLT Telecom
NANOG28, Salt Lake City, June 2003
2 Credits
- Cisco Systems: Paul Quinn
- COLT Telecom: Andreas Friedrich, Marc Binderberger
- Riverhead Networks: Anat Bremler-Barr, Boaz Elgar, Roi Hermoni
3 Sink Hole
[Diagram labels: 61.1.1.1; Announce: 61.1.1.1 -> Sink Hole; Sink hole server]
4 Traffic Shunt
[Diagram labels: 61.1.1.1; Sink hole server]
5 Applications
- Cleaning DDoS traffic
- Reverse proxy
- On-demand traffic analysis
6 Sink Hole / Shunt
Sink Hole:
- Unidirectional: Data in & not out
- IP-based
- Blackholing DDoS, forensic
- CenterTrack [Stone NANOG 17]
Shunt:
- Bidirectional: Data in, processed and out
- Tunnels: GRE, IPIP, MPLS, L2TPv3
- DDoS cleaning
- Reverse proxy, traffic analysis
- Bellwether [Hardie Wessels NANOG 19]
7 Traffic Shunt
Careful setup required to prevent infinite loops.
[Diagram label: 61.1.1.1]
8 Traffic Shunt Tunnels: Peering - Sink
Returned traffic must not pass through a peering router.
[Diagram label: 61.1.1.1]
9 Traffic Shunt Tunnels: Sink – CPE router
[Diagram label: 61.1.1.1]
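The loop warning on slides 7 to 9 can be reproduced with a small forwarding model. This is an added example, not part of the presentation: the four-router topology, the router names and the 10.0.0.x tunnel endpoints are constructed, and the tunnel is modelled generically as an outer destination address rather than as GRE, IPIP or MPLS specifically.

```python
import ipaddress

VICTIM = "61.1.1.1"                        # diverted address used on the slides
CPE_LO, PEER_LO = "10.0.0.9", "10.0.0.1"   # constructed tunnel endpoint loopbacks

def build_fibs():
    """Constructed topology: peer - core - cpe, with the sink attached to core."""
    fibs = {
        "peer": {"61.1.1.0/24": "core", CPE_LO + "/32": "core", PEER_LO + "/32": "LOCAL"},
        "core": {"61.1.1.0/24": "cpe", CPE_LO + "/32": "cpe", PEER_LO + "/32": "peer"},
        "sink": {"61.1.1.0/24": "core", CPE_LO + "/32": "core", PEER_LO + "/32": "core"},
        "cpe": {"61.1.1.0/24": "CUSTOMER", CPE_LO + "/32": "LOCAL", PEER_LO + "/32": "core"},
    }
    # Diversion: the sink announces the /32, so peer and core now prefer it.
    fibs["peer"][VICTIM + "/32"] = "core"
    fibs["core"][VICTIM + "/32"] = "sink"
    return fibs

def lookup(fib, dst):
    """Longest-prefix match over a {prefix: next_hop} table."""
    addr = ipaddress.ip_address(dst)
    hits = [p for p in fib if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    return fib[max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)]

def return_leg(fibs, tunnel_to=None):
    """Trace cleaned traffic leaving the sink; tunnel_to is the outer destination, if any."""
    router, path, outer = "sink", ["sink"], tunnel_to
    while True:
        nh = lookup(fibs[router], outer or VICTIM)
        if nh == "LOCAL":          # tunnel endpoint: decapsulate, route on the inner header
            outer = None
            continue
        if nh == "CUSTOMER":
            return "delivered", path
        if nh is None:
            return "dropped", path
        if nh in path:             # back at a router already visited: forwarding loop
            return "loop", path + [nh]
        router = nh
        path.append(nh)

if __name__ == "__main__":
    for label, endpoint in (("plain IP", None), ("tunnel to CPE", CPE_LO),
                            ("tunnel to peering router", PEER_LO)):
        print(label, return_leg(build_fibs(), endpoint))
```

The third case shows why the tunnel endpoint matters: a tunnel that terminates on a router still holding the diversion route sends the decapsulated packet straight back toward the sink.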
10 Tunnels
- GRE/IPIP
  - Cisco GSRs and Juniper routers require special interface cards
  - Processing overhead
- MPLS
  - Supported without any special interface
  - No extra H/W
  - From IOS-12.0(7)S and JunOS 5.3 and up
11 MPLS Shunt: Requirements
- No dynamic configuration
  Only one-time set-up
- Minimum initial (static) configuration
- No need for sink hole router/device to speak MPLS
  But could!
12 Two MPLS methods
- Method #1: Pure MPLS using Proxy Egress LSP
  - Penultimate hop popping
  - RFC3031
- Method #2: MPLS VPN
13 Method 1: MPLS LSPs with Loopbacks
[Diagram labels: 61.1.1.1; LSPs; Sinkhole server]
14 Method 1: MPLS LSP Proxy Egress
[Diagram labels: LSP; Proxy Egress; Loopback; Sink router; iBGP; IP Lookup; Penultimate Router]
Four In/Out MPLS tables appear in the diagram:
    In              Out
    (6, 3)          (5, 42)
    (5, 25)         (2, 3)
    (2, untagged)   (4, 25)
    (2, 42)         IP: a
15 Method 1: MPLS LSP Proxy Egress
[Diagram labels: 61.1.1.1; Penultimate Router; iBGP]
16 Actual Deployment
    FRANKFURT#show mpls forwarding-table labels 16
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id      switched   interface
    16     Untagged    61.222.65.77/32   24831266   Gi6/0      61.44.88.111

    LONDON#show mpls forwarding-table 61.222.65.77
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id      switched   interface
    503    560         61.222.65.77/32   0          PO11/0     point2point
17 Method 2: MPLS VPN - VRF Sink CPE router
[Diagram labels: VRF interface to MPLS VPN; 61.1.1.1; Advertise 61.1.1.1; MP-BGP VPNv4; iBGP IPv4]
18 Method 2: MPLS VPN - VRF Sink CPE router
    CORE-2#sh ip route vrf rx-monitor
    B    61.1.1.1 [200/0] via 11.61.128.7, 00:00:53
    CORE-2#sh ip cef vrf rx-monitor 61.1.1.1
      fast tag rewrite with PO0/0, point2point, tags imposed {45 118}
      via 11.61.128.7, 0 dependencies, recursive
[Diagram labels: 61.1.1.1; iBGP IPv4]
19 Method 2: MPLS VPN - VRF Sink CPE router
    ip route vrf rx-monitor 61.1.1.1 255.255.255.255 14.0.1.2 global

    core-as#sh ip cef vrf rx-monitor 61.1.1.1
      via 14.0.1.2, 0 dependencies, recursive
        next hop 14.0.1.2, FastEthernet1/0 via 14.0.1.2/32 (Default)
        tag rewrite with Fa1/0, 14.0.1.2, tags imposed {}
[Diagram labels: 61.1.1.1; iBGP IPv4]
20 Method 2: MPLS VPN - VRF SELECT
Monitor the outgoing traffic
    vrf selection source 61.1.1.1 255.255.255.255 vrf tx-monitor
    !
    interface GigabitEthernet5/0
     ip vrf select source
     ip vrf receive tx-monitor
     ip address 14.0.1.2 255.255.255.252
[Diagram labels: VRF SELECT interface to MPLS VPN; 61.1.1.1; Sink Server]
21 Methods Requirements
- Method #1: Pure MPLS Using Proxy Egress LSP
  - IOS 12.0(17)ST
  - JunOS 5.4
- Method #2: MPLS VPN
  - VRF – IOS 12.0(11)ST
  - VRF Select – IOS 12.0(22)S
  - JunOS 5.3
22 Caveats
MPLS VPN:
- Support & availability
Proxy Egress LSP:
- Peering router which is also an access router
Shunt:
- DDoS or other traffic thru the backbone
- Latency (few extra hops)
23 Advantages
- Not on the critical path
- Does not affect normal traffic
- No additional load on the routers
- LDP needs to advertise only the sink-hole loopback
- Simple to deploy & scalable
24 What next?
Distributed Sink Hole!
[Diagram label: 61.1.1.1]
25 Thank you!
afek@riverhead.com
rbrooks@cisco.com
nicolas.fischbach@colt.ch