
1 MPLS-based Traffic Shunt
Yehuda Afek – Riverhead Networks, Roy Brooks – Cisco Systems, Nicolas Fischbach – COLT Telecom
NANOG28, Salt Lake City, June 2003


2 Credits
- Cisco Systems: Paul Quinn
- COLT Telecom: Andreas Friedrich, Marc Binderberger
- Riverhead Networks: Anat Bremler-Barr, Boaz Elgar, Roi Hermoni

3 Sink Hole [diagram: the sink hole server announces 61.1.1.1 -> Sink Hole]

4 Traffic Shunt [diagram: 61.1.1.1 diverted through the sink hole server]

5 Applications
- Cleaning DDoS traffic
- Reverse proxy
- On-demand traffic analysis

6 Sink Hole Shunt
- Unidirectional: data in & not out
  - IP-based
  - Blackholing DDoS, forensic
  - CenterTrack [Stone NANOG 17]
- Bidirectional: data in, processed and out
  - Tunnels: GRE, IPIP, MPLS, L2TPv3
  - DDoS cleaning
  - Reverse proxy, traffic analysis
  - Bellwether [Hardie Wessels NANOG 19]

7 Traffic Shunt [diagram: 61.1.1.1] Careful setup required to prevent infinite loops

8 Traffic Shunt Tunnels: Peering – Sink [diagram: 61.1.1.1] Returned traffic must not pass through a peering router

9 Traffic Shunt Tunnels: Sink – CPE router [diagram: 61.1.1.1]

10 Tunnels
- GRE/IPIP
  - Cisco GSRs and Juniper routers require special interface cards
  - Processing overhead
- MPLS
  - Supported without any special interface
  - No extra H/W
  - From IOS 12.0(7)S and JunOS 5.3 and up

11 MPLS Shunt: Requirements
- No dynamic configuration: only one-time set-up
- Minimum initial (static) configuration
- No need for the sink hole router/device to speak MPLS (but it could!)

12 Two MPLS methods
- Method #1: Pure MPLS using Proxy Egress LSP
  - Penultimate hop popping
  - RFC 3031
- Method #2: MPLS VPN

13 Method 1: MPLS LSPs with Loopbacks [diagram: 61.1.1.1, LSPs, sinkhole server]

14 Method 1: MPLS LSP Proxy Egress [diagram: the LSP from the penultimate router to the sink router, with each hop's MPLS table of (in, out) label pairs, the loopback used as proxy egress, and the IP lookup driven by the sink router's iBGP announcement]

15 Method 1: MPLS LSP Proxy Egress [diagram: 61.1.1.1, penultimate router, iBGP]

16 Actual Deployment

FRANKFURT#show mpls forwarding-table labels 16
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    61.222.65.77/32   24831266   Gi6/0      61.44.88.111

LONDON#show mpls forwarding-table 61.222.65.77
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
503    560         61.222.65.77/32   0          PO11/0     point2point

17 Method 2: MPLS VPN - VRF, Sink -> CPE router [diagram: VRF interface to the MPLS VPN; 61.1.1.1 is advertised by the sink via MP-BGP VPNv4 and via iBGP IPv4]

18 Method 2: MPLS VPN - VRF, Sink -> CPE router [diagram: 61.1.1.1, iBGP IPv4]

CORE-2#sh ip route vrf rx-monitor
B    61.1.1.1 [200/0] via 11.61.128.7, 00:00:53

CORE-2#sh ip cef vrf rx-monitor 61.1.1.1
  fast tag rewrite with PO0/0, point2point, tags imposed {45 118}
  via 11.61.128.7, 0 dependencies, recursive

19 Method 2: MPLS VPN - VRF, Sink -> CPE router [diagram: 61.1.1.1, iBGP IPv4]

ip route vrf rx-monitor 61.1.1.1 255.255.255.255 14.0.1.2 global

core-as#sh ip cef vrf rx-monitor 61.1.1.1
  via 14.0.1.2, 0 dependencies, recursive
    next hop 14.0.1.2, FastEthernet1/0 via 14.0.1.2/32 (Default)
    tag rewrite with Fa1/0, 14.0.1.2, tags imposed {}
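The loop that slides 7 and 8 warn about, and the VRF return path of slides 18 and 19, as an added example that is not part of the presentation: a small Python model of the shunt in which every router still holds the sink's iBGP /32, so returned traffic is safe only if the VPN label pops into the rx-monitor VRF (whose static route points at the CPE) and not into the global table. The router names (PEER, CORE, SINKPE, SINK, PE, CPE) and the label values 16, 45 and 118 are constructed for the example, not taken from the slides.

```python
import ipaddress

# Constructed topology modelled on the slides: PEER (peering router that
# diverts the /32), CORE (P router), SINKPE (PE in front of the sink), SINK
# (cleaning device), PE (customer-facing PE), CPE.  Labels 16/45/118 are made up.

def lpm(table, dst):
    """Longest-prefix match in a {prefix: action} table; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), a) for p, a in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def build(return_table):
    """'vrf': VPN label pops into the rx-monitor VRF (as on the slides);
    'ip': it pops into the global table, which still holds the /32 via the sink."""
    via_sink = ("push", [16], "CORE")      # /32 learnt via iBGP from the sink
    return {
        "PEER":   {"ip": {"61.1.1.0/24": ("nh", "PE"), "61.1.1.1/32": via_sink}},
        "CORE":   {"lfib": {16: ("pop", "SINKPE"), 45: ("pop", "PE")}},  # PHP
        "SINKPE": {"ip": {"61.1.1.1/32": ("nh", "SINK")},
                   "vrf": {"61.1.1.1/32": ("push", [45, 118], "CORE")}},
        "SINK":   {"ip": {"0.0.0.0/0": ("vrf", "SINKPE")}},  # cleaned traffic re-enters via the VRF
        "PE":     {"ip": {"61.1.1.0/24": ("nh", "CPE"), "61.1.1.1/32": via_sink},
                   "vrf": {"61.1.1.1/32": ("nh", "CPE")},  # ip route vrf rx-monitor ... global
                   "lfib": {118: ("pop_to", return_table)}},
    }

def forward(net, start, dst, max_hops=12):
    """Walk one packet until it reaches CPE; returns the hop list, raises on a loop."""
    node, labels, table, path = start, [], "ip", [start]
    while node != "CPE":
        if len(path) > max_hops:
            raise RuntimeError("forwarding loop: " + " -> ".join(path))
        r = net[node]
        if labels:                                   # MPLS: act on the top label
            kind, target = r["lfib"][labels.pop(0)]  # only pop actions are modelled
            if kind == "pop":                        # penultimate hop popping
                node = target
            else:                                    # pop_to: look up in a local table
                table = target
                continue
        else:                                        # IP lookup in the current table
            act = lpm(r[table], dst)
            if act[0] == "push":                     # LSP ingress: impose the stack
                labels, node, table = list(act[1]), act[2], "ip"
            else:                                    # "nh" or hand-off into a VRF
                node, table = act[1], "vrf" if act[0] == "vrf" else "ip"
        path.append(node)
    return path
```

With `build("vrf")` the attacked /32 travels PEER -> CORE -> SINKPE -> SINK and comes back through the VRF to the CPE; with `build("ip")` the same packet is re-diverted at PE and `forward` reports the loop.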

20 Method 2: MPLS VPN - VRF Select [diagram: VRF Select interface to the MPLS VPN; 61.1.1.1; monitor the outgoing traffic; sink server]

ip vrf receive tx-monitor
vrf selection source 61.1.1.1 255.255.255.255 vrf tx-monitor
!
interface GigabitEthernet5/0
 ip vrf select source
 ip address 14.0.1.2 255.255.255.252

21 Methods Requirements
- Method #1: Pure MPLS using Proxy Egress LSP
  - IOS 12.0(17)ST
  - JunOS 5.4
- Method #2: MPLS VPN
  - VRF – IOS 12.0(11)ST
  - VRF Select – IOS 12.0(22)S
  - JunOS 5.3

22 Caveats
- MPLS VPN: support & availability
- Proxy Egress LSP: peering router which is also an access router
- Shunt:
  - DDoS or other traffic through the backbone
  - Latency (a few extra hops)

23 Advantages
- Not on the critical path
- Does not affect normal traffic
- No additional load on the routers
- LDP needs to advertise only the sink-hole loopback
- Simple to deploy & scalable

24 What next? Distributed Sink Hole! [diagram: 61.1.1.1]

25 Thank you!
afek@riverhead.com
rbrooks@cisco.com
nicolas.fischbach@colt.ch
