[c-nsp] CSCuy29638 - MPLS (for IPv4) Brokenness Fixed - ASR920

Adam Vitkovsky Adam.Vitkovsky at gamma.co.uk
Sun Aug 7 13:10:10 EDT 2016


Hi,

> From: Saku Ytti [mailto:saku at ytti.fi]
> Sent: Sunday, August 07, 2016 11:06 AM
>
> On 7 August 2016 at 09:06, Adam Vitkovsky
> <Adam.Vitkovsky at gamma.co.uk> wrote:
>
> Hey,
>
> > This system is called MPP and it's part of LPTS in XR and I miss it so
> > much in other systems.
> > I hate the idea where any enabled service starts listening on every IP
> > on the box, routers are not servers.
>
> LPTS is problematic in many ways:
>
> * It does not really block anything, e.g. in this case, all NTP would be punted
> (through NTP-default policer), and NTP ACLs are evaluated at NTP application
> level, post-punt. So LPTS would have not helped you at all.
If the policer is tight you should be fine, but one still needs to consider who can talk NTP to his box (iACL).


> * LPTS does not have per session policers, all configured BGP goes to BGP-
> known, all unconfigured to BGP-default, if one BGP customer has L2 loop and
> pushes 1.48Mpps packets to you, all your BGP in same NPU and same XIPC
> queue are dead.
Good point, yeah there's always the collateral damage problem.

> * You can't manually fix the LPTS gaps via MQC policy, because MQC is not
> evaluated for punted packets
Are you sure about this?
I would have thought that CP traffic injected onto the wire bypasses all the QoS, but not the received CP traffic.
Let's see:
it has to go through the lookup process to determine it's a for-us packet, and once it's in there it might go through all the manipulations.
But the tricky part is when the packet head leaves the NPU; still, I don't see why the in-flight buffer could not be instructed to drop the packet instead of dispatching it to the LC internals.



> * When something is happening, when your policer is congested or our XIPC
> queue is congested, there are no tooling to ask 'well, what am I dropping?'
> Well, there sort of is: you can hope to catch the right packet in NPU counters,
> but that'll stop forwarding for 50ms for every capture attempt.
>
> I freely admit that out-of-the-box IOS-XR boxes are best protected routers in
> the network. And almost no operator is actually capable of configuring CoPP
> or lo0+ddos-protection correctly. So in practice it is good, in theory if you
> actually know what you're doing LPTS is terrible.
> From my point of view, doing the right thing is damn simple, accept
> specifically exactly what you must to control-plane, and drop everything else.
>
> However, I fully agree an iACL should be in place. Canonical iACL:
> a) permit+police BGP, ICMP from BGP neighbours
> b) drop all internal/PA networks when used as SADDR
> c) permit+police ICMP, traceroute to infrastructure
> d) drop all traffic to infrastructure
> e) allow all
>
I'd start with b + all the martians. But yes, that's how a proper iACL should look.

> Combine this with attack surface reduction, such as not advertising links (if
> far end CE needs internet visibility for one reason or another, give it /32
> static).
> --
>   ++ytti



adam







        Adam Vitkovsky
        IP Engineer

T:      0333 006 5936
E:      Adam.Vitkovsky at gamma.co.uk
W:      www.gamma.co.uk
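As an added illustration of the iACL ordering discussed above (the canonical a-e list and the suggestion to start with b plus the martians), here is an offline first-match model in Python. It is an example written for this page, not code from the thread or from any vendor; the address plan, the neighbour address, the martian list and the sample packets are constructed assumptions.

```python
"""Offline model of the canonical iACL from the thread (rules a-e), evaluated
first-match the way a router walks an access-list.

Added example, not from the thread or any vendor. The prefixes, neighbour
address and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Constructed address plan (assumptions, not from the thread):
INFRA = [ip_network("192.0.2.0/24")]                               # router loopbacks and links
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]  # internal/PA space
BGP_NEIGHBOURS = {ip_address("198.51.100.7")}                      # customer CE peering address
MARTIANS = [ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8",
                                    "169.254.0.0/16", "224.0.0.0/3")]  # partial list
TRACEROUTE_UDP = range(33434, 33535)


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


Rule = Tuple[str, Callable[[Pkt], bool], str]   # (name, match, action)


def _in(addr: str, nets: List[IPv4Network]) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def _bgp_or_icmp_from_neighbour(p: Pkt) -> bool:
    return (ip_address(p.src) in BGP_NEIGHBOURS and _in(p.dst, INFRA)
            and (p.proto == "icmp" or (p.proto == "tcp" and p.dport == 179)))


def _icmp_or_traceroute_to_infra(p: Pkt) -> bool:
    return _in(p.dst, INFRA) and (p.proto == "icmp" or
                                  (p.proto == "udp" and p.dport in TRACEROUTE_UDP))


def canonical_iacl() -> List[Rule]:
    """Rules a-e in the order given in the thread."""
    return [
        ("a: bgp/icmp from bgp neighbours", _bgp_or_icmp_from_neighbour, "permit+police"),
        ("b: internal/PA space as source", lambda p: _in(p.src, INTERNAL), "drop"),
        ("c: icmp/traceroute to infrastructure", _icmp_or_traceroute_to_infra, "permit+police"),
        ("d: anything else to infrastructure", lambda p: _in(p.dst, INFRA), "drop"),
        ("e: transit", lambda p: True, "permit"),
    ]


def antispoof_first_iacl() -> List[Rule]:
    """Variant that starts with b plus the martians, then a, c, d, e."""
    a, b, c, d, e = canonical_iacl()
    martians: Rule = ("b0: martian source", lambda p: _in(p.src, MARTIANS), "drop")
    return [martians, b, a, c, d, e]


def evaluate(acl: List[Rule], p: Pkt) -> Tuple[str, str]:
    """Return (matching rule name, action) for the first rule that matches."""
    for name, match, action in acl:
        if match(p):
            return name, action
    raise ValueError("iACL must end with a catch-all rule")


SAMPLES = [  # constructed packets
    Pkt("198.51.100.7", "192.0.2.1", "tcp", 179),   # BGP from the configured neighbour
    Pkt("10.1.2.3", "203.0.113.5", "tcp", 80),      # transit, but spoofing internal space
    Pkt("203.0.113.9", "192.0.2.1", "tcp", 22),     # SSH from the internet to a loopback
    Pkt("203.0.113.9", "192.0.2.1", "icmp"),        # ping to infrastructure
    Pkt("203.0.113.9", "203.0.113.99", "tcp", 80),  # ordinary transit
    Pkt("127.0.0.1", "192.0.2.1", "udp", 33434),    # traceroute probe with a martian source
]


def compare(p: Pkt) -> Tuple[str, str]:
    """Actions under the canonical order and under the anti-spoof-first order."""
    return evaluate(canonical_iacl(), p)[1], evaluate(antispoof_first_iacl(), p)[1]


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.src:>14} -> {p.dst:<14} {p.proto:<4} {str(p.dport or ''):<6}", compare(p))
```

The last sample is the one the ordering argument turns on: with a-e as listed, a traceroute probe carrying a martian source reaches rule c and is permitted (policed), whereas with the anti-spoof and martian drops in front it never gets that far. Note also what neither order can do: a packet that spoofs the neighbour's own address to port 179 still matches rule a, which is why that line is permit+police rather than a bare permit, and why the policer has to be tight.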


