[c-nsp] Update: DOS Mitigation on MPLS Networks

christian.macnevin at uk.bnpparibas.com christian.macnevin at uk.bnpparibas.com
Wed Apr 13 09:30:29 EDT 2005


After some playing round in the lab, I'm surprised to find that applying a
route-map to the outbound vpnv4 neighbor (ie: the PE's connection to the
Route Reflectors) actually does modify the routes correctly, without them
escaping the VRF in question.

So, roughly, the following works, and seems to be the best compromise for
the amount of config required:

#STANDARD CONFIG ON ALL BOXES

router bgp <asn>
address-family vpnv4
neighbor <rr> route-map blah out
!
route-map blah permit 10
match ip address prefix-list poison
set ip next-hop 1.2.3.4
route-map blah permit 20
!
ip route vrf <vrf_n> 1.2.3.4 null0   (needs to be repeated for every VRF on
every box - address 1.2.3.4 stays the same everywhere and in every vrf)
!

#CONFIG ON PE NEAREST VICTIM (CONFIGURED WHEN NEEDED)

!! If your victim is on 5.6.7.8..
ip prefix-list poison permit 5.6.7.8/32
ip route 5.6.7.8 255.255.255.255 1.2.3.4
!

The down side of this is that if you're announcing a /32 of that exact same
address in any other VRF on that same router, it will also get blackholed.
In general though, it's unlikely that anything except CE loopbacks will get
advertised into a VRF with a host mask like that, so you're 99% safe.

If you can see any holes in this or have a better idea, let me know. I must
admit, I was quite surprised to see that applying the route map at that
point worked, and am slightly nervous the behaviour may change in future
IOS releases.

Christian




Internet
bep at whack.org - 12/04/2005 17:39


Please respond to bep at whack.org

To:    Christian MACNEVIN

cc:    cisco-nsp


Subject:    Re: [c-nsp] DOS Mitigation on MPLS Networks


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

christian.macnevin at uk.bnpparibas.com wrote:
| Hi all,
|
| I'm looking at deploying a mechanism similar to those used on public ipv4
| networks for killing off traffic destined for a given prefix.
|
| The method I was thinking of was tagging a prefix at its ingress PE with
a
| BGP community. This community is then matched by all the PEs, which
| redirect it to null0 or somesuch. This is on a homogenous Cisco IOS
| network.
|
| Unfortunately, IOS doesn't allow you to set the ip next hop to a
'martian'
| address (eg 127.0.0.1) within a route map, and setting the next-hop
| interface to null0 isn't allowed on a bgp import. So instead of being
able
| to use one route map and apply it to all VRFs equally, I'm looking at
| having to opssibly having to specify the route-map for every individual
vrf
| on every PE, which isn't desirable.
|
| Has anyone tackled this before or know of any good resources for it?
|

Haven't had a chance to try it, but could you point the next-hop to an
unused address like 1.1.1.1 and then recursively route 1.1.1.1 to null0 via
a static route in the VRF?  While you would have to put the route in each
VRF via a config line, that would certainly be less work than having to
define a unique route map per VRF and applying to each peer.

- --
=========
bep

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCW/m6E1XcgMgrtyYRAompAKDWAssp0vyZkirsczfJndqt8V+IsACg8PkY
Tns3D5JL80wRIXNxaHN6q+k=
=A9xq
 -----END PGP SIGNATURE-----







This message and any attachments (the "message") is 
intended solely for the addressees and is confidential. 
If you receive this message in error, please delete it and 
immediately notify the sender. Any use not in accord with
its purpose, any dissemination or disclosure, either whole 
or partial, is prohibited except formal approval. The internet 
can not guarantee the integrity of this message. 
BNP PARIBAS (and its subsidiaries) shall (will) not 
therefore be liable for the message if modified. 

**********************************************************************************************

BNP Paribas Private Bank London Branch is authorised 
by CECEI & AMF and is regulated by the Financial Services
Authority for the conduct of its investment business in the
United Kingdom.

BNP Paribas Securities Services London Branch is authorised
by CECEI & AMF and is regulated by the Financial Services
Authority for the conduct of its investment business in the 
United Kingdom.
  
BNP Paribas Fund Services UK Limited is authorised and 
regulated by the Financial Services Authority.



More information about the cisco-nsp mailing list