[c-nsp] Update: DOS Mitigation on MPLS Networks

Bruce Pinsky bep at whack.org
Wed Apr 13 13:44:52 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

christian.macnevin at uk.bnpparibas.com wrote:
| After some playing around in the lab, I'm surprised to find that applying a
| route-map to the outbound vpnv4 neighbor (ie: the PE's connection to the
| Route Reflectors) actually does modify the routes correctly, without them
| escaping the VRF in question.
|
| So, roughly, the following works, and seems to be the best compromise for
| the amount of config required:
|
| #STANDARD CONFIG ON ALL BOXES
|
| router bgp <asn>
| address-family vpnv4
| neighbor <rr> route-map blah out
| !
| route-map blah permit 10
| match ip address prefix-list poison
| set ip next-hop 1.2.3.4
| route-map blah permit 20
| !
| ip route vrf <vrf_n> 1.2.3.4 255.255.255.255 null0   (needs to be repeated for
| every VRF on every box - address 1.2.3.4 stays the same everywhere and in every vrf)
| !
|
| #CONFIG ON PE NEAREST VICTIM (CONFIGURED WHEN NEEDED)
|
| !! If your victim is on 5.6.7.8..
| ip prefix-list poison permit 5.6.7.8/32
| ip route 5.6.7.8 255.255.255.255 1.2.3.4
| !
|

Am I missing something or is setting the static route to 1.2.3.4 not
required since you are setting the next-hop to that via the route-map?  It
seems redundant to me.


| The down side of this is that if you're announcing a /32 of that exact same
| address in any other VRF on that same router, it will also get blackholed.
| In general though, it's unlikely that anything except CE loopbacks will get
| advertised into a VRF with a host mask like that, so you're 99% safe.
|

And that's the big problem I see here.  While the chance of collision may
be small for a single host, the chances increase if you need to blackhole
an entire subnet, particularly if that subnet is something in RFC1918 space
that is likely to be replicated across multiple customer VRFs.


| If you can see any holes in this or have a better idea, let me know. I must
| admit, I was quite surprised to see that applying the route map at that
| point worked, and am slightly nervous the behaviour may change in future
| IOS releases.
|

Wouldn't it make more sense to incorporate your route-map into a standard
that is applied to all PE->CE peers rather than to the RR peers?  And for
those connections that are statically routed or where routes come in via an
IGP, you can still use a static route as you did in your example above.

- --
=========
bep

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCXVqTE1XcgMgrtyYRAinPAKDj+6xcadaLNkShsmwsd7jcucLawgCgvIKJ
ayawu7BhTxD546jJY90DpfM=
=GbPd
-----END PGP SIGNATURE-----
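As an added worked example (not part of the thread, and not anyone's production tooling): the collision Bruce raises comes from the fact that the route-map in Christian's design hangs off the PE's single vpnv4 session to the route reflectors, so every entry in the "poison" prefix-list is evaluated against the routes of every VRF on the box. The script below models IOS prefix-list matching (exact match by default, a length range with ge/le) and, for a proposed entry, reports which VRFs other than the intended one would have routes rewritten to the discard next-hop. The VRF names, routes and addresses are constructed sample data chosen to reproduce the thread's cases (a reused /32, and an RFC 1918 subnet present in two customer VRFs).

```python
"""Pre-commit check for a VPNv4 blackhole route-map entry (added example).

Models the prefix-list match that 'route-map blah' performs on the vpnv4
session and lists the collateral damage in other VRFs.  All VRF names,
routes and addresses are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 space, where the same subnet is most likely to exist in several VRFs.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: per-VRF routes as a PE might carry them.
SAMPLE_VRF_ROUTES = {
    "CUST_A": ["5.6.7.8/32", "10.1.0.0/24", "10.1.0.9/32"],
    "CUST_B": ["10.1.0.0/24", "198.51.100.0/24", "10.1.0.9/32"],
    "CUST_C": ["5.6.7.8/32"],  # a CE loopback that happens to reuse the address
}


def prefix_list_matches(entry, route):
    """IOS prefix-list semantics for 'permit P/len [ge G] [le L]'.

    No ge/le: matches exactly P/len.  'ge G' alone: routes inside P with
    mask length G..32.  'le L' alone: len..L.  Both: G..L.
    entry is a dict like {"prefix": "10.1.0.0/24", "le": 32}; route is a str.
    """
    net = ipaddress.ip_network(entry["prefix"])
    r = ipaddress.ip_network(route)
    ge = entry.get("ge", net.prefixlen)
    le = entry.get("le", net.max_prefixlen if "ge" in entry else net.prefixlen)
    return r.subnet_of(net) and ge <= r.prefixlen <= le


def collateral(entries, vrf_routes, intended_vrf):
    """Return {vrf: [routes]} for every VRF other than intended_vrf whose
    routes the prefix-list entries would send to the discard next-hop."""
    hits = defaultdict(list)
    for vrf, routes in vrf_routes.items():
        if vrf == intended_vrf:
            continue
        for route in routes:
            if any(prefix_list_matches(e, route) for e in entries):
                hits[vrf].append(route)
    return dict(hits)


def is_rfc1918(prefix):
    """True if the prefix lies entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(p) for p in RFC1918)


def report(entries, vrf_routes, intended_vrf):
    """Human-readable summary of what a proposed entry would also blackhole."""
    lines = []
    for e in entries:
        tag = " (RFC 1918: expect duplicates across VRFs)" if is_rfc1918(e["prefix"]) else ""
        lines.append("entry %s%s" % (e["prefix"], tag))
    hits = collateral(entries, vrf_routes, intended_vrf)
    if not hits:
        lines.append("  no collateral matches outside %s" % intended_vrf)
    for vrf, routes in sorted(hits.items()):
        lines.append("  also blackholed in %s: %s" % (vrf, ", ".join(routes)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Case 1: the thread's single victim host, intended for CUST_A.
    print(report([{"prefix": "5.6.7.8/32"}], SAMPLE_VRF_ROUTES, "CUST_A"))
    # Case 2: a whole RFC 1918 subnet plus its hosts ('le 32'), intended for CUST_A.
    print(report([{"prefix": "10.1.0.0/24", "le": 32}], SAMPLE_VRF_ROUTES, "CUST_A"))
```

Run it before adding an entry to the prefix-list; any VRF listed under "also blackholed" is one where a per-VRF or per-neighbor placement of the route-map would be needed to avoid dropping an unrelated customer's traffic.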

