[c-nsp] CSCuy29638 - MPLS (for IPv4) Brokenness Fixed - ASR920

Saku Ytti saku at ytti.fi
Sun Aug 7 06:05:52 EDT 2016


On 7 August 2016 at 09:06, Adam Vitkovsky <Adam.Vitkovsky at gamma.co.uk> wrote:

Hey,

> This system is called MPP and it's part of LPTS in XR and I miss it so much
> in other systems.
> I hate the idea where any enabled service starts listening on every IP on
> the box, routers are not servers.

LPTS is problematic in many ways:

* It does not really block anything, e.g. in this case, all NTP would
be punted (through the NTP-default policer), and NTP ACLs are evaluated at
the NTP application level, post-punt. So LPTS would not have helped you at
all.
* LPTS does not have per-session policers: all configured BGP goes to
BGP-known, all unconfigured to BGP-default; if one BGP customer has an L2
loop and pushes 1.48 Mpps of packets at you, all your BGP on the same NPU and
the same XIPC queue is dead.
* You can't manually fix the LPTS gaps via an MQC policy, because MQC is
not evaluated for punted packets.
* When something is happening, when your policer is congested or your
XIPC queue is congested, there is no tooling to ask 'well, what am I
dropping?'  Well, there sort of is: you can hope to catch the right
packet in NPU counters, but that'll cause a 50ms stop in forwarding
for every capture attempt.

I freely admit that out-of-the-box IOS-XR boxes are the best-protected
routers in the network. And almost no operator is actually capable of
configuring CoPP or lo0+ddos-protection correctly. So in practice it
is good; in theory, if you actually know what you're doing, LPTS is
terrible.
From my point of view, doing the right thing is damn simple: accept
specifically exactly what you must to the control plane, and drop
everything else.

However, I fully agree an iACL should be in place. Canonical iACL:
a) permit+police BGP, ICMP from BGP neighbours
b) drop all internal/PA networks when used as SADDR
c) permit+police ICMP, traceroute to infrastructure
d) drop all traffic to infrastructure
e) allow all

Combine this with attack surface reduction, such as not advertising
links (if far end CE needs internet visibility for one reason or
another, give it /32 static).
-- 
  ++ytti
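The five-step iACL above is a first-match list, so the order of the steps is the whole point: the anti-spoof drop in (b) must sit before the ICMP/traceroute permit in (c), or a spoofed packet from your own address space reaches the infrastructure permit. The model below is an added illustration, not code from the post or from any Cisco product; it evaluates the canonical order over constructed packets, shows what happens when (b) and (c) are swapped, and models "permit+police" with a plain token bucket. All prefixes, addresses, neighbour lists and bucket sizes are constructed examples.

```python
"""First-match model of the canonical iACL ordering (added illustration).

Not the post's code and not router configuration; the topology below
(infrastructure prefix, internal/PA space, BGP neighbour, policer depth)
is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    ttl: int = 64


@dataclass
class Policer:
    """Minimal token bucket: `burst` tokens, one per conforming packet.
    A real policer refills over time; call refill() to model that."""
    burst: int
    tokens: int = field(init=False)

    def __post_init__(self):
        self.tokens = self.burst

    def conform(self) -> bool:
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False

    def refill(self):
        self.tokens = self.burst


# Constructed topology (documentation prefixes, not real addresses).
INFRA = [ipaddress.ip_network("192.0.2.0/24")]            # loopbacks and P2P links
INTERNAL_SRC = [ipaddress.ip_network("10.0.0.0/8"),       # internal + PA space: never a
                ipaddress.ip_network("192.0.2.0/24")]     # legitimate source at the edge
BGP_NEIGHBORS = {ipaddress.ip_address("198.51.100.10")}

CANONICAL = ("a", "b", "c", "d", "e")


def _in(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def _to_infra(p: Packet) -> bool:
    return _in(p.dst, INFRA)


def _is_traceroute(p: Packet) -> bool:
    # Classic UDP traceroute probe range, or a packet that will expire on this hop.
    return (p.proto == "udp" and 33434 <= p.dport <= 33534) or p.ttl <= 1


class IACL:
    def __init__(self, order=CANONICAL):
        self.order = order
        # Separate buckets for the two policed permits, as in the post's (a) and (c).
        self.policers = {"a": Policer(burst=1000), "c": Policer(burst=100)}

    def evaluate(self, p: Packet) -> str:
        for rule in self.order:
            verdict = self._rule(rule, p)
            if verdict is not None:
                return verdict
        return "deny"  # implicit deny; unreachable while (e) is in the list

    def _rule(self, rule: str, p: Packet):
        if rule == "a":    # permit+police BGP and ICMP from configured neighbours
            if (ipaddress.ip_address(p.src) in BGP_NEIGHBORS and _to_infra(p)
                    and ((p.proto == "tcp" and p.dport == 179) or p.proto == "icmp")):
                return "permit" if self.policers["a"].conform() else "police-drop"
        elif rule == "b":  # anti-spoof: internal/PA space as source is dropped
            if _in(p.src, INTERNAL_SRC):
                return "deny"
        elif rule == "c":  # permit+police ICMP and traceroute to infrastructure
            if _to_infra(p) and (p.proto == "icmp" or _is_traceroute(p)):
                return "permit" if self.policers["c"].conform() else "police-drop"
        elif rule == "d":  # everything else aimed at infrastructure is dropped
            if _to_infra(p):
                return "deny"
        elif rule == "e":  # transit passes
            return "permit"
        return None


# Constructed sample packets with the verdict the canonical order should give.
SAMPLES = [
    (Packet("198.51.100.10", "192.0.2.1", "tcp", 179), "permit"),       # BGP from neighbour
    (Packet("10.1.1.1", "192.0.2.1", "icmp"), "deny"),                   # spoofed internal source
    (Packet("203.0.113.7", "192.0.2.1", "icmp"), "permit"),              # ping to loopback
    (Packet("203.0.113.7", "192.0.2.1", "udp", 33434, ttl=1), "permit"), # traceroute probe
    (Packet("203.0.113.7", "192.0.2.1", "tcp", 22), "deny"),             # SSH to infra from the internet
    (Packet("203.0.113.7", "192.0.2.1", "tcp", 179), "deny"),            # BGP from a non-neighbour
    (Packet("203.0.113.7", "198.51.100.40", "tcp", 443), "permit"),      # transit to a customer
]


def run(order=CANONICAL):
    acl = IACL(order)
    return [acl.evaluate(p) for p, _ in SAMPLES]


def spoof_verdict(order=CANONICAL) -> str:
    """Verdict for the spoofed-source ICMP packet under a given rule order."""
    return IACL(order).evaluate(SAMPLES[1][0])


def policed_icmp(n: int):
    """Send n pings to a loopback through a fresh ACL; the (c) bucket is 100 deep."""
    acl = IACL()
    return [acl.evaluate(SAMPLES[2][0]) for _ in range(n)]


if __name__ == "__main__":
    for (p, want), got in zip(SAMPLES, run()):
        print(f"{p.src:>14} -> {p.dst:<14} {p.proto:<4} {p.dport:<5} {got:<11} (expected {want})")
    print("spoofed ICMP with (b) and (c) swapped:", spoof_verdict(("a", "c", "b", "d", "e")))
```

The check worth keeping from this: with the canonical order the spoofed packet is dropped by (b) before (c) ever sees it; with (c) ahead of (b) the same packet is permitted to the loopback, which is exactly the gap an iACL is meant to close. The policer bucket is deliberately small so the transition from "permit" to "police-drop" is visible in a few lines of output.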
