[j-nsp] ddos protocol protection - IPv4-unclassified

Saku Ytti saku at ytti.fi
Mon Apr 10 18:36:30 EDT 2017


On 11 April 2017 at 00:42,  <adamv0025 at netconsultings.com> wrote:

> Nope ASR9k is using LPTS to cya :)

Some problems with LPTS

a) LPTS punted packets are not subject to MQC, so you cannot use
interface policers to limit say ICMP, BGP etc
b) LPTS only has 'aggregate' (NPU) level policing, ddos-protection has
aggregate => ifd => ifl => sub
c) There is no log information of what is causing LPTS or XIPC to drop packets

All this means, for example if you have 'bad' and 'good' customer
sending you say BGP (or ICMP6, or what ever). Maybe 'bad' customer has
L2 loop, and accidentally offers line rate of BGP. This means that
your aggregate BGP policer, BGP-known @ 2500pps is congested. If your
'good' BGP is say 5pps and your 'bad' BGP is say 1.48Mpps, there is
99.5% probability that any given BGP through that NPU will time out
(1-(2500.0/1480010))**3).

If you manage to identify the culprit somehow (perhaps capturing NPU
counters), only thing you can do is add ACL to the offending interface
dropping all BGP packets, as ACL is subject to LPTS punted packets,
even though MQC is not. For obviously you cannot do this as a
pre-emptive measure, so there is no proactive way to actually protect
the box today.
And some newer IOS-XR platforms don't implement LPTS at all, even
though you can configure it, it'll commit, and it may look casually
like it's doing something.

In summary LPTS is great out of the box, but impossible to configure
right. JunOS is terrible out of the box, but possible to configure
right, but no one does it, because it's too hard (I know I can't do it
for all cases, like DHCP snooping).

-- 
++ytti
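The timeout figure in the post comes from a simple random-drop model of a shared policer. The following is an added worked example, not code from the post or from either vendor, that reproduces that calculation and then repeats it with a per-ifl policer in front of the aggregate one, which is the structural difference the post is pointing at. The policer is modelled as a uniform random drop of the excess (each packet passes with probability limit/offered); the 1000 pps per-ifl limit is an assumed value, while 2500 pps aggregate, 5 pps "good" and 1.48 Mpps "bad" are the post's numbers.

```python
"""Drop-probability model for an aggregate policer vs a per-ifl hierarchy.

Constructed example (not from the mailing-list post). Model assumption:
a policer drops the excess uniformly at random, so each offered packet
passes with probability limit/offered (1.0 when under the limit).
"""


def pass_fraction(offered_pps: float, limit_pps: float) -> float:
    """Share of offered packets a policer lets through."""
    if offered_pps <= 0:
        return 1.0
    return min(1.0, limit_pps / offered_pps)


def timeout_probability(delivery: float, attempts: int = 3) -> float:
    """Probability that all `attempts` tries of a packet are dropped
    (the post's (1 - 2500/1480010)**3 uses three attempts)."""
    return (1.0 - delivery) ** attempts


def aggregate_only(good_pps: float, bad_pps: float, aggregate_pps: float) -> float:
    """Delivery probability for the good peer behind a single NPU-wide
    policer: good and bad traffic compete for the same bucket."""
    return pass_fraction(good_pps + bad_pps, aggregate_pps)


def per_ifl_then_aggregate(good_pps: float, bad_pps: float,
                           ifl_pps: float, aggregate_pps: float) -> float:
    """Delivery probability for the good peer when each ifl is policed
    first and only the survivors reach the aggregate policer
    (aggregate => ifl; the ifd stage is omitted for brevity)."""
    good_ifl = pass_fraction(good_pps, ifl_pps)
    bad_after_ifl = bad_pps * pass_fraction(bad_pps, ifl_pps)  # capped at ifl_pps
    aggregate = pass_fraction(good_pps * good_ifl + bad_after_ifl, aggregate_pps)
    return good_ifl * aggregate


if __name__ == "__main__":
    # 5 + 1480005 = 1480010, the denominator used in the post.
    GOOD, BAD, AGG, IFL = 5.0, 1_480_005.0, 2500.0, 1000.0  # IFL is assumed
    flat = aggregate_only(GOOD, BAD, AGG)
    tiered = per_ifl_then_aggregate(GOOD, BAD, IFL, AGG)
    print(f"aggregate only : timeout {timeout_probability(flat):.1%}")
    print(f"per-ifl + aggr : timeout {timeout_probability(tiered):.1%}")
```

With the post's numbers the flat policer gives the good peer a 99.5% timeout probability, while the per-ifl stage caps the looping customer at 1000 pps so the aggregate bucket never congests and the good peer loses nothing.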

