[j-nsp] ddos protocol protection - IPv4-unclassified

Saku Ytti saku at ytti.fi
Mon Apr 10 19:53:12 EDT 2017


On 11 April 2017 at 02:31, James Jun <james at towardex.com> wrote:

> How about LPTS Excessive Flow Trap feature?
>
> Page 51 on https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKARC-2017.pdf
> -- and --
> http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-3/addr-serv/configuration/guide/b-ipaddr-cg53crs/Implementing_EPFT.html

I never got an explanation from Cisco of what it does, how it measures
them, or where it gets the information. Suspiciously, you don't
configure any rates for any routing protocols, not even configure any
routing protocols, just a big flat 'routing-protocols', whatever that
may do.
Very curious if someone can lab a situation where they manage to break
the router before turning this on, but not after.

Cisco is coming up with solutions to address these problems. There is also
another issue in XIPC not related to LPTS, your LPTS might be in
violation at all, it might be just admitting too much traffic to XIPC
which then causes bunch of TCP sessions to die.
IOS-XR RE/RP has multiple worker processes for handling TCP in
software, after punt the packet is hashed and given to some worker,
but the worker (XIPC queue) might be too busy and may end up dropping
packets. This is also a somewhat blind drop, which, separate from the
LPTS issue, needs to be solved.

From my POV, LPTS drops should be far more aggressive, XIPC drops
should never occur. And when LPTS is dropping, software should create
a more-specific policer in HW.

> Isn't this only on NCS5k/5500 series boxes, which are merchant silicon boxes
> with IOS XR offering for use as cheap MPLS LSR or metro/data center use,

Yeah it definitely at least did not support LPTS, but I believe it is
getting LPTS in future.

> more or less comparable to that of QFX5K/ACX?  I'm not sure what other XR

ACX is quite a large group of boxes by now, some support lo0 filters,
not all. QFX5k does support lo0 filters, the TCAM is just very tiny,
and annoyingly it will happily commit a lo0 filter it cannot program in
hardware without any complaints, it just won't be installed in
hardware. And AFAIK there is no command in RE CLI to verify it, only
in PFE CLI.
I don't think any of them do ddos-protection though.


It's quite clear that the market is being driven by closed datacenters
where security is mostly uninteresting, density and port cost are
everything. The selection of 1GE optimised L3 edges with full RIB/FIB,
MPLS, QoS is becoming narrow. A few years ago I was thinking I'll never
need to bother myself with L2 access any more, but that seems to be
changing for the lower speeds.
I think lower speed accesses are here to stay, as Internet is more
things than just 1 thing, there are applications for Internet where
there is no bandwidth increase potential ever, but those still need to
be connected. I'd much rather connect everything to L3.

-- 
  ++ytti

