MPLS-based Traffic Shunt
Transcript of a slide deck presented at NANOG28, Salt Lake City, June 2003, by Yehuda Afek (Riverhead Networks), Roy Brooks (Cisco Systems) and Nicolas Fischbach (COLT Telecom).
Slide 1: MPLS-based Traffic Shunt
Yehuda Afek, Riverhead Networks
Roy Brooks, Cisco Systems
Nicolas Fischbach, COLT Telecom
NANOG28, Salt Lake City, June 2003
Slide 2: Credits
• Cisco Systems: Paul Quinn
• COLT Telecom: Andreas Friedrich, Marc Binderberger
• Riverhead Networks: Anat Bremler-Barr, Boaz Elgar, Roi Hermoni
Slide 3: Sink Hole
(Diagram: victim 61.1.1.1; the sink hole server announces "61.1.1.1 -> Sink Hole", so traffic for the victim is drawn to it.)
Slide 4: Traffic Shunt
(Diagram: victim 61.1.1.1 and the sink hole server.)
Slide 5: Applications
• Cleaning DDoS traffic
• Reverse proxy
• On-demand traffic analysis
Slide 6: Sink Hole / Shunt
Sink hole, unidirectional: data in and not out
• IP-based
• Blackholing DDoS, forensics
• CenterTrack [Stone, NANOG 17]
Shunt, bidirectional: data in, processed, and out
• Tunnels: GRE, IPIP, MPLS, L2TPv3
• DDoS cleaning
• Reverse proxy, traffic analysis
• Bellwether [Hardie, Wessels, NANOG 19]
Slide 7: Traffic Shunt
(Diagram: victim 61.1.1.1.)
Careful setup is required to prevent infinite loops: once the sink hole's more specific route for 61.1.1.1 is in the routing table, cleaned traffic that is simply IP-routed back matches that route again and returns to the sink hole.
Slide 8: Traffic Shunt, Tunnels: Peering - Sink
(Diagram: victim 61.1.1.1.)
Returned traffic must not pass through a peering router, where it would be diverted to the sink again.
Slide 9: Traffic Shunt, Tunnels: Sink - CPE router
(Diagram: victim 61.1.1.1; the tunnel carries traffic from the sink back to the CPE router.)
Slide 10: Tunnels
GRE/IPIP:
• Cisco GSRs and Juniper routers require special interface cards
• Processing overhead
MPLS:
• Supported without any special interface, no extra hardware
• From IOS 12.0(7)S and JunOS 5.3 and up
Slide 11: MPLS Shunt: Requirements
• No dynamic configuration, only a one-time set-up
• Minimal initial (static) configuration
• No need for the sink hole router/device to speak MPLS (but it could)
Slide 12: Two MPLS methods
• Method #1: Pure MPLS using a proxy egress LSP (penultimate hop popping, RFC 3031)
• Method #2: MPLS VPN
Slide 13: Method 1: MPLS LSPs with Loopbacks
(Diagram: LSPs towards the sinkhole server; victim 61.1.1.1.)
Slide 14: Method 1: MPLS LSP Proxy Egress
(Diagram of the MPLS tables along the proxy-egress LSP. Each table lists In/Out pairs of (interface, label): (5, 42) and (6, 3); (5, 25) and (2, 3); (4, 25) and (2, untagged); on the sink router the entry for IP a, the loopback of the proxy egress router, gives (2, 42). The packet is drawn carrying labels 42, 25 and 3 in turn and then as plain IP. Labelled elements: LSP, LSP Proxy Egress, Loopback, Sink router, iBGP, IP Lookup, Penultimate Router. Label 3 is implicit null, so the penultimate router pops the label and the proxy egress router makes an IP lookup.)
Slide 15: Method 1: MPLS LSP Proxy Egress
(Diagram: victim 61.1.1.1, penultimate router, iBGP.)
Slide 16: Actual Deployment

```
FRANKFURT#show mpls forwarding-table labels 16
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    61.222.65.77/32   24831266   Gi6/0      61.44.88.111

LONDON#show mpls forwarding-table 61.222.65.77
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
503    560         61.222.65.77/32   0          PO11/0     point2point
```

On LONDON the sink /32 is label-switched (local label 503, outgoing label 560 over PO11/0). On FRANKFURT, the sink router, the LSP ends: label 16 is removed and the packet leaves untagged on Gi6/0 towards 61.44.88.111.
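A small checker for outputs like the two above, added here as an example and not part of the deck: it parses the rows of the IOS `show mpls forwarding-table` output and confirms that the sink /32 is label-switched at the ingress router and terminated untagged at the sink router. The sample text repeats the deck's two outputs in the IOS column layout; the function and variable names are my own.

```python
"""Check the shunt LSP from two 'show mpls forwarding-table' outputs.
Constructed example: the sample rows carry the deck's values in the IOS 12.0S column layout."""
import re

LONDON_OUT = """\
LONDON#show mpls forwarding-table 61.222.65.77
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
503    560         61.222.65.77/32   0          PO11/0     point2point
"""

FRANKFURT_OUT = """\
FRANKFURT#show mpls forwarding-table labels 16
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    61.222.65.77/32   24831266   Gi6/0      61.44.88.111
"""

# One data row: local label, outgoing label (or one of the IOS keywords), prefix,
# byte count, interface, next hop.  Prompt and header lines do not start with a number.
ROW = re.compile(r"^\s*(\d+)\s+(\d+|Untagged|Pop tag|Aggregate)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_lfib(text):
    """Return {prefix: entry} for every LFIB row in one command's output."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            local, out, prefix, nbytes, iface, nexthop = m.groups()
            entries[prefix] = {"local": int(local), "out": out, "bytes": int(nbytes),
                               "iface": iface, "nexthop": nexthop}
    return entries


def check_shunt_lsp(ingress_text, sink_text, prefix):
    """Problems with the LSP for the sink /32 (an empty list means it looks right):
    the ingress must push a real label and the sink router must end the LSP untagged."""
    problems = []
    ing = parse_lfib(ingress_text).get(prefix)
    snk = parse_lfib(sink_text).get(prefix)
    if ing is None:
        problems.append(f"ingress has no LFIB entry for {prefix}")
    elif ing["out"] == "Untagged":
        problems.append(f"ingress forwards {prefix} untagged: traffic would be IP-routed, not shunted")
    if snk is None:
        problems.append(f"sink router has no LFIB entry for {prefix}")
    elif snk["out"] != "Untagged":
        problems.append(f"sink router still label-switches {prefix} (outgoing {snk['out']}): not the LSP tail")
    return problems
```

`check_shunt_lsp(LONDON_OUT, FRANKFURT_OUT, "61.222.65.77/32")` returns an empty list for the deck's outputs; swapping the two texts reports that the "ingress" forwards untagged and the "sink" still label-switches. The byte counter on the sink router (24831266 here) is the quickest sign that traffic is actually being shunted, while 0 on the ingress only says nothing has entered at that router since the counters were cleared.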
Slide 17: Method 2: MPLS VPN - VRF
(Diagram: the sink CPE router connects through a VRF interface to the MPLS VPN; 61.1.1.1 is advertised within the VPN by MP-BGP VPNv4, and in the global table by iBGP IPv4.)
Slide 18: Method 2: MPLS VPN - VRF
(Diagram: sink CPE router, victim 61.1.1.1, iBGP IPv4.)

```
CORE-2#sh ip route vrf rx-monitor
B    61.1.1.1 [200/0] via 11.61.128.7, 00:00:53

CORE-2#sh ip cef vrf rx-monitor 61.1.1.1
  via 11.61.128.7, 0 dependencies, recursive
    fast tag rewrite with PO0/0, point2point, tags imposed {45 118}
```

In VRF rx-monitor on CORE-2, 61.1.1.1 is learned by BGP via 11.61.128.7, and CEF imposes two labels on traffic for it: the outer transport label 45 and the inner VPN label 118.
Slide 19: Method 2: MPLS VPN - VRF
(Diagram: sink CPE router, victim 61.1.1.1, iBGP IPv4.)

```
ip route vrf rx-monitor 61.1.1.1 255.255.255.255 14.0.1.2 global

core-as#sh ip cef vrf rx-monitor 61.1.1.1
  via 14.0.1.2, 0 dependencies, recursive
    next hop 14.0.1.2, FastEthernet1/0 via 14.0.1.2/32 (Default)
    tag rewrite with Fa1/0, 14.0.1.2, tags imposed {}
```

On core-as the /32 is a static route inside VRF rx-monitor whose next hop 14.0.1.2 is resolved in the global routing table (the `global` keyword), so cleaned traffic leaves the VRF untagged (tags imposed {}) on Fa1/0 instead of being looked up in the global table, where the sink hole's route would catch it again.
Slide 20: Method 2: MPLS VPN - VRF SELECT
(Diagram: VRF SELECT interface to the MPLS VPN; victim 61.1.1.1; sink server. Monitor the outgoing traffic.)

```
vrf selection source 61.1.1.1 255.255.255.255 vrf tx-monitor
!
interface GigabitEthernet5/0
 ip vrf select source
 ip vrf receive tx-monitor
 ip address 14.0.1.2 255.255.255.252
```

Packets arriving on GigabitEthernet5/0 with source address 61.1.1.1 are placed into VRF tx-monitor by source-based VRF selection, so the victim's outgoing traffic can be carried to the sink and monitored as well.
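The following model, an added example and not code from the deck or its authors, walks one packet through a six-router topology. The router names LONDON, CORE, FRANKFURT, SINK, ACCESS and CPE, the address 10.255.0.1 for "loopback a", and the customer block 61.1.1.0/24 are assumptions; the victim 61.1.1.1, the sink server 61.222.65.77 and the labels 560, 16, 42, 45 and 118 are the deck's. It reproduces the loop of slides 7 and 8 when cleaned traffic is simply IP-routed back, the Method 1 return path of slides 13 to 16 (proxy-egress LSP ending on loopback a, penultimate hop popping at CORE, and cleaned traffic policy-routed onto that loopback at the sink router, which is an assumed mechanism since the deck does not show how that interface is configured), and the Method 2 return path of slides 17 to 19 (sink-facing interface in VRF rx-monitor, label stack {45 118}, static route in the VRF on the access router). The access router is assumed to filter the sink hole's /32 unless it is flagged as also being a peering router, the caveat on slide 22.

```python
"""Packet-level model of the MPLS traffic shunt: the loop when cleaned traffic is IP-routed
back, Method 1 (proxy-egress LSP with PHP) and Method 2 (MPLS VPN).  Constructed example."""
import ipaddress

HOP_LIMIT = 32   # stands in for the IP TTL; a forwarding loop exhausts it


class Packet:
    def __init__(self, dst):
        self.dst = ipaddress.ip_address(dst)
        self.labels = []       # MPLS label stack, top of stack last
        self.cleaned = False   # set once the sink server has scrubbed it
        self.trace = []        # routers visited, in order


def lpm(table, addr):
    """Longest-prefix match: the sink hole's /32 beats the customer's /24 everywhere."""
    return max((h for h in table if addr in h[0]), key=lambda h: h[0].prefixlen)[1]


class Router:
    def __init__(self):
        self.fib = []          # global table: [(ip_network, action)]
        self.vrfs = {}         # vrf name -> [(ip_network, action)]
        self.lfib = {}         # incoming label -> action
        self.ingress = {}      # previous hop -> ("pbr", next_hop_ip) | ("vrf", name)

    def route(self, prefix, action, vrf=None):
        table = self.fib if vrf is None else self.vrfs.setdefault(vrf, [])
        table.append((ipaddress.ip_network(prefix), action))

    def decide(self, pkt, prev):
        if pkt.labels:                        # labelled: label switching, no IP lookup
            return self.lfib[pkt.labels[-1]]
        policy = self.ingress.get(prev)
        if policy and policy[0] == "pbr":     # "set ip next-hop a": resolve a, not dst
            return lpm(self.fib, ipaddress.ip_address(policy[1]))
        if policy and policy[0] == "vrf":     # sink-facing interface lives in a VRF
            return lpm(self.vrfs[policy[1]], pkt.dst)
        return lpm(self.fib, pkt.dst)


def forward(routers, start, pkt, prev=None):
    """Walk one packet hop by hop; returns the delivering router, or None on a loop."""
    here = start
    while len(pkt.trace) < HOP_LIMIT:
        pkt.trace.append(here)
        kind, *args = routers[here].decide(pkt, prev)
        if kind == "vrf":                     # VPN label: pop it, look dst up in that VRF
            pkt.labels.pop()
            kind, *args = lpm(routers[here].vrfs[args[0]], pkt.dst)
        if kind == "deliver":
            return here
        if kind == "push":                    # args: (labels bottom..top, next hop)
            pkt.labels.extend(args[0])
        elif kind == "swap":
            pkt.labels[-1] = args[0]
        elif kind == "pop":                   # penultimate hop popping / "Untagged"
            pkt.labels.pop()
        elif kind == "scrub":                 # the sink server: clean, then send back
            pkt.cleaned = True
        prev, here = here, args[-1]           # "ip": plain next hop, nothing else to do


def build(shunt=False, method=None, access_is_peering=False):
    """method: None, "proxy_egress" (Method 1) or "vrf" (Method 2)."""
    R = {n: Router() for n in ("LONDON", "CORE", "FRANKFURT", "SINK", "ACCESS", "CPE")}
    R["LONDON"].route("61.1.1.0/24", ("ip", "CORE"))      # normal path to the customer
    R["CORE"].route("61.1.1.0/24", ("ip", "ACCESS"))
    R["ACCESS"].route("61.1.1.0/24", ("ip", "CPE"))
    R["CPE"].route("61.1.1.0/24", ("deliver",))
    R["SINK"].route("0.0.0.0/0", ("scrub", "FRANKFURT"))
    # LDP-built LSP to the sink server /32, labels as on the deployment slide
    R["LONDON"].route("61.222.65.77/32", ("push", (560,), "CORE"))
    R["CORE"].lfib[560] = ("swap", 16, "FRANKFURT")
    R["FRANKFURT"].lfib[16] = ("pop", "SINK")         # "16 Untagged ... Gi6/0"
    if shunt:
        # iBGP: sink hole announces 61.1.1.1/32 with next hop 61.222.65.77, i.e. onto that
        # LSP.  ACCESS is assumed to filter the /32 unless it is also a peering router.
        R["LONDON"].route("61.1.1.1/32", ("push", (560,), "CORE"))
        R["FRANKFURT"].route("61.1.1.1/32", ("ip", "SINK"))
        if access_is_peering:
            R["ACCESS"].route("61.1.1.1/32", ("push", (560,), "CORE"))
    if method == "proxy_egress":
        # Method 1: LSP to loopback a (10.255.0.1, assumed) of ACCESS, CORE pops as PHP;
        # FRANKFURT policy-routes cleaned traffic onto loopback a (assumed mechanism).
        R["FRANKFURT"].route("10.255.0.1/32", ("push", (42,), "CORE"))
        R["FRANKFURT"].ingress["SINK"] = ("pbr", "10.255.0.1")
        R["CORE"].lfib[42] = ("pop", "ACCESS")
    elif method == "vrf":
        # Method 2: sink-facing interface in VRF rx-monitor; ACCESS originates 61.1.1.1/32
        # there ("ip route vrf rx-monitor ... 14.0.1.2 global"); FRANKFURT imposes {45 118}.
        R["FRANKFURT"].ingress["SINK"] = ("vrf", "rx-monitor")
        R["FRANKFURT"].route("61.1.1.1/32", ("push", (118, 45), "CORE"), vrf="rx-monitor")
        R["CORE"].lfib[45] = ("pop", "ACCESS")
        R["ACCESS"].lfib[118] = ("vrf", "rx-monitor")
        R["ACCESS"].route("61.1.1.1/32", ("ip", "CPE"), vrf="rx-monitor")
    return R


def run(shunt=False, method=None, access_is_peering=False, dst="61.1.1.1"):
    """Inject one packet at LONDON; returns (outcome, hop trace, cleaned?)."""
    pkt = Packet(dst)
    where = forward(build(shunt, method, access_is_peering), "LONDON", pkt)
    return ("delivered at " + where if where else "loop", pkt.trace, pkt.cleaned)
```

`run(shunt=True)` bounces between FRANKFURT and SINK until the hop limit, because the sink router's own FIB matches the /32 again; `run(shunt=True, method="proxy_egress")` and `run(shunt=True, method="vrf")` both deliver the cleaned packet at CPE along LONDON, CORE, FRANKFURT, SINK, FRANKFURT, CORE, ACCESS, CPE, while traffic for any other address in 61.1.1.0/24 is untouched. With `access_is_peering=True` the /32 is installed on ACCESS as well: Method 1 then loops through the access router, which is the caveat on slide 22, whereas Method 2 still delivers, because the access router looks the packet up inside VRF rx-monitor, where the sink hole's /32 does not exist.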
Slide 21: Methods Requirements
• Method #1, pure MPLS using a proxy egress LSP: IOS 12.0(17)ST, JunOS 5.4
• Method #2, MPLS VPN: VRF from IOS 12.0(11)ST; VRF Select from IOS 12.0(22)S, JunOS 5.3
Slide 22: Caveats
• MPLS VPN support and availability
• Proxy egress LSP: a peering router that is also an access router. It has to accept the sink hole's route to divert attack traffic, so cleaned traffic it hands back to the customer matches that route again and loops.
• Shunt: DDoS or other traffic goes through the backbone; latency (a few extra hops)
Slide 23: Advantages
• Not on the critical path
• Does not affect normal traffic
• No additional load on the routers
• LDP needs to advertise only the sink hole loopback
• Simple to deploy and scalable
Slide 24: What next? Distributed Sink Hole!
(Diagram: victim 61.1.1.1 served by a distributed sink hole.)