1
MPLS-based Traffic MPLS-based Traffic ShuntShunt
Yehuda Afek – Riverhead Yehuda Afek – Riverhead NetworksNetworks
Roy Brooks – Cisco SystemsRoy Brooks – Cisco Systems
Nicolas Fischbach – COLT Nicolas Fischbach – COLT TelecomTelecom
NANOG28NANOG28Salt Lake CitySalt Lake City
June 2003June 2003
2CreditsCredits
• Cisco Systems:
Paul Quinn
• COLT Telecom:
Andreas Friedrich, Marc Binderberger
• Riverhead Networks:
Anat Bremler-Barr, Boaz Elgar, Roi Hermoni
3Sink HoleSink Hole
61.1.1.1
Announce: 61.1.1.1 -> Sink Hole
Sink hole server
4Traffic ShuntTraffic Shunt
61.1.1.1
Sink hole server
5ApplicationsApplications
Cleaning DDoS traffic
Reverse proxy
On-demand traffic analysis
6Sink Hole ShuntSink Hole Shunt Unidirectional:
Data in & not out
IP-based
Blackholing DDoS, forensic
CenterTrack [Stone NANOG 17]
Bidirectional: Data in, processed and out
Tunnels: GRE, IPIP, MPLS, L2TPv3
DDoS cleaning
Reverse proxy, traffic analysis
Bellwether [Hardie Wessels NANOG 19]
7Traffic ShuntTraffic Shunt
61.1.1.1
Careful setup required to prevent
infinite loops
8Traffic ShuntTraffic ShuntTunnels: Peering - Sink
Returned traffic must not pass through a peering
router
61.1.1.1
9Traffic ShuntTraffic ShuntTunnels: Sink – CPE router
61.1.1.1
10TunnelsTunnels GRE/IPIP
Cisco GSRs and Juniper routers require special interface cards
Processing overhead
MPLS Supported without any special interface No extra H/W From IOS-12.0(7)S and JunOS 5.3 and up
11MPLS Shunt: RequirementsMPLS Shunt: Requirements
No dynamic configuration• Only one-time set-up
Minimum initial (static) configuration
No need for sink hole router/device to speak MPLS
• But could!
12Two MPLS methodsTwo MPLS methods
Method #1: Pure MPLS using Proxy Egress LSP Penultimate hop popping RFC3031
Method #2: MPLS VPN
13
61.1.1.1
Method 1: MPLS LSPs with LoopbacksMethod 1: MPLS LSPs with Loopbacks
LSPs
Sinkhole server
14Method 1: MPLS LSP Proxy EgressMethod 1: MPLS LSP Proxy Egress
4
In OutMPLS Table
(6, 3 )(5, 42)
In OutMPLS Table
(5, 25 )(2, 3)
In OutMPLS Table
(2, untagged)(4, 25)
IP42IP 3IP 25IP
IP
In OutMPLS Table
(2, 42)IP: a Loop back
2 2 565 2
IP:a
LSP
LSP Proxy Egress
Loopback
Sink router
iBGP
IP Lookup
Penultimate Router
15
61.1.1.1
Method 1: MPLS LSP Proxy EgressMethod 1: MPLS LSP Proxy Egress
Penultimate RouteriBGP
16Actual DeploymentActual Deployment
FRANKFURT#show mpls forwarding-table labels 16 Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface 16 Untagged 61.222.65.77/32 24831266 Gi6/0 61.44.88.111
LONDON#show mpls forwarding-table 61.222.65.77Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface 503 560 61.222.65.77/32 0 PO11/0 point2point
17Method 2: MPLS VPN - VRFMethod 2: MPLS VPN - VRF
Sink CPE router
VRF interface to MPLS VPN
61.1.1.1
Advertise 61.1.1.1
MP-BGP VPNv4
iBGP IPv4
18Method 2: MPLS VPN - VRFMethod 2: MPLS VPN - VRF
Sink CPE router
CORE-2#sh ip route vrf rx-monitor
B 61.1.1.1 [200/0] via 11.61.128.7, 00:00:53
CORE-2#sh ip cef vrf rx-monitor 61.1.1.1
fast tag rewrite with PO0/0, point2point, tags imposed {45 118}
via 11.61.128.7, 0 dependencies, recursive
61.1.1.1
iBGP IPv4
19Method 2: MPLS VPN - VRFMethod 2: MPLS VPN - VRF
Sink CPE router
ip route vrf rx-monitor 61.1.1.1 255.255.255.255 14.0.1.2 global
core-as#sh ip cef vrf rx-monitor 61.1.1.1
via 14.0.1.2, 0 dependencies, recursive
next hop 14.0.1.2, FastEthernet1/0 via 14.0.1.2/32 (Default)
tag rewrite with Fa1/0, 14.0.1.2, tags imposed {}
61.1.1.1
iBGP IPv4
20Method 2: MPLS VPN - VRF SELECTMethod 2: MPLS VPN - VRF SELECT
VRF SELECT interface to MPLS
VPN
61.1.1.1
Monitor the outgoing traffic
ip vrf receive tx-monitorvrf selection source 61.1.1.1 255.255.255.255 vrf tx-monitor !interface GigabitEthernet5/0 ip vrf select source ip address 14.0.1.2 255.255.255.252
Sink
Server
21Methods RequirementsMethods Requirements Method #1: Pure MPLS Using Proxy
Egress LSP IOS 12.0(17)ST JunOS 5.4
Method #2: MPLS VPN VRF – IOS12.0(11)ST
VRF Select – IOS12.0(22)S JunOS 5.3
22CaveatsCaveats
MPLS VPN Support & availability
Proxy Egress LSP Peering router which
is also an access router
Shunt: DDoS or other traffic thru the backbone Latency (few extra hops)
23AdvantagesAdvantages
Not on the critical path
Does not effect normal traffic
No additional load on the routers
LDP need to advertise only sink-hole
loop-back
Simple to deploy & Scalable
24What next? Distributed Sink Hole !What next? Distributed Sink Hole !
61.1.1.1