Some Considerations About IXP Customers Connection Models

Transcription

1 Some Considerations About Customers Connection Models LACNIC XII NAPLA Panama Eduardo Ascenço Reis LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 1

2 Agenda Summary Preliminary Information Traditional Connection Model New Connection Model Ethernet Family Links Advantages Some Negative Results Ethernet Links L2 Problem L3 Problem LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 2

3 Summary With the proliferation adoption of Metro Ethernet Networks to provide L2 links between Autonomous Systems (AS) and Internet exchange Points () comes many benefits, like: connection simplification, uniform and familiar technology (Ethernet family), lower costs, less points of failures, etc. On the other hand, directly connect Ethernet family links can expose the AS to vulnerabilities issues on security and network areas. This presentation intends to focus the discussion on some network potential vulnerabilities and suggestions about how to protect the AS, looking forward a safe network. The key points that will be addressed in the presentation are: routing vulnerabilities on external traffic engineering and Ethernet (L2) isolation/protection. LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 3

4 Information / PTT Internet exchange Point PTT Ponto de Troca de Tráfego LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 4

5 Presentation Reference Point This presentation is focused on participants and not on the itself. LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 5

6 Preliminary Information switching fabric / peering fabric Traditionally based on exchange matrix Ethernet family equipments (switches) model can be simplified as a single LAN switch LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 6

7 Preliminary Information LAN Model AS A AS B AS C LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 7

8 Preliminary Information Metro Ethernet Model AS A AS B MAN case e.g. PTTmetro ( AS C LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 8

9 Preliminary Information AS Autonomous System (AS) internal network also normally based on Ethernet family equipments (switches) AS internal network can be simplified as a LAN LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 9

10 Traditional Connection Model TDM (PDH/SDH) or ATM Links area Peering Fabric LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 10

11 Traditional Connection Model TDM (PDH/SDH) or ATM Links area Peering Fabric WAN Technologies Converter LAN LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 11

12 Traditional Connection Model TDM (PDH/SDH) or ATM Links area Peering Fabric L2 Domain L3 Element L3 Element L2 Domain LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 12

13 Traditional Connection Model Prefixes Feed TDM (PDH/SDH) or ATM Links area Peering Fabric Local Prefixes Feed Full BGP Table Partial BGP Table LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 13

14 New Connection Model Ethernet Family Links Ethernet family (Gigabit Ethernet and 10 Gibabit Ethernet) links become a familiar technology for outside use on Metropolitan Networks (MAN) and even on long distance connections (WAN) LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 14

15 New Connection Model Ethernet Family Links Advantages Ethernet Links area Peering Fabric Ethernet Family Ethernet Family Ethernet Family LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 15

16 New Connection Model Ethernet Family Links Advantages Simplification Lower Operational Cost Ethernet Links area Peering Fabric Ethernet Family Ethernet Family Ethernet Family Uniform Technology LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 16

17 New Connection Model Ethernet Family Links Advantages Lower Cost Less equipments (less points of failure, simple management and support) Ethernet Links area Peering Fabric No more need for remote router and eventually data center collocation at site LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 17

18 New Connection Model Ethernet Family Links Advantages Lower Cost Equipments Optimization Ethernet Links Peering Fabric 802.1Q Vlan A Vlan B Vlan C interface sharing s interfaces are more expensive than switches interfaces LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 18

19 New Connection Model Some Negative Results At Least Two Kinds of Possible Problems Lose of Simple Logical Isolation Between L2 Domains Lose of Intra AS BGP Tables Isolation (Global and ) LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 19

20 Ethernet Links L2 Problem Lose of Simple Logical Isolation Between L2 Domains 802.1Q Ethernet Links Peering Fabric L3 Element L2 Domain L2 Domain L2 Domain LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 20

21 Ethernet Links L2 Problem Ethernet networks were not originally design to prevent against problems on different administration networks L2 interconnection. Special resources may be needed for protection and nowadays some solutions are only possible when using proprietary features. LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 21

22 Ethernet Links L2 Problem Ethernet logical isolation is done by VLANs ISP/NSP IP MPLS Peering Fabric VLAN A VLAN B VLAN C VLAN D LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 22

23 Ethernet Links L2 Problem Independent connected VLANs may have the same ID ISP/NSP IP MPLS Peering Fabric VLAN A VLAN B VLAN C VLAN D VLAN ID 10 VLAN ID 10 VLAN ID 10 VLAN ID 10 Special care must be taken when trunk (802.1Q) connections are used between L2 domains LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 23

24 Ethernet Links L2 Problem Ethernet logical isolation on ISP/NSP 802.1ad (QinQ) VLAN W1 Metro Tag AS C ISP/NSP 802.1Q IP MPLS Peering Fabric 802.1Q VLAN W2 Metro Tag LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 24

25 Ethernet Links L2 Problem AS C Directly connect AS router to Link Peering Fabric VLAN X 802.1Q Dedicated AS VLAN between router and Link LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 25

26 Ethernet Links L2 Problem Some Ethernet Protections Points Explicitly define trunk mode between L2 domains interconnection (avoid auto / dynamic configuration) Explicitly define and control links aggregation conditions (LACP 802.3ad) Ethernet frames inbound and outbound filters Neighbor discover protocols (e.g. CDP, EDP, etc) Loop free / Fault tolerant L2 protocols (e.g. STP, EAPS, REP, etc) Non ARP Broadcast LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 26

27 Ethernet Links L2 Problem Restrictive Allowed Ethernet Frames Operation AS permit only specific and expected Ethertypes frames on links to 0x0800 IPv4 0x0806 ARP 0x86dd IPv6 LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 27

28 Ethernet Links L3 Problem BGP Table Prefixes Feed 802.1Q Ethernet Links Peering Fabric ASes Local Prefixes Feed Full BGP Table LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 28

29 Ethernet Links L3 Problem and AS C want to exchange traffic by AS A would like to exchange traffic with by, but does not AS A AS C LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 29

30 Ethernet Links L3 Problem Non Valid Traffic Exchange No BGP Session AS A Valid Traffic Exchange Established BGP Session AS C LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 30

31 Ethernet Links L3 Problem AS N Normal traffic between AS A and goes through AS N (transit) AS A AS A CIDR A1 CIDR D1 CIDR D2 LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 31

32 Ethernet Links L3 Problem AS N Static route CIDR D1 to IP D Static route CIDR D2 to IP D AS A CIDR D1 CIDR D2 IP D LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 32

33 Ethernet Links L3 Problem AS N Abused Condition AS A CIDR D1 CIDR D2 IP D LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 33

34 Ethernet Links L3 Problem AS T AS A Internet LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 34

35 Ethernet Links L3 Problem AS T Default static route to IP D AS A Internet IP D LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 35

36 Ethernet Links L3 Problem AS T Abused Condition AS A Internet IP D LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 36

37 Ethernet Links L3 Problem Solution ibgp Ethernet Links Peering Fabric ASes Core/Edge Dedicated LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 37

38 Ethernet Links L3 Problem Solution Prefixes Feed Prefixes Feed Core ibgp for Ethernet Links Peering Fabric ASes Local Prefixes Feed Local Prefixes Feed LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 38

39 Ethernet Links L3 Problem Solution Prefixes Feed Prefixes Feed Core ibgp for Ethernet Links Peering Fabric ASes Local Prefixes Feed Local Prefixes Feed Full BGP Table Partial BGP Table and no default route LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 39

40 Ethernet Links L3 Problem Solution AS T Default static route to IP D AS A Internet Core for IP D LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 40

41 Ethernet Links L3 Problem Solution AS T Default static route to IP D AS A Internet Core for IP D X Unreachable Destinations LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 41

42 Ethernet Links L3 Problem Solution AS T Static route CIDR D1 to IP D Static route CIDR D2 to IP D AS A Internet CIDR D1 CIDR D2 Core for IP D LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 42

43 Ethernet Links L3 Problem Solution AS T Static route CIDR D1 to IP D Static route CIDR D2 to IP D AS A Internet CIDR D1 CIDR D2? Abused Condition Core for IP D LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 43

44 Ethernet Links L3 Problem Solution Unicast Reverse Path Forwarding (urpf) Core ibgp for Ethernet Links Peering Fabric ASes Full BGP Table Partial BGP Table and no default route LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 44

45 Ethernet Links L3 Problem Solution AS T Static route CIDR D1 to IP D Static route CIDR D2 to IP D AS A Internet CIDR D1 CIDR D2 Core for + urpf IP D X Unreachable Destinations LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 45

46 Thanks Eduardo Ascenço Reis LACNIC XII NAPLA Panama / Eduardo Ascenço Reis Some Considerations About Customers Connection Models 46