Cisco IOS LISP Application Note Series: Access Control Lists

Transcription

1 Cisco IOS LISP Application Note Series: Access Control Lists Version 1.1 (28 April 2011) Background The LISP Application Note Series provides targeted information that focuses on the integration and configuration of relevant Cisco IOS features in conjunction with the deployment of LISP. LISP (Locator/ID Separation Protocol) is not a feature, but rather a next- generation routing architecture which implements a new semantic for IP addressing that creates two namespaces: Endpoint Identifiers (EIDs), which are assigned to end- hosts, and Routing Locators (RLOCs), which are assigned to devices (primarily routers) that make up the global routing system. Creating separate namespaces for EIDs and RLOCs creates a level of indirection that yields many advantages over a single namespace (i.e. the current IP address concept) including: improved scalability of the routing system through greater aggregation of RLOCs, improved multi- homing efficiency, ingress traffic engineering, and the ability to move EIDs without breaking sessions (mobility). LISP also was designed at the outset to be Address Family agnostic, and thus handles multiple AF s seamlessly making its use ideal in IPv6 transition solutions. This and other LISP Application Notes in this series assume a working knowledge of LISP and are not intended to provide basic information on its use- cases, or guidelines on configuration and deployment. These details can be found in the Cisco LISP Command Reference Guide, Cisco LISP Configuration Guide, (References [1]) and other information available at Application Note Organization Like all Application Notes in the LISP series, this application note is organized into three main sections. 1. Concept Overview This section provides a brief description of the feature or technology being addressed in this Application Note in the context of a LISP implementation. 2. Concept Details This section provides a detailed description of the feature or technology and its interaction with LISP, and a description of its (typical) usage in deployment. 3. Concept Examples This section provides detailed testing of the feature or technology. This provides verification of the detailed descriptions, and also allows network administrators to set up a similar LISP environment and repeat the feature test. Comments and corrections are welcome. Please direct all queries to: lisp- support@cisco.com Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 1

2 Concept Overview: Cisco IOS Access Control Lists and LISP The Access Control List (ACL) is perhaps one of the most fundamental features of Cisco IOS and its use is familiar to network administrators for many applications including: restricting traffic flows, classifying and identifying interesting traffic for other functions such as Network Address Translation (NAT), Quality of Service (QoS), and IP Security (IPSec), and for filtering routing updates and many others. This application note describes the use of ACLs for restricting traffic within LISP implementations. When considering the deployment of ACLs with LISP, the following aspects are important. 1. LISP encapsulation utilizes a UDP header just prior to the LISP header for all packets to distinguish between two distinct packet groups: LISP control plane packets, which utilize a UDP destination port of 4342, and LISP data plane packets, which utilize a UDP destination port of ACLs may need to consider this distinction between these two groups of packets. 2. LISP is an encapsulation protocol and, because ACLs only filter based on Layer 3 and Layer 4 header information, ACLs may need to be applied at a specific point or at several different points within the packet forwarding and LISP encapsulation process in order to implement a site security policy. The application point and direction of the ACL will dictate whether EID namespace or RLOC namespace is used within the ACL itself. Packets can be filtered using EID namespace just prior to LISP encapsulation or just after LISP decapsulation; packets can be filtered using RLOC namespace just after LISP encapsulation or just prior to LISP decapsulation. This application note covers both of the above topics in detail. Concept Details: Cisco IOS Access Control Lists and LISP LISP Packets For the purposes of this application note, LISP packets can be separated into two groups, as follows: LISP control plane packets LISP- enabled devices create control plane packets to register EID- prefixes with Map- Servers, to conduct EID- to- RLOC mapping resolutions, and for various other protocol operations purposes. The UDP destination port 4342 in the LISP packet header indicates that it contains a LISP control plane packet. LISP control plane packets are handled directly by the LISP device itself (i.e. the device route processor). As with other types of control plane traffic, protecting the control plane from abuse is beneficial to network health (see Reference [5]). LISP control plane message types are described in Reference [2]. LISP data plane packets LISP- enabled devices encapsulate data plane packets to forward user traffic between LISP sites. The UDP destination port 4341 in the LISP packet header indicates that it contains a LISP data plane packet. LISP data plane packets are handled in the fast path (hardware/cef processing) of the LISP device. The LISP device is only responsible for encapsulating and forwarding, or decapsulating and forwarding these packets. LISP data plane packet encapsulation consists of an outer IPv4 or IPv6 header utilizing RLOC namespace addresses, and a UDP header and LISP header, all being added to the original packet. Figure 1 below shows a typical LISP data plane packet encapsulation with an IPv4 EID and IPv4 RLOC. ACLs can be applied at several different configuration points, giving them the ability to operate on packets either before or after LISP encapsulation (or both), as desired, to meet the site security requirements. Since ACLs only operate on the Layer 3 and Layer 4 headers of a packet, ACLs that are applied to packets after LISP encapsulation will only be able to operate on the outer header illustrated in Figure 1. In this case the ACL would see only the RLOC namespace addresses and the LISP UDP header. ACLs that are applied to packets 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 2

3 before LISP encapsulation or after LISP decapsulation will operate on the original, host- generated packets. These are the addresses that become the inner header illustrated in Figure 1. Figure 1. LISP data plane packet format (draft- 09 header) LISP Processing and ACLs In Cisco IOS, ACLs are applied to interfaces, and from a LISP perspective, three interfaces are relevant to ACL discussions: the LISP Site- facing interface, the Core- facing interface, and the LISP0 interface, as illustrated in Figure 2. At each of these different application points, ACLs can be applied in the in (ingress) and out (egress) direction, leading to the possibility of six unique ACLs per address family (IPv4 and IPv6). This gives them the ability to operate on packets either before or after LISP encapsulation (or both), as desired, to meet the site security requirements. Figure 2. Conceptual interfaces and ACL application points with LISP 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 3

4 The LISP process in IOS creates the LISP0 virtual interface, as illustrated in Figure 2, as a reference point for encapsulation and decapsulation operations. This LISP0 virtual interface, described in detail in the Application Note available at Reference [1], serves as the natural boundary between the EID and RLOC namespaces for the Ingress Tunnel Router (ITR) or Egress Tunnel Router (ETR) commonly referred to as an xtr when both LISP functions are deployed. Egress features are applied to packets that are leaving the router via LISP, just prior to LISP encapsulation. Similarly, ingress features are applied to packets that are arriving from LISP, just after LISP decapsulation. Note that in both cases, the LISP0 ingress and egress feature application points are in the EID namespace. It is important to understand that these three application points do not offer the same filtering options, due to the LISP encapsulation process. Referring to Figure 2, the following observations can be made about the point of application and functionality of ACLs used within a LISP deployment: ACLs can be applied in the in (ingress) direction and the out (egress) direction on the LISP site- facing interface, shown as E1/0 in the figure. When ACLs are applied here, filtering will be applied to user- packets in the EID namespace either before (potential) LISP encapsulation (when applied in the in direction), or after LISP decapsulation (when applied in the out direction). ACLs can be applied in the in (ingress) direction and the out (egress) direction on the SP Core/Internet- facing interface, shown as E0/0 in the figure. When ACLs are applied here, filtering will be applied to packets in the RLOC namespace either before LISP decapsulation (when applied in the in direction), or after LISP encapsulation (when applied in the out direction). ACLs can be applied in the in (ingress) direction and the out (egress) direction on the LISP0 interface. The LISP0 interface is logical and simply provides a reference point for the application of CEF features, like ACLs. ACLs applied here always refer to user- packets in the EID namespace (i.e. not LISP encapsulated). An ACL applied in the in direction refers to user- packets that have just been decapsulated and are being forwarded toward the LISP site, and an ACL applied in the out direction refers to user- packets being sent to LISP to be encapsulated and then forwarded toward the SP Core/Internet. No preferential manner for applying ACLs is implied or intended. The selected interface(s) and direction(s) should be based on site needs in terms of security requirements and management support. For example, sites may find that that existing ACLs can be reapplied without modification to the LISP0 interface. This document is not intended to provide guidance on specific site security policies. A thorough review of existing policies, combined with an understanding of the use of ACLs with LISP, and adequate validation testing should be completed prior to any production deployments of any technology. Caveats and Notes Related to ACLs The following caveats and notes are applicable to ACLs for use with LISP: 1. As is always the case with ACLs and Cisco IOS devices, the use of the log keyword can be used to provide additional detail about source and destinations for a given protocol. Although this keyword provides valuable insight into the details of ACL hits, using the log keyword results in packets matching the access- list statement being handled by process switching (slow path) instead of CEF switching, resulting in platform- dependent performance impacts. 2. In Cisco IOS devices, there should be no performance difference between using an ACL on a physical (or logical) interface, and using an ACL on the LISP 0 interface. In both cases, assuming the log keyword is not used, packets are CEF- switched and should experience that same forwarding performance through the router. Therefore, the primary consideration should be to develop and apply ACLs that best meet the security requirements of the site Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 4

5 In general, normal Cisco IOS ACL rules are applicable, and normal procedures for the construction of ACLs should be followed. Concept Examples: Cisco IOS Access Control Lists and LISP The following example demonstrates the use of ACLs within a LISP deployment. This example is provided only as validation for the above ACL discussions, and not as an indication of appropriate ACL deployments for meeting site security requirements. Initial LISP Configuration The test network topology for this example is illustrated in Figure 3. In this test network, the following elements are defined: LISP Site A, which includes the LISP IPv4 EID- prefix /24. The Cisco IOS router xtr- A is the LISP xtr, and it registers with the Map- Server located at The router Site- A provides a convenient host for traffic source/destination during the ACL validation testing. The ACLs will all be applied only to xtr- A. LISP Site B, which includes the LISP IPv4 EID- prefix /24. The Cisco IOS router xtr- B is the LISP xtr, and it registers with the Map- Server located at The router Site- B provides a convenient host for traffic source/destination during the ACL validation testing. SP Core/Internet, which includes the router Core, represents the public (RLOC- space) through which the LISP sites communicate. This core network is IPv4- only in this example. Map- Server/Map- Resolver, which provides mapping- resolution services for the LISP sites. The Cisco ISO router MS/MR is deployed as a LISP Map- Server/Map- Resolver. The xtrs from LISP Site A and LISP Site B register to this device, and use it for EID- to- RLOC mapping resolution. This is a fairly basic network topology, but it is quite adequate for demonstrating the use of ACLs within a LISP deployment. Full configurations for each device are included in the Appendix of this application note. Figure 3. Cisco IOS ACL use with LISP example test network topology Cisco IOS ACL Examination The ACL examination testing documented here applies a unique ACL to each possible location and direction that is relevant to the LISP deployment using router xtr- A as the device under test (DUT). Thus, six separate ACLs in total are applied: two (in, out) to the site- facing interface E0/1, two (in, out) to the Internet- facing interface E0/0, and two (in, out) to the LISP0 interface. The location and direction of these six ACLs is illustrated in Figure Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 5

6 Figure 4. Cisco IOS ACL use with LISP example ACL deployment locations Source- pings from Site- A ( ) to Site- B ( ) are used as traffic generators for this ACL testing. All six uniquely identified ACLs have identical elements. In this way, the counters displayed for each ACL indicate the directionality and specific Layer 3 header information at each test point. Therefore, all ACLs are constructed with the following entries: permit icmp host host echo Step 1. Preparations for testing ACLs First, clear the access- list counters on xtr- A in order to minimize ambiguity during testing. xtr-a#clear access-list counters Step 2. Test the ACLs with a source- ping. Source- ping Site B EID ( ) with a source of the Site A EID ( ), using a repeat value of 100. All packets should succeed. SiteA#ping so repeat 100 Type escape sequence to abort. Sending 100, 100-byte ICMP Echos to , timeout is 2 seconds: 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 6 of 6

7 Packet sent with a source address of Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/8 ms All 100 echo/echo- reply packets succeeded. This is also reflected in the value of the counters in the ACLs. Step 3. Review the ACL counters. Show each ACL and observer which counters have incremented by 100. xtr-a#sh ip access-lists lisp0-out Extended IP access list lisp0-out 10 permit icmp host host echo (100 matches) xtr-a#sh ip access-lists site-in Extended IP access list site-in 10 permit icmp host host echo (100 matches) xtr-a#show ip access-lists lisp0-in Extended IP access list lisp0-in 10 permit icmp host host echo 20 (100 matches) xtr-a#sh ip access-lists site-out Extended IP access list site-out 10 permit icmp host host echo 20 (100 matches) xtr-a#sh ip access-lists rloc-out Extended IP access list rloc-out 10 permit icmp host host echo (100 matches) xtr-a#sh ip access-lists rloc-in Extended IP access list rloc-in 10 permit icmp host host echo (100 matches) Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 7 of 7

8 Several observations can be made based on the above show command output. 1. As expected, the ACLs applied to the LISP0 interface and the site- facing interface (E0/1 in this case) show the same results, but in the opposite directions. That is, lisp0- out and site- in show the same results, and lisp0- in and site- out show the same results. This reflects the directional behavior of the ACLs on the respective interface. The ACLs lisp0- out and site- in both see the echo packets with source and destination , while the ACLs lisp0- in and site- out both see the echo- reply packets with source and destination When developing and applying ACLs to meet a site security requirement, it may be useful to consider that an ACL only needs to be applied to the LISP0 interface (one place) as opposed to potentially numerous site- facing interfaces when filtering using EID addresses. 2. ACLs rloc- in and rloc- out are the only ACLs that see the LISP- encapsulated (outer header) addresses. When developing and applying ACLs to meet a site security requirement, consider that an ACL can only be applied to core- facing interfaces in order to filter on RLOC addresses. Based on these observations, it is clear that LISP data plane packets can be filtered by ACLs applied to site- facing interfaces or the LISP0 interface, using the EID addresses. When applied to Core- facing interfaces, ACLs can only filter LISP data plane packets based on the UDP destination port 4341 and RLOC addresses. It is also clear that LISP control plane packets can only be filtered by ACLs applied to Core- facing interfaces, and then only based on the UDP destination port 4342 and RLOC addresses. IPv6 Considerations The mixed address family capabilities of LISP allow for both IPv4 and IPv6 packets to be used as EIDs and as RLOCs, with the following combinations being possible (lisp site address- family, rloc address- family): (IPv4, IPv4), (IPv4, IPv6), (IPv6, IPv4), and (IPv6, IPv6). It is possible then that both IPv4 and IPv6 ACLs may be required to satisfy site security needs. Only IPv4 ACLs were used in this example test case; IPv6 packets and ACLs were not illustrated. However, the use and application of IPv6 ACLs is exactly the same as the use and application of IPv4 ACLs in terms of interactions (interfaces and directions) with LISP. Whether IPv4 and/or IPv6 ACLs are required is dictated by the site security needs. As an example, note that the both LISP sites shown in Figure 3 have both IPv4 and IPv6 EIDs (Site- A: /24, 2001:db8:a::/48, and Site- B: /24, 2001:db8:b::/48). Only the IPv4 EIDs were used in the example tests above. Note also that the Core network and both sites only use IPv4 addresses. It is quite simple with LISP to connect these two IPv6 islands over the IPv4 infrastructure. In this case, IPv6 ACLs would be required on the site- facing interfaces and the LISP0 interface, and IPv4 ACLs would be required on the core- facing interface since the original packets would be IPv6 and the LISP0- encapsulted packets would use IPv4 RLOCs (outer header). Conclusions This application note described the use of ACLs with LISP implementations. ACLs are one of the most fundamental tools available to network administrators for restricting traffic flows and implementing site security policies. The interactions of ACLs with LISP operations were described, and an example using IPv4 EIDs and RLOCs was used to illustrate these concepts. The LISP0 interface is logical and simply provides a reference point for the application of CEF features, like ACLs. Applying ACLs to LISP0 only affects packets in EID namespace and can be a helpful for consolidating ACLs when there are numerous site- facing interfaces. In general, the selected interface(s) and direction(s) should be based on site needs in terms of security requirements and management support. Finally, the mixed address family capabilities of LISP were highlighted, and the potential impact of this on the selection of appropriate ACLs was described Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 8 of 8

9 LISP Resources 1. LISP Documentation, including the LISP Command Reference Guide, LISP Configuration Guide, and LISP Lab Test Guide, which can be found here: 2. LISP IETF Draft RFCS can be found here: 3. Cisco Marketing Information about LISP can be found here: 4. LISP Beta Network information can be found here: and 5. Router Security Strategies: Securing IP Network Traffic Planes, Cisco Press. Comments and corrections are welcome. Please direct all queries to: lisp Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 9 of 9

10 Appendix: Test Network Router Configurations xtr- A hostname xtr-a ip cef no ip domain lookup ipv6 unicast-routing ipv6 cef interface Loopback0 no ip address interface LISP0 ip access-group lisp0-in in ip access-group lisp0-out out interface Ethernet0/0 description To Core ip address ip access-group rloc-in in ip access-group rloc-out out interface Ethernet0/1 description To Site ip address ip access-group site-in in ip access-group site-out out ipv6 address 2001:DB8:A:2::2/64 router lisp database-mapping / priority 1 weight 1 database-mapping 2001:DB8:A::/ priority 1 weight 1 ipv4 itr map-resolver ipv4 itr ipv4 etr map-server key site-a-s3cr3t ipv4 etr ipv6 itr map-resolver ipv6 itr ipv6 etr map-server key site-a-s3cr3t ipv6 etr exit router ospf 1 log-adjacency-changes network area 0 default-information originate ip route ip access-list extended lisp0-in permit icmp host host echo ip access-list extended lisp0-out permit icmp host host echo ip access-list extended rloc-in permit icmp host host echo ip access-list extended rloc-out 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 10 of 10

11 permit icmp host host echo ip access-list extended site-in permit icmp host host echo ip access-list extended site-out permit icmp host host echo ipv6 route 2001:DB8:A::1/ :DB8:A:2::1 ipv6 route ::/0 Null0 Site- A hostname SiteA ip cef no ip domain lookup ipv6 unicast-routing ipv6 cef interface Loopback0 ip address ipv6 address 2001:DB8:A::1/128 interface Ethernet0/1 ip address ipv6 address 2001:DB8:A:2::1/64 router ospf 1 log-adjacency-changes passive-interface Loopback0 network area 0 network area 0 ipv6 route ::/0 2001:DB8:A:2::2 xtr- B hostname xtr-b ip cef no ip domain lookup ipv6 unicast-routing ipv6 cef interface Loopback0 no ip address interface LISP0 interface Ethernet0/0 ip address ipv6 address 2001:DB8:B:2::2/64 interface Ethernet0/1 description To Core ip address router lisp 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 11 of 11

12 database-mapping / priority 1 weight 1 database-mapping 2001:DB8:B::/ priority 1 weight 1 ipv4 itr map-resolver ipv4 itr ipv4 etr map-server key site-b-s3cr3t ipv4 etr ipv6 itr map-resolver ipv6 itr ipv6 etr map-server key site-b-s3cr3t ipv6 etr exit router ospf 1 log-adjacency-changes network area 0 default-information originate ip route ipv6 route 2001:DB8:B::1/ :DB8:B:2::1 ipv6 route ::/0 Null0 Site- B hostname SiteB ip cef no ip domain lookup ipv6 unicast-routing ipv6 cef interface Loopback0 ip address ipv6 address 2001:DB8:B::1/128 interface Ethernet0/0 ip address ipv6 address 2001:DB8:B:2::1/64 router ospf 1 log-adjacency-changes passive-interface Loopback0 network area 0 network area 0 ipv6 route ::/0 2001:DB8:2::2 MS- MR hostname MS-MR vrf definition lisp rd 1:1 address-family ipv4 exit-address-family address-family ipv6 exit-address-family ip cef no ip domain lookup ipv6 unicast-routing ipv6 cef router lisp site Site-A description LISP Site A authentication-key site-a-s3cr3t 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 12 of 12

13 eid-prefix /24 eid-prefix 2001:DB8:A::/48 exit site Site-B description LISP Site B authentication-key site-b-s3cr3t eid-prefix /24 eid-prefix 2001:DB8:B::/48 exit ipv4 map-server ipv4 map-resolver ipv4 alt-vrf lisp ipv6 map-server ipv6 map-resolver ipv6 alt-vrf lisp exit interface LISP0 interface Ethernet0/0 description To Core ip address ip route Core hostname Core ip cef no ip domain lookup no ipv6 cef interface Loopback0 ip address interface Ethernet0/0 description To xtr-a ip address interface Ethernet0/1 description To xtr-b ip address interface Ethernet0/2 description To MS-MR ip address Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 13 of 13