Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01

Similar documents
Unicast Reverse Path Forwarding Loose Mode

Contents. Configuring urpf 1

R&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell

Lab Guide 2 - BGP Configuration

BGP Configuration for a Transit ISP

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Everest (Cisco ASR 920)

Methods for Detection and Mitigation of BGP Route Leaks

Prevent DoS using IP source address spoofing

DDoS made easy. IP reflection attacks for fun and profit. Gert Döring, SpaceNet AG, München. DECIX/ECO security event,

Introduction to IP Routing. Geoff Huston

ISP Border Definition. Alexander Azimov

Remember Extension Headers?

Preventing Traffic with Spoofed Source IP Addresses in MikroTik

Collective responsibility for security and resilience of the global routing system

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Fuji 16.7.x (NCS 4200 Series)

RIB Size Estimation for BGPSEC

Security in inter-domain routing

BGP Attributes and Path Selection

Connecting to a Service Provider Using External BGP

Multihoming Techniques. bdnog8 May 4 8, 2018 Jashore, Bangladesh.

SpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt

BGP Attributes and Policy Control

BGP and the Internet

COM-208: Computer Networks - Homework 6

Improving performance through BGP Graceful Shutdown draft-ietf-grow-bgp-gshut

I Commands. Send comments to

Collective responsibility for security and resilience of the global routing system

IPv4/IPv6 BGP Routing Workshop. Organized by:

Improving performance through BGP Graceful Shutdown draft-ietf-grow-bgp-gshut

Network Policy Enforcement

Using MSDP to Interconnect Multiple PIM-SM Domains

Multicast Quick Start Configuration Guide

Juniper JN Enterprise Routing and Switching Support Professional (JNCSP-ENT)

Border Gateway Protocol - BGP

Service Provider Multihoming

Vendor: Alcatel-Lucent. Exam Code: 4A Exam Name: Alcatel-Lucent Border Gateway Protocol. Version: Demo

MANRS How to behave on the internet

TDC 375 Network Protocols TDC 563 P&T for Data Networks

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Vendor: Cisco. Exam Code: Exam Name: CCIE Routing and Switching Written v5.0. Version: Demo

Network Layer (Routing)

Service Provider Multihoming

BGP Routing and BGP Policy. BGP Routing. Agenda. BGP Routing Information Base. L47 - BGP Routing. L47 - BGP Routing

Internet Engineering Task Force (IETF) Request for Comments: 7999 Category: Informational. NTT G. Doering SpaceNet AG G. Hankins Nokia October 2016

Configuring Unicast RPF

An overview of how packets are routed in the Internet

Network Configuration Example

BGP on IOS: Getting Started

Reducing FIB Size with Virtual Aggregation (VA)

Shim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI

BGP Origin Validation

BGP Attributes and Policy Control

Routing Basics. SANOG July, 2017 Gurgaon, INDIA

BGP Additional Paths. Finding Feature Information. Information About BGP Additional Paths. Problem That Additional Paths Can Solve

Configuring VRF-lite CHAPTER

BGP101. Howard C. Berkowitz. (703)

Data Plane Protection. The googles they do nothing.

BGP Operations and Security. Training Course

Asymmetric Satellite Services. Introduction and Background. Transmit Interface Command. Agenda. Asymmetric Satellite Services

BGP in the Internet Best Current Practices

TBGP: A more scalable and functional BGP. Paul Francis Jan. 2004

Exam Questions

PIM adjacencies and multicast blackhole mitigation issues draft-morin-mboned-mcast-blackhole-mitigation-01

LARGE SCALE IP ROUTING

BGP Protocol & Configuration. Scalable Infrastructure Workshop AfNOG2008

BGP route filtering and advanced features

Introduction to routing

BGP Diverse Path Using a Diverse-Path Route Reflector

Back to basics J. Addressing is the key! Application (HTTP, DNS, FTP) Application (HTTP, DNS, FTP) Transport. Transport (TCP/UDP) Internet (IPv4/IPv6)

An introduction to BGP security

Introduction to BGP ISP/IXP Workshops

Connecting to a Service Provider Using External BGP

Chapter 8: Subnetting IP networks. Introduction to Networks v5.1

PROTECT NETWORK EDGE WITH BGP, URPF AND S/RTBH. by John Brown, CityLink Telecommunications, LLC

BGP Attributes and Policy Control

ITBraindumps. Latest IT Braindumps study guide

BGP Cost Community. Prerequisites for the BGP Cost Community Feature

2016/09/07 08:37 1/5 Internal BGP Lab. Set up Internal BGP (ibgp) within the each Group autonomous system to carry routing information within the AS.

debug ip ospf database external default-metric subnet area 0 stub distribute-list in Serial0/1

Illegitimate Source IP Addresses At Internet Exchange Points

v Number: Passing Score: 800 Time Limit: 120 min File Version:

BGP Enhancements for IPv6. ISP Training Workshops

Solution for Route Leaks Using BGP Communities

IPv6 Module 7 BGP Route Filtering and Advanced Features

Request for Comments: 5120 Category: Standards Track Cisco Systems N. Sheth Juniper Networks February 2008

CS519: Computer Networks. Lecture 4, Part 5: Mar 1, 2004 Internet Routing:

Module 14 Transit. Objective: To investigate methods for providing transit services. Prerequisites: Modules 12 and 13, and the Transit Presentation

Virtual Subnet : A L3VPN-based Subnet Extension Solution for Cloud Data Center Interconnect

Module 10 An IPv6 Internet Exchange Point

Network Working Group. Intended status: Informational Expires: January 9, 2014 July 8, 2013

Internet Routing Basics

InterAS Option B. Information About InterAS. InterAS and ASBR

Measuring IPv6 Deployment

Configuring Bidirectional PIM

Introduction to BGP. ISP/IXP Workshops

Network Infra Security Filtering at the Border. Network Security Workshop April 2017 Bali Indonesia

Configuring Unicast Reverse Path Forwarding

BGP Attributes and Policy Control. BGP Attributes. Agenda. What Is an Attribute? AS-Path. AS-Path loop detection. BGP Attributes

Symbols I N D E X. (vertical bar), string searches, 19 20

cisco. Number: Passing Score: 800 Time Limit: 120 min.

Transcription:

Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01 K. Sriram and D. Montgomery OPSEC Working Group Meeting, IETF-99 July 2017 Acknowledgements: The authors are grateful to many folks who offered feedback on the GROW WG mailing list. 1

Difficulties with Adoption of urpf Solutions Strict urpf is usable in very limited scenarios Loose urpf is not very effective for denying traffic with IPv4 address spoofing (except bogons, etc.) Feasible path urpf is a refinement but ISPs apprehensive that they might deny traffic with legitimate customer source IP addresses When faced with multi-homing and asymmetric routing Is there a way to make feasible-path more generalized and accurate? Goal: Encourage wider deployment of urpf 2

Key Principles of Enhanced Feasible Path urpf The Algorithm 1. ISP ebgp router creates a union of all announced prefixes that have a common origin AS 2. Those announcements have potentially been received on different customer/ peer/ provider interfaces 3. Take that union of prefixes and include it in Reverse Path Filter (RPF) tables on all interfaces on which one or more of the prefixes in the union were announced 4. ISP might choose to apply Step #3 across customer interfaces only 3

Scenario 1 AS2 (ISP-a) P1 [AS2 AS1] P2 [AS3 AS1] AS3 (ISP-b) P1 [AS1] P2 [AS1] P1 AS1 P2 Consider data packets received at AS2 with source address in P1 or P2: X Strict urpf fails X Feasible-path urpf fails (since routes for P1, P2 are selectively announced to different upstream ISPs) Loose urpf works (but not desirable) Enhanced Feasible-path urpf works best 4

Scenario 2 AS2 (ISP-a) routes for P1, P2 AS3 (ISP-b) P2 [AS1 AS1 AS1] P1 [AS1] P1 [AS1 AS1 AS1] P2 [AS1] P1 AS1 P2 Consider data packets received at AS2 with source address in P1 or P2: Feasible-path urpf works (if customer route preferred at AS3 over shorter path) X Feasible-path urpf fails (if shorter path preferred at AS3 over customer route) Loose urpf works (but not desirable) Enhanced Feasible-path urpf works best 5

Scenario 3 P1 [AS2 AS1] AS2 (ISP2) AS4 (ISP4) P2 [AS5 AS1] P2 [AS3 AS1] AS3 (ISP3) p2p AS5 (ISP5) P1 [AS1] AS1 P2 [AS1] P2 [AS1] P1 P2 Consider that data packets (sourced from AS1) may be received at AS4 with source address in P1 or P2 from any of the neighbors (AS2, AS3, AS5): X Feasible-Path urpf fails (since routes for P1, P2 are selectively announced to different upstream ISPs) Loose urpf works (but not desirable) Enhanced Feasible-Path urpf works best 6

Example of a Challenging Scenario (from GROW discussion) P1 and P2 NOT PROPAGATED AS4 (ISP4) P1 [AS3 AS1] P2 [AS3 AS1] AS2 (ISP2) P1 [AS1] NO_EXPORT P2 [AS1] NO_EXPORT AS1 P1 P2 AS3 (ISP3) P1 [AS1] P2 [AS1] Contradictory to the basic premise of feasible path urpf (see BCP-84) 7

Operational Recommendations (BCP-84) The mechanism relies on consistent route advertisements (i.e., the same prefix(es), through all the paths) propagating to all the routers performing Feasible RPF checking. 8

More Relaxed Operational Recommendations (this draft) For multi-homed stub AS: MUST announce at least one origination prefix (exportable) to each transit provider AS For non-stub AS: The above recommendation applies Additionally, for the transit routes selected as best path, MUST announce at least one route for each unique {prefix, origin AS} pair to each transit provider 9

Implementation Considerations Existing RPF checks in edge routers take advantage of existing line card implementations to perform the RPF functions. For implementation of the proposed technique, the general necessary feature would be to extend the line cards to take arbitrary RPF lists that are not necessarily tied to the existing FIB contents. For example, in the proposed method, the RPF lists are constructed by applying a set of rules to all received BGP routes (not just those selected as best path and installed in FIB). Thanks to Jeff Haas for offering suggestions about implementation. 10

Summary The proposal adds better logic to feasible path urpf ISP might limit this kind of broader criterion for the feasible paths to customer interfaces only Implementation details are similar to those for the current feasible path method Proposed enhanced urpf method should help alleviate ISP s concern about customer service disruption 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback