MPLS-based Traffic Shunt

1
MPLS-based Traffic Shunt
NANOG28 Salt Lake City June 2003

• Yehuda Afek Riverhead Networks
• Roy Brooks Cisco Systems
• Nicolas Fischbach COLT Telecom

2
Credits

• Cisco Systems
• Paul Quinn
• COLT Telecom
• Andreas Friedrich, Marc Binderberger
• Riverhead Networks
• Anat Bremler-Barr, Boaz Elgar, Roi
  Hermoni

3
Sink Hole
61.1.1.1
Sink hole server
4
Traffic Shunt
61.1.1.1
Sink hole server
5
Applications

• Cleaning DDoS traffic
• Reverse proxy
• On-demand traffic analysis

6
Sink Hole Shunt

• Unidirectional Data in not out
• IP-based
• Blackholing DDoS, forensic
• CenterTrack Stone NANOG 17

• Bidirectional Data in, processed and out
• Tunnels GRE, IPIP, MPLS, L2TPv3
• DDoS cleaning
• Reverse proxy, traffic analysis
• Bellwether Hardie Wessels NANOG 19

7
Traffic Shunt
61.1.1.1
Careful setup required to prevent infinite loops
8
Traffic Shunt
Tunnels Peering - Sink
61.1.1.1
Returned traffic must not pass through a peering
router
9
Traffic Shunt
Tunnels Sink CPE router
61.1.1.1
10
Tunnels

• GRE/IPIP
• Cisco GSRs and Juniper routers require special
  interface cards
• Processing overhead
• MPLS
• Supported without any special interface
• No extra H/W
• From IOS-12.0(7)S and JunOS 5.3 and up

11
MPLS Shunt Requirements

• No dynamic configuration
• Only one-time set-up
• Minimum initial (static) configuration
• No need for sink hole router/device to speak MPLS
• But could!

12
Two MPLS methods

• Method 1 Pure MPLS using Proxy Egress LSP
• Penultimate hop popping
• RFC3031
• Method 2 MPLS VPN

13
Method 1 MPLS LSPs with Loopbacks
61.1.1.1
Sinkhole server
14
Method 1 MPLS LSP Proxy Egress
Loopback
LSP
IP a
Sink router
MPLS Table
In
Out
(2, untagged)
(4, 25)
LSP Proxy Egress
15
Method 1 MPLS LSP Proxy Egress
61.1.1.1
Penultimate Router
16
Actual Deployment
LONDONshow mpls forwarding-table
61.222.65.77 Local Outgoing Prefix
Bytes tag Outgoing Next Hop tag tag or
VC or Tunnel Id switched interface
503 560 61.222.65.77/32 0
PO11/0 point2point
FRANKFURTshow mpls forwarding-table labels 16
Local Outgoing Prefix Bytes tag
Outgoing Next Hop tag tag or VC or
Tunnel Id switched interface
16 Untagged 61.222.65.77/32 24831266
Gi6/0 61.44.88.111
17
Method 2 MPLS VPN - VRF
Sink ? CPE router
MP-BGP VPNv4
61.1.1.1
VRF interface to MPLS VPN
18
Method 2 MPLS VPN - VRF
Sink ? CPE router
61.1.1.1
CORE-2sh ip route vrf rx-monitor B
61.1.1.1 200/0 via 11.61.128.7,
000053 CORE-2sh ip cef vrf rx-monitor
61.1.1.1 fast tag rewrite with PO0/0,
point2point, tags imposed 45 118 via
11.61.128.7, 0 dependencies, recursive
19
Method 2 MPLS VPN - VRF
Sink ? CPE router
61.1.1.1
ip route vrf rx-monitor 61.1.1.1 255.255.255.255
14.0.1.2 global core-assh ip cef vrf rx-monitor
61.1.1.1 via 14.0.1.2, 0 dependencies,
recursive next hop 14.0.1.2, FastEthernet1/0
via 14.0.1.2/32 (Default) tag rewrite with
Fa1/0, 14.0.1.2, tags imposed
20
Method 2 MPLS VPN - VRF SELECT
Monitor the outgoing traffic
VRF SELECT interface to MPLS VPN
61.1.1.1
Sink Server
21
Methods Requirements

• Method 1 Pure MPLS Using Proxy Egress LSP
• IOS 12.0(17)ST
• JunOS 5.4
• Method 2 MPLS VPN
• VRF IOS12.0(11)ST
• VRF Select IOS12.0(22)S
• JunOS 5.3

22
Caveats

• Shunt
• DDoS or other traffic thru the backbone
• Latency (few extra hops)

• Proxy Egress LSP
• Peering router which is also an access router

• MPLS VPN
• Support availability

23
Advantages

• Not on the critical path
• Does not effect normal traffic
• No additional load on the routers
• LDP need to advertise only sink-hole loop-back
• Simple to deploy Scalable

24
What next? Distributed Sink Hole !
61.1.1.1
25
Thank you!
afek_at_riverhead.com rbrooks_at_cisco.com nicolas.fisc
hbach_at_colt.ch