Slide 1: MPLS-based Traffic Shunt

Yehuda Afek – Riverhead Networks
Roy Brooks – Cisco Systems
Nicolas Fischbach – COLT Telecom

NANOG28, Salt Lake City, June 2003

Slide 2: Credits

• Cisco Systems: Paul Quinn
• COLT Telecom: Andreas Friedrich, Marc Binderberger
• Riverhead Networks: Anat Bremler-Barr, Boaz Elgar, Roi Hermoni

Slide 3: Sink Hole

(Diagram: the sink hole server announces 61.1.1.1 ("Announce: 61.1.1.1 -> Sink Hole"), so traffic for that address is attracted to the sink hole server.)

Slide 4: Traffic Shunt

(Diagram: traffic for 61.1.1.1 is diverted through the sink hole server.)

Slide 5: Applications

• Cleaning DDoS traffic
• Reverse proxy
• On-demand traffic analysis

Slide 6: Sink Hole Shunt

Unidirectional: data in and not out
• IP-based
• Blackholing DDoS, forensics
• CenterTrack [Stone, NANOG 17]

Bidirectional: data in, processed, and out
• Tunnels: GRE, IPIP, MPLS, L2TPv3
• DDoS cleaning
• Reverse proxy, traffic analysis
• Bellwether [Hardie, Wessels, NANOG 19]

Slide 7: Traffic Shunt

(Diagram: traffic for 61.1.1.1 diverted to the sink and returned.)

Careful setup is required to prevent infinite loops.

Slide 8: Traffic Shunt, Tunnels: Peering - Sink

(Diagram: tunnel from the peering router to the sink; traffic for 61.1.1.1.)

Returned traffic must not pass through a peering router.

Slide 9: Traffic Shunt, Tunnels: Sink – CPE router

(Diagram: tunnel from the sink back to the CPE router; traffic for 61.1.1.1.)

Slide 10: Tunnels

GRE/IPIP
• Cisco GSRs and Juniper routers require special interface cards
• Processing overhead

MPLS
• Supported without any special interface, no extra H/W
• From IOS 12.0(7)S and JunOS 5.3 and up

Slide 11: MPLS Shunt: Requirements

• No dynamic configuration: only one-time set-up
• Minimum initial (static) configuration
• No need for the sink hole router/device to speak MPLS (but it could!)

Slide 12: Two MPLS methods

• Method #1: Pure MPLS using Proxy Egress LSP, penultimate hop popping (RFC 3031)
• Method #2: MPLS VPN

Slide 13: Method 1: MPLS LSPs with Loopbacks

(Diagram: LSPs through the backbone to the sinkhole server; traffic for 61.1.1.1.)

Slide 14: Method 1: MPLS LSP Proxy Egress

(Diagram: an LSP from the peering router to a loopback (IP: a) on the sink router. Each router's MPLS table is drawn as In/Out (interface, label) entries; the labels along the path are 42, 25 and 3, and the final entry is untagged. iBGP sets the loopback as the next hop for the shunted prefix, the penultimate router pops the label, and the sink router does a plain IP lookup. Diagram labels: LSP, LSP Proxy Egress, Loopback, Sink router, iBGP, IP Lookup, Penultimate Router.)

Slide 15: Method 1: MPLS LSP Proxy Egress

(Diagram: traffic for 61.1.1.1 carried over the LSP; penultimate router; iBGP.)
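Method 1 walked through in code, as an added example that is not part of the deck: a constructed four-router path in which the sink router's loopback is the iBGP next hop for 61.1.1.1, the LSP labels 42 and 25 are made-up values, and the penultimate router pops the label (implicit-null, reserved label 3) so that the sink router receives plain IP and needs no MPLS at all, which is the point made on the requirements slide.

```python
IMPLICIT_NULL = 3   # reserved label: tells the upstream LSR to pop, not swap (PHP)

# Constructed topology for this example (router names, interfaces and labels
# are assumptions). 'fib': destination -> (next hop, label to push or None);
# 'lfib': incoming label -> (next hop, outgoing label).
ROUTERS = {
    # peering (ingress) router: iBGP says the next hop for 61.1.1.1 is the sink
    # router's loopback, and the LSP towards that loopback starts with label 42
    "PEERING": {"fib": {"61.1.1.1": ("CORE-1", 42)}, "lfib": {}},
    "CORE-1": {"fib": {}, "lfib": {42: ("CORE-2", 25)}},               # swap 42 -> 25
    "CORE-2": {"fib": {}, "lfib": {25: ("SINK-RTR", IMPLICIT_NULL)}},  # penultimate: pop
    # the sink router has no LFIB: it gets an unlabelled packet and does an IP lookup
    "SINK-RTR": {"fib": {"61.1.1.1": ("SINK-SERVER", None)}, "lfib": {}},
    "SINK-SERVER": {"fib": {}, "lfib": {}},
}


def forward(dst, start="PEERING", max_hops=8):
    """Return the hops a packet to dst takes, as (router, label stack on arrival)."""
    node, stack, trace = start, [], []
    while node != "SINK-SERVER":
        trace.append((node, list(stack)))
        if len(trace) > max_hops:   # guard against the loops the deck warns about
            raise RuntimeError("forwarding loop: %s" % [r for r, _ in trace])
        router = ROUTERS[node]
        if stack:                                   # labelled packet: LFIB lookup
            nh, out_label = router["lfib"][stack[-1]]
            if out_label == IMPLICIT_NULL:
                stack.pop()                         # penultimate hop popping
            else:
                stack[-1] = out_label               # ordinary label swap
        else:                                       # IP packet: FIB lookup
            nh, push = router["fib"][dst]
            if push is not None:
                stack.append(push)                  # label imposition at ingress
        node = nh
    trace.append((node, list(stack)))
    return trace


def shunt_path(dst="61.1.1.1"):
    """Router names visited from the peering router to the sink server."""
    return [router for router, _ in forward(dst)]


if __name__ == "__main__":
    for router, labels in forward("61.1.1.1"):
        print("%-12s label stack on arrival: %s" % (router, labels or "none (IP)"))
```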

Slide 16: Actual Deployment

FRANKFURT#show mpls forwarding-table labels 16
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    61.222.65.77/32   24831266   Gi6/0      61.44.88.111

LONDON#show mpls forwarding-table 61.222.65.77
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
503    560         61.222.65.77/32   0          PO11/0     point2point

Slide 17: Method 2: MPLS VPN - VRF

(Diagram: sink CPE router with a VRF interface to the MPLS VPN; 61.1.1.1 is advertised. Diagram labels: Advertise 61.1.1.1, MP-BGP VPNv4, iBGP IPv4.)

Slide 18: Method 2: MPLS VPN - VRF

(Diagram: sink CPE router; traffic for 61.1.1.1; iBGP IPv4.)

CORE-2#sh ip route vrf rx-monitor
B    61.1.1.1 [200/0] via 11.61.128.7, 00:00:53

CORE-2#sh ip cef vrf rx-monitor 61.1.1.1
  fast tag rewrite with PO0/0, point2point, tags imposed {45 118}
  via 11.61.128.7, 0 dependencies, recursive

Slide 19: Method 2: MPLS VPN - VRF

(Diagram: sink CPE router; traffic for 61.1.1.1; iBGP IPv4.)

ip route vrf rx-monitor 61.1.1.1 255.255.255.255 14.0.1.2 global

core-as#sh ip cef vrf rx-monitor 61.1.1.1
  via 14.0.1.2, 0 dependencies, recursive
    next hop 14.0.1.2, FastEthernet1/0 via 14.0.1.2/32 (Default)
    tag rewrite with Fa1/0, 14.0.1.2, tags imposed {}

Slide 20: Method 2: MPLS VPN - VRF SELECT

(Diagram: VRF SELECT interface to the MPLS VPN; sink server; traffic from 61.1.1.1.)

Monitor the outgoing traffic:

ip vrf receive tx-monitor
vrf selection source 61.1.1.1 255.255.255.255 vrf tx-monitor
!
interface GigabitEthernet5/0
 ip vrf select source
 ip address 14.0.1.2 255.255.255.252

Slide 21: Methods Requirements

• Method #1: Pure MPLS using Proxy Egress LSP: IOS 12.0(17)ST, JunOS 5.4
• Method #2: MPLS VPN
  – VRF: IOS 12.0(11)ST
  – VRF Select: IOS 12.0(22)S, JunOS 5.3

Slide 22: Caveats

• MPLS VPN: support and availability
• Proxy Egress LSP: a peering router which is also an access router
• Shunt: DDoS or other traffic is carried through the backbone; latency (a few extra hops)

Slide 23: Advantages

• Not on the critical path
• Does not affect normal traffic
• No additional load on the routers
• LDP needs to advertise only the sink-hole loopback
• Simple to deploy and scalable

Slide 24: What next? Distributed Sink Hole!

(Diagram: traffic for 61.1.1.1 shunted to distributed sink holes.)