IS-IS Extensions for Flow Specification



Similar documents
Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio May 2013

MPLS Layer 3 and Layer 2 VPNs over an IP only Core. Rahul Aggarwal Juniper Networks. rahul@juniper.net

Scalable DDoS mitigation using BGP Flowspec

Introduction Inter-AS L3VPN

Enterprise Network Simulation Using MPLS- BGP

The Complete IS-IS Routing Protocol

MPLS VPN Services. PW, VPLS and BGP MPLS/IP VPNs

Introducing Basic MPLS Concepts

MPLS VPN over mgre. Finding Feature Information. Prerequisites for MPLS VPN over mgre

Tackling the Challenges of MPLS VPN Testing. Todd Law Product Manager Advanced Networks Division

IPv6 over IPv4/MPLS Networks: The 6PE approach

Overlay Networks and Tunneling Reading: 4.5, 9.4

IP/MPLS-Based VPNs Layer-3 vs. Layer-2

White Paper. Cisco MPLS based VPNs: Equivalent to the security of Frame Relay and ATM. March 30, 2001

Moonv6 Test Suite. MPLS Provider Edge Router (6PE) Interoperablility Test Suite. Technical Document. Revision 0.1

SEC , Cisco Systems, Inc. All rights reserved.

Implementing MPLS VPN in Provider's IP Backbone Luyuan Fang AT&T

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.

UNDERSTANDING JUNOS OS NEXT-GENERATION MULTICAST VPNS

Building MPLS VPNs with QoS Routing Capability i

RFC 2547bis: BGP/MPLS VPN Fundamentals

Inter-domain Routing. Outline. Border Gateway Protocol

Virtual Private Networks. Juha Heinänen Song Networks

Implementing VPN over MPLS

For internal circulation of BSNLonly

PRASAD ATHUKURI Sreekavitha engineering info technology,kammam

MP PLS VPN MPLS VPN. Prepared by Eng. Hussein M. Harb

MPLS VPN. Agenda. MP-BGP VPN Overview MPLS VPN Architecture MPLS VPN Basic VPNs MPLS VPN Complex VPNs MPLS VPN Configuration (Cisco) L86 - MPLS VPN

--BGP 4 White Paper Ver BGP-4 in Vanguard Routers

Quidway MPLS VPN Solution for Financial Networks

How To Protect Your Network From Attack

Configuring MPLS Hub-and-Spoke Layer 3 VPNs

MPLS/BGP Network Simulation Techniques for Business Enterprise Networks

To Add Paths or not to Add Paths

DD2491 p BGP-MPLS VPNs. Olof Hagsand KTH/CSC

Analyzing Capabilities of Commercial and Open-Source Routers to Implement Atomic BGP

Versatile Routing and Services with BGP. Understanding and Implementing BGP in SR-OS

Introduction to MPLS-based VPNs

KT The Value Networking Company

Addressing Inter Provider Connections With MPLS-ICI

How To Make A Network Secure

MPLS Security Considerations

Firewall-on-Demand. GRNET s approach to advanced network security services management via bgp flow-spec and NETCONF. Leonidas Poulopoulos

How Routers Forward Packets

Attacks Against the Cloud: A Mitigation Strategy. Cloud Attack Mitigation & Firewall on Demand

Cisco Network Foundation Protection Overview

WHITE PAPER. Addressing Inter Provider Connections with MPLS-ICI CONTENTS: Introduction. IP/MPLS Forum White Paper. January Introduction...

MPLS over Various IP Tunnels. W. Mark Townsley

F5 Silverline DDoS Protection Onboarding: Technical Note

Exterior Gateway Protocols (BGP)

BGP Terminology, Concepts, and Operation. Chapter , Cisco Systems, Inc. All rights reserved. Cisco Public

WHITE PAPER. Understanding IP Addressing: Everything You Ever Wanted To Know

MPLS VPN Security BRKSEC-2145

Why Is MPLS VPN Security Important?

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

Transition to IPv6 in Service Providers

BGP Routing. Course Description. Students Will Learn. Target Audience. Hands-On

DESTINATION BASED RTBH FILTERING AT ATTACK ORIGINATING INTERNET SERVICE PROVIDER

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Network Security. Routing and Firewalls. Radboud University Nijmegen, The Netherlands. Autumn 2014

MPLS VPN Security in Service Provider Networks. Peter Tomsu Michael Behringer Monique Morrow

MPLS-based Virtual Private Network (MPLS VPN) The VPN usually belongs to one company and has several sites interconnected across the common service

ETHERNET VPN (EVPN) NEXT-GENERATION VPN FOR ETHERNET SERVICES

FLAG s IPv6 Implementation

Inter-Autonomous Systems for MPLS VPNs

Security of the MPLS Architecture

HP Networking BGP and MPLS technology training

Regaining MPLS VPN WAN Visibility with Route Analytics. Seeing through the MPLS VPN Cloud

802.1Qbv: Dynamic Configuration of Scheduling Windows

Chapter 3 LAN Configuration

Computer Networks. Introduc)on to Naming, Addressing, and Rou)ng. Week 09. College of Information Science and Engineering Ritsumeikan University

MPLS WAN Explorer. Enterprise Network Management Visibility through the MPLS VPN Cloud

Internet Addresses (You should read Chapter 4 in Forouzan)

BGP overview BGP operations BGP messages BGP decision algorithm BGP states

Inter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to:

Introduction to ISIS. ISP/IXP Workshops

How To Understand Bg

Junos MPLS and VPNs (JMV)

NETWORK TO NETWORK INTERFACE PLAN

Increasing Path Diversity using Route Reflector

NetFlow & BGP multi-path: quo vadis?

MPLS Basics. For details about MPLS architecture, refer to RFC 3031 Multiprotocol Label Switching Architecture.

Introduction to Routing

Active measurements: networks. Prof. Anja Feldmann, Ph.D. Dr. Nikolaos Chatzis Georgios Smaragdakis, Ph.D.

Implementing Cisco MPLS

MPLS VPNs: Layer 2 or Layer 3? Understanding the Choice

How Cisco IT Protects Against Distributed Denial of Service Attacks

State of Texas. TEX-AN Next Generation. NNI Plan

CGN Deployment with MPLS/VPNs

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Routing in Small Networks. Internet Routing Overview. Agenda. Routing in Large Networks

Transcription:

IS-IS Extensions for Flow Specification draft-you-isis-flowspec-extensions-01 Jianjie You (youjianjie@huawei.com) Qiandeng Liang (liangqiandeng@huawei.com) Keyur Patel (keyupate@cisco.com) Peng Fan (fanpeng@chinamobile.com)

Motivation FlowSpec rules are used to distribute traffic filtering rules that are used to filter Denial-of-Service (DoS) attacks. For the networks only deploying IGP (Interior Gateway Protocol) (e.g. IS-IS), it is expected to extend IGP to distribute FlowSpec info. The IS-IS FlowSpec extensions defined in this document can be used to mitigate the impacts of DoS attacks. 2

Use Case Campus Network +--------+ Traffic +---+Analyzer +--------+ FlowSpec +--+-------+ +----------+ +--------+ Router A +-----------+ Router B +--------+Attacker +----------+ +----------+ +--------+ IS-IS FlowSpec Attack Traffic For networks not deploying BGP, for example, the campus network using IS-IS, it is expected to extend IS-IS to distribute FlowSpec rules as shown in Figure 1. 3

Use Case BGP/MPLS VPN (1) +--------+ Traffic +---+Analyzer ----------- +--------+ //- -\\ /// \\\ FlowSpec / \ // \\ +--+--+ +-----+ +-----+ +--------+ PE1 +-------+ PE2 +-------+--+ CE2 +-------+Attacker +-----+ +-----+ +-----+ +--------+ BGP FlowSpec IS-IS FlowSpec Attack Traffic \\ // \ / \\\ VPN1 /// \\-- --// --------- The traffic analyzer (also acting as the traffic policy center) could be deployed in the provider network as shown in Figure 2. If the traffic analyzer detects attack traffic from the customer network VPN1, it would generate the FlowSpec rules for preventing DoS attacks. 4

Use Case BGP/MPLS VPN (2) +--------+ Traffic +---+Analyzer +--------+ -------- //-- --\\ FlowSpec // \\ / \ // \\ +--+--+ +-----+ +-----+ +-----+ +--------+ CE1 +--------+ PE1 +-------+ PE2 +--------+-+ CE2 +-------+Attacker +-----+ +-----+ +-----+ +-----+ +--------+ IS-IS FlowSpec BGP FlowSpec IS-IS FlowSpec Attack Traffic \\ // \ VPN1 Site1 / \\ // \\-- --// -------- The traffic analyzer (also acting as the traffic policy center) could be deployed in the customer network as shown in Figure 3. If the traffic analyzer detects attack traffic, it would generate FlowSpec rules to prevent associated DoS attacks. 5

IS-IS Extensions for FlowSpec This document defines a new IS-IS TLV, i.e. the FlowSpec reachability TLV (TLV type: TBD1), which would be carried in an LSP (Link State Protocol) Data Unit [ISO-10589], to describe the FlowSpec rules. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type (TBD1) Length Flags +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Length 1 FlowSpec Entry 1 (variable) +-+-+-+-+-+-+-+-+ + ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Length 2 FlowSpec Entry 2 (variable) +-+-+-+-+-+-+-+-+ + ~ ~ + + Flags: One octet Field identifying Flags. The least significant bit L is defined as a Leaking enable bit. If set, the FlowSpec Reachability TLV SHOULD be flooded across the entire routing domain. If the L flag is not set, the FlowSpec Reachability TLV MUST NOT be leaked between levels. FlowSpec Entry: Each FlowSpec entry consists of FlowSpec filters (FlowSpec filters sub-tlvs) and corresponding FlowSpec actions (FlowSpec Action sub-tlvs). 6

IS-IS Extensions for FlowSpec: FlowSpec Filters sub-tlv The FlowSpec Reachability TLV carries one or more FlowSpec entries. Each FlowSpec entry consists of FlowSpec filters (FlowSpec filters sub-tlvs) and corresponding FlowSpec actions (FlowSpec Action sub-tlvs). 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type(TBD2/TBD3) Length +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Flags +-+-+-+-+-+-+-+-+ + ~ Filters (variable) ~ + +... Flags: One octet Field identifying Flags. The least significant bit S is defined as a strict filter check bit. If set, strict validation rules outlined in the validation section (Section 4.1.2) need to be enforced. Filters: the same as flow-spec NLRI value defined in [RFC5575] and [I-D.ietf-idr-flowspec-v6]. Type: the TLV type (TBD2 for IPv4 FlowSpec filters, TBD3 for IPv6 FlowSpec filters) 7

IS-IS Extensions for FlowSpec: FlowSpec Action sub-tlv There are one or more FlowSpec Action TLVs associated with a FlowSpec Filters TLV. Different FlowSpec Filters TLV could have the same FlowSpec Action TLVs. Table 2: Traffic Filtering Actions in [RFC5575], etc. +-------+-----------------+---------------------------------------+ type FlowSpec Action RFC/WG draft +-------+-----------------+---------------------------------------+ 0x8006 traffic-rate RFC5575 0x8007 traffic-action RFC5575 0x8108 redirect-to-ipv4 I-D.ietf-idr-flowspec-redirect-rt-bis 0x800b redirect-to-ipv6 I-D.ietf-idr-flow-spec-v6 0x8009 traffic-marking RFC5575 +-------+-----------------+---------------------------------------+ 8

Next Step This document proposes to extend IS-IS to support FlowSpec. It is an equivalent draft to https://tools.ietf.org/html/draft-ietf-ospf-flowspecextensions-00 Accepted as WG doc? 9

Thank You!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information