BGP persistence

Page 1: BGP persistence

BGP flowspec phase 2: BGP persistence
Bertrand Duvivier ([email protected]), Sr Product Manager
September, 2014

Cisco Confidential © 2013 Cisco and/or its affiliates. All rights reserved.

Uploaded by bertrand-duvivier, posted 24-May-2015.

Page 2: BGP persistence

DDoS impact on customer business

[Chart: customer business under normal ("GOOD") conditions versus under DDoS]

Page 3: BGP persistence

DDoS impact on customer business

• Enterprise customers can’t defend themselves: when the DDoS hits the firewall, it’s already too late.

• An SP could protect enterprises by cleaning DDoS traffic at the ingress peering point.

• New revenue for the SP.

Page 4: BGP persistence

2014 DDoS trends (NANOG source)

• Any Internet Operator Can Be a Target for DDoS

Ideologically-motivated ‘Hacktivism’ and On-line vandalism DDoS attacks are the most commonly identified attack motivations

• Size and Scope of Attacks Continue to Grow at an Alarming Pace

High-bandwidth DDoS attacks are the ‘new normal’, as over 40% of respondents report attacks greater than 1 Gbps and 13% report attacks greater than 10 Gbps

Increased sophistication and complexity of layer-7 DDoS attacks, multi-vector DDoS attacks becoming more common

• IPv6 DDoS Attacks 'in the Wild' on Production Networks

https://www.nanog.org/sites/default/files/tuesday_general_sockrider_infrastructure_3.pdf

Page 5: BGP persistence

DDoS mitigation architecture, step 1: Detection (no DDoS)

Diagram components: DDoS scrubber, Security Controller, DDoS Analyser.

Sampled NetFlow is fed to the DDoS Analyser, which scans the NetFlow data to detect DDoS attacks.

Page 6: BGP persistence

DDoS mitigation architecture, step 2: Detection (DDoS)

Diagram components: DDoS scrubber, Security Controller, DDoS Analyser.

Sampled NetFlow is fed to the DDoS Analyser, which scans the NetFlow data and finds the DDoS signature.

Page 7: BGP persistence

DDoS mitigation architecture, step 3: Redirect traffic to the DDoS scrubber

Diagram components: DDoS scrubber, Security Controller, DDoS Analyser.

The DDoS Analyser scans the NetFlow data and finds the DDoS signature; a BGP flowspec rule is then pushed to the routers:
  Flow: DDoS flow
  Action: redirect to DDoS scrubber

Page 8: BGP persistence

Next-Gen BGP flowspec phase 1 is

• BGP flowspec baseline (RFC-5575)

• IPv6 support (draft-ietf-idr-flow-spec-v6)

• Flowspec origin check relax (draft-ietf-idr-bgp-flowspec-oid)

• Extra redirection options (draft-ietf-idr-flowspec-redirect-ip & draft-ietf-idr-flowspec-redirect-rt-bis)

• Internet in VPN use-case (Wireless SP)

• Optimized flow based forwarding plane.

• BGP FS client / route-reflector / controller

• IOS-XR 5.2.0: June 2014

XR 5.2.0

Page 9: BGP persistence

Next-Gen BGP flowspec phase 2 is

• BGP persistence (draft-uttaro-idr-bgp-persistence)

XR 5.2.2

Page 10: BGP persistence

BGP persistence

Problem we are trying to solve:

• BGP flowspec policies are distributed from the controller to the route-reflector, and then to all BGP flowspec clients (border routers or provider edges).

• If the route-reflector or the BGP flowspec controller dies, then, as the BGP standard requires, all its updates are withdrawn… and thus all the filters/policies protecting the network are dropped, opening the network to future DDoS attacks.

• BGP persistence allows a long-lived graceful restart; in other words, it keeps the filters/policies for a while. That could be hours or days, or until the route-reflector or controller comes back alive.

• The time is configurable per address family, and is supported for the IP, L3VPN and L2VPN address families.

Page 11: BGP persistence

User Interface - Configuration: configuring persistence on a neighbor AF

RP/0/RSP0/CPU0:RA03_R1#show run router bgp | be 3.3.3.3
 neighbor 3.3.3.3
  remote-as 30813
  update-source Loopback0
  graceful-restart stalepath-time 150
  address-family ipv4 unicast
   route-policy pass in
   route-policy pass out
  !
  address-family vpnv4 unicast
   route-policy pass in
   route-policy pass out
   long-lived-graceful-restart capable
   long-lived-graceful-restart stale-time send 16777215 accept 16777215
  !
  address-family vpnv6 unicast
   route-policy pass in
   route-policy pass out
   long-lived-graceful-restart capable
   long-lived-graceful-restart stale-time send 16777215 accept 16777215

The stale-time is in seconds: 16777215 s = 194 days.
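To make the behaviour on pages 10 and 11 concrete, here is an added model (not Cisco's code and not from the slides) of what a flowspec client keeps after its route-reflector dies, with and without LLGR on an address family. It assumes the LLGR stale timer is counted from the end of the classic GR stale-path timer, and that the effective LLGR time is the smaller of what the peer advertises and what the local `accept` value allows; the peer, rules and prefixes are constructed sample data.

```python
"""Model of GR + LLGR (BGP persistence) stale-route retention on a flowspec client."""
from dataclasses import dataclass
from typing import Dict, List

LLGR_MAX_STALE = 16777215   # largest value of the 24-bit LLGR stale-time field (~194 days)

@dataclass
class Peer:
    gr_stalepath_time: int                 # classic GR: seconds stale paths are kept
    llgr_advertised: Dict[str, int]        # AF -> stale time the peer sent in its capability
    llgr_accept: Dict[str, int]            # AF -> maximum stale time we accept (local "accept")

@dataclass
class FlowspecRule:
    af: str
    match: str
    action: str

def effective_stale_time(peer: Peer, af: str) -> int:
    """Seconds a rule learned from `peer` in `af` survives after the session dies.
    Assumption: LLGR time is added after the GR stale-path time expires."""
    adv = peer.llgr_advertised.get(af)
    if adv is None:                        # LLGR not negotiated for this AF: GR only
        return peer.gr_stalepath_time
    llgr = min(adv, peer.llgr_accept.get(af, 0), LLGR_MAX_STALE)
    return peer.gr_stalepath_time + llgr

def rules_after_outage(peer: Peer, rules: List[FlowspecRule], outage_seconds: int) -> List[FlowspecRule]:
    """Rules still installed `outage_seconds` after the route-reflector/controller went down."""
    return [r for r in rules if outage_seconds < effective_stale_time(peer, r.af)]

# Constructed sample peer mirroring the slide config: LLGR on vpnv4/vpnv6 only, not on ipv4 unicast
SLIDE_PEER = Peer(
    gr_stalepath_time=150,
    llgr_advertised={"vpnv4": LLGR_MAX_STALE, "vpnv6": LLGR_MAX_STALE},
    llgr_accept={"vpnv4": LLGR_MAX_STALE, "vpnv6": LLGR_MAX_STALE},
)
# Constructed sample flowspec rules (documentation prefixes)
SAMPLE_RULES = [
    FlowspecRule("ipv4", "dst 198.51.100.7/32 proto 17 dport 123", "redirect to DDoS scrubber"),
    FlowspecRule("vpnv4", "dst 203.0.113.9/32 proto 17 dport 53", "redirect to DDoS scrubber"),
]

if __name__ == "__main__":
    for t in (60, 600, 86400):
        kept = [r.af for r in rules_after_outage(SLIDE_PEER, SAMPLE_RULES, t)]
        print(f"{t:>6}s after RR failure, rules kept in AFs: {kept}")
```

The ipv4 unicast rule disappears 150 s after the reflector dies, while the vpnv4 rule persists for the full LLGR time, which is the gap the slide's per-AF configuration is meant to close.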

Page 12: BGP persistence

Question: [email protected]

Page 13: BGP persistence

Thank you.