netsec-sig - RE: [Security-WG] I2 - Rate Limiting BGP Draft
Subject: Internet2 Network Security SIG
List archive
- From: Michael Hare <>
- To: "" <>
- Subject: RE: [Security-WG] I2 - Rate Limiting BGP Draft
- Date: Thu, 27 Apr 2017 15:33:05 +0000
- Accept-language: en-US
- Ironport-phdr: 9a23:U2mJChWb0357zfNrZYtzTvd3+YvV8LGtZVwlr6E/grcLSJyIuqrYbROEt8tkgFKBZ4jH8fUM07OQ6PG+HzBeqsbe+Fk5M7V0HycfjssXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6KfroEYDOkcu3y/qy+5rOaAlUmTaxe71/IRG3oAnLucQbgIRuJ6UzxxDUvnZGZuNayH9yK1mOhRj8/MCw/JBi8yRUpf0s8tNLXLv5caolU7FWFSwqPG8p6sLlsxnDVhaP6WAHUmoKiBpIAhPK4w/8U5zsryb1rOt92C2dPc3rUbA5XCmp4ql3RBP0jioMKjg0+3zVhMNtlqJWuByvqRxizYHWYYGbKvlwfr/Tfd4BX2VNQtpdVyhdDo+gbYYCCfcKM+ZCr4n6olsDtRywBQiwC+Pv0DBHmHv21rA43es7CwHJwhErEtULsHTVsNr1NL0dXv6xzKXSzTXMdelW1inm5YnGcxAhuu2DUahufsXM1EkiDgXIhUiep4ziOjOazOUNs26D4upiSOKvjW8nqxlvrTi13MssjJfGhp4NxlDZ+yR524Y0JcaiRE59f9GkDINctyCCN4dsTMMiQnlkuCc8yr0ap5G7Zi4Kx4o7xxLBcfCIbZWH4g/7WOmKOzd4g25qd6iiiBms60Sv1ur8Vsys3FlWrypFicXDtncX2xPP7ciHT/1w9Vqi1zaXzw3f9+5JLE8umaffNZIt2KM8m54RvEjZACP6hlv6gLeLekgr9eWk8eDqbqv8qpKdNYJ4kADzP6c2lsChHeg1MBICUmea9OimybHu/EP0TK9XgvA2lKTSrYrUKt4BpqGjBg9YyoYj5Ai7DzehyNkYhnwHLE5deB2dkojpJ1HOLO7iAfaxglSsiytkx/XcMb3gBpXBNHbCkLb6fblh8UJT1hc8zc1H65JVDLEOPu7zV1fsuNHXARI1KQi5z/j9BNlg0o4TW3iDDrGHPK/MqVOI4/ggI+iIZI8bojb9LP0l6ubrjX84hVAdfbOm0oUTaHyiHvRpOV+ZbmT3j9YPEGcKpRYxQPb0h1KfTD5ff2yyUL4k5jEnFIKmCp/ORpuzj7OdwSe7BJxWZnxGC1yVH3boeJ6JW/MNaCKJPs9hiSIIWaKgS48nyRGhqhX6y7x5IerI5CEUr4zs28Vo576bqRZnvyd5BNmH0n2cCn57tmIOWzIs2q1j+wpwxkrJmfxjjvdFD91P9rZWXS87M4LR1ep3F4q0Vw7cKISnUlGjF/CnCjE4Q9Z549YUbg4pHtSpjhnO22yqCqUYv6OKH5dy/67BiSuib/1hwmrLgfFyx2ItRdFCYDWr
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
If running JunOS I'd personally advise against the JunOS lo0 filter policer approach mentioned below [just the policer part, the prefix-list approach is spot
on]. Using that approach a single looped peer will cause packet loss on your iBGP sessions. In our small network (AS3128) our DFZ speakers commonly see bursts above 1Mbps. graph: https://stats.uwsys.net/cgi-bin/genstatspage.fcgi?end_time=4%2F27%2F2017&rrdfunc=MAX&rrdlist=b796b317137b5a50630bed554a333b70&stack=2&stack_by=Everything&start_time=1%2F1%2F2017&time=CUSTOM Juniper's ddos-protection features are probably where best to focus efforts in that it has the ability to automatically police (or drop) effectively on an IFL
basis. The ddos-protection subsystem has the added benefit of supporting PPS whereas JunOS firewall filters do not support PPS filtering until 16.X. In addition to looking at the O Reilly Juniper MX Series v2 book I recommend Saku Ytti's many public postings on this topic with the following being a good (technical)
entry. He explains well the problem/limitations of the ddos-protection subsystem including it's flow based tracking. http://blog.ip.fi/2014/03/quick-look-at-trio-ddos-protection-with.html I took Saku's approach to heart, stored "show ddos-protection protocols statistics" max arrival, drop pps and current pps into RRD file and set values on our
systems after collecting data for a few months. I'd be happy to share our settings but they cannot be deployed blindly on any other production network. In short I have many stanzas hand tuned, and they look like this.
m7h@r-uwmadison-hub-re0# show groups sync_ddos-protection-mx2010 system ddos-protection protocols bgp
aggregate { bandwidth 5000; burst 500; flow-level-bandwidth { logical-interface XXXX; } flow-level-detection { subscriber off; logical-interface on; } } -Michael
From: [mailto:]
On Behalf Of gcbrowni Folks, Here’s the latest draft, on Rate-Limiting BGP. I also included a little information on the DDOS protections the platforms have built in. The comments about it being more trouble than its worth, especially in light of targeted BGP-speaker ACL’s, border spoofing protections, and GTSM, resonated a lot as I wrote this. As always, I appreciate you comments, -G Rate-limiting, in the context RFC 7454, is discussed in the context of protecting the RE from BGP events received at a high rate. The goal
being the protection of the control plane of the router and not letting "bad" control traffic impact your desired BGP updates. The RFC also points to RFC 6954 for more information on general control plane protections, but in the words of the RFC:
The topic contains significant complexity. Setting the limit too low may impact convergence and stability. Setting the limits too high can effectively eliminates the benefits. Complicating
this is a lack of good material on what effective settings, or guidelines in general. In other words, while there is academic agreement that this should be an effective tool, pragmatically there is little advice available on what settings to use in which situations.
If a device is already blocking unauthorized BGP speakers, say through the use of a dynamic filter, in combination with other techniques such as GTSM and internal border spoofing protections,
then the issue may be moot as the other techniques offer significantly more protections. Newer router code from vendors also includes some protection schemes, on by default, that help protect the control plane from becoming overloaded.
Juniper Example
A Juniper example follows. A term is defined in the loopback ingress filter that allows specifies that only certain traffic types from BGP peers (and MSDP peers in this case) through
at a 500k drop limit, which is defined in a separately configured policer policy. Note that the 500k limit is only a placeholder; there's no assertion that this is the correct setting.
Juniper has an entire series of articles available that details the (default) internal DDOS protections for their RE's. It's worth becoming familiar with the default RE protections
Juniper provides. It is at:
Cisco Example
The Cisco example uses IOS-XR for Local Packet Transport Services. Hardware policers on the line cards limit traffic sent up the stack. Packets per second are defined for three types
of BGP traffic. bgp-cfg-peer are new sessions and sessions that are not yet 'Established.' bgp-know are established sessions and bgp-default is the 'default' entry for bgp traffic; things not falling in to other buckets, etc.
Cisco has a feature set called Control Plane Policing, or COPP, as well as Control Plane Protection, CPPr.
There are also articles about LPTS, such as:
Cisco has several good summary article of DDOS that describes various DDOS and protection techniques.
http://www.cisco.com/c/en/us/about/security-center/guide-ddos-defense.html
http://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html
Brocade Example
Brocade has a variety of solutions for filtering traffic via ACL's to the local CPU, as well as protecting the CPU from various Layer-2 events, but it has no specific abilities with
regard to BGP rates. There are some built in protections against SMURF and TCP SYN attacks. |
- [Security-WG] I2 - Rate Limiting BGP Draft, gcbrowni, 04/27/2017
- Re: [Security-WG] I2 - Rate Limiting BGP Draft, Brad Fleming, 04/27/2017
- RE: [Security-WG] I2 - Rate Limiting BGP Draft, Michael Hare, 04/27/2017
- Re: [Security-WG] I2 - Rate Limiting BGP Draft, gcbrowni, 04/28/2017
- RE: [Security-WG] I2 - Rate Limiting BGP Draft, Michael Hare, 04/30/2017
- RE: [Security-WG] I2 - Rate Limiting BGP Draft, Garrett, Seth B, 04/30/2017
- RE: [Security-WG] I2 - Rate Limiting BGP Draft, Michael Hare, 04/30/2017
- Re: [Security-WG] I2 - Rate Limiting BGP Draft, gcbrowni, 04/28/2017
Archive powered by MHonArc 2.6.19.