Prevent DoS attacks on MPLS VPN common services
From CT3
By Joe Cozzupoli and Ivan Pepelnjak
| Business issue | Customer sites connected to common services through an MPLS VPN network can launch DoS flooding attacks toward the central servers. The Service Provider would like to prevent these attacks as one of the measures to ensure high service availability. |
| Technical problem | It’s hard to limit per-customer-site traffic entering the central services segment on the PE-router; it’s much easier to limit ingress traffic from the customer site. However, the mechanism used on the PE-CE link should be scalable and must not require site-specific access lists that would have to be modified whenever the central services addressing changes. |
| Solution | QoS Policy Propagation with BGP (QPPB) can be used to classify ingress traffic on the PE-CE VRF link. Once the traffic toward the common services segment is classified, modular QoS (MQC) policies can be used to rate-limit it. |
QPPB limitations
The following limitations apply to QPPB used in an MPLS VPN environment:
- QPPB can only classify CEF-switched IP packets. It can thus only be used on ingress traffic entering the PE-router through a PE-CE interface. Egress (PE-to-CE) MPLS VPN traffic is label-switched and therefore not classified by QPPB.
- QPPB can also be used on ingress interfaces of Inter-AS option-A links (autonomous systems linked with back-to-back VRF interfaces, one per VPN), but not when option-B or option-C is used (these options use label switching between the ASBR PE-routers).
- QPPB was developed before MPLS VPN functionality and its route-map processing was never upgraded to support extended BGP communities. The match extcommunity statement cannot be used in the route-map referenced by the table-map BGP router configuration command; you have to use standard BGP communities.
Configure QPPB in an MPLS VPN environment
To configure QPPB in an MPLS VPN environment, perform the following steps:
- Configure propagation of standard BGP communities between the PE-routers in the VPNv4 address family.
- Mark the target networks with BGP communities when inserting them into the VPNv4 BGP table on the egress PE-router.
- Configure a QPPB route-map that sets QoS groups based on BGP attributes on the ingress PE-router.
- Apply the QPPB route-map to BGP routes in the individual VRFs.
- Configure ingress QPPB on the VRF interfaces.
- Configure MQC class maps and policy maps.
- Apply the inbound MQC service policy to the VRF interfaces.
Sample network
A simple MPLS VPN network with two PE-routers and two sites (see Figure 1) was used to test the QPPB functionality. Site-A is the common services site that will be protected with the help of QPPB; Site-B is a customer site. The detailed router configurations can be found in the Complete router configurations section.
Configuring DoS attack prevention for MPLS VPN common services
The following changes have been made to the simple site-to-site MPLS VPN setup to implement QPPB-based DoS attack prevention.
Configure standard BGP community propagation
PE-A
```
router bgp 65000
 address-family vpnv4
  neighbor 10.0.1.2 activate
  neighbor 10.0.1.2 send-community both
 exit-address-family
```
PE-B
```
router bgp 65000
 address-family vpnv4
  neighbor 10.0.1.1 activate
  neighbor 10.0.1.1 send-community both
 exit-address-family
```
Mark target networks with BGP communities
PE-A
```
vrf definition Cust_A
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 !
 address-family ipv4
 exit-address-family
!
router bgp 65000
 address-family ipv4 vrf Cust_A
  no synchronization
  redistribute ospf 1 vrf Cust_A match internal external 1 external 2 route-map IntoVPNv4
 exit-address-family
!
ip bgp-community new-format
!
ip prefix-list Loopbacks seq 5 permit 0.0.0.0/0 ge 32
!
route-map IntoVPNv4 permit 10
 match ip address prefix-list Loopbacks
 set community 65000:100 additive
!
route-map IntoVPNv4 permit 20
```
Configure QPPB route-map
PE-B
```
ip bgp-community new-format
ip community-list standard QPPB_S permit 65000:100
!
route-map QPPB permit 20
 match community QPPB_S
 set ip qos-group 5
```
Apply QPPB route-map to VRF BGP routes
PE-B
```
router bgp 65000
 address-family ipv4 vrf Cust_A
  no synchronization
  table-map QPPB
```
Configure ingress QPPB on VRF interfaces
PE-B
```
interface Serial1/4
 description Link to Site-A(ROUTER) s1/0
 vrf forwarding Cust_A
 bgp-policy destination ip-qos-map
```
Configure MQC class maps and policy maps
PE-B
```
class-map match-all Q5
 match qos-group 5
!
policy-map QPPB
 class Q5
  police 128000
 class class-default
  set ip dscp default
```
Apply inbound MQC service policy to VRF interfaces
PE-B
```
interface Serial1/4
 description Link to Site-A(ROUTER) s1/0
 service-policy input QPPB
```
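The classification chain configured in the steps above, emulated in Python as an added example (not code from the article or from Cisco IOS): routes carrying community 65000:100 receive qos-group 5 through the table-map, the destination lookup on the VRF interface copies that qos-group onto each packet, and class Q5 polices it while class-default only resets DSCP. The routes, the packet trace and the burst size BURST_BYTES are constructed assumptions; the emulation also makes visible that, because prefix-list Loopbacks matches only /32 routes, a flood toward the Site-A LAN prefix is not rate-limited.

```python
import ipaddress

# Constructed VPNv4 routes as PE-B sees them for VRF Cust_A: (prefix, standard communities).
# PE-A's IntoVPNv4 route-map tags only /32 host routes with 65000:100.
ROUTES = [
    ("10.0.1.3/32", {"65000:100"}),  # Site-A loopback, stands in for a central server
    ("10.2.1.0/24", set()),          # Site-A LAN, not matched by prefix-list Loopbacks
    ("10.2.7.4/30", set()),          # PE-A to Site-A link
]
QPPB_S = {"65000:100"}  # ip community-list standard QPPB_S permit 65000:100
POLICE_BPS = 128000     # policy-map QPPB, class Q5: police 128000
BURST_BYTES = 4000      # assumed Bc; IOS derives its own default when none is configured

def table_map(routes):
    """Emulate 'table-map QPPB': routes matching QPPB_S get qos-group 5 in the VRF FIB."""
    fib = [(ipaddress.ip_network(p), 5 if comms & QPPB_S else 0) for p, comms in routes]
    return sorted(fib, key=lambda e: e[0].prefixlen, reverse=True)  # longest match first

def classify(fib, dst):
    """Emulate 'bgp-policy destination ip-qos-map': destination lookup returns the qos-group."""
    addr = ipaddress.ip_address(dst)
    return next((qg for net, qg in fib if addr in net), 0)

class Policer:
    """Single-rate token bucket standing in for 'police 128000' (conform transmit, exceed drop)."""
    def __init__(self, bps, burst):
        self.rate, self.burst, self.tokens, self.last = bps / 8, burst, burst, 0.0
    def admit(self, size, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False

def service_policy(fib, packets):
    """Apply policy-map QPPB inbound to (time_s, dst, size_bytes) packets; return actions."""
    q5 = Policer(POLICE_BPS, BURST_BYTES)
    actions = []
    for now, dst, size in packets:
        if classify(fib, dst) == 5:
            actions.append("transmit" if q5.admit(size, now) else "drop")
        else:
            actions.append("transmit,dscp=0")  # class-default: set ip dscp default
    return actions

if __name__ == "__main__":
    fib = table_map(ROUTES)
    flood = [(0.0, "10.0.1.3", 1000)] * 10  # constructed 10-packet burst toward the loopback
    print(service_policy(fib, flood), service_policy(fib, [(0.0, "10.2.1.1", 1000)]))
```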
Complete router configurations
Configuration of PE-A
```
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE-A
!
vrf definition Cust_A
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 !
 address-family ipv4
  export map Cust_A_Export
 exit-address-family
!
logging buffered 4096
!
no aaa new-model
ip subnet-zero
ip source-route
!
ip cef
no ip domain lookup
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
!
interface Serial1/0
 description Link to P(ROUTER) s1/0
 ip address 10.0.7.9 255.255.255.252
 encapsulation ppp
 mpls ip
 serial restart-delay 0
!
interface Serial1/4
 description Link to Site-A(ROUTER) s1/0
 vrf forwarding Cust_A
 ip address 10.2.7.5 255.255.255.252
 encapsulation ppp
 serial restart-delay 0
!
router ospf 1 vrf Cust_A
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
 default-information originate always
!
router ospf 2
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.0.1.2 remote-as 65000
 neighbor 10.0.1.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.0.1.2 activate
  neighbor 10.0.1.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Cust_A
  no synchronization
  redistribute ospf 1 vrf Cust_A match internal external 1 external 2 route-map IntoVPNv4
 exit-address-family
!
ip classless
!
ip bgp-community new-format
!
ip http server
no ip http secure-server
!
!
ip prefix-list Loopbacks seq 5 permit 0.0.0.0/0 ge 32
!
route-map IntoVPNv4 permit 10
 match ip address prefix-list Loopbacks
 set community 65000:100 additive
!
route-map IntoVPNv4 permit 20
!
route-map Cust_A_Export permit 10
 match ip address prefix-list Loopbacks
 set extcommunity rt 65000:100 additive
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 transport preferred none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no login
 transport preferred none
!
ntp logging
end
```
Configuration of PE-B
```
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE-B
!
vrf definition Cust_A
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 !
 address-family ipv4
 exit-address-family
!
logging buffered 4096
!
no aaa new-model
ip subnet-zero
ip source-route
!
ip cef
no ip domain lookup
!
class-map match-all Q5
 match qos-group 5
!
policy-map QPPB
 class Q5
  police 128000
 class class-default
  set ip dscp default
!
interface Loopback0
 ip address 10.0.1.2 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 description Link to P(ROUTER) s1/1
 ip address 10.0.7.25 255.255.255.252
 encapsulation ppp
 mpls ip
 serial restart-delay 0
!
interface Serial1/4
 description Link to Site-A(ROUTER) s1/0
 vrf forwarding Cust_A
 ip address 10.2.7.17 255.255.255.252
 encapsulation ppp
 serial restart-delay 0
 service-policy input QPPB
 bgp-policy destination ip-qos-map
!
router ospf 1 vrf Cust_A
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
 default-information originate always
!
router ospf 2
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.0.1.1 remote-as 65000
 neighbor 10.0.1.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.0.1.1 activate
  neighbor 10.0.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Cust_A
  no synchronization
  table-map QPPB
  redistribute ospf 1 vrf Cust_A match internal external 1 external 2
 exit-address-family
!
ip classless
!
ip bgp-community new-format
ip community-list standard QPPB_S permit 65000:100
!
ip http server
no ip http secure-server
!
!
route-map QPPB permit 20
 match community QPPB_S
 set ip qos-group 5
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 transport preferred none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no login
 transport preferred none
!
ntp logging
end
```
Configuration of Site-A
```
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site-A
!
logging buffered 4096
!
no aaa new-model
ip subnet-zero
ip source-route
!
ip cef
no ip domain lookup
!
interface Loopback0
 ip address 10.0.1.3 255.255.255.255
!
interface FastEthernet0/0
 description LAN 1 (stub)
 ip address 10.2.1.1 255.255.255.0
 speed auto
 duplex auto
!
interface Serial1/0
 description Link to PE-A(ROUTER) s1/4
 ip address 10.2.7.6 255.255.255.252
 encapsulation ppp
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 transport preferred none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no login
 transport preferred none
!
ntp logging
end
```
Configuration of Site-B
```
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site-B
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
ip subnet-zero
ip source-route
!
ip cef
no ip domain lookup
!
interface Loopback0
 ip address 10.0.1.4 255.255.255.255
!
interface FastEthernet0/0
 description LAN 2 (stub)
 ip address 10.2.3.1 255.255.255.0
 speed auto
 duplex auto
!
interface Serial1/0
 description Link to PE-B(ROUTER) s1/4
 ip address 10.2.7.18 255.255.255.252
 ip access-group Test in
 encapsulation ppp
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 transport preferred none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no login
 transport preferred none
!
ntp logging
end
```