Prevent DoS attacks on MPLS VPN common services
[LEFT][CODE]http://wiki.nil.com/Prevent_DoS_attacks_on_MPLS_VPN_common_services[/CODE]
[COLOR=Red][B]Business issue[/B][/COLOR]
Customer sites connected to common services through an MPLS VPN network can start DoS flooding attacks toward the central servers. The Service Provider would like to prevent these attacks as one of the measures to ensure high service availability.
[COLOR=Red][B]Technical problem[/B][/COLOR]
It's hard to limit per-customer-site traffic entering the central services segment on the PE-router; it's much easier to limit ingress traffic from the customer site. However, the mechanism used on the PE-CE link has to be scalable and must not depend on site-specific access lists that would have to be modified whenever the central services addressing changes.
[COLOR=Red][B]Solution[/B][/COLOR]
QoS Policy Propagation via BGP (QPPB) can be used to classify ingress traffic on the PE-CE VRF link. Once the traffic toward the common services segment is classified, modular QoS (MQC) policies can be used to rate-limit it.
[B] QPPB limitations [/B]
The following limitations apply to QPPB used in MPLS VPN environment:
[LIST]
[*] QPPB can only classify CEF-switched IP packets. It can therefore only be applied to ingress traffic entering the PE-router through a PE-CE interface; egress (PE-to-CE) MPLS VPN traffic is label-switched and is not classified by QPPB.
[*] QPPB can also be used on the ingress interfaces of Inter-AS option-A links (autonomous systems interconnected with back-to-back VRFs), but not with option B or option C, because those options use label switching between the ASBR PE-routers.
[*] QPPB was developed before the MPLS VPN functionality and its route-map processing was never upgraded to support extended BGP communities. The [B]match extcommunity[/B] statement cannot be used in the [B]route-map[/B] specified in the [B]table-map[/B] BGP router configuration command; you have to use standard BGP communities.
[/LIST]
[B] Configure QPPB in MPLS VPN environment [/B]
To configure QPPB in an MPLS VPN environment, perform the following steps:
[LIST=1]
[*] Configure propagation of standard BGP communities between the PE-routers in the VPNv4 address family.
[*] Mark the target networks with BGP communities when inserting them into the VPNv4 BGP table on the egress PE-router.
[*] Configure a QPPB route-map on the ingress PE-router that sets QoS groups based on BGP attributes.
[*] Apply the QPPB route-map to the BGP routes in the individual VRFs.
[*] Configure ingress QPPB on the VRF interfaces.
[*] Configure MQC class maps and policy maps.
[*] Apply the inbound MQC service policy to the VRF interfaces.
[/LIST]
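The seven steps form a chain in which every link has to be present on the ingress PE-router: if the VPNv4 session does not send communities, if the table-map route-map matches on an extended community (the limitation noted above), if a class-map matches a qos-group the route-map never sets, or if a VRF interface carries the service-policy but not the [B]bgp-policy[/B] command, the attack traffic is simply forwarded unpoliced and nothing logs an error. The following Python script is an added example, not part of the wiki article and not the article author's code: it parses an IOS-style configuration into blocks and audits that chain. The embedded configuration is constructed for this example and modelled on the PE-B role; the second interface Serial1/5 (which deliberately lacks the [B]bgp-policy[/B] command) is an assumption, and the checker only understands the command forms used in this article.

```python
import re

# Constructed sample config for this example, modelled on the ingress PE (PE-B) role in the
# article; not the page's own text. Serial1/5 deliberately lacks the bgp-policy command.
SAMPLE_CONFIG = """\
ip community-list standard QPPB_S permit 65000:100
class-map match-all Q5
 match qos-group 5
policy-map QPPB
 class Q5
  police 128000
 class class-default
  set ip dscp default
interface Serial1/4
 vrf forwarding Cust_A
 service-policy input QPPB
 bgp-policy destination ip-qos-map
interface Serial1/5
 vrf forwarding Cust_A
 service-policy input QPPB
router bgp 65000
 address-family vpnv4
  neighbor 10.0.1.1 activate
  neighbor 10.0.1.1 send-community both
 exit-address-family
 address-family ipv4 vrf Cust_A
  table-map QPPB
 exit-address-family
route-map QPPB permit 20
 match community QPPB_S
 set ip qos-group 5
"""


def parse_blocks(config):
    """Split IOS-style text into (header, [subcommands]); indented lines join the latest block."""
    blocks = []
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def policy_qos_groups(blocks, policy):
    """qos-group values matched by the class-maps that the named policy-map references."""
    classes = {l.split()[1] for h, b in blocks if h == f"policy-map {policy}" for l in b if l.startswith("class ")}
    return {int(l.split()[-1]) for h, b in blocks if h.startswith("class-map ") and h.split()[-1] in classes
            for l in b if l.startswith("match qos-group ")}


def audit_qppb(config):
    """Return a list of findings; an empty list means the QPPB chain is complete."""
    blocks = parse_blocks(config)
    findings, table_maps = [], {}
    # Steps 1 and 4: VPNv4 neighbours must send communities; record each VRF's table-map.
    for body in (b for h, b in blocks if h.startswith("router bgp")):
        af, activated, sending = None, set(), set()
        for line in body:
            if line.startswith("address-family"):
                af = line
            elif line == "exit-address-family":
                af = None
            elif af == "address-family vpnv4":
                m = re.match(r"neighbor (\S+) (activate|send-community)", line)
                if m:
                    (activated if m.group(2) == "activate" else sending).add(m.group(1))
            elif af and af.startswith("address-family ipv4 vrf ") and line.startswith("table-map "):
                table_maps[af.split()[-1]] = line.split()[1]
        for n in sorted(activated - sending):
            findings.append(f"vpnv4 neighbor {n}: no send-community, so marking communities never arrive")
    # Step 3: the table-map route-map must set qos-groups from standard (not extended) communities.
    qos_groups = {rm: set() for rm in table_maps.values()}
    for rm, body in ((h.split()[1], b) for h, b in blocks if h.startswith("route-map ")):
        for line in body if rm in qos_groups else []:
            if line.startswith("match extcommunity"):
                findings.append(f"route-map {rm}: match extcommunity is ignored by a QPPB table-map")
            m = re.match(r"set ip qos-group (\d+)", line)
            if m:
                qos_groups[rm].add(int(m.group(1)))
    # Steps 5-7: a VRF interface needs QPPB, an input policy, and class-maps on qos-groups that get set.
    for name, body in ((h.split()[1], b) for h, b in blocks if h.startswith("interface ")):
        vrf = next((l.split()[-1] for l in body if l.startswith("vrf forwarding ")), None)
        policy = next((l.split()[-1] for l in body if l.startswith("service-policy input ")), None)
        qppb = "bgp-policy destination ip-qos-map" in body
        if bool(qppb) != bool(policy):
            findings.append(f"{name}: needs both bgp-policy destination ip-qos-map and an input service-policy")
        if qppb and policy:
            unset = policy_qos_groups(blocks, policy) - qos_groups.get(table_maps.get(vrf), set())
            for g in sorted(unset):
                findings.append(f"{name}: policy {policy} matches qos-group {g}, which vrf {vrf} never sets")
    return findings


if __name__ == "__main__":
    print(*(audit_qppb(SAMPLE_CONFIG) or ["no gaps found"]), sep="\n")
```

Run as a script it prints one finding for the sample (Serial1/5 has the policy but no QPPB classification); feeding it the output of [B]show running-config[/B] from a real ingress PE works as long as the configuration uses the same command forms as this article. The check is deliberately structural: it does not verify that the marked prefixes actually carry community 65000:100, which still has to be confirmed with [B]show ip bgp vpnv4 vrf[/B] on the ingress PE.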
[B] Sample network [/B]
A simple MPLS VPN network with two PE-routers and two sites (see Figure 1) was used to test the QPPB functionality. [I]Site-A[/I] is the common services site that will be protected with the help of QPPB; [I]Site-B[/I] is a customer site. The detailed router configurations can be found in the Complete router configurations section.
[URL="http://wiki.nil.com/File:QPPB_MPLS_VPN.png"][IMG]http://wiki.nil.com/wk/images/thumb/0/0a/QPPB_MPLS_VPN.png/650px-QPPB_MPLS_VPN.png[/IMG][/URL]
Figure 1: Sample network diagram
[B] Configuring DoS attack prevention for MPLS VPN common services [/B]
The following changes have been made to the simple site-to-site MPLS VPN setup to implement QPPB-based DoS attack prevention.
[B] Configure standard BGP community propagation [/B]
[COLOR=Red][B]PE-A[/B][/COLOR]
[CODE]router bgp 65000
address-family vpnv4
neighbor 10.0.1.2 activate
neighbor 10.0.1.2 send-community both
exit-address-family [/CODE]
[COLOR=Red][B]PE-B[/B][/COLOR]
[CODE]router bgp 65000
address-family vpnv4
neighbor 10.0.1.1 activate
neighbor 10.0.1.1 send-community both
exit-address-family [/CODE]
[B] Mark target networks with BGP communities [/B]
[COLOR=Red][B]PE-A[/B][/COLOR]
[CODE]vrf definition Cust_A
rd 65000:1
route-target export 65000:1
route-target import 65000:1
!
address-family ipv4
exit-address-family
!
router bgp 65000
address-family ipv4 vrf Cust_A
no synchronization
redistribute ospf 1 vrf Cust_A match internal external 1 external 2 route-map IntoVPNv4
exit-address-family
!
ip bgp-community new-format
!
ip prefix-list Loopbacks seq 5 permit 0.0.0.0/0 ge 32
!
route-map IntoVPNv4 permit 10
match ip address prefix-list Loopbacks
set community 65000:100 additive
!
route-map IntoVPNv4 permit 20 [/CODE]
[B] Configure QPPB route-map [/B]
[COLOR=Red][B]PE-B[/B][/COLOR]
[CODE]ip bgp-community new-format
ip community-list standard QPPB_S permit 65000:100
!
route-map QPPB permit 20
match community QPPB_S
set ip qos-group 5 [/CODE]
[B] Apply QPPB route-map to VRF BGP routes [/B]
[COLOR=Red][B]PE-B[/B][/COLOR]
[CODE]router bgp 65000
address-family ipv4 vrf Cust_A
no synchronization
table-map QPPB [/CODE]
[B] Configure ingress QPPB on VRF interfaces [/B]
[COLOR=Red][B]PE-B[/B][/COLOR]
[CODE]interface Serial1/4
description Link to Site-A(ROUTER) s1/0
vrf forwarding Cust_A
bgp-policy destination ip-qos-map [/CODE]
[B] Configure MQC class maps and policy maps [/B]
[COLOR=Red][B]PE-B[/B][/COLOR]
[CODE]class-map match-all Q5
match qos-group 5
!
policy-map QPPB
class Q5
police 128000
class class-default
set ip dscp default [/CODE]
[B] Apply inbound MQC service policy to VRF interfaces [/B]
[COLOR=Red][B]PE-B[/B][/COLOR]
[CODE]interface Serial1/4
description Link to Site-A(ROUTER) s1/0
service-policy input QPPB [/CODE]
[B] Complete router configurations [/B]
[COLOR=Red][B]Configuration of PE-A[/B][/COLOR]
[CODE]version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE-A
!
vrf definition Cust_A
rd 65000:1
route-target export 65000:1
route-target import 65000:1
!
address-family ipv4
export map Cust_A_Export
exit-address-family
!
logging buffered 4096
!
no aaa new-model
ip subnet-zero
ip source-route
!
ip cef
no ip domain lookup
!
interface Loopback0
ip address 10.0.1.1 255.255.255.255
!
interface Serial1/0
description Link to P(ROUTER) s1/0
ip address 10.0.7.9 255.255.255.252
encapsulation ppp
mpls ip
serial restart-delay 0
!
interface Serial1/4
description Link to Site-A(ROUTER) s1/0
vrf forwarding Cust_A
ip address 10.2.7.5 255.255.255.252
encapsulation ppp
serial restart-delay 0
!
router ospf 1 vrf Cust_A
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
default-information originate always
!
router ospf 2
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor 10.0.1.2 remote-as 65000
neighbor 10.0.1.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 10.0.1.2 activate
neighbor 10.0.1.2 send-community both
exit-address-family
!
address-family ipv4 vrf Cust_A
no synchronization
redistribute ospf 1 vrf Cust_A match internal external 1 external 2 route-map IntoVPNv4
exit-address-family
!
ip classless
!
ip bgp-community new-format
!
ip http server
no ip http secure-server
!
!
ip prefix-list Loopbacks seq 5 permit 0.0.0.0/0 ge 32
!
route-map IntoVPNv4 permit 10
match ip address prefix-list Loopbacks
set community 65000:100 additive
!
route-map IntoVPNv4 permit 20
!
route-map Cust_A_Export permit 10
match ip address prefix-list Loopbacks
set extcommunity rt 65000:100 additive
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
no login
transport preferred none
!
ntp logging
end [/CODE]
[COLOR=Red][B]Configuration of PE-B[/B][/COLOR]
[CODE]version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE-B
!
vrf definition Cust_A
rd 65000:1
route-target export 65000:1
route-target import 65000:1
!
address-family ipv4
exit-address-family
!
logging buffered 4096
!
no aaa new-model
ip subnet-zero
ip source-route
!
ip cef
no ip domain lookup
!
class-map match-all Q5
match qos-group 5
!
policy-map QPPB
class Q5
police 128000
class class-default
set ip dscp default
!
interface Loopback0
ip address 10.0.1.2 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
description Link to P(ROUTER) s1/1
ip address 10.0.7.25 255.255.255.252
encapsulation ppp
mpls ip
serial restart-delay 0
!
interface Serial1/4
description Link to Site-A(ROUTER) s1/0
vrf forwarding Cust_A
ip address 10.2.7.17 255.255.255.252
encapsulation ppp
serial restart-delay 0
service-policy input QPPB
bgp-policy destination ip-qos-map
!
router ospf 1 vrf Cust_A
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
default-information originate always
!
router ospf 2
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor 10.0.1.1 remote-as 65000
neighbor 10.0.1.1 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 10.0.1.1 activate
neighbor 10.0.1.1 send-community both
exit-address-family
!
address-family ipv4 vrf Cust_A
no synchronization
table-map QPPB
redistribute ospf 1 vrf Cust_A match internal external 1 external 2
exit-address-family
!
ip classless
!
ip bgp-community new-format
ip community-list standard QPPB_S permit 65000:100
!
ip http server
no ip http secure-server
!
!
route-map QPPB permit 20
match community QPPB_S
set ip qos-group 5
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
no login
transport preferred none
!
ntp logging
end [/CODE]
[COLOR=Red][B]Configuration of Site-A[/B][/COLOR]
[CODE]version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site-A
!
logging buffered 4096
!
no aaa new-model
ip subnet-zero
ip source-route
!
ip cef
no ip domain lookup
!
interface Loopback0
ip address 10.0.1.3 255.255.255.255
!
interface FastEthernet0/0
description LAN 1 (stub)
ip address 10.2.1.1 255.255.255.0
speed auto
duplex auto
!
interface Serial1/0
description Link to PE-A(ROUTER) s1/4
ip address 10.2.7.6 255.255.255.252
encapsulation ppp
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
no login
transport preferred none
!
ntp logging
end [/CODE]
[COLOR=Red][B]Configuration of Site-B[/B][/COLOR]
[CODE]version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site-B
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
ip subnet-zero
ip source-route
!
ip cef
no ip domain lookup
!
interface Loopback0
ip address 10.0.1.4 255.255.255.255
!
interface FastEthernet0/0
description LAN 2 (stub)
ip address 10.2.3.1 255.255.255.0
speed auto
duplex auto
!
interface Serial1/0
description Link to PE-B(ROUTER) s1/4
ip address 10.2.7.18 255.255.255.252
ip access-group Test in
encapsulation ppp
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
transport preferred none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
no login
transport preferred none
!
ntp logging
end [/CODE][/LEFT]