Interesting Peering Activities at the Exchange Points
Naiming Shen, Cisco Systems
Nanog 14, Atlanta

Peering Activities at NAPs
• During the summer of 1997
• Pointing default
• Rewrite eBGP nexthop
• Passing third-party nexthop
• Misconfiguration

Case #1: Rewrite eBGP Nexthop
[Diagram: Mae-East NAP; ISP 3 (router cpe2), ISP 2, ISP 1 and iMCI; a link labelled "Private Peering"; ACLs on the ISP 3 links]

Case #1: Continue...
• Netflow showed 15% extra traffic from a single subnet
• traceroute -g showed the traffic coming to us
• Installing a static route for 212.x.x.x pointing to this router made traceroute stop at ISP1
• Installing the route in BGP, traceroute showed it coming back to us
• Thus this router of ISP3 had to be rewriting the eBGP nexthop based on the AS numbers
• This could not be a misconfiguration or simple pointing of default; it was also not used only towards iMCI

Case #1: Continue...
• Install a packet filter on one of the links
• Install the packet filter on both links, which forced the traffic to go to ISP2
• After the filter was removed, it came back
• A new packet filter was applied

Case #1: Continue...
• ACL 123 (the wildcard 0.0.31.255 covers the offending /19; ICMP, high UDP ports used by traceroute and DNS are still allowed, everything else from that block is dropped):
    access-list 123 permit icmp x.x.x.0 0.0.31.255 any
    access-list 123 permit udp x.x.x.0 0.0.31.255 any gt 32000
    access-list 123 permit udp x.x.x.0 0.0.31.255 any eq 53
    access-list 123 deny ip x.x.x.0 0.0.31.255 any
    access-list 123 permit ip any any
• The new filter was there for four days

Case #2: Passing 3rd Party Nexthop
[Diagram: NAP LAN with ISP 5, iMCI and ISP 4; links labelled "Peering/customer" and "Peering"; arrow labelled "traffic"]

Case #2: Continue...
• Netflow did not find this case
• Even if you rewrite the nexthop to your peer's address, you can't stop your peer from passing your nexthop on to a third party
• route-map command: set ip next-hop peer-address
• Use "next-hop-self"

Case #3: Pointing Default
[Diagram: ISP 6, iMCI (internetMCI.net), ISP 7]

Case #3: Continue...
• It first pointed default to ISP6, then to iMCI
• Reverse DNS lookup was xxx.internetmci.net
• An SNMP query showed the default route MIB value: ip.ipRouteTable.ipRouteEntry.ipRouteNexthop.0.0.0.0 = IpAddress: 192.41.177.180
• After we exchanged some email, they pointed to someone else

Case #4: Tunneling
[Diagram: GRE; ISP 9 at NAP1, ISP 8, ISP 9 at NAP2]

Case #4: Continue...
[Diagram: ISP 10, Upstream Provider, NAP3, E1, E3, ISP 11]

Other Activities
• Run IGP at the NAPs
• Run native multicast
• Inconsistent route announcement at different peering points
• Run CDP

Detection
• Netflow stats for reverse route lookup and traffic matrix
• traceroute -g
• If LSR is disabled, use Ping-Pong trace
• MAC address accounting

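The first and last bullets above, worked out as an added example (this is not code from the slides; the AS numbers, prefixes, MAC addresses and NetFlow records are constructed): each flow arriving over the NAP interface is attributed to a peer by its source MAC, the flow's source address is looked up in the BGP table (reverse route lookup), and the flow is flagged when the source belongs to a different peer than the one that handed us the packet, when the source has no route at all, or when the MAC belongs to a router we have no session with. The same records feed a per-peer traffic matrix.

```python
"""Reverse route lookup and MAC accounting over NetFlow records from a NAP port.

Added example, not part of the NANOG 14 slides; all data below is constructed.
Our AS is 64500; we peer with AS 64501 and 64502 on the NAP LAN and with
AS 64503 over private peering (not on the NAP).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    peer_as: int        # eBGP neighbour the route was learned from
    nexthop: str        # neighbour address the route points at


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    src_mac: str        # source MAC seen on the NAP LAN (MAC accounting)
    octets: int


# constructed BGP table on our NAP router
ROUTES = [
    Route(ipaddress.ip_network("192.0.2.0/24"), 64501, "198.51.100.1"),
    Route(ipaddress.ip_network("203.0.113.0/24"), 64502, "198.51.100.2"),
    Route(ipaddress.ip_network("203.0.113.128/25"), 64502, "198.51.100.2"),
    Route(ipaddress.ip_network("100.64.0.0/16"), 64503, "10.0.0.3"),      # private peering
]
# constructed NAP LAN MAC addresses of the routers we have sessions with
PEER_MAC = {
    "198.51.100.1": "00:00:5e:00:53:01",
    "198.51.100.2": "00:00:5e:00:53:02",
}


def longest_match(addr, routes):
    """Longest-prefix lookup of `addr` in `routes`; None when nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def classify_flow(flow, routes, peer_mac):
    """Return (ingress peer AS, AS that announced the source, verdict)."""
    mac_to_nexthop = {m.lower(): nh for nh, m in peer_mac.items()}
    nexthop_to_as = {r.nexthop: r.peer_as for r in routes}
    ingress_as = nexthop_to_as.get(mac_to_nexthop.get(flow.src_mac.lower()))
    src_route = longest_match(flow.src, routes)
    src_as = src_route.peer_as if src_route else None
    if ingress_as is None:
        # a router we have no session with is forwarding to us:
        # third-party nexthop or someone pointing default at us
        return ingress_as, src_as, "unknown-mac"
    if src_as is None:
        return ingress_as, src_as, "no-route"      # unrouted or spoofed source
    if src_as != ingress_as:
        # the peer hands us packets for prefixes it never announced:
        # default pointing or a rewritten nexthop somewhere behind it
        return ingress_as, src_as, "wrong-peer"
    return ingress_as, src_as, "ok"


def suspicious_flows(flows, routes=ROUTES, peer_mac=PEER_MAC):
    """Flows whose ingress peer does not own the source address."""
    out = []
    for f in flows:
        _, _, verdict = classify_flow(f, routes, peer_mac)
        if verdict != "ok":
            out.append((f, verdict))
    return out


def traffic_matrix(flows, routes=ROUTES, peer_mac=PEER_MAC):
    """Octets per (ingress peer AS, egress peer AS); egress is a forward lookup of dst."""
    matrix = {}
    for f in flows:
        ingress, _, _ = classify_flow(f, routes, peer_mac)
        dst_route = longest_match(f.dst, routes)
        key = (ingress, dst_route.peer_as if dst_route else None)
        matrix[key] = matrix.get(key, 0) + f.octets
    return matrix


# constructed NetFlow records
FLOWS = [
    Flow("192.0.2.10", "100.64.1.1", "00:00:5e:00:53:01", 1500),      # 64501's own source: ok
    Flow("203.0.113.200", "100.64.2.2", "00:00:5e:00:53:02", 900),    # 64502's /25: ok
    Flow("203.0.113.5", "100.64.3.3", "00:00:5e:00:53:01", 40000),    # 64502 source via 64501's MAC
    Flow("192.0.2.77", "100.64.4.4", "00:00:5e:00:53:99", 12000),     # MAC of a non-peer router
    Flow("198.18.0.1", "100.64.5.5", "00:00:5e:00:53:02", 60),        # source with no route
]

if __name__ == "__main__":
    for f, verdict in suspicious_flows(FLOWS):
        print(f"{verdict:12} {f.src:>16} via {f.src_mac} ({f.octets} octets)")
    for (ingress, egress), octets in sorted(traffic_matrix(FLOWS).items(), key=str):
        print(f"AS{ingress} -> AS{egress}: {octets}")
```

The "wrong-peer" verdict is the NetFlow signature of Cases #1 and #3: the volume from AS 64502's space arriving from AS 64501's router shows up as the unexplained extra share in the traffic matrix. "unknown-mac" is what MAC address accounting adds for Case #2, where the source addresses are legitimate and only the Ethernet header reveals the third party.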
Filtering
• Packet level filtering
• MAC address filtering/rate-limit, sometimes combined with WRED
• Null out offender's routes within your domain

Preventive Measures
• NAP GIGAswitch L2 filtering
• NAP ATM PVCs
• Use "next-hop-self" and reset peer-address
• Remove non-customer routes from NAP routers
• Do not carry NAP subnets in the backbone
• Enforce consistent route announcements
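The third-party nexthop of Case #2 and the "next-hop-self" / "set ip next-hop peer-address" measures above, traced in a small simulation (an added example, not code from the slides; the routers, AS numbers, NAP subnet and prefixes are constructed). ISP 4 has sessions with both iMCI and ISP 5 on the same NAP LAN, iMCI and ISP 5 have none. Under the RFC 4271 section 5.1.3 rule a speaker may pass on a nexthop that lies on the same subnet as the receiving peer, so iMCI's address reaches ISP 5 unchanged and ISP 5 forwards straight to iMCI. The scenario shows which knob, on which router, actually changes that.

```python
"""Propagation of an eBGP nexthop across a shared NAP LAN.

Added example; not from the NANOG 14 slides, all values constructed.
"""
import ipaddress
from dataclasses import dataclass, field

NAP_LAN = ipaddress.ip_network("198.51.100.0/24")   # constructed exchange-point subnet


@dataclass
class Router:
    name: str
    asn: int
    nap_addr: str                        # this router's address on the NAP LAN
    next_hop_self: bool = False          # 'neighbor <peer> next-hop-self' towards NAP peers
    reset_peer_address: bool = False     # inbound route-map 'set ip next-hop peer-address'
    rib: dict = field(default_factory=dict)   # prefix -> address packets are forwarded to


def advertised_nexthop(sender, receiver, nexthop):
    """NEXT_HOP that `sender` puts in an UPDATE to `receiver`.

    `nexthop` is None for a prefix the sender originates itself.
    """
    if nexthop is None or sender.next_hop_self:
        return sender.nap_addr
    # third-party nexthop: on a shared LAN the sender may keep a nexthop that sits
    # on the same subnet as the receiver, even one the receiver has no session with
    if ipaddress.ip_address(nexthop) in NAP_LAN and ipaddress.ip_address(receiver.nap_addr) in NAP_LAN:
        return nexthop
    return sender.nap_addr


def install(receiver, sender, prefix, nexthop):
    """Apply the receiver's inbound policy, then install the route."""
    if receiver.reset_peer_address:
        nexthop = sender.nap_addr        # discard whatever third-party nexthop arrived
    receiver.rib[prefix] = nexthop


def send(sender, receiver, prefix):
    """One eBGP advertisement of `prefix` from sender to receiver."""
    nexthop = sender.rib.get(prefix)     # None when the sender originates the prefix
    install(receiver, sender, prefix, advertised_nexthop(sender, receiver, nexthop))


def run_scenario(isp4_next_hop_self=False, isp5_reset=False, imci_reset=False):
    """ISP 4 peers with iMCI and with ISP 5; iMCI and ISP 5 have no session."""
    imci = Router("iMCI", 64500, "198.51.100.1", reset_peer_address=imci_reset)
    isp4 = Router("ISP4", 64504, "198.51.100.4", next_hop_self=isp4_next_hop_self)
    isp5 = Router("ISP5", 64505, "198.51.100.5", reset_peer_address=isp5_reset)
    imci_prefix, isp5_prefix = "192.0.2.0/24", "203.0.113.0/24"    # constructed
    # iMCI's prefix travels iMCI -> ISP 4 -> ISP 5
    send(imci, isp4, imci_prefix)
    send(isp4, isp5, imci_prefix)
    # ISP 5's prefix travels the other way, ISP 5 -> ISP 4 -> iMCI
    send(isp5, isp4, isp5_prefix)
    send(isp4, imci, isp5_prefix)
    return {
        "isp5_forwards_to": isp5.rib[imci_prefix],
        "imci_forwards_to": imci.rib[isp5_prefix],
        # True when packets land on a router the sender has no BGP session with
        "isp5_bypasses_isp4": isp5.rib[imci_prefix] == imci.nap_addr,
        "imci_bypasses_isp4": imci.rib[isp5_prefix] == isp5.nap_addr,
    }


if __name__ == "__main__":
    for kw in ({}, {"imci_reset": True}, {"isp4_next_hop_self": True}, {"isp5_reset": True}):
        print(kw or "defaults", run_scenario(**kw))
```

With defaults both iMCI and ISP 5 forward directly to each other across ISP 4's sessions. Resetting the peer address on iMCI's inbound policy fixes only iMCI's own forwarding; ISP 5 still sends to iMCI, which is the slide's point that you cannot stop your peer from passing your nexthop on. Only "next-hop-self" on ISP 4 (or ISP 5 resetting the peer address itself, or L2 filtering on the switch) removes the bypass in that direction.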