© 2012 Cisco and/or its affiliates. All rights reserved. BRKSEC-3172 Cisco Public
Advanced IOS XR Security BRKSEC-3172
ACHTUNG: This session is about IOS XR, which runs on:
  - CRS-1
  - CRS-3
  - XR12000
  - ASR9000

This session will not cover IOS, IOS XE, or NX-OS. If you wish to learn about security on other systems, please attend:
  - BRKSEC-2202 Understanding and Preventing Layer 2 Attacks in IPv4 and IPv6 networks
  - BRKSEC-2145 MPLS VPN Security
  - BRKSEC-2345 Critical Infrastructure Protection
  - BRKSEC-3007 Advanced Cisco IOS Security Features
Housekeeping
We value your feedback: don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday
Visit the World of Solutions and Meet the Engineer
Visit the Cisco Store to purchase your recommended readings
Please switch off your mobile phones
After the event don’t forget to visit Cisco Live Virtual: www.ciscolivevirtual.com
Overview
Agenda
  - Overview
  - Control Plane Protection: Local Packet Transport Services (LPTS)
      - LPTS Overview
      - Configuring LPTS
      - Monitoring LPTS
      - Troubleshooting LPTS
  - Data Plane Protection
      - Receive traffic not processed by LPTS
      - Access Control Lists (ACL)
      - Traditional Methods
  - Management Plane Protection (MPP)
      - MPP Overview
      - Configuring MPP
      - Troubleshooting MPP
Why are we here?
  - To talk about protecting router ("device") level resources from being compromised
  - How IOS XR implements protection for the control, data, and management planes
  - How to configure these features in IOS XR
  - How to troubleshoot and validate the operation of these protections in IOS XR
  - How the IOS XR implementation compares to traditional CoPP-based solutions on IOS
Router-level Control, Management, and Data Plane Attack Methods
  - Remote attacks
      - Typically multiple hops away from the router
      - Sent to some destination IP on the device under attack
  - Directly connected attacks
      - 1 hop away from the device under attack
      - Sent to a destination IP on the device under attack
  - Inline attacks
      - Some inline tool becomes the "man in the middle"
      - Requires physical access to something on the wire
      - Manipulation of packets or data gathering

The goal of all of these attacks is to compromise device resources or to redirect flows for data gathering.
Types of Attacks
  - Pipe cloggers
      - TTL attacks (packets crafted to expire on the router, forcing punts to the CPU)
      - ICMP: unreachables, redirects, subnet pings
      - Ping of death: ping with size > 64 KB
  - State overflowers / resource hogs
      - Unauthorized route injection (routing protocols)
      - Buffer overflow: the attacker has to know the specific vulnerability within the code and protocol
      - TCP SYN flood
      - IPv6 ICMP: ND, RD, etc.
  - Unauthorized access gainers
      - Dictionary attacks
      - SNMP attacks
      - Unauthorized access (Telnet, SSH, HTTPS, SNMP)
      - Spoofing valid protocol packets
  - And plenty more ways to wreak havoc
IOS XR Security at a glance

Control Plane
  - TTL security: BGP, OSPF, BFD
  - Authentication: BGP, OSPF, IS-IS, EIGRP, LDP, MSDP, RSVP
  - Resource limits: OSPF, IS-IS, EIGRP, BGP, RIB, PIM, IGMP, MSDP
  - Hardware and software policers via LPTS

Management Plane
  - Instance limits: Telnet, SSH, VTY
  - Peer filtering: HTTP, Telnet, SSH, SNMP
  - AAA: TACACS+, RADIUS
  - MPP: Management Plane Protection

Data Plane
  - uRPF
  - ACLs
  - Ucode punt-path policing

Operating System
  - Process restartability
  - Protected memory
  - Critical resource monitoring and throttling (CPU hog, memory leak, wdsysmon)
  - IPC rate limits
  - Code signing
10000 ft view of the "Receive" packet path (diagram)

Ingress line card (LC): ingress Packet Switching Engine (PSE, ucode) with the PIFIB in TCAM (dynamic). From there a packet goes to the LC CPU, across the fabric to the Route Processor CPU or a distributed RP (dRP) CPU, or on to the egress LC (ucode).
  - For-us traffic such as L2, BFD, ARP: handled on the LC CPU
  - For-us traffic processed by LPTS (management, L3 control plane, ICMP): delivered to the RP/dRP
  - Transit traffic: forwarded to the egress LC
Control Plane Protection
Local Packet Transport Services: high-level view for Control Plane protection (diagram)

Received traffic is looked up in the LPTS Internal FIB (IFIB) and delivered to Application1 on the RP or to the local stack on the LC; transit traffic is switched by the Forwarding Information Base (FIB); bad packets are dropped.
  - LPTS enables applications to reside on any or all RPs, DRPs, or LCs: active/standby, distributed applications, local processing
  - IFIB forwarding is based on matching control plane flows: a built-in "firewall" for control plane traffic
  - LPTS is transparent and automatic
LPTS Overview

Local Packet Transport Service
  - There is no longer a single RP
  - IOS XR is a fully distributed operating system with applications running in multiple physical locations
  - LPTS enables distributed applications to reside on any or all RPs, DRPs, or LCs
  - Filters and polices local "receive" packets and sends them only to the nodes that need them
  - Packet rate correlates with trust: the more the router knows about a flow (configured peer, established session), the higher the rate it is allowed
  - Handles fragments, and also checks TTL/hop count
  - High Availability for NSR (Non-Stop Routing)
LPTS implementation in hardware
  - LPTS has hardware policers on the line cards to limit traffic sent to local or remote nodes
  - LPTS entries in TCAM classify packets to select the policer to apply; a policer value can be tuned to 0 (to drop all packets matching the classification criteria)
  - Polices on protocol (BGP, OSPF, SSH) and flow state (BGP established, BGP configured, and BGP listen)
  - Policing is done in the LC hardware ASIC before packets hit the RP/LC CPU
  - All filters are automatically and dynamically installed by the IOS XR infrastructure
How Local Packet Transport Services Works
IOS XR LPTS in action

Example IFIB/Pre-IFIB TCAM hardware entries on LC 1 (LC 2 carries the same entries); the rates are illustrative:

  Protocol  Local IP        Local port  Remote IP        Remote port  Rate (pps)  Priority  Where the entry comes from
  ICMP      any             any         any              any          1000        low       ICMP, always present
  TCP       any             179         any              any          100         medium    BGP listen socket ("router bgp" configured)
  TCP       any             179         2010::4:48:99    any          1000        medium    "router bgp ... neighbor 2010::4:48:99 ..." (configured peer)
  TCP       2010::4:48:1    179         2010::4:48:99    2223         10000       medium    established session after the TCP handshake; with ttl_security the entry also requires ttl 255
  TCP       2010::200:0::2  13232       2010:200:0::1    646          100         medium    "mpls ldp ..." (LDP session socket)

The entries are driven by the sockets that the applications (BGP, LDP, SSH, ...) open through LPTS, so the table follows the configuration and session state without any operator action.

LPTS is an automatic, built-in "firewall" for control plane traffic. Every control and management packet from the line card is rate limited in hardware to protect the RP and LC CPUs from attacks.
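The lookup above, as an added example that is not part of the original deck: a small Python model of the Pre-IFIB decision, in which the most specific entry wins, the entry selects a per-flow-type policer shared by every entry of that type on the line card, and the TTL (GTSM) check is applied on the matching entry. The addresses, ports and rates are constructed for the demo (the real CRS policer values appear in the police output further down), and the flow type names follow the ones the page uses.

```python
"""Simplified model of the LPTS Pre-IFIB lookup and policing shown above.

Added example, not Cisco code. The most specific entry wins, the entry selects a
per-flow-type policer shared by all entries of that type on the line card, and the
TTL (GTSM) check is applied on the matching entry. Addresses, ports and rates are
constructed for the demo; real policer values are in the police output further down.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str                 # "TCP", "UDP" or "ICMP"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    ttl: int = 64


@dataclass(frozen=True)
class Entry:
    flow: str                  # flow type, e.g. "BGP-known": selects the policer
    proto: str
    local_ip: str = ANY
    local_port: object = ANY
    remote_ip: str = ANY
    remote_port: object = ANY
    min_ttl: int = 0           # 255 when ttl-security is configured (the T field)
    rate_pps: int = 0          # 0 means "drop everything matching this entry"

    def matches(self, p: Packet) -> bool:
        fields = ((self.local_ip, p.dst), (self.local_port, p.dport),
                  (self.remote_ip, p.src), (self.remote_port, p.sport))
        return self.proto == p.proto and all(w == ANY or w == g for w, g in fields)

    def specificity(self) -> int:
        return sum(f != ANY for f in (self.local_ip, self.local_port,
                                      self.remote_ip, self.remote_port))


class Policer:
    """Token bucket: rate_pps tokens per second, 100 ms burst (the Bu value above)."""

    def __init__(self, rate_pps: int, burst_ms: int = 100):
        self.rate = rate_pps
        self.capacity = rate_pps * burst_ms / 1000.0
        self.tokens, self.last = self.capacity, 0.0
        self.accepted = self.dropped = 0

    def offer(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.accepted += 1
            return True
        self.dropped += 1
        return False


class Pifib:
    def __init__(self, entries):
        # Longest match first: an established session (4 fields) beats the
        # configured-peer entry (2 fields), which beats the bare listener (1 field).
        self.entries = sorted(entries, key=lambda e: -e.specificity())
        self.policers = {e.flow: Policer(e.rate_pps) for e in self.entries}

    def receive(self, p: Packet, now: float = 0.0) -> str:
        entry = next((e for e in self.entries if e.matches(p)), None)
        if entry is None:
            return "drop:no-entry"            # nothing listening: never reaches a CPU
        if p.ttl < entry.min_ttl:
            return f"drop:ttl:{entry.flow}"    # GTSM failure on the matching entry
        ok = self.policers[entry.flow].offer(now)
        return f"{'accept' if ok else 'drop:police'}:{entry.flow}"


PEER, ME = "2010::4:48:99", "2010::4:48:1"   # constructed BGP neighbour and local address


def build_pifib() -> Pifib:
    return Pifib([
        Entry("ICMP-default", "ICMP", rate_pps=1000),
        Entry("BGP-default", "TCP", local_port=179, rate_pps=100),
        Entry("BGP-cfg-peer", "TCP", local_port=179, remote_ip=PEER, rate_pps=1000),
        Entry("BGP-known", "TCP", ME, 179, PEER, 2223, min_ttl=255, rate_pps=10000),
        Entry("LDP-TCP-known", "TCP", "2010:200:0::2", 13232, "2010:200:0::1", 646,
              rate_pps=100),
    ])


def run_demo() -> dict:
    """Feed constructed packets through the model and return the verdicts."""
    pifib = build_pifib()
    verdicts = {
        "established_ttl255": pifib.receive(Packet("TCP", PEER, 2223, ME, 179, ttl=255)),
        "established_ttl254": pifib.receive(Packet("TCP", PEER, 2223, ME, 179, ttl=254)),
        "cfg_peer_new_syn": pifib.receive(Packet("TCP", PEER, 5000, ME, 179, ttl=255)),
        "stranger_udp": pifib.receive(Packet("UDP", "2001:db8::bad", 5353, ME, 5353)),
        "echo": pifib.receive(Packet("ICMP", "2001:db8::1", None, ME, None)),
    }
    # A SYN flood from unknown hosts only ever hits the 100 pps listener policer:
    # within one instant just the 100 ms burst (10 packets) gets through.
    flood = [pifib.receive(Packet("TCP", f"2001:db8::{i:x}", 40000 + i, ME, 179))
             for i in range(50)]
    verdicts["flood_accepted"] = flood.count("accept:BGP-default")
    verdicts["flood_dropped"] = flood.count("drop:police:BGP-default")
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20s} {verdict}")
```

The point the model makes explicit is that the flood never touches the policer of the established session: unknown sources fall through to the listener entry and are throttled at its (low) rate, while a packet from the configured peer with the wrong TTL is discarded on the most specific entry rather than being handed to a less trusted one.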
"Receive" Packet Flow for the LC CPU (diagram)

L3 line card: port -> RX PSE (L3 engine, Pre-IFIB lookup) -> INGRESSQ -> LC CPU (ICMP echo request, Layer 2 packets) or FABRICQ -> fabric -> RP. Return path: RP -> fabric -> FABRICQ -> SPONGE/reassembly -> TX PSE (L3 engine) -> EGRESSQ -> port.

Execute a sweep-range ping to a CRS-1 and you will see packets dropping.

There are multiple queues towards the LC CPU with different priorities (bfd, critical, high, medium, low, netflow):
  - L2 control is sent to the critical queue
  - CDP and ICMP echo go to the high priority queue
  - Fragments and TTL-expired packets go to the medium priority queue
  - BFD is enqueued to a dedicated BFD queue, processed by a high priority thread (prio = 40)
Inside the LC CPU (diagram)

CPU queues from IngressQ (Critical, High Prio, Med Prio, Low Prio, plus the BFD and Netflow queues) feed the consumers: BFD, NetIO (raw, UDP, TCP), CDP, HDLC, Netflow and ICMP.
Locally Destined Packet Flow for the RP CPU (diagram)

Control packet path: port -> RX PSE (L3 engine, Pre-IFIB lookup) -> INGRESSQ -> FABRICQ -> fabric -> RP CPU queues -> NetIO.

There are multiple queues towards RP-CPU NetIO processing with different priorities (high, medium, low):
  - IGP, BGP-established and LDP-established to the high priority queue
  - BGP-configured and LDP-configured, RSVP, AAA, PIM to the medium priority queue
  - SNMP, Telnet, SSH, ICMP echo reply, unknown BGP and others to the low priority queue
Inside the RP CPU (diagram)

CPU queues from FabricQ feed NetIO (raw, UDP, TCP) and from there the applications: IS-IS, OSPF, SNMP, SSH, BGP, LDP.
LPTS data structures
  - Pre-IFIB (PIFIB) in the LC ingress PSE TCAM (hardware)
  - Software Pre-IFIB on each LC and (D)RP
      - More complex packet inspection and operations
      - Hashing fragments to different (D)RPs based on src/dst
  - IFIB "slices" distributed across the (D)RPs
      - Secondary look-up table when the Pre-IFIB is incomplete
      - Distributed into slices: TCP slice, UDP slice, IS-IS slice, etc.
LPTS PIFIB entry: key fields and lookup results

Sample LPTS entry:

  RP/0/RP0/CPU0:RTPTME-CRS# show lpts pifib hardware entry location 0/0/CPU0
  ----------------------------------------
  V - Vital; M - Fabric Multicast; C - Moose Congestion Flag; L - Listener Tag; T - Min TTL;
  F - Flow Type; DestNode - Destination Node; DestAddr - Destination Fabric Address;
  Sq - Ingress Shaping Queue; Dq - Destination Queue; Po - Policer; Ct - Stats Counter;
  Lp - Lookup priority; Sp - Storage Priority; Ar - Average rate limit; Bu - Burst;
  HAr - Hardware Average rate limit; HBu - Hardware Burst; Rsp - Relative sorting position;
  Rtp - Relative TCAM position; na - Not Applicable or Not Available

  L4 Protocol       : TCP
  VRF ID            : default
  Source IP         : 2010:8:8::5
  Port/Type         : Port:28043
  Source Port       : 179
  Is Fragment       : 0
  Is SYN            : any
  Interface         : any
  V/M/C/L/T/F       : 1/0/1/IPv6_STACK/0/BGP-known
  DestNode          : 0/RP0/CPU0
  DestAddr          : 30
  Sq/Dq/Ct          : 24/6/0x7ff60
  Accepted/Dropped  : 6305/0
  Lp/Sp             : 1/255
  # of TCAM entries : 1
  Po/Ar/Bu          : 113/25000pps/100ms
  HPo/HAr/HBu       : 113/25000pps/100ms
  State             : Entry in TCAM
  Rsp/Rtp           : 35/35

Key fields (what the TCAM matches on): L4 Protocol, VRF ID, Source IP, Port/Type (the local port), Source Port, Is Fragment, Is SYN and Interface.

Lookup results (what happens on a match): the V/M/C/L/T/F flags and flow type, DestNode/DestAddr (where the packet is delivered), Sq/Dq/Ct (queues and stats counter), Lp/Sp, the policer Po with its average rate and burst, and the Accepted/Dropped counters. This particular entry is the established (BGP-known) IPv6 session with 2010:8:8::5: local ephemeral port 28043, remote port 179, policer 113 at 25000 pps, delivered to 0/RP0/CPU0.
LPTS Software Entries (summary view)

  RP/0/RP0/CPU0:CRS1-4#show lpts pifib brief location 0/7/CPU0
  Type       VRF-ID   Local, Remote Address.Port         L4     Interface     Deliver
  ---------- -------- ---------------------------------  -----  ------------  -------------
  ISIS       *        -                    -             -      any           0/2/CPU0
  IPv4_frag  *        any                  any           any    any           R
  IPv4       default  224.0.0.1            any           IGMP   Gi0/7/1/0     0/RP0/CPU0
  IPv4       default  any.23               any           TCP    Gi0/7/1/0     0/RP0/CPU0
  IPv4       default  224.0.0.22           any           IGMP   Gi0/7/1/1     0/RP0/CPU0
  IPv4       default  224.0.0.13           any           PIM    Gi0/7/1/1     0/RP0/CPU0
  …
  IPv4       default  10.8.8.4.20244       10.8.8.5.17   TCP    any           0/RP0/CPU0
  IPv4       default  any.179              10.8.8.5      TCP    any           0/RP0/CPU0
  IPv4       default  10.10.20.34.23       10.10.20.10   TCP    any           0/RP0/CPU0
  IPv4       default  192.168.254.4.49716  192.16        TCP    any           0/RP0/CPU0
  …
  IPv6       *        any.ECHOREQ          any           ICMP6  any           XI
  IPv6       *        any.NDRTRSLCT        any           ICMP6  any           XI
  IPv6       *        any.NDRTRADV         any           ICMP6  any           XI
  IPv6       *        any.NDNBRSLCT        any           ICMP6  any           XI
  IPv6       *        any.NDNBRADV         any           ICMP6  any           XI
  IPv6       *        any.NDREDIRECT       any           ICMP6  any           XI
  IPv6       *        ff02::5              any           OSPF   any           0/RP0/CPU0
  IPv6       *        ff02::6              any           OSPF   any           0/RP0/CPU0

Note the Deliver column: IS-IS packets go to 0/2/CPU0, the node on which the IS-IS process is placed, and the Telnet listener any.23 exists only on Gi0/7/1/0, the interface on which MPP allows it.
LPTS entries for BGP

  router bgp 100
   nsr
   address-family ipv4 unicast
   !
   neighbor 172.30.255.3
    remote-as 100
    update-source Loopback0
    address-family ipv4 unicast

Listener entry for the configured peer (flow type BGP-cfg-peer, policer 114 at 10000 pps):

  L4 Protocol       : TCP
  VRF ID            : default
  Source IP         : 172.30.255.3
  Port/Type         : Port:179
  Source Port       : any
  Is Fragment       : 0
  Is SYN            : any
  Interface         : any
  V/M/C/L/T/F       : 1/0/1/IPv4_LISTENER/0/BGP-cfg-peer
  DestNode          : 0/RP0/CPU0
  DestAddr          : 62
  Sq/Dq/Ct          : 24/6/0x7ff34
  Accepted/Dropped  : 1/0
  Lp/Sp             : 1/255
  # of TCAM entries : 1
  Po/Ar/Bu          : 114/10000pps/100ms
  HPo/HAr/HBu       : 114/10000pps/100ms
  State             : Entry in TCAM
  Rsp/Rtp           : 40/40

Established session entry (flow type BGP-known, policer 113 at 25000 pps). Because NSR is configured the packet is fabric-multicast (M = 1) to an FGID, so that both the active and the standby RP receive it:

  L4 Protocol       : TCP
  VRF ID            : default
  Source IP         : 172.30.255.3
  Port/Type         : Port:11013
  Source Port       : 179
  Is Fragment       : 0
  Is SYN            : any
  Interface         : any
  V/M/C/L/T/F       : 1/1/1/IPv4_STACK/0/BGP-known
  DestNode          : FGID 11775
  DestAddr          : 11775
  Sq/Dq/Ct          : 24/5/0x7ff32
  Accepted/Dropped  : 15344/0
  Lp/Sp             : 1/255
  # of TCAM entries : 1
  Po/Ar/Bu          : 113/25000pps/100ms
  HPo/HAr/HBu       : 113/25000pps/100ms
  State             : Entry in TCAM
  Rsp/Rtp           : 33/33
LPTS entries for IS-IS

  router isis test
   net 44.4444.4444.4444.4444.00
   interface Loopback4444
    address-family ipv4 unicast
   !
   !
   interface TenGigE0/0/0/1
    circuit-type level-1
    address-family ipv4 unicast

  L4 Protocol       : -
  Destination IP    : any
  Source IP         : any
  Port/Type         : any
  Source Port       : any
  Is Fragment       : 0
  Is SYN            : any
  Interface         : TenGigE0/0/0/1 (0x1080040)/3
  V/M/C/L/T/F       : 1/0/1/CLNS_STACK/0/ISIS-known
  DestNode          : 0/2/CPU0
  DestAddr          : 8
  Sq/Dq/Ct          : 24/6/0x7ffac
  Accepted/Dropped  : 0/0
  Lp/Sp             : 0/255
  # of TCAM entries : 1
  Po/Ar/Bu          : 108/20000pps/100ms
  HPo/HAr/HBu       : 108/20000pps/100ms
  State             : Entry in TCAM
  Rsp/Rtp           : 0/0

The entry is bound to the interface on which IS-IS is enabled and delivers to 0/2/CPU0, the node where the IS-IS process has been placed; BGP, by contrast, runs on the active RP with the standby RP shown in brackets:

  RP/0/RP0/CPU0:CRS1-4#show placement program all | i isis
  isis        instance test   0/2/CPU0
  RP/0/RP0/CPU0:CRS1-4#show placement program all | i bgp
  bgp         instance 0      0/RP0/CPU0 [0/RP1/CPU0]
Configuring Local Packet Transport Services
LPTS policers are configurable globally or per line card. Users can set rate values for each type of traffic:

  lpts pifib hardware police
   flow fragment rate 0
   flow bgp default rate 0

Flow types that can be policed:
  fragment
  ospf-mc-known, ospf-mc-default, ospf-uc-known, ospf-uc-default
  isis-known, isis-default
  eigrp
  rip
  bgp-known, bgp-cfg-peer, bgp-default
  pim-mc, pim-uc
  igmp
  ipsec-known, ipsec-default
  msdp-known, msdp-cfg-peer, msdp-default
  snmp
  ntp
  ssh-known, ssh-default
  http-known, http-default
  shttp-known, shttp-default
  telnet-known, telnet-default
  css-known
  rsh-known, rsh-default
  udp-known, udp-listen, udp-cfg-peer, udp-default
  tcp-known, tcp-listen, tcp-cfg-peer, tcp-default
  mc-known, mc-default
  raw-listen, raw-default
  ip-sla
  icmp-local, icmp-app, icmp-default, icmp-control
  ldp-tcp-known, ldp-tcp-cfg-peer, ldp-tcp-default, ldp-udp
  lmp-tcp-known, lmp-tcp-cfg-peer, lmp-tcp-default, lmp-udp
  all-routers
  rsvp, rsvp-udp
  ike

In the CLI the flow type is written as separate keywords (for example "flow bgp default rate 0" or "flow ospf multicast known rate 0"), and the per-line-card form adds "location r/s/m" after "police".
Verifying LPTS policer values

  RP/0/RP0/CPU0:CRS1-4#show lpts pifib hardware police location 0/7/CPU0
  -------------------------------------------------------------
  Node 0/7/CPU0:
  -------------------------------------------------------------
  FlowType               Policer Type    Cur. Rate  Def. Rate  Accepted   Dropped
  ---------------------- ------- ------- ---------- ---------- ---------- ----------
  unconfigured-default   100     Static  500        500        0          0
  Fragment               106     Global  0          1000       0          0
  OSPF-mc-known          107     Static  20000      20000      0          0
  OSPF-mc-default        111     Static  5000       5000       0          0
  OSPF-uc-known          161     Static  5000       5000       0          0
  OSPF-uc-default        162     Static  1000       1000       0          0
  BGP-known              113     Static  25000      25000      18263      0
  BGP-cfg-peer           114     Static  10000      10000      6          0
  BGP-default            115     Global  0          10000      0          2
  PIM-mcast              116     Static  23000      23000      19186      0
  PIM-ucast              117     Static  10000      10000      0          0
  IGMP                   118     Static  3500       3500       9441       0
  ICMP-local             119     Static  2500       2500       1020       0
  ICMP-default           121     Static  2500       2500       0          0
  LDP-TCP-known          122     Static  25000      25000      0          0
  LDP-TCP-cfg-peer       152     Static  10000      10000      0          0
  LDP-TCP-default        154     Static  10000      10000      0          0
  ……cut……

The two flows whose Type is "Global" are the ones overridden by the configuration below (Cur. Rate 0 against a non-zero Def. Rate); the 2 dropped BGP-default packets are connection attempts from peers that are not configured, rejected in hardware:

  lpts pifib hardware police
   flow fragment rate 0
   flow bgp default rate 0
Tightening LPTS

If you can use only the p2p OSPF network type, the multicast OSPF flows are never needed:

  lpts pifib hardware police
   flow ospf multicast known rate 0
   flow ospf multicast default rate 0

Note that the OSPF p2p network type is the recommended setting even on Ethernet interfaces, unless you have multiple (>2) routers on the same segment.

Do we really need the BGP, LDP-TCP and MSDP default flows, i.e. sessions from peers that are not configured? If not:
  - flow bgp default rate 0
  - flow ldp tcp default rate 0
  - flow msdp default rate 0

Further investigation is needed for these (change at your own risk: they are the catch-all for every unsolicited UDP, TCP or raw IP packet to the router, including protocols you may not have thought of):
  - flow udp default rate 0
  - flow tcp default rate 0
  - flow raw default rate 0
Monitoring Local Packet Transport Services
Monitoring methods for LPTS
  - CLI-based show commands (previous slides)
      - There is no SNMP MIB for LPTS
  - EEM scripting for LPTS alerting
      - http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=1721

  event manager environment EEM_LPTS_CHECK_INTERVAL 300
  event manager environment EEM_LPTS_CHECK_FLOWTYPES BGP-known *
  event manager environment EEM_LPTS_CHECK_LOCATIONS 0/0/CPU0 0/4/CPU0
  event manager environment EEM_LPTS_CHECK_THRESHOLD 1 50%
  event manager directory user policy disk0:/scripts/
  event manager policy lpts-threshold-alerting.tcl username scripts
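What such a threshold check has to do, as an added example and not the EEM script referenced above: parse the "show lpts pifib hardware police" text, turn the cumulative Accepted/Dropped counters into per-interval deltas (the EEM script polls every EEM_LPTS_CHECK_INTERVAL seconds, and a flow that dropped heavily a week ago should not alert forever), and flag a flow type that drops more than a threshold. The flow-type patterns and the two thresholds are this example's own parameters, modelled on the EEM environment variables; SAMPLE_T0 is the output shown on the previous page, SAMPLE_T1 is a constructed later snapshot.

```python
"""Drop-ratio alerting over 'show lpts pifib hardware police' output.

Added example, not the EEM script referenced on the page. It parses the CLI
text, turns the cumulative Accepted/Dropped counters into per-interval deltas
and raises an alert when a selected flow type drops at least min_drops packets
and at least drop_pct percent of what it received. SAMPLE_T0 is the slide's
output (shortened); SAMPLE_T1 is a constructed later snapshot.
"""
import re
from fnmatch import fnmatchcase

NODE_RE = re.compile(r"^Node\s+(\S+):")
ROW_RE = re.compile(
    r"^(?P<flow>\S+)\s+(?P<policer>\d+)\s+(?P<type>\S+)\s+(?P<cur>\d+)\s+"
    r"(?P<default>\d+)\s+(?P<accepted>\d+)\s+(?P<dropped>\d+)\s*$")

SAMPLE_T0 = """\
RP/0/RP0/CPU0:CRS1-4#show lpts pifib hardware police location 0/7/CPU0
-------------------------------------------------------------
Node 0/7/CPU0:
-------------------------------------------------------------
FlowType               Policer Type    Cur. Rate  Def. Rate  Accepted   Dropped
---------------------- ------- ------- ---------- ---------- ---------- ----------
unconfigured-default   100     Static  500        500        0          0
Fragment               106     Global  0          1000       0          0
OSPF-mc-known          107     Static  20000      20000      0          0
BGP-known              113     Static  25000      25000      18263      0
BGP-cfg-peer           114     Static  10000      10000      6          0
BGP-default            115     Global  0          10000      0          2
PIM-mcast              116     Static  23000      23000      19186      0
ICMP-local             119     Static  2500       2500       1020       0
"""

# Constructed snapshot one poll interval later: BGP-known has accepted another
# 1000 packets and dropped 1000, BGP-default has rejected two more strangers.
SAMPLE_T1 = """\
Node 0/7/CPU0:
FlowType               Policer Type    Cur. Rate  Def. Rate  Accepted   Dropped
BGP-known              113     Static  25000      25000      19263      1000
BGP-cfg-peer           114     Static  10000      10000      6          0
BGP-default            115     Global  0          10000      0          4
"""


def parse_police(text: str) -> dict:
    """Return {(node, flowtype): {policer, type, cur, default, accepted, dropped}}."""
    node, rows = None, {}
    for line in text.splitlines():
        m = NODE_RE.match(line.strip())
        if m:
            node = m.group(1)
            continue
        m = ROW_RE.match(line.strip())
        if m and node:
            d = m.groupdict()
            rows[(node, d.pop("flow"))] = {
                k: (int(v) if v.isdigit() else v) for k, v in d.items()}
    return rows


def interval_deltas(prev: dict, cur: dict) -> dict:
    """Counters are cumulative, so alert on what happened since the last poll."""
    out = {}
    for key, row in cur.items():
        base = prev.get(key, {"accepted": 0, "dropped": 0})
        acc, drp = row["accepted"] - base["accepted"], row["dropped"] - base["dropped"]
        if acc < 0 or drp < 0:           # counters cleared or LC reloaded: start over
            acc, drp = row["accepted"], row["dropped"]
        out[key] = {**row, "accepted": acc, "dropped": drp}
    return out


def check_thresholds(rows: dict, flow_patterns=("*",), min_drops=1, drop_pct=50.0):
    """Return (node, flow, drop percentage, reason) for every flow over threshold."""
    alerts = []
    for (node, flow), r in sorted(rows.items()):
        if not any(fnmatchcase(flow, pat) for pat in flow_patterns):
            continue
        total = r["accepted"] + r["dropped"]
        if total == 0 or r["dropped"] < min_drops:
            continue
        pct = round(100.0 * r["dropped"] / total, 1)
        if pct >= drop_pct:
            # A policer deliberately set to 0 drops by design; anything else that
            # drops this much is either under attack or under-provisioned.
            reason = ("policer set to 0: drops are intentional" if r["cur"] == 0
                      else "policer exceeded: attack or undersized rate")
            alerts.append((node, flow, pct, reason))
    return alerts


if __name__ == "__main__":
    deltas = interval_deltas(parse_police(SAMPLE_T0), parse_police(SAMPLE_T1))
    for alert in check_thresholds(deltas, ("BGP-known", "*")):
        print("LPTS alert:", alert)
```

Two details matter in practice: the reason string separates the expected drops of a flow you policed to 0 from a flow whose policer is being exhausted, and the per-node key keeps separate state for every line card, since each LC has its own policers and an attack usually arrives on one of them.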
Troubleshooting Local Packet Transport Services
Verifying table entries and counters

Verify the bindings:
  - show lpts bindings brief: individual client requests
  - show lpts clients: is there a client for every node configured for traffic?
  - show lpts flows brief: arbitrated, resolved requests turned into flows for the IFIB

Verify the LPTS entries in RP NetIO:
  - show lpts ifib slices all: useful if the slice location migrates due to extra RP/DRP resources
  - show lpts ifib entry brief: verify the final software FIB entry
  - show lpts ifib statistics location r/s/m: valid only on RPs and DRPs

Verify the line card PIFIB software and hardware entries:
  - show lpts pifib entry brief location r/s/m: summary view
  - show lpts pifib entry location r/s/m: gives software stats
  - show lpts pifib hardware entry brief location r/s/m: summary view
  - show lpts pifib hardware entry statistics location r/s/m: counters
  - show lpts pifib hardware usage location r/s/m: TCAM resource utilization
  - show lpts pifib hardware police location r/s/m: policer values
LPTS debugs
  - debug lpts packet location <r/s/m>
      - On an LC, shows LC CPU activity only (not the PSE)
      - On an RP/DRP, shows secondary look-ups and packet delivery
      - One message per layer per packet
  - debug lpts packet {ipv4acl | ipv6acl} <name>: limit to packets matching an ACL
  - debug lpts packet snapshot-size <n>: display <n> packets, then stop
  - debug lpts packet drops: packets dropped by LPTS
  - debug lpts pa {irib | ifib | error}: IFIB generation information
  - debug lpts pifibm {events | errors} location <r/s/m>: what is getting into the Pre-IFIB
"debug lpts packet" example

  RP/0/0/CPU0:Jul 16 18:12:19.035 : netio[64]: lpts ifib [0xda3159b4/104 if 0x02000400 IP4 10.0.2.1 -> 10.0.2.2 ICMP 0 0] to local stack
  RP/0/0/CPU0:Jul 16 18:12:28.294 : netio[64]: lpts decaps [0xda314bb4/4474 if 0x02000400 CLNS] to local stack
  RP/0/0/CPU0:Jul 16 18:12:28.697 : netio[64]: lpts decaps [0xda3159b4/32 if 0x02000400 IP4 10.0.2.1 -> 224.0.1.9 IGMP 22 0] to local stack
  RP/0/0/CPU0:Jul 16 18:12:29.898 : netio[64]: lpts pifib [0xda3159b4/62 Mg0/0/CPU0/0 IP4 10.91.36.2.1985 -> 224.0.0.2.1985 UDP] to local MCAST4_FM
  RP/0/0/CPU0:Jul 16 18:12:29.899 : netio[64]: lpts ifib [0xda3159b4/62 Mg0/0/CPU0/0 IP4 10.91.36.2.1985 -> 224.0.0.2.1985 UDP] no matching entry in MCAST4_FM slice, dropping

The last two lines show the secondary look-up failing: an HSRP hello (UDP 1985 to 224.0.0.2) arriving on the management Ethernet has no matching IFIB entry, so LPTS drops it instead of handing it to any application.
LPTS always-on debugs (traces)
  - Global traces: show lpts trace global
      - Captures process starts, slice assignments, dependencies
  - Per-process traces: show lpts trace {pa | fm | ff | platf}
      - Transactions, errors, and platform-specific information
Data Plane Protection Methods
Data Plane Exceptions: "Receive" traffic not processed by LPTS

  Type              Policer (pps)  Queue priority
  CDP               1000           High
  ARP               1000           High
  L2 control        1000           Critical
  IPv4 options      2500           Medium
  IPv4 TTL expire   1000           Low
  IPv6 Link Local   10000          Medium
  IPv6 TTL expire   500            Low
  BFD async         7000           BFD
  BFD echo          7000           BFD
  BFD TTL error     drop           na
  Sampled Netflow   varies*        Netflow

  * Depends on platform/HW

  - Most traffic directly processed by the LC CPU is handled by LC microcode without LPTS (no dynamic state)
  - Different priority queues towards the CPU
  - Each traffic type is policed; e.g. BFD uses its own queue, which has the highest priority
  - BFD with TTL < 254 is dropped
  - Use "show controllers pse statistics" to get the stats
show controllers pse statistics ingress location r/s/m

  RP/0/RP0/CPU0:CRS1-4#show controllers pse statistics ingress location 0/7/CPU0
  Punt Stats               Punted       Policed & Dropped
  ----------               ------       -----------------
  L2 control               285049       0
  CDP                      125624       0
  ARP                      252          0
  IPv4 TTL expiration      13562720     17668788471
  IPv4 BFD echo            262338       4890440
  IPv6 link local          4326         0

  Drop Stats               Dropped
  ----------               -------
  L2 unknown               896912
  IPv4 not enabled         38342
  IPv4 BFD TTL error       933027779

  Debug Stats              Count
  -----------              -----
  PPE idle counter         46869398697124

The IPv4 TTL expiration row shows why the punt policer matters: more than 17 billion TTL-expired packets were policed and dropped in microcode against 13.5 million that were actually punted, and 933 million BFD packets with a bad TTL were discarded without ever reaching the BFD queue.
Data Plane protection with ACLs
  - Consider where to place ACLs for containment: think of regions or logical segmentation of the network, so that an attack can be limited should one occur
  - Ability to filter on TTL, packet length, fragments and IPv6 extension headers (EHs)
  - Interface-level statistics in hardware
  - Interface ACL processing happens before LPTS processing, so an ingress infrastructure ACL can discard packets aimed at the router before they consume an LPTS policer or any CPU cycles
  - Logging gives the ability to do forensics and is rate limited on the number of packets sent to the CPU, to avoid overrunning CPU resources
  - Nested infrastructure ACLs (ACL chaining): ipv4/ipv6 access-group common <name>
ACL Chaining Example Configuration

  ipv6 access-list acl-common-v6
   10 permit ipv6 host 2001:db8::202:202:202:202 host 2001:db8::204:175:175:1 log-input
   15 deny ipv6 any host 2001:db8::204:175:175:1
   20 permit ipv6 host 2001:db8::202:202:202:202 host 2001:db8::205:175:175:1 log-input
   25 deny ipv6 any host 2001:db8::205:175:175:1
   30 permit ipv6 host 2001:db8::202:202:202:202 host 2001:db8::206:175:175:1 log-input
   35 deny ipv6 any host 2001:db8::206:175:175:1
  ipv6 access-list acl-unique1-v6
   10 permit ipv6 host 2001:db8::202:202:202:202 host 2001:db8::207:175:175:1 log-input
   15 deny ipv6 any host 2001:db8::207:175:175:1
   20 permit ipv6 any any
  interface GigabitEthernet 0/1/1/1
   ipv6 access-group common acl-common-v6 acl-unique1-v6 ingress

The common ACL (the shared infrastructure protection) is evaluated first, then the interface-specific ACL; only the interface-specific ACL ends with the "permit ipv6 any any" that lets transit traffic through, so the common list can be maintained in one place for every interface that references it.
Other traditional methods for protecting the Data Plane
  - Blunt control-plane-mediated sinkholing
      - Honey pots
      - Remote-triggered black hole (RTBH) via BGP
  - QoS via MQC, with matching similar to the ACL method
  - Unicast RPF, both loose and strict
  - IPv6 EH filtering within ACLs
      - No length limitations, but a performance decrease (~20%) if there are more than 86 bytes of IPv6 headers on CRS
Management Plane Protection
MPP Overview

Management protocols are secured at several levels:
  - MPP limits the interfaces exposed for management access
  - By default, management protocols are off on every interface once MPP is configured
  - MPP peer filtering
  - LPTS rate limits
  - Feature-specific rate/session limits
Management Plane Protection allows the network operator to reserve a set of interfaces for management traffic, either exclusively (i.e. out-of-band) or along with transit traffic (i.e. in-band).

MPP is supported on all IOS XR platforms and there is no difference in terms of detailed MPP feature support.

IOS XR Management Plane Protection offers:
  - In-band interface support
  - Out-of-band interface support
  - Per-interface and per-protocol filtering
  - Peer filtering
      - IPv4/IPv6 host based
      - IPv4/IPv6 subnet based

Management protocols supported: TFTP, Telnet, SSH (v1 & v2), SNMP and HTTP/HTTPS.
How Management Plane Protection Works
IOS XR with In-band MPP (diagram: the NOC reaches the router over the IP/MPLS network on I/F 1, the DCN reaches it over RP Eth; I/F 2 and I/F 3 carry transit traffic only)
  - I/F 1 is configured as the MPP in-band interface. I/F 1 is also part of global routing/forwarding.
  - Management traffic to the RP from all non-MPP interfaces is dropped (I/F 2 and I/F 3).
  - RP Eth/Console/Aux continue to operate as dedicated out-of-band.
  - MPP integrates with LPTS to provide hardware-based filtering!
MPP In-band Support
  - In-band interface selection
      - The network operator can select specific interfaces for in-band
      - Granularity of allowing different management protocols on different in-band interfaces
  - An in-band interface allows transit traffic along with management traffic
  - Option of choosing all available interfaces as in-band using the keyword "all" (which re-exposes every interface, so use it only as a deliberate choice)
  - Option of enabling all supported management protocols on a particular interface using the keyword "all"
  - IPv4/IPv6 peer filtering per protocol and per interface
  - Support for dynamic routing protocols on in-band interfaces
  - In-band interface support per SDR
  - In-band interface support for VRF-aware management protocols (SSH/SNMP)
IOS XR with out-of-band MPP (diagram: the NOC and DCN reach the router through I/F 1, I/F 3 and RP Eth; transit in the OOB VRF stays between the OOB interfaces, and I/F 2 carries the global transit traffic)
  - I/F 1 and I/F 3 are configured as MPP out-of-band interfaces. I/F 1 and I/F 3 are no longer part of global routing/forwarding.
  - Management traffic to the RP from all non-MPP interfaces is dropped (I/F 2).
  - RP Eth interfaces continue to operate as dedicated out-of-band.
  - Routing/forwarding is allowed between OOB interfaces (transit in the OOB VRF).
  - LPTS provides the rate limiting.
MPP Out-of-band Support
  - Uses the VRF concept for out-of-band interface support
      - Requests received on out-of-band interfaces are only acknowledged on out-of-band interfaces
      - No need for management protocols to be VRF aware
      - The VRF for the out-of-band network is configurable; the default VRF is "MPP_OUTBAND_VRF"
  - Routing/forwarding can be enabled on out-of-band interfaces
      - RP Ethernet will not participate in routing in the out-of-band VRF
  - RP/DRP Ethernet interfaces are the default out-of-band interfaces
  - Keyword "all" for protocol and interface is supported
  - IPv4/IPv6 peer filtering per protocol
  - Out-of-band interface support per SDR
Restrictions
  - Currently MPP does not keep track of the denied or dropped protocol requests
  - The management protocols need to be enabled explicitly
      - The MPP configuration does not enable the protocol services
      - MPP is only responsible for making the services available on different interfaces
  - RP/DRP Ethernet interfaces are out-of-band interfaces by default and cannot be configured under MPP
  - MPP configuration changes do not affect active sessions established before the changes, so a session already open on an interface you have just removed from MPP survives until it is cleared
  - No MIB support
Management Plane Protection Configuration
Before Configuring MPP
  - The RP's dedicated management ports automatically become out-of-band access for MPP and allow all management traffic towards the RP.
  - The RP management interfaces will not be shown as out-of-band interfaces in "show run" even though they are active.
  - All management traffic to any other interface will be dropped unless the interface is configured, either as an in-band or as an out-of-band interface under MPP, for the specific protocols.
  - Warning! Make sure you will not lock yourself out: use "commit confirmed", so that the change rolls back automatically if you lose access and cannot confirm it.
MPP In-band Configuration Tasks
  1. Enable the protocol services
     - Protocols supported by MPP are SSH, Telnet, TFTP, HTTP and SNMP
  2. Enable MPP for specific interfaces
     - Specify protocols on specific interfaces
  3. Specify the source peers/subnets of the incoming management traffic for
     - Each protocol
     - Each specific interface
  4. Apply the management plane protection configuration
  5. If management services are required in a particular VRF
     - For VRF-aware management protocols (Telnet and SNMP), enable the protocol services for the VRF and place the in-band interface under the same VRF
     - Non-VRF-aware management services cannot be configured for MPP
Sample Config - 1

  RP/0/RP1/CPU0:akki#show running-config | inc (ssh|snmp)
  ssh server
  snmp-server community PUBLIC SystemOwner

  RP/0/RP1/CPU0:akki#show running-config control-plane
  control-plane
   management-plane
    inband
     interface GigabitEthernet0/2/0/1
      allow SSH
      allow SNMP peer
       address ipv4 1.1.1.1
       address ipv4 192.168.0.0/16
       address ipv6 2000:21:1:1::1
       address ipv6 2000:20::/64

Protocols enabled: SSH and SNMP. In-band interface: GigabitEthernet0/2/0/1. Peer filtering applies to SNMP only (the peer block hangs off "allow SNMP"); all peers are allowed for SSH. The SystemOwner community string on the slide is a lab value: it grants full access, so in production it needs a non-guessable string in addition to the peer filter shown.
MPP Out-of-band Configuration Tasks
  1. Enable the protocol services
     - Protocols supported by MPP are SSH, Telnet, TFTP, HTTP and SNMP
  2. Choose the interfaces for OOB
     - Choose specific protocols on specific interfaces
  3. Place the interfaces under the MPP default VRF or the configured MPP VRF
  4. Choose the specific allowed peers/subnets for each protocol and for each specific interface
  5. Apply the management-plane protection configuration
Sample Config

  RP/0/RP1/CPU0:akki#show running-config interface gigabitEthernet 0/2/0/2
  interface GigabitEthernet0/2/0/2
   ipv4 address 1.1.1.2 255.255.255.0
   ipv6 address 2000:20::1/64
   vrf my_out_of_band
   negotiation auto

  RP/0/RP0/CPU0:akki#show running-config vrf *
  vrf my_out_of_band
   address-family ipv4 unicast
   address-family ipv6 unicast

  RP/0/RP0/CPU0:akki#show running-config | inc ssh
  ssh server

The VRF definition for the out-of-band network, the interface placed in that VRF, and the SSH server configuration.
Sample Config (contd.)

  RP/0/RP1/CPU0:akki#show running-config control-plane
  control-plane
   management-plane
    out-of-band
     vrf my_out_of_band
     interface GigabitEthernet0/2/0/2
      allow SSH peer
       address ipv4 1.1.1.1
       address ipv4 192.168.0.0/16
       address ipv6 2000:0:1:1::1

  RP/0/RP1/CPU0:akki#show running-config router ospf
  router ospf 100
   vrf my_out_of_band
    area 0
     interface gigabitEthernet 0/2/0/2

Changing the OOB VRF ("vrf my_out_of_band" under out-of-band), the out-of-band interface, peer filtering for SSH, and routing in the OOB VRF.
Troubleshooting Management Plane Protection (MPP)
RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.23 ) 0/RP0/CPU0 TCP LR IPV4 TCP default any.23 any Mg0/RP0/CPU0/0 0/RP0/CPU0 TCP LR IPV6 TCP default any.23 any Mg0/RP0/CPU0/0 0/RP0/CPU0 TCP LR IPV4 TCP default any.23 any Gi0/7/1/0 0/RP0/CPU0 TCP LR IPV6 TCP default any.23 any Gi0/7/1/0 0/RP0/CPU0 TCP LR IPV4 TCP default any.23 3.3.3.3 Gi0/7/1/3 0/RP0/CPU0 TCP LR IPV6 TCP default any.23 3:3:3::3 Gi0/7/1/3 0/RP0/CPU0 TCP LR IPV6 TCP default any.23 5:5:5::0/64 Gi0/7/1/3 RP/0/RP0/CPU0:CRS1-4# RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.161 ) 0/RP0/CPU0 UDP LR IPV4 UDP default any.161 any Mg0/RP0/CPU0/0 0/RP0/CPU0 UDP LR IPV4 UDP default any.161 any Lo87 0/RP0/CPU0 UDP LR IPV6 UDP default any.161 any Mg0/RP0/CPU0/0 0/RP0/CPU0 UDP LR IPV6 UDP default any.161 any Lo87 RP/0/RP0/CPU0:CRS1-4# RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.22 )
Troubleshooting MPP -- LPTS
control-plane management-plane inband interface Loopback87 allow SNMP ! interface GigabitEthernet0/7/1/0 allow SSH allow Telnet ! interface GigabitEthernet0/7/1/3 allow Telnet peer address ipv4 3.3.3.3 address ipv6 3:3:3::3 address ipv6 5:5:5::0/64 ! !
63
Troubleshooting MPP -- LPTS (contd..)

Same configuration as on the previous slide, now checked in the line-card hardware pre-IFIB:

RP/0/RP0/CPU0:CRS1-4#show lpts pifib hardware entry bri location 0/7/cpu0 | i (.23 )
(def).23 3.3.3.3 TCP GigabitEthernet0/7/1/3 0/RP0/CPU0 24 7
(def).23 3:3:3::3 TCP GigabitEthernet0/7/1/3 0/RP0/CPU0 24 7
(def).23 5:5:5::0/64 TCP GigabitEthernet0/7/1/3 0/RP0/CPU0 24 7
(def).23 any TCP GigabitEthernet0/7/1/0 0/RP0/CPU0 24 7
(def).23 any TCP GigabitEthernet0/7/1/0 0/RP0/CPU0 24 7
(def).23 10.10.20.100.33732 TCP any 0/RP0/CPU0 24 6
(def).23 2001:23:11::16.53964 TCP any 0/RP0/CPU0 24 6
RP/0/RP0/CPU0:CRS1-4#
RP/0/RP0/CPU0:CRS1-4#show lpts pifib hardware entry bri location 0/0/cpu0 | i (.23 )
(def).23 10.10.20.100.33732 TCP any 0/RP0/CPU0 24 6
(def).23 2001:23:11::16.53964 TCP any 0/RP0/CPU0 24 6
RP/0/RP0/CPU0:CRS1-4#

Line card 0/7 hosts the two GigabitEthernet interfaces, so its hardware entries mirror the bindings: per-peer entries for GigabitEthernet0/7/1/3 and any-source entries for GigabitEthernet0/7/1/0. Line card 0/0 hosts none of the MPP interfaces and carries only the two entries keyed on a remote address and ephemeral port (10.10.20.100.33732 and 2001:23:11::16.53964), which match on any interface and correspond to sessions already established to port 23. If an allowed interface is missing its per-interface entry on the line card that hosts it, the MPP policy has not been programmed there.
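Here is an added example that automates the cross-check the two troubleshooting slides do by eye; it is not code from the BRKSEC-3172 deck or from Cisco. It parses the in-band MPP configuration above together with the `show lpts bindings brief` lines for ports 23 and 161 (the slide's port-22 output is not reproduced, so the script reports SSH on GigabitEthernet0/7/1/0 as allowed but not bound) and reports three kinds of disagreement: a management listener on an interface MPP does not cover, a peer-restricted service whose binding accepts any peer or a peer outside the list, and an allowed service with no listener at all. The column order of the bindings output and the Gi/Lo/Mg interface abbreviations are assumptions made for this script.

```python
"""Cross-check an IOS XR MPP configuration against `show lpts bindings brief` output.

Added example for this page, not code from the BRKSEC-3172 deck or from Cisco.
MPP_CONFIG is the in-band policy from the troubleshooting slide; LPTS_BINDINGS is
constructed from the slide's bindings output for ports 23 and 161 only (the port-22
output is not reproduced), so a finding about SSH on Gi0/7/1/0 is expected.
The column order of the bindings output and the interface abbreviations are assumptions.
"""
import ipaddress
from collections import defaultdict

# `allow <proto>` keyword -> port that the service binds in LPTS.
MPP_PORTS = {"SSH": 22, "Telnet": 23, "SNMP": 161, "TFTP": 69, "HTTP": 80}
PORT_TO_PROTO = {port: proto for proto, port in MPP_PORTS.items()}

# Assumed: full interface type used in the config -> short form printed by LPTS.
SHORT = {"GigabitEthernet": "Gi", "TenGigE": "Te", "Loopback": "Lo", "MgmtEth": "Mg"}

MPP_CONFIG = """\
control-plane
 management-plane
  inband
   interface Loopback87
    allow SNMP
   !
   interface GigabitEthernet0/7/1/0
    allow SSH
    allow Telnet
   !
   interface GigabitEthernet0/7/1/3
    allow Telnet
     peer
      address ipv4 3.3.3.3
      address ipv6 3:3:3::3
      address ipv6 5:5:5::0/64
   !
  !
"""

# Constructed from the slide's `show lpts bindings brief | i (any.23 )` and `(any.161 )`.
LPTS_BINDINGS = """\
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 any Mg0/RP0/CPU0/0
0/RP0/CPU0 TCP LR IPV6 TCP default any.23 any Mg0/RP0/CPU0/0
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 any Gi0/7/1/0
0/RP0/CPU0 TCP LR IPV6 TCP default any.23 any Gi0/7/1/0
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 3.3.3.3 Gi0/7/1/3
0/RP0/CPU0 TCP LR IPV6 TCP default any.23 3:3:3::3 Gi0/7/1/3
0/RP0/CPU0 TCP LR IPV6 TCP default any.23 5:5:5::0/64 Gi0/7/1/3
0/RP0/CPU0 UDP LR IPV4 UDP default any.161 any Mg0/RP0/CPU0/0
0/RP0/CPU0 UDP LR IPV4 UDP default any.161 any Lo87
0/RP0/CPU0 UDP LR IPV6 UDP default any.161 any Mg0/RP0/CPU0/0
0/RP0/CPU0 UDP LR IPV6 UDP default any.161 any Lo87
"""


def short_name(ifname):
    """GigabitEthernet0/7/1/3 -> Gi0/7/1/3, matching the abbreviated LPTS column."""
    for full, abbrev in SHORT.items():
        if ifname.startswith(full):
            return abbrev + ifname[len(full):]
    return ifname


def parse_mpp(text):
    """Return {short_ifname: {port: [peer networks] or None}}; None means any peer."""
    policy, current_if, current_port = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_if = short_name(line.split()[1])
            policy[current_if] = {}
        elif line.startswith("allow "):
            current_port = MPP_PORTS[line.split()[1]]
            policy[current_if][current_port] = None
        elif line.startswith("address "):          # peer entry under the current allow
            net = ipaddress.ip_network(line.split()[2], strict=False)
            policy[current_if][current_port] = (policy[current_if][current_port] or []) + [net]
    return policy


def parse_bindings(text):
    """Return (af, port, remote, short_ifname) tuples; remote is a network or None for 'any'."""
    rows = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 9:
            continue
        # Assumed columns: location client type AF proto vrf local remote interface
        af, local, remote, ifname = fields[3], fields[6], fields[7], fields[8]
        port = int(local.rsplit(".", 1)[1])
        peer = None if remote == "any" else ipaddress.ip_network(remote, strict=False)
        rows.append((af, port, peer, ifname))
    return rows


def audit(policy, bindings):
    """Return a list of findings; an empty list means MPP and LPTS agree."""
    findings = []

    def note(msg):
        if msg not in findings:        # one finding per interface and service, not per AF
            findings.append(msg)

    seen = defaultdict(set)            # (ifname, port) -> remote peers LPTS accepts
    for af, port, peer, ifname in bindings:
        if port not in PORT_TO_PROTO:
            continue                   # not a management service, so MPP does not govern it
        proto = PORT_TO_PROTO[port]
        seen[(ifname, port)].add(peer)
        if ifname not in policy:
            note(f"{ifname}: {proto} listener on an interface MPP does not list")
        elif port not in policy[ifname]:
            note(f"{ifname}: {proto} listener but MPP does not allow {proto} there")
        elif policy[ifname][port] is not None:
            if peer is None:
                note(f"{ifname}: {proto} accepts any peer although MPP restricts peers")
            elif peer not in policy[ifname][port]:
                note(f"{ifname}: {proto} binding for {peer} is not in the MPP peer list")

    # Reverse direction: every allowed service and peer should actually be bound.
    for ifname, ports in policy.items():
        for port, peers in ports.items():
            proto = PORT_TO_PROTO[port]
            if (ifname, port) not in seen:
                note(f"{ifname}: MPP allows {proto} but LPTS has no binding (service not enabled?)")
                continue
            for net in peers or []:
                if net not in seen[(ifname, port)]:
                    note(f"{ifname}: MPP peer {net} for {proto} has no LPTS binding")
    return findings


def run_audit():
    return audit(parse_mpp(MPP_CONFIG), parse_bindings(LPTS_BINDINGS))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On the slide's data the script reports the Management Ethernet listeners for Telnet and SNMP as outside the MPP policy and SSH on Gi0/7/1/0 as allowed but not bound; whether the first is acceptable depends on how the Management Ethernet port is protected on your platform, and the second is exactly the "enable the protocol services" step being checked. On a live box, replace the two constants with the text of `show running-config control-plane` and of `show lpts bindings brief` filtered for the management ports.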
MPP show commands
show mgmt-plane inband <interface> ‒ View the information of a particular in-band interface
show mgmt-plane out-of-band <interface> ‒ View the information of a particular out-of-band interface
show mgmt-plane out-of-band vrf ‒ View the out-of-band VRF
show mgmt-plane interface <interface> ‒ View in-band/out-of-band interface information
MPP debug commands

debug management-plane details
‒ To enable MPP detail debugs

debug management-plane errors
‒ To enable MPP error debugs

debug management-plane events
‒ To enable MPP event debugs

debug management-plane details job <jobid>
‒ To enable MPP detail debugs for a particular MPP-enabled process

debug management-plane errors job <jobid>
‒ To enable MPP error debugs for a particular MPP-enabled process

debug management-plane events job <jobid>
‒ To enable MPP event debugs for a particular MPP-enabled process

Note: the details option outputs verbose information.
Monitoring commands

show lpts ifib entry brief statistics
show lpts ifib stats
show lpts pifib statistics location <r/s/m>
show lpts pifib hardware entry statistics location <r/s/m>

Check whether there are LPTS drops on the RP, LC-SW, or LC-HW.

LPTS policer drops mean the incoming rate exceeded the configured or default policer value, which can be due to:
‒ a misconfigured policer (rate too low)
‒ a misbehaving device sending management traffic at a high rate
‒ a malicious attack, which is being blocked as intended
Summary – IOS XR Security FTW!
Uptime depends on more than defects or high availability features
‒ Device security is a critical piece of network reliability
‒ Data plane can handle way more packets/second than control plane
IOS XR security features enable “Self-Defending Network”
‒ Sophisticated hardware enables high-performance filtering
‒ LPTS provides all the benefits of CoPP with minimal configuration
‒ MPP builds on LPTS to secure infrastructure
Questions?
Recommended Reading
Cisco IOS XR Fundamentals http://www.ciscopress.com/title/1587052717
Router Security Strategies: Securing IP Network Traffic Planes
http://www.ciscopress.com/title/1587053365
Check the Recommended Reading brochure for suggested products available at the Cisco Store
Enter to Win a 12-Book Library of Your Choice from Cisco Press
Visit the Cisco Store in the World of Solutions, where you will be asked to enter this Session ID code
Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Preferred Access points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
‒ Facebook: https://www.facebook.com/ciscoliveus
‒ Twitter: https://twitter.com/#!/CiscoLive
‒ LinkedIn Group: http://linkd.in/CiscoLI
Glossary

FIB: Forwarding Information Base
RIB: Routing Information Base
RP: Route Processor
dRP: Distributed Route Processor
LC: Line Card
LPTS: Local Packet Transport Services
MPP: Management Plane Protection
CoPP: Control Plane Policing
PSE: Packet Switching Engine
IngressQ: Input queuing chip on LCs
FabricQ: Output fabric queuing chip on LCs