Source: d2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKSEC-3172.pdf

© 2012 Cisco and/or its affiliates. All rights reserved. BRKSEC-3172 Cisco Public

Advanced IOS XR Security BRKSEC-3172


ACHTUNG: this session is about IOS XR, which runs on:

‒ CRS-1
‒ CRS-3
‒ XR12000
‒ ASR9000

This session will not cover IOS, IOS XE, or NX-OS. If you wish to learn about security on other systems, please attend:

‒ BRKSEC-2202 Understanding and Preventing Layer 2 Attacks in IPv4 and IPv6 networks
‒ BRKSEC-2145 MPLS VPN Security
‒ BRKSEC-2345 Critical Infrastructure Protection
‒ BRKSEC-3007 Advanced Cisco IOS Security Features


Housekeeping

We value your feedback- don't forget to complete your online session evaluations after each session & the Overall Conference Evaluation which will be available online from Thursday

Visit the World of Solutions and Meet the Engineer

Visit the Cisco Store to purchase your recommended readings

Please switch off your mobile phones

After the event don’t forget to visit Cisco Live Virtual: www.ciscolivevirtual.com


Overview


Agenda

Overview

Control Plane Protection: Local Packet Transport Services (LPTS)
‒ LPTS overview
‒ Configuring LPTS
‒ Monitoring LPTS
‒ Troubleshooting LPTS

Data Plane Protection
‒ Receive traffic not processed by LPTS
‒ Access Control Lists (ACL)
‒ Traditional methods

Management Plane Protection (MPP)
‒ MPP overview
‒ Configuring MPP
‒ Troubleshooting MPP


Why are we here?

‒ To talk about protecting router (“device”) level resources from being compromised
‒ How IOS XR implements protection for the control, data, and management planes
‒ How to configure these features in IOS XR
‒ How to troubleshoot and validate operation of protection in IOS XR
‒ Explain how the IOS XR implementation compares to traditional CoPP based solutions for IOS


Router level control, management, and data plane attack methods

Remote attacks
‒ Typically multiple hops away from the router
‒ Sent to some destination IP on the device under attack

Directly connected attacks
‒ 1 hop away from the device under attack
‒ Sent to a destination IP on the device under attack

Inline attacks
‒ Some inline tool becomes the “man in the middle”
‒ Requires physical access to something on the wire
‒ Manipulation of packets or data gathering

The goal of all of these attacks is to compromise device resources or to redirect flows for data gathering purposes.


Types of attacks

Pipe cloggers
‒ TTL attacks
‒ ICMP: unreachables, redirects, subnet pings
‒ Ping of death: ping with size > 64 KB

State overflowers / resource hogs
‒ Unauthorized route injection (routing protocols)
‒ Buffer overflow: the attacker has to know the specific vulnerability within the code and protocol
‒ TCP SYN flood
‒ IPv6 ICMP: ND, RD, etc.

Unauthorized access gainers
‒ Dictionary attacks
‒ SNMP attacks
‒ Unauthorized access (Telnet, SSH, HTTPS, SNMP)
‒ Spoofing valid protocol packets

And plenty more ways to wreak havoc.


IOS XR Security at a glance

Control Plane
‒ TTL security: BGP, OSPF, BFD
‒ Authentication: BGP, OSPF, IS-IS, EIGRP, LDP, MSDP, RSVP
‒ Resource limits: OSPF, IS-IS, EIGRP, BGP, RIB, PIM, IGMP, MSDP
‒ Hardware and software policers via LPTS

Management Plane
‒ Instance limit: Telnet, SSH, VTY
‒ Peer filtering: HTTP, Telnet, SSH, SNMP
‒ AAA: TACACS+, RADIUS
‒ MPP: Management Plane Protection

Data Plane
‒ uRPF
‒ ACLs
‒ Microcode (ucode) punt path policing

Operating System
‒ Process restartability
‒ Protected memory
‒ Critical resource monitoring and throttling (CPU hog, memory leak, wdsysmon)
‒ IPC rate limits
‒ Code signing


10000 ft view of the “receive” packet path

[Figure: ingress line card (LC) with the ingress packet switching engine running ucode and a PIFIB (TCAM, dynamic); LC CPU; fabric; route processor (RP) CPU; distributed RP (dRP) CPU; egress LC. Three classes of traffic are shown: for-us traffic such as L2, BFD and ARP (handled on the LC CPU); for-us traffic processed by LPTS (management, L3 control plane, ICMP), which crosses the fabric to the RP or dRP CPU; and transit traffic, forwarded through the fabric to the egress LC.]


Control Plane Protection


Local Packet Transport Services: high-level view of control plane protection

[Figure: transit traffic is forwarded by the Forwarding Information Base (FIB); received traffic is matched against the LPTS Internal FIB (IFIB) and delivered either to the local stack on the LC or to an application on the RP; bad packets are dropped.]

‒ LPTS enables applications to reside on any or all RPs, DRPs, or LCs: active/standby, distributed applications, local processing
‒ IFIB forwarding is based on matching control plane flows: a built-in “firewall” for control plane traffic
‒ LPTS is transparent and automatic


LPTS Overview

‒ There is no longer a single RP: IOS XR is a fully distributed operating system with applications running in multiple physical locations
‒ LPTS enables distributed applications to reside on any or all RPs, DRPs, or LCs
‒ Filters and polices local ‘receive’ packets and sends them only to the nodes that need them
‒ Packet rate correlates with trust: established and configured peers get higher policer rates than unknown sources
‒ Handles fragments, and also checks TTL/hop count
‒ High availability for NSR (Non-Stop Routing)


LPTS implementation in hardware

‒ LPTS has hardware policers on line cards to limit traffic sent to local or remote nodes
‒ LPTS entries in TCAM classify packets to select the policer to apply; a policer value can be tuned to 0 to drop all packets matching the classification criteria
‒ Polices on protocol (BGP, OSPF, SSH) and flow state (BGP established, BGP configured, and BGP listen)
‒ Policing is done on the LC hardware ASIC before packets hit the RP/LC CPU
‒ All filters are automatically and dynamically installed by the IOS XR infrastructure


How Local Packet Transport Services Works


IOS XR LPTS in action

Example IFIB TCAM hardware entries on a line card (local address.port, remote address.port, policer rate, queue priority) and what creates them:

Local addr       Local port   Remote addr      Remote port   Rate (pps)   Priority   Created by
any              ICMP         any              any           1000         low        ICMP to any router address
any              179          any              any           100          medium     BGP listen socket, no neighbor configured
any              179          2010::4:48:99    any           1000         medium     "router bgp ... neighbor 2010::4:48:99" configured
2010::4:48:1     179          2010::4:48:99    2223          10000        medium     session established after the TCP handshake (ttl-security, TTL 255)
2010:200:0::2    13232        2010:200:0::1    646           100          medium     "mpls ldp ..." configured, LDP TCP session known

[Figure: the same entries are programmed into the IFIB TCAM of every line card (LC 1, LC 2, ...); the LPTS sockets of BGP, LDP and SSH on the RP drive entry creation as a session moves from listen, to configured peer, to established.]

LPTS is an automatic, built-in “firewall” for control plane traffic. Every control and management packet from the line card is rate limited in hardware to protect the RP and LC CPU from attacks.
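To make the "packet rate correlates with trust" rule concrete, the following is an added example, not code from the deck: it encodes the TCAM entries of the slide above and selects the entry a received packet would hit, returning the policer that applies. Addresses, ports and rates are the slide's; the most-specific-match selection rule and the 500 pps unconfigured-default fallback (taken from the policer table shown later in the deck) are assumptions standing in for the real TCAM lookup-priority ordering.

```python
"""Simplified model of LPTS Pre-IFIB flow classification (added example).

Entries, addresses, ports and rates come from the "LPTS in action" slide.
The "most specific entry wins" rule and the unconfigured-default fallback
are assumptions that approximate the hardware lookup-priority ordering.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard field


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "icmp", "udp", ...
    local_ip: str              # router address the packet is sent to
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]


@dataclass(frozen=True)
class PifibEntry:
    flow_type: str
    proto: str
    local_ip: Optional[str]
    local_port: Optional[int]
    remote_ip: Optional[str]
    remote_port: Optional[int]
    rate_pps: int
    priority: str

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        fields = ((self.local_ip, pkt.local_ip), (self.local_port, pkt.local_port),
                  (self.remote_ip, pkt.remote_ip), (self.remote_port, pkt.remote_port))
        return all(want is ANY or want == have for want, have in fields)

    @property
    def specificity(self) -> int:
        # Non-wildcard fields: an established session pins all four, a configured
        # peer pins the remote address, a listen socket pins only the local port.
        return sum(f is not ANY for f in (self.local_ip, self.local_port,
                                          self.remote_ip, self.remote_port))


# The slide's entries: listen (bgp-default) < configured peer < established (known).
SLIDE_ENTRIES: List[PifibEntry] = [
    PifibEntry("icmp",          "icmp", ANY, ANY, ANY, ANY, 1000, "low"),
    PifibEntry("bgp-default",   "tcp",  ANY, 179, ANY, ANY, 100, "medium"),
    PifibEntry("bgp-cfg-peer",  "tcp",  ANY, 179, "2010::4:48:99", ANY, 1000, "medium"),
    PifibEntry("bgp-known",     "tcp",  "2010::4:48:1", 179, "2010::4:48:99", 2223, 10000, "medium"),
    PifibEntry("ldp-tcp-known", "tcp",  "2010:200:0::2", 13232, "2010:200:0::1", 646, 100, "medium"),
]

# Assumed fallback for packets no entry covers (rate from the deck's policer table).
UNCONFIGURED_DEFAULT = ("unconfigured-default", 500)


def classify(pkt: Packet, entries: List[PifibEntry] = SLIDE_ENTRIES) -> Optional[PifibEntry]:
    """Most specific matching entry, or None if no entry covers the packet."""
    hits = [e for e in entries if e.matches(pkt)]
    return max(hits, key=lambda e: e.specificity) if hits else None


def policer_for(pkt: Packet, entries: List[PifibEntry] = SLIDE_ENTRIES) -> Tuple[str, int]:
    """(flow type, policer rate in pps) that the packet is subject to."""
    e = classify(pkt, entries)
    return (e.flow_type, e.rate_pps) if e else UNCONFIGURED_DEFAULT


if __name__ == "__main__":
    probes = {
        "established peer":    Packet("tcp", "2010::4:48:1", 179, "2010::4:48:99", 2223),
        "configured peer SYN": Packet("tcp", "2010::4:48:1", 179, "2010::4:48:99", 40001),
        "unknown source":      Packet("tcp", "2010::4:48:1", 179, "2001:db8::bad", 40002),
        "ping":                Packet("icmp", "2010::4:48:1", ANY, "2001:db8::bad", ANY),
        "stray udp":           Packet("udp", "2010::4:48:1", 4000, "2001:db8::bad", 4000),
    }
    for label, pkt in probes.items():
        print(f"{label:20s} -> {policer_for(pkt)}")
```

The point the model makes is the one an attacker cares about: a SYN to port 179 from an address that is not a configured neighbor shares a 100 pps policer with every other stranger, while the established session keeps its own 10000 pps entry and is unaffected by that noise.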


“Receive” packet flow for the LC CPU

[Figure: L3 line card path from Port 0 through SPONGE (reassembly), INGRESSQ and the RX PSE L3 engine (Pre-IFIB lookup) to the LC CPU and FABRICQ, then across the RP fabric; the return path runs FABRICQ, TX PSE L3 engine and EGRESSQ back to Port 0. ICMP echo requests and Layer 2 packets are shown being punted to the LC CPU.]

Execute a sweep range ping to a CRS-1 and you will see packets dropping.

There are multiple queues towards the LC CPU with different priorities (bfd, critical, high, medium, low, netflow):
‒ L2 control is sent to the critical queue
‒ CDP and ICMP echo go to the high priority queue
‒ Fragments and TTL-expired packets go to the medium priority queue
‒ BFD is enqueued to a dedicated BFD queue, processed by a high priority thread (prio = 40)


Inside the LC CPU

[Figure: CPU queues from IngressQ (BFD, Critical, High Prio, Med Prio, Low Prio) feed NetIO, which dispatches to the raw, UDP and TCP stacks and to the CDP, HDLC, Netflow and ICMP handlers.]


Locally destined packet flow for the RP CPU

[Figure: the same line card path as before (Port 0, SPONGE, INGRESSQ, RX PSE L3 engine with Pre-IFIB, FABRICQ), with the control packet path continuing across the fabric into the RP CPU queues.]

There are multiple queues towards RP CPU netio processing with different priorities (high, medium, low):
‒ IGP, and established BGP and LDP sessions, go to the high priority queue
‒ Configured BGP and LDP peers, RSVP, AAA and PIM go to the medium priority queue
‒ SNMP, Telnet, SSH, ICMP echo reply, unknown BGP and others go to the low priority queue


Inside the RP CPU

[Figure: CPU queues from FabricQ feed NetIO, which dispatches to the raw, UDP and TCP stacks and on to IS-IS, OSPF, SNMP, SSH, BGP and LDP.]


LPTS data structures

Pre-IFIB (PIFIB) in the LC ingress PSE TCAM hardware
‒ First lookup, done in hardware on every line card

Software Pre-IFIB on each LC and (D)RP
‒ More complex packet inspection and operations
‒ Hashing fragments to different (D)RPs based on src/dst

IFIB ‘slices’ distributed across (D)RPs
‒ Secondary lookup table when the Pre-IFIB is incomplete
‒ Distributed into slices: TCP slice, UDP slice, IS-IS slice, etc.


LPTS PIFIB key fields and lookup results

RP/0/RP0/CPU0:RTPTME-CRS# show lpts pifib hardware entry location 0/0/CPU0
----------------------------------------
V - Vital; M - Fabric Multicast; C - Moose Congestion Flag; L - Listener Tag; T - Min TTL; F - Flow Type;
DestNode - Destination Node; DestAddr - Destination Fabric Address; Sq - Ingress Shaping Queue; Dq - Destination Queue;
Po - Policer; Ct - Stats Counter; Lp - Lookup priority; Sp - Storage Priority; Ar - Average rate limit; Bu - Burst;
HAr - Hardware Average rate limit; HBu - Hardware Burst; Rsp - Relative sorting position; Rtp - Relative TCAM position;
na - Not Applicable or Not Available

Sample LPTS entry. The key fields (what the TCAM matches on) are the L4 protocol, VRF, addresses, ports, fragment and SYN flags and interface; the lookup result is everything from V/M/C/L/T/F onwards: flow type, destination node, queues, policer and the accepted/dropped counters.

  L4 Protocol      : TCP
  VRF ID           : default
  Source IP        : 2010:8:8::5
  Port/Type        : Port:28043
  Source Port      : 179
  Is Fragment      : 0
  Is SYN           : any
  Interface        : any
  V/M/C/L/T/F      : 1/0/1/IPv6_STACK/0/BGP-known
  DestNode         : 0/RP0/CPU0
  DestAddr         : 30
  Sq/Dq/Ct         : 24/6/0x7ff60
  Accepted/Dropped : 6305/0
  Lp/Sp            : 1/255
  # of TCAM entries: 1
  Po/Ar/Bu         : 113/25000pps/100ms
  HPo/HAr/HBu      : 113/25000pps/100ms
  State            : Entry in TCAM
  Rsp/Rtp          : 35/35


LPTS software entries (summary view)

RP/0/RP0/CPU0:CRS1-4#show lpts pifib brief location 0/7/CPU0
Type       VRF-ID   Local, Remote Address.Port              L4      Interface      Deliver
---------- -------- --------------------------------------- ------- -------------- -------------
ISIS       *        -                    -                  -       any            0/2/CPU0
IPv4_frag  *        any                  any                any     any            R
IPv4       default  224.0.0.1            any                IGMP    Gi0/7/1/0      0/RP0/CPU0
IPv4       default  any.23               any                TCP     Gi0/7/1/0      0/RP0/CPU0
IPv4       default  224.0.0.22           any                IGMP    Gi0/7/1/1      0/RP0/CPU0
IPv4       default  224.0.0.13           any                PIM     Gi0/7/1/1      0/RP0/CPU0
…
IPv4       default  10.8.8.4.20244       10.8.8.5.17        TCP     any            0/RP0/CPU0
IPv4       default  any.179              10.8.8.5           TCP     any            0/RP0/CPU0
IPv4       default  10.10.20.34.23       10.10.20.10        TCP     any            0/RP0/CPU0
IPv4       default  192.168.254.4.49716  192.16             TCP     any            0/RP0/CPU0
…
IPv6       *        any.ECHOREQ          any                ICMP6   any            XI
IPv6       *        any.NDRTRSLCT        any                ICMP6   any            XI
IPv6       *        any.NDRTRADV         any                ICMP6   any            XI
IPv6       *        any.NDNBRSLCT        any                ICMP6   any            XI
IPv6       *        any.NDNBRADV         any                ICMP6   any            XI
IPv6       *        any.NDREDIRECT       any                ICMP6   any            XI
IPv6       *        ff02::5              any                OSPF    any            0/RP0/CPU0
IPv6       *        ff02::6              any                OSPF    any            0/RP0/CPU0


LPTS entries for BGP

router bgp 100
 nsr
 address-family ipv4 unicast
 !
 neighbor 172.30.255.3
  remote-as 100
  update-source Loopback0
  address-family ipv4 unicast

Listener entry for the configured peer (flow type BGP-cfg-peer, policer 114 at 10000 pps), delivered to the active RP:

  L4 Protocol      : TCP
  VRF ID           : default
  Source IP        : 172.30.255.3
  Port/Type        : Port:179
  Source Port      : any
  Is Fragment      : 0
  Is SYN           : any
  Interface        : any
  V/M/C/L/T/F      : 1/0/1/IPv4_LISTENER/0/BGP-cfg-peer
  DestNode         : 0/RP0/CPU0
  DestAddr         : 62
  Sq/Dq/Ct         : 24/6/0x7ff34
  Accepted/Dropped : 1/0
  Lp/Sp            : 1/255
  # of TCAM entries: 1
  Po/Ar/Bu         : 114/10000pps/100ms
  HPo/HAr/HBu      : 114/10000pps/100ms
  State            : Entry in TCAM
  Rsp/Rtp          : 40/40

Entry for the established session (flow type BGP-known, policer 113 at 25000 pps). The M (fabric multicast) flag is set and the destination is a fabric group ID (FGID) rather than a single node, consistent with nsr being configured:

  L4 Protocol      : TCP
  VRF ID           : default
  Source IP        : 172.30.255.3
  Port/Type        : Port:11013
  Source Port      : 179
  Is Fragment      : 0
  Is SYN           : any
  Interface        : any
  V/M/C/L/T/F      : 1/1/1/IPv4_STACK/0/BGP-known
  DestNode         : FGID 11775
  DestAddr         : 11775
  Sq/Dq/Ct         : 24/5/0x7ff32
  Accepted/Dropped : 15344/0
  Lp/Sp            : 1/255
  # of TCAM entries: 1
  Po/Ar/Bu         : 113/25000pps/100ms
  HPo/HAr/HBu      : 113/25000pps/100ms
  State            : Entry in TCAM
  Rsp/Rtp          : 33/33


LPTS entries for IS-IS

router isis test
 net 44.4444.4444.4444.4444.00
 interface Loopback4444
  address-family ipv4 unicast
 !
 !
 interface TenGigE0/0/0/1
  circuit-type level-1
  address-family ipv4 unicast

Entry for IS-IS on TenGigE0/0/0/1 (flow type ISIS-known, policer 108 at 20000 pps), delivered to node 0/2/CPU0 where the IS-IS process is placed:

  L4 Protocol      : -
  Destination IP   : any
  Source IP        : any
  Port/Type        : any
  Source Port      : any
  Is Fragment      : 0
  Is SYN           : any
  Interface        : TenGigE0/0/0/1 (0x1080040)/3
  V/M/C/L/T/F      : 1/0/1/CLNS_STACK/0/ISIS-known
  DestNode         : 0/2/CPU0
  DestAddr         : 8
  Sq/Dq/Ct         : 24/6/0x7ffac
  Accepted/Dropped : 0/0
  Lp/Sp            : 0/255
  # of TCAM entries: 1
  Po/Ar/Bu         : 108/20000pps/100ms
  HPo/HAr/HBu      : 108/20000pps/100ms
  State            : Entry in TCAM
  Rsp/Rtp          : 0/0

Process placement confirms where LPTS delivers each protocol:

RP/0/RP0/CPU0:CRS1-4#show placement program all | i isis
isis  instance test  0/2/CPU0
RP/0/RP0/CPU0:CRS1-4#show placement program all | i bgp
bgp   instance 0     0/RP0/CPU0 [0/RP1/CPU0]


Configuring Local Packet Transport Services


Configuring LPTS policers

LPTS policers are configurable globally or per line card. Users can set rate values for each type of traffic:

lpts pifib hardware police
 flow fragment rate 0
 flow bgp default rate 0

Flow types that can be policed (the hyphenated names are the flow-type names as the deck lists them; in configuration the parts are typed as separate keywords, as in "flow bgp default" above and "flow ospf multicast known"):

‒ Fragments: fragment
‒ OSPF: ospf-mc-known, ospf-mc-default, ospf-uc-known, ospf-uc-default
‒ IS-IS: isis-known, isis-default
‒ EIGRP, RIP: eigrp, rip
‒ BGP: bgp-known, bgp-cfg-peer, bgp-default
‒ Multicast: pim-mc, pim-uc, igmp, msdp-known, msdp-cfg-peer, msdp-default, mc-known, mc-default, all-routers
‒ IPsec, IKE: ipsec-known, ipsec-default, ike
‒ Management: snmp, ntp, ssh-known, ssh-default, http-known, http-default, shttp-known, shttp-default, telnet-known, telnet-default, css-known, rsh-known, rsh-default, ip-sla
‒ Generic UDP, TCP and raw sockets: udp-known, udp-listen, udp-cfg-peer, udp-default, tcp-known, tcp-listen, tcp-cfg-peer, tcp-default, raw-listen, raw-default
‒ ICMP: icmp-local, icmp-app, icmp-default, icmp-control
‒ LDP, LMP: ldp-tcp-known, ldp-tcp-cfg-peer, ldp-tcp-default, ldp-udp, lmp-tcp-known, lmp-tcp-cfg-peer, lmp-tcp-default, lmp-udp
‒ RSVP: rsvp, rsvp-udp


Verifying LPTS policer values

RP/0/RP0/CPU0:CRS1-4#show lpts pifib hardware police location 0/7/CPU0
-------------------------------------------------------------
Node 0/7/CPU0:
-------------------------------------------------------------
FlowType               Policer Type    Cur. Rate  Def. Rate  Accepted   Dropped
---------------------- ------- ------- ---------- ---------- ---------- ----------
unconfigured-default   100     Static  500        500        0          0
Fragment               106     Global  0          1000       0          0
OSPF-mc-known          107     Static  20000      20000      0          0
OSPF-mc-default        111     Static  5000       5000       0          0
OSPF-uc-known          161     Static  5000       5000       0          0
OSPF-uc-default        162     Static  1000       1000       0          0
BGP-known              113     Static  25000      25000      18263      0
BGP-cfg-peer           114     Static  10000      10000      6          0
BGP-default            115     Global  0          10000      0          2
PIM-mcast              116     Static  23000      23000      19186      0
PIM-ucast              117     Static  10000      10000      0          0
IGMP                   118     Static  3500       3500       9441       0
ICMP-local             119     Static  2500       2500       1020       0
ICMP-default           121     Static  2500       2500       0          0
LDP-TCP-known          122     Static  25000      25000      0          0
LDP-TCP-cfg-peer       152     Static  10000      10000      0          0
LDP-TCP-default        154     Static  10000      10000      0          0
……cut……

The two flow types of Type "Global" with a current rate of 0 (Fragment and BGP-default, the latter already showing 2 drops) reflect this configuration:

lpts pifib hardware police
 flow fragment rate 0
 flow bgp default rate 0


Tightening LPTS

If you can use only the p2p OSPF network type:

lpts pifib hardware police
 flow ospf multicast known rate 0
 flow ospf multicast default rate 0

Note that the OSPF p2p network type is the recommended setting even on Ethernet interfaces unless you have multiple (>2) routers on the same segment.

Do we really need the BGP, LDP-TCP and MSDP default policers for unconfigured sessions? Setting them to 0 drops packets from unconfigured peers in hardware before they reach any CPU:
‒ flow bgp default rate 0
‒ flow ldp tcp default rate 0
‒ flow msdp default rate 0

Further investigation is needed for these (change at your own risk!):
‒ flow udp default rate 0
‒ flow tcp default rate 0
‒ flow raw default rate 0


Monitoring Local Packet Transport Services


Monitoring methods for LPTS

CLI based show commands (previous slides)
‒ LPTS does not have an SNMP MIB

EEM scripting for LPTS alerting
‒ http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=1721

event manager environment EEM_LPTS_CHECK_INTERVAL 300
event manager environment EEM_LPTS_CHECK_FLOWTYPES BGP-known *
event manager environment EEM_LPTS_CHECK_LOCATIONS 0/0/CPU0 0/4/CPU0
event manager environment EEM_LPTS_CHECK_THRESHOLD 1 50%
event manager directory user policy disk0:/scripts/
event manager policy lpts-threshold-alerting.tcl username scripts
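Since LPTS has no MIB, any monitoring has to scrape the policer table shown on the verification slide and diff it between polls, which is what the EEM script above does on-box. The following is an added example (not the deck's code and not Cisco's EEM script) of the same check done off-box: it parses "show lpts pifib hardware police" output, flags flow types whose drops in the last interval cross a threshold, and lists policers whose current rate differs from the platform default so that a deliberate "rate 0" is visible as an override rather than mistaken for an outage. The first poll below is the deck's output trimmed to a few rows; the second poll and the threshold semantics are constructed for the example.

```python
"""Poll-and-diff check over "show lpts pifib hardware police" output (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional


class PolicerRow(NamedTuple):
    flow_type: str
    policer: int
    kind: str        # "Static" or "Global" in the deck's output
    cur_rate: int
    def_rate: int
    accepted: int
    dropped: int


# One table row: name, policer id, type, current rate, default rate, accepted, dropped.
ROW_RE = re.compile(
    r"^(?P<flow>[A-Za-z][\w-]*)\s+(?P<pol>\d+)\s+(?P<kind>[A-Za-z]+)\s+"
    r"(?P<cur>\d+)\s+(?P<def>\d+)\s+(?P<acc>\d+)\s+(?P<drop>\d+)\s*$"
)


def parse_police(output: str) -> Dict[str, PolicerRow]:
    """Table rows keyed by flow type; header, ruler and node lines do not match."""
    rows: Dict[str, PolicerRow] = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m["flow"]] = PolicerRow(
                m["flow"], int(m["pol"]), m["kind"], int(m["cur"]),
                int(m["def"]), int(m["acc"]), int(m["drop"]))
    return rows


class DropAlert(NamedTuple):
    flow_type: str
    new_drops: int
    drop_pct: float   # share of this flow's packets dropped during the interval


def _delta(now: int, before: Optional[int]) -> int:
    # Counters are cumulative; a decrease (LC reload or OIR) is treated as a fresh start.
    if before is None or now < before:
        return now
    return now - before


def drop_alerts(current: Dict[str, PolicerRow],
                previous: Optional[Dict[str, PolicerRow]] = None,
                min_drops: int = 1, min_pct: float = 50.0) -> List[DropAlert]:
    """Flow types whose drops since the previous poll reach both thresholds."""
    alerts: List[DropAlert] = []
    for name, row in current.items():
        prev = previous.get(name) if previous else None
        d_drop = _delta(row.dropped, prev.dropped if prev else None)
        d_acc = _delta(row.accepted, prev.accepted if prev else None)
        total = d_drop + d_acc
        pct = 100.0 * d_drop / total if total else 0.0
        if d_drop >= min_drops and pct >= min_pct:
            alerts.append(DropAlert(name, d_drop, round(pct, 2)))
    return alerts


def overridden(rows: Dict[str, PolicerRow]) -> List[str]:
    """Flow types whose current rate differs from the default (configuration audit)."""
    return sorted(n for n, r in rows.items() if r.cur_rate != r.def_rate)


# Trimmed from the deck's "show lpts pifib hardware police location 0/7/CPU0" output.
POLL_T0 = """\
Node 0/7/CPU0:
-------------------------------------------------------------
FlowType               Policer Type    Cur. Rate  Def. Rate  Accepted   Dropped
---------------------- ------- ------- ---------- ---------- ---------- ----------
unconfigured-default   100     Static  500        500        0          0
Fragment               106     Global  0          1000       0          0
BGP-known              113     Static  25000      25000      18263      0
BGP-cfg-peer           114     Static  10000      10000      6          0
BGP-default            115     Global  0          10000      0          2
ICMP-local             119     Static  2500       2500       1020       0
"""

# Constructed second poll: unknown-peer BGP SYNs keep arriving, some ICMP gets policed.
POLL_T1 = """\
FlowType               Policer Type    Cur. Rate  Def. Rate  Accepted   Dropped
---------------------- ------- ------- ---------- ---------- ---------- ----------
unconfigured-default   100     Static  500        500        0          0
Fragment               106     Global  0          1000       0          0
BGP-known              113     Static  25000      25000      19263      0
BGP-cfg-peer           114     Static  10000      10000      6          0
BGP-default            115     Global  0          10000      0          52
ICMP-local             119     Static  2500       2500       1520       10
"""

if __name__ == "__main__":
    t0, t1 = parse_police(POLL_T0), parse_police(POLL_T1)
    print("overridden policers:", overridden(t0))
    for a in drop_alerts(t1, t0):
        print(f"ALERT {a.flow_type}: {a.new_drops} drops ({a.drop_pct}% of interval)")
```

With the default thresholds only BGP-default fires (50 new drops, 100% of its traffic, which is exactly what a 0 pps policer on unconfigured peers should show); ICMP-local's 10 drops out of 510 packets stay below the 50% bar. Run per line card, since each LC has its own TCAM and counters.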


Troubleshooting Local Packet Transport Services


Verifying table entries and counters

Verify the bindings
‒ show lpts binding brief: individual client requests
‒ show lpts clients: is there a client for every node configured for traffic?
‒ show lpts flows brief: arbitrated, resolved requests turned into flows for the IFIB

Verify the LPTS entries in RP netio
‒ show lpts ifib slices all: useful if a slice location migrates due to extra RP/DRP resources
‒ show lpts ifib entry brief: verify the final software IFIB entry
‒ show lpts ifib statistics location r/s/m: valid only on RPs and DRPs

Verify the line card PIFIB software and hardware entries
‒ show lpts pifib entry brief location r/s/m: summary view
‒ show lpts pifib entry location r/s/m: software stats
‒ show lpts pifib hardware entry brief location r/s/m: summary view
‒ show lpts pifib hardware entry statistics location r/s/m: counters
‒ show lpts pifib hardware usage location r/s/m: TCAM resource utilization
‒ show lpts pifib hardware police location r/s/m: policer values


LPTS debugs

debug lpts packet location <r/s/m>
‒ On the LC, shows LC CPU activity only (not the PSE)
‒ On the RP/DRP, shows secondary lookups and packet delivery
‒ One message per layer per packet

debug lpts packet {ipv4acl | ipv6acl} <name>
‒ Limit to packets matching an ACL

debug lpts packet snapshot-size <n>
‒ Display <n> packets, then stop

debug lpts packet drops
‒ Packets dropped by LPTS

debug lpts pa {irib | ifib | error}
‒ IFIB generation information

debug lpts pifibm {events | errors} location <r/s/m>
‒ What’s getting into the Pre-IFIB


“debug lpts packet” example

RP/0/0/CPU0:Jul 16 18:12:19.035 : netio[64]: lpts ifib [0xda3159b4/104 if 0x02000400 IP4 10.0.2.1 -> 10.0.2.2 ICMP 0 0] to local stack
RP/0/0/CPU0:Jul 16 18:12:28.294 : netio[64]: lpts decaps [0xda314bb4/4474 if 0x02000400 CLNS] to local stack
RP/0/0/CPU0:Jul 16 18:12:28.697 : netio[64]: lpts decaps [0xda3159b4/32 if 0x02000400 IP4 10.0.2.1 -> 224.0.1.9 IGMP 22 0] to local stack
RP/0/0/CPU0:Jul 16 18:12:29.898 : netio[64]: lpts pifib [0xda3159b4/62 Mg0/0/CPU0/0 IP4 10.91.36.2.1985 -> 224.0.0.2.1985 UDP] to local MCAST4_FM
RP/0/0/CPU0:Jul 16 18:12:29.899 : netio[64]: lpts ifib [0xda3159b4/62 Mg0/0/CPU0/0 IP4 10.91.36.2.1985 -> 224.0.0.2.1985 UDP] no matching entry in MCAST4_FM slice, dropping

The first three lines are packets delivered to the local stack after a successful lookup. The last two follow one packet (UDP 1985 to 224.0.0.2, received on the management Ethernet) that the Pre-IFIB handed to the MCAST4_FM slice and that the IFIB then dropped because no entry matched; “no matching entry” is the message to look for when a protocol is unexpectedly not being received.


LPTS always-on debugs (traces)

Global traces
‒ show lpts trace global
‒ Captures process starts, slice assignments, dependencies

Per-process traces
‒ show lpts trace {pa | fm | ff | platf}
‒ Transactions, errors, and platform-specific information


Data Plane Protection Methods


Data plane exceptions: “receive” traffic not processed by LPTS

Type               Policer (pps)   Queue priority
CDP                1000            High
ARP                1000            High
L2 control         1000            Critical
IPv4 options       2500            Medium
IPv4 TTL expire    1000            Low
IPv6 link local    10000           Medium
IPv6 TTL expire    500             Low
BFD async          7000            BFD
BFD echo           7000            BFD
BFD TTL error      drop            na
Sampled Netflow    varies*         Netflow

*Depends on platform/HW

‒ Most traffic directly processed by the LC CPU is handled by LC microcode without LPTS (no dynamic state)
‒ Different priority queues towards the CPU
‒ Each traffic type is policed; e.g. BFD uses its own queue, which has the highest priority
‒ BFD with TTL < 254 is dropped
‒ Use “show controllers pse statistics” to get stats


show controllers pse statistics ingress location r/s/m

RP/0/RP0/CPU0:CRS1-4#show controllers pse statistics ingress location 0/7/CPU0
Punt Stats              Punted        Policed & Dropped
----------              ------        -----------------
L2 control              285049        0
CDP                     125624        0
ARP                     252           0
IPv4 TTL expiration     13562720      17668788471
IPv4 BFD echo           262338        4890440
IPv6 link local         4326          0

Drop Stats              Dropped
----------              -------
L2 unknown              896912
IPv4 not enabled        38342
IPv4 BFD TTL error      933027779

Debug Stats             Count
-----------             -----
PPE idle counter        46869398697124

The IPv4 TTL expiration row shows the punt policer doing its job: far more TTL-expired packets were policed and dropped in the PSE than were punted to the LC CPU. The BFD TTL error counter is the microcode drop of BFD packets that fail the TTL check, with no CPU involvement.


Data plane protection with ACLs

‒ Consider where to place ACLs for containment: think of the region or logical segment of the network that must be isolated should an attack occur
‒ Ability to filter on TTL, packet length, fragments and IPv6 extension headers (EHs)
‒ Interface level statistics in hardware
‒ Interface ACL processing happens before LPTS processing, so an interface ACL can drop unwanted control plane traffic before it is ever policed
‒ Logging gives the ability for forensics and is rate limited on the number of packets sent to the CPU, to avoid overrunning CPU resources
‒ Nested infrastructure ACLs (ACL chaining): ipv4/ipv6 access-group common <name>


ACL Chaining Example Configuration ipv6 access-list acl-common-v6 10 permit ipv6 host 2001:db8::202:202:202:202 host 2001:db8::204:175:175:1 log-input 15 deny ipv6 any host 2001:db8::204:175:175:1 20 permit ipv6 host 2001:db8::202:202:202:202 host 2001:db8::205:175:175:1 log-input 25 deny ipv6 any host 2001:db8::205:175:175:1 30 permit ipv6 host 2001:db8::202:202:202:202 host 2001:db8::206:175:175:1 log-input 35 deny ipv6 any host 2001:db8::206:175:175:1 ipv6 access-list acl-unique1-v6 10 permit ipv6 host 2001:db8::202:202:202:202 host 2001:db8::207:175:175:1 log-input 15 deny ipv6 any host 2001:db8::207:175:175:1 20 permit ipv6 any any Interface GigabitEthernet 0/1/1/1 ipv6 access-group common acl-common-v6 acl-unique1-v6 ingress


Other traditional methods for protecting the Data Plane

Blunt control-plane-mediated sinkholing

‒ Honey pots

‒ Remote-triggered black hole (RTBH) via BGP

QoS via MQC, matching traffic in the same way as the ACL method

Unicast RPF, both loose and strict mode

IPv6 extension header (EH) filtering within ACLs

‒ No limit on the length of the extension header chain, but on CRS throughput drops by roughly 20% when a packet carries more than 86 bytes of IPv6 headers


Management Plane Protection


MPP Overview

Management protocols are secured at several levels:

MPP limits the interfaces exposed for management access

Once MPP is configured, management protocols are denied by default on every interface that is not explicitly listed under MPP

MPP peer filtering (which source hosts or subnets may reach each protocol on each interface)

LPTS rate limits

Feature-specific rate and session limits


MPP Overview

Management Plane Protection allows the network operator to reserve a set of interfaces for management traffic, either exclusively (out-of-band) or alongside transit traffic (in-band).

MPP is supported on all IOS XR platforms, with no platform-specific differences in MPP feature support.

IOS XR Management Plane Protection offers:

– In-band interface support

– Out-of-band interface support

– Per-interface and per-protocol filtering

– Peer filtering

• IPv4/IPv6 host based

• IPv4/IPv6 subnet based

Management protocols supported: TFTP, Telnet, SSH (v1 and v2), SNMP and HTTP/HTTPS


How Management Plane Protection Works


IOS XR with In-band MPP

I/F 1 is configured as the MPP in-band interface. I/F 1 is also part of global routing/forwarding.

Management traffic to the RP from all non-MPP interfaces (I/F 2 and I/F 3) is dropped.

RP Eth/Console/Aux continue to operate as dedicated out-of-band access.

MPP integrates with LPTS to provide hardware-based filtering!

[Figure: in-band MPP topology. I/F 1 carries both management and transit traffic (in-band MPP) from the IP/MPLS network; I/F 2 and I/F 3 carry transit traffic only; LPTS sits in front of the RP CPU; RP Eth connects to the DCN/NOC as the out-of-band path.]


MPP In-band Support

In-band interface selection

– The network operator can select specific interfaces for in-band

– Granularity of allowing different management protocols on different in-band interfaces

An in-band interface allows transit traffic along with management traffic

Option of choosing all available interfaces as in-band using the keyword "all"

Option of enabling all supported management protocols on a particular interface using the keyword "all"

IPv4/IPv6 peer filtering per protocol and per interface

Support for dynamic routing protocols on in-band interfaces

In-band interface support per SDR

In-band interface support for VRF-aware management protocols (SSH/SNMP)


IOS XR with out-of-band MPP

I/F 1 and I/F 3 are configured as MPP out-of-band interfaces. I/F 1 and I/F 3 are no longer part of global routing/forwarding.

Management traffic to the RP from all non-MPP interfaces (I/F 2) is dropped.

RP Eth interfaces continue to operate as dedicated out-of-band access.

Routing/forwarding is allowed between out-of-band interfaces.

LPTS provides rate limiting.

[Figure: out-of-band MPP topology. I/F 1 and I/F 3 are out-of-band interfaces in the OOB VRF, carrying management traffic from the DCN/NOC and transit traffic within the OOB VRF; I/F 2 carries transit traffic only; LPTS sits in front of the RP CPU; RP Eth remains a dedicated out-of-band path.]


MPP Out-of-band Support

Uses the VRF concept for out-of-band interface support

– Requests received on out-of-band interfaces are only acknowledged on out-of-band interfaces

– No need for management protocols to be VRF aware

– The VRF for the out-of-band network is configurable; the default VRF is "MPP_OUTBAND_VRF"

Routing/forwarding can be enabled on out-of-band interfaces

‒ RP Ethernet will not participate in routing in the out-of-band VRF

RP/DRP Ethernet interfaces are out-of-band interfaces by default

Keyword "all" for protocol and interface is supported

IPv4/IPv6 peer filtering per protocol

Out-of-band interface support per SDR


Restrictions

Currently MPP does not keep track of denied or dropped protocol requests, so a blocked management attempt leaves no MPP counter or log of its own; look for it in the LPTS statistics instead

The management protocols need to be enabled explicitly

– MPP configuration does not enable the protocol services

– MPP is only responsible for making the services available on different interfaces

RP/DRP Ethernet interfaces are out-of-band interfaces by default and cannot be configured under MPP

MPP configuration changes do not affect active sessions established before the change; a session that is already open survives a tightened peer filter until it is cleared explicitly

No MIB support


Management Plane Protection Configuration


Before Configuring MPP

The RP's dedicated management ports automatically become out-of-band access for MPP and allow all management traffic towards the RP.

The RP management interfaces will not be shown as out-of-band interfaces in "show running-config" even though they are active.

All management traffic to any other interface will be dropped unless that interface is configured under MPP, either as in-band or as out-of-band, for the specific protocols.

Use commit confirmed to prevent lockout! A "commit confirmed" with a timer rolls the change back automatically unless you confirm it with a plain "commit" before the timer expires, so a configuration that cuts off your own session undoes itself.

Warning! Make sure you will not lock yourself out: the interface and protocol you are connected through must be listed under MPP, and your source address must be permitted by any peer filter on it.


MPP In-band Configuration Tasks

1. Enable the protocol services

- Protocols supported by MPP are SSH, Telnet, TFTP, HTTP and SNMP

2. Enable MPP for specific interfaces

- Specify protocols on specific interfaces

3. Specify the source peers/subnets of the incoming management traffic for

– each protocol

– each specific interface

4. Apply the management plane protection configuration

5. If management services are required in a particular VRF

– For VRF-aware management protocols (Telnet and SNMP)

– Enable protocol services for the VRF and place the in-band interface under the same VRF

– Non-VRF-aware management services cannot be configured for MPP in that VRF


Sample Config - 1

RP/0/RP1/CPU0:akki#show running-config | inc (ssh|snmp)
ssh server
snmp-server community PUBLIC SystemOwner

RP/0/RP1/CPU0:akki#show running-config control-plane
control-plane
 management-plane
  inband
   interface GigabitEthernet0/2/0/1
    allow SSH
    allow SNMP peer
     address ipv4 1.1.1.1
     address ipv4 192.168.0.0/16
     address ipv6 2000:21:1:1::1
     address ipv6 2000:20::/64

Protocols enabled: "ssh server" and "snmp-server community ..." turn the services on; MPP alone does not.

In-band interface: GigabitEthernet0/2/0/1.

All peers allowed for SSH: "allow SSH" has no peer block, so any source that can reach the interface may attempt an SSH session, subject only to LPTS rate limits and authentication.

Peer filtering for SNMP: only the listed IPv4/IPv6 hosts and subnets may reach SNMP on this interface.

The community string in this lab configuration (PUBLIC, with SystemOwner-level access) is a placeholder; in production, pair MPP peer filtering with SNMPv3 or at least a non-default community and restricted access rights.


MPP Out-of-band Configuration Tasks

1. Enable the protocol services

- Protocols supported by MPP are SSH, Telnet, TFTP, HTTP and SNMP

2. Choose the interfaces for OOB

- Choose specific protocols on specific interfaces

3. Place the interfaces under the MPP default VRF or the configured MPP VRF

4. Choose specific allowed peers/subnets for each protocol and for each specific interface

5. Apply management-plane protection configuration


Sample Config

RP/0/RP1/CPU0:akki#show running-config interface gigabitEthernet 0/2/0/2
interface GigabitEthernet0/2/0/2
 ipv4 address 1.1.1.2 255.255.255.0
 ipv6 address 2000:20::1/64
 vrf my_out_of_band
 negotiation auto

RP/0/RP0/CPU0:akki#show running-config vrf *
vrf my_out_of_band
 address-family ipv4 unicast
 address-family ipv6 unicast

RP/0/RP0/CPU0:akki#show running-config | inc ssh
ssh server

VRF definition: vrf my_out_of_band

SSH server config: ssh server


Sample Config (contd.)

RP/0/RP1/CPU0:akki#show running-config control-plane
control-plane
 management-plane
  out-of-band
   vrf my_out_of_band
   interface GigabitEthernet0/2/0/2
    allow SSH peer
     address ipv4 1.1.1.1
     address ipv4 192.168.0.0/16
     address ipv6 2000:0:1:1::1

RP/0/RP1/CPU0:akki#show running-config router ospf
router ospf 100
 vrf my_out_of_band
  area 0
   interface GigabitEthernet0/2/0/2

Changing the OOB VRF: "vrf my_out_of_band" under out-of-band replaces the default MPP_OUTBAND_VRF.

Out-of-band interface: GigabitEthernet0/2/0/2.

Peer filtering for SSH: only the listed hosts and subnet may open SSH sessions through this interface.

Routing in the OOB VRF: OSPF process 100 runs on the out-of-band interface inside the OOB VRF.


Troubleshooting Management Plane Protection (MPP)


Troubleshooting MPP -- LPTS

The MPP configuration under test:

control-plane
 management-plane
  inband
   interface Loopback87
    allow SNMP
   !
   interface GigabitEthernet0/7/1/0
    allow SSH
    allow Telnet
   !
   interface GigabitEthernet0/7/1/3
    allow Telnet peer
     address ipv4 3.3.3.3
     address ipv6 3:3:3::3
     address ipv6 5:5:5::0/64
   !
  !
 !
!

The LPTS bindings reflect that policy: Telnet (port 23) is bound with any peer on Gi0/7/1/0 and on the RP management Ethernet (Mg0/RP0/CPU0/0, out-of-band by default), but only for the configured peers on Gi0/7/1/3; SNMP (port 161) is bound only on Loopback87 and the RP management Ethernet.

RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.23 )
0/RP0/CPU0   TCP   LR   IPV4   TCP   default   any.23   any           Mg0/RP0/CPU0/0
0/RP0/CPU0   TCP   LR   IPV6   TCP   default   any.23   any           Mg0/RP0/CPU0/0
0/RP0/CPU0   TCP   LR   IPV4   TCP   default   any.23   any           Gi0/7/1/0
0/RP0/CPU0   TCP   LR   IPV6   TCP   default   any.23   any           Gi0/7/1/0
0/RP0/CPU0   TCP   LR   IPV4   TCP   default   any.23   3.3.3.3       Gi0/7/1/3
0/RP0/CPU0   TCP   LR   IPV6   TCP   default   any.23   3:3:3::3      Gi0/7/1/3
0/RP0/CPU0   TCP   LR   IPV6   TCP   default   any.23   5:5:5::0/64   Gi0/7/1/3
RP/0/RP0/CPU0:CRS1-4#
RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.161 )
0/RP0/CPU0   UDP   LR   IPV4   UDP   default   any.161   any   Mg0/RP0/CPU0/0
0/RP0/CPU0   UDP   LR   IPV4   UDP   default   any.161   any   Lo87
0/RP0/CPU0   UDP   LR   IPV6   UDP   default   any.161   any   Mg0/RP0/CPU0/0
0/RP0/CPU0   UDP   LR   IPV6   UDP   default   any.161   any   Lo87
RP/0/RP0/CPU0:CRS1-4#
RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.22 )

The same policy as programmed into the line-card hardware pre-IFIB. The interface-scoped listen entries exist only on the line card that hosts the interface (0/7), while the two established Telnet sessions (identified by remote address and port, 10.10.20.100.33732 and 2001:23:11::16.53964) are programmed on every line card, which is why location 0/0 shows only those two:

RP/0/RP0/CPU0:CRS1-4#show lpts pifib hardware entry bri location 0/7/cpu0 | i (.23 )
(def).23   3.3.3.3                TCP   GigabitEthernet0/7/1/3   0/RP0/CPU0   24   7
(def).23   3:3:3::3               TCP   GigabitEthernet0/7/1/3   0/RP0/CPU0   24   7
(def).23   5:5:5::0/64            TCP   GigabitEthernet0/7/1/3   0/RP0/CPU0   24   7
(def).23   any                    TCP   GigabitEthernet0/7/1/0   0/RP0/CPU0   24   7
(def).23   any                    TCP   GigabitEthernet0/7/1/0   0/RP0/CPU0   24   7
(def).23   10.10.20.100.33732     TCP   any                      0/RP0/CPU0   24   6
(def).23   2001:23:11::16.53964   TCP   any                      0/RP0/CPU0   24   6
RP/0/RP0/CPU0:CRS1-4#
RP/0/RP0/CPU0:CRS1-4#show lpts pifib hardware entry bri location 0/0/cpu0 | i (.23 )
(def).23   10.10.20.100.33732     TCP   any                      0/RP0/CPU0   24   6
(def).23   2001:23:11::16.53964   TCP   any                      0/RP0/CPU0   24   6
RP/0/RP0/CPU0:CRS1-4#
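Reading the bindings by eye works for three interfaces; on a box with many, a script that compares the LPTS bindings against the intended MPP policy catches a protocol that was left open or a peer filter that did not land. The following auditor is an added example written for this page, not tooling from the Cisco deck. It assumes the nine-column layout of "show lpts bindings brief" seen above (location, client, type, L3, L4, VRF, local addr.port, remote, interface), treats the RP management Ethernet (Mg...) as always out-of-band, and transcribes the MPP configuration above into a policy table; the last line of the sample bindings is constructed, not from the deck, to show what a finding looks like.

```python
"""Audit 'show lpts bindings brief' output against the intended MPP policy.

Added example (not part of the Cisco deck). Assumptions: the nine-column
layout seen on the slide; the RP management Ethernet (Mg...) is always
out-of-band; the final sample line is constructed to produce a finding.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Ports of the services the deck lists as MPP-managed.
MGMT_PORTS = {22: "SSH", 23: "Telnet", 69: "TFTP", 80: "HTTP", 161: "SNMP"}


@dataclass(frozen=True)
class Binding:
    l3: str
    l4: str
    vrf: str
    port: int
    remote: str
    interface: str


def parse_bindings(text: str) -> List[Binding]:
    """Parse the bindings table; prompts, headers and partial lines are skipped."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) != 9 or tok[0].startswith("RP/"):
            continue
        try:
            port = int(tok[6].rsplit(".", 1)[1])   # local column is <addr>.<port>
        except (IndexError, ValueError):
            continue
        out.append(Binding(tok[3], tok[4], tok[5], port, tok[7], tok[8]))
    return out


def peer_allowed(remote: str, allowed: Set[str]) -> bool:
    """True if the binding's remote is covered by the MPP peer list.
    'any' in the policy means no peer filter; a wildcard binding against a
    restricted policy is never acceptable."""
    if "any" in allowed:
        return True
    if remote == "any":
        return False
    r = ipaddress.ip_network(remote, strict=False)
    for a in allowed:
        net = ipaddress.ip_network(a, strict=False)
        if net.version == r.version and r.subnet_of(net):
            return True
    return False


def audit(bindings: List[Binding], policy: Dict[str, Dict[int, Set[str]]],
          mgmt_prefix: str = "Mg") -> List[str]:
    """policy maps interface -> {port: {allowed peers}}, transcribed from the
    MPP config. Returns one finding per management-port binding the policy
    does not cover; bindings on the RP management Ethernet are skipped."""
    findings = []
    for b in bindings:
        if b.port not in MGMT_PORTS or b.interface.startswith(mgmt_prefix):
            continue
        name = MGMT_PORTS[b.port]
        allowed = policy.get(b.interface, {}).get(b.port)
        if allowed is None:
            findings.append(f"{name} bound on {b.interface} but not in MPP policy")
        elif not peer_allowed(b.remote, allowed):
            findings.append(f"{name} on {b.interface} accepts {b.remote}, "
                            f"policy allows {sorted(allowed)}")
    return findings


# Policy transcribed from the MPP configuration shown above.
MPP_POLICY = {
    "Lo87": {161: {"any"}},
    "Gi0/7/1/0": {22: {"any"}, 23: {"any"}},
    "Gi0/7/1/3": {23: {"3.3.3.3", "3:3:3::3", "5:5:5::0/64"}},
}

# Bindings copied from the slide, plus one constructed line at the end
# (not from the deck) showing Telnet on Gi0/7/1/3 without its peer filter.
SAMPLE_BINDINGS = """\
RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.23 )
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 any Mg0/RP0/CPU0/0
0/RP0/CPU0 TCP LR IPV6 TCP default any.23 any Mg0/RP0/CPU0/0
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 any Gi0/7/1/0
0/RP0/CPU0 TCP LR IPV6 TCP default any.23 any Gi0/7/1/0
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 3.3.3.3 Gi0/7/1/3
0/RP0/CPU0 TCP LR IPV6 TCP default any.23 3:3:3::3 Gi0/7/1/3
0/RP0/CPU0 TCP LR IPV6 TCP default any.23 5:5:5::0/64 Gi0/7/1/3
RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.161 )
0/RP0/CPU0 UDP LR IPV4 UDP default any.161 any Mg0/RP0/CPU0/0
0/RP0/CPU0 UDP LR IPV4 UDP default any.161 any Lo87
0/RP0/CPU0 UDP LR IPV6 UDP default any.161 any Mg0/RP0/CPU0/0
0/RP0/CPU0 UDP LR IPV6 UDP default any.161 any Lo87
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 any Gi0/7/1/3
"""


def run_sample() -> List[str]:
    return audit(parse_bindings(SAMPLE_BINDINGS), MPP_POLICY)


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

The eleven bindings taken from the slide audit clean; only the constructed wildcard Telnet binding on Gi0/7/1/3 is reported. Run against a real box, feed it the full "show lpts bindings brief" output rather than the grep-filtered excerpts, so that a management port bound on an interface you never listed under MPP is reported as well.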


MPP show commands

show mgmt-plane inband <interface> ‒ View the information of a particular in-band interface

show mgmt-plane out-of-band <interface> ‒ View the information of a particular out-of-band interface

show mgmt-plane out-of-band vrf ‒ View the out-of-band VRF

show mgmt-plane interface <interface> ‒ View in-band/out-of-band interface information


MPP debug commands

debug management-plane details
‒ To enable MPP detail debugs

debug management-plane errors
‒ To enable MPP error debugs

debug management-plane events
‒ To enable MPP event debugs

debug management-plane details job <jobid>
‒ To enable MPP detail debugs for a particular MPP-enabled process

debug management-plane errors job <jobid>
‒ To enable MPP error debugs for a particular MPP-enabled process

debug management-plane events job <jobid>
‒ To enable MPP event debugs for a particular MPP-enabled process

Note: the details option outputs verbose information.


Monitoring commands

show lpts ifib entry brief statistics
show lpts ifib stats
show lpts pifib statistics location <r/s/m>
show lpts pifib hardware entry statistics location <r/s/m>

Check if there are LPTS drops on the RP, in the line-card software path (LC-SW) or in the line-card hardware path (LC-HW)

LPTS policer drops mean the incoming rate exceeded the configured or default policer value, due to one of:

‒ a misconfigured policer (rate too low)

‒ a misbehaving device sending management traffic at a higher rate than expected

‒ a malicious attack, which is being blocked as intended


Summary – IOS XR Security FTW!

Uptime depends on more than defects or high availability features

‒ Device security is a critical piece of network reliability

‒ Data plane can handle way more packets/second than control plane

IOS XR security features enable “Self-Defending Network”

‒ Sophisticated hardware enables high-performance filtering

‒ LPTS provides all the benefits of CoPP with minimal configuration

‒ MPP builds on LPTS to secure infrastructure


Questions?


Recommended Reading

Cisco IOS XR Fundamentals http://www.ciscopress.com/title/1587052717

Router Security Strategies: Securing IP Network Traffic Planes

http://www.ciscopress.com/title/1587053365


Check the Recommended Reading brochure for suggested products available at the Cisco Store

Enter to Win a 12-Book Library of Your Choice from Cisco Press

Visit the Cisco Store in the World of Solutions, where you will be asked to enter this Session ID code


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Cisco Preferred Access points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.


Final Thoughts

Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042

Come see demos of many key solutions and products in the main Cisco booth 2924

Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!

Follow Cisco Live! using social media:

‒ Facebook: https://www.facebook.com/ciscoliveus

‒ Twitter: https://twitter.com/#!/CiscoLive

‒ LinkedIn Group: http://linkd.in/CiscoLI


Glossary

FIB: Forwarding Information Base
RIB: Routing Information Base
RP: Route Processor
dRP: Distributed Route Processor
LC: Line Card
LPTS: Local Packet Transport Service
MPP: Management Plane Protection
CoPP: Control Plane Protection
PSE: Packet Switching Engine
IngressQ: Input queuing chip on LCs
FabricQ: Output fabric queuing chip on LCs
