BGP persistence

Posted 24-May-2015

Category: Technology

TRANSCRIPT

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

BGP flowspec phase 2: BGP persistence

Bertrand Duvivier (bduvivie@cisco.com), Sr Product Manager

September, 2014

DDoS impact on customer business

[Figure: customer traffic before (GOOD) and under DDoS]

• Enterprise customers cannot defend themselves: by the time the DDoS reaches their firewall, it is already too late.

• An SP can protect the enterprise by cleaning the DDoS traffic at the ingress peering point.

• New revenue for the SP.

2014 DDoS trends (NANOG source)

• Any Internet operator can be a target for DDoS: ideologically-motivated "hacktivism" and on-line vandalism are the most commonly identified attack motivations.

• Size and scope of attacks continue to grow at an alarming pace: high-bandwidth DDoS attacks are the "new normal", with over 40% of respondents reporting attacks greater than 1 Gbps and 13% reporting attacks greater than 10 Gbps. Layer-7 DDoS attacks are increasingly sophisticated and complex, and multi-vector DDoS attacks are becoming more common.

• IPv6 DDoS attacks have been seen "in the wild" on production networks.

Source: https://www.nanog.org/sites/default/files/tuesday_general_sockrider_infrastructure_3.pdf

DDoS mitigation architecture

Components: DDoS analyser (fed with sampled NetFlow from the routers), security controller, DDoS scrubber.

1. Detection (no DDoS): the DDoS analyser scans the sampled NetFlow data to detect DDoS attacks.

2. Detection (DDoS): the DDoS analyser scans the NetFlow data and finds a DDoS signature.

3. Redirect traffic to the DDoS scrubber: the security controller advertises a BGP flowspec rule to the routers. Flow: the DDoS flow. Action: redirect to the DDoS scrubber.
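What the controller actually sends in step 3 is a flowspec NLRI (the match) plus a redirect extended community (the action). The following is an added example, not Cisco code and not part of the deck: it encodes and parses that rule per RFC 5575 so a practitioner can see the bytes a flowspec client validates before installing a filter. The victim prefix 192.0.2.0/24, UDP/53 and route target 65000:100 are constructed sample values, not taken from the slides.

```python
"""Added example (not Cisco code, not part of the slide deck): build and parse
the on-the-wire form of the rule the architecture slides describe,
"Flow: DDoS flow, Action: redirect to DDoS scrubber", per RFC 5575.
Prefix, protocol, port and route target below are constructed sample values."""
import ipaddress

# Component types, RFC 5575 section 4
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
NAMES = {IP_PROTO: "proto", PORT: "port", DST_PORT: "dst_port", SRC_PORT: "src_port"}
EQ, GT, LT = 0x01, 0x02, 0x04            # comparison bits of the numeric operator


def _numeric_op(value, end=False, cmp=EQ):
    """One {operator, value} pair (RFC 5575 4.2.1.1).
    Operator byte: e(end-of-list) a(and) len(2 bits) 0 lt gt eq."""
    for ln, size in ((0, 1), (1, 2), (2, 4), (3, 8)):
        if value < 1 << (8 * size):
            break
    else:
        raise ValueError("value does not fit in 8 octets")
    return bytes([(end << 7) | (ln << 4) | cmp]) + value.to_bytes(size, "big")


def _prefix_component(ctype, prefix):
    """Prefix component: type, prefix length, then only the octets needed."""
    net = ipaddress.IPv4Network(prefix)          # raises if host bits are set
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_flowspec_nlri(dst=None, src=None, proto=None, dst_port=None):
    """Components must appear in ascending type order; the length comes first."""
    body = b""
    if dst is not None:
        body += _prefix_component(DST_PREFIX, dst)
    if src is not None:
        body += _prefix_component(SRC_PREFIX, src)
    if proto is not None:
        body += bytes([IP_PROTO]) + _numeric_op(proto, end=True)
    if dst_port is not None:
        body += bytes([DST_PORT]) + _numeric_op(dst_port, end=True)
    if len(body) < 0xF0:
        return bytes([len(body)]) + body
    return (0xF000 | len(body)).to_bytes(2, "big") + body   # extended length form


def decode_flowspec_nlri(data):
    """Parse one NLRI back into a dict, enforcing the ordering and length rules
    a receiver should check before installing a filter."""
    if data[0] >= 0xF0:
        length, pos = ((data[0] & 0x0F) << 8) | data[1], 2
    else:
        length, pos = data[0], 1
    end = pos + length
    if end != len(data):
        raise ValueError("NLRI length field does not match the buffer")
    rule, last_type = {}, 0
    while pos < end:
        ctype = data[pos]
        pos += 1
        if ctype <= last_type:
            raise ValueError("components out of order or duplicated")
        last_type = ctype
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen = data[pos]
            nbytes = (plen + 7) // 8
            addr = bytes(data[pos + 1:pos + 1 + nbytes]).ljust(4, b"\0")
            pos += 1 + nbytes
            net = ipaddress.IPv4Network((addr, plen), strict=False)
            rule["dst" if ctype == DST_PREFIX else "src"] = str(net)
        else:
            values = []                    # (cmp bits, value) pairs until the end bit
            while True:
                op = data[pos]
                size = 1 << ((op >> 4) & 0x3)
                val = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
                pos += 1 + size
                values.append((op & 0x07, val))
                if op & 0x80:
                    break
            rule[NAMES.get(ctype, ctype)] = values
    return rule


def redirect_ext_community(asn, local_admin):
    """Redirect action (RFC 5575 section 7, type 0x8008): the value is a route
    target AS2:nn naming the VRF that leads to the scrubber."""
    return bytes([0x80, 0x08]) + asn.to_bytes(2, "big") + local_admin.to_bytes(4, "big")


def ddos_redirect_rule():
    """The slide's scenario with constructed values: UDP/53 towards the victim
    prefix 192.0.2.0/24 is redirected into the scrubber VRF via RT 65000:100."""
    nlri = encode_flowspec_nlri(dst="192.0.2.0/24", proto=17, dst_port=53)
    return nlri, redirect_ext_community(65000, 100)


if __name__ == "__main__":
    nlri, action = ddos_redirect_rule()
    print("NLRI  :", nlri.hex())
    print("action:", action.hex())
    print("parsed:", decode_flowspec_nlri(nlri))
```

The decoder deliberately rejects out-of-order or duplicated components and a length field that disagrees with the buffer; a flowspec client that skips these checks can be made to install a different filter than the controller intended.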

Next-Gen BGP flowspec phase 1 is:

• BGP flowspec baseline (RFC 5575)

• IPv6 support (draft-ietf-idr-flow-spec-v6)

• Relaxed flowspec origin validation (draft-ietf-idr-bgp-flowspec-oid)

• Extra redirection options (draft-ietf-idr-flowspec-redirect-ip and draft-ietf-idr-flowspec-redirect-rt-bis)

• Internet-in-VPN use case (wireless SP)

• Optimized flow-based forwarding plane

• BGP FS client / route-reflector / controller roles

• Shipped in IOS-XR 5.2.0 (June 2014)

Next-Gen BGP flowspec phase 2 is:

• BGP persistence (draft-uttaro-idr-bgp-persistence)

• Shipped in IOS-XR 5.2.2

BGP persistence

Problem we try to resolve:

• BGP flowspec policies are distributed from the controller to a route-reflector and then to all BGP flowspec clients (border routers or provider edges).

• If the route-reflector or the BGP flowspec controller dies, the BGP standard requires that everything learned from it be withdrawn, so all the filters/policies protecting the network are dropped, leaving the network open to the next DDoS attack. Standard graceful restart only delays this by the stalepath-time (150 seconds in the configuration below).

• BGP persistence (long-lived graceful restart) keeps the filters/policies for a configured stale time: hours, days, or until the route-reflector or controller comes back.

• The stale time is configurable per address family; it is supported for the IP, L3VPN and L2VPN address families.

User interface - configuration: configuring persistence on a neighbor address family

RP/0/RSP0/CPU0:RA03_R1#show run router bgp | be 3.3.3.3
 neighbor 3.3.3.3
  remote-as 30813
  update-source Loopback0
  graceful-restart stalepath-time 150
  address-family ipv4 unicast
   route-policy pass in
   route-policy pass out
  !
  address-family vpnv4 unicast
   route-policy pass in
   route-policy pass out
   long-lived-graceful-restart capable
   long-lived-graceful-restart stale-time send 16777215 accept 16777215
  !
  address-family vpnv6 unicast
   route-policy pass in
   route-policy pass out
   long-lived-graceful-restart capable
   long-lived-graceful-restart stale-time send 16777215 accept 16777215

The stale-time is in seconds: 16777215 s, the maximum value (2^24 - 1, the field is three octets), is about 194 days. "send" is the stale time advertised to the peer; "accept" is the largest stale time honoured for paths received from that peer.
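To make the configuration above concrete, here is an added example (not Cisco code, not part of the deck) of the long-lived graceful restart machinery behind "BGP persistence", following draft-uttaro-idr-bgp-persistence (later published as RFC 9494). It encodes the LLGR capability the vpnv4/vpnv6 address families negotiate with stale-time 16777215, decodes it, and simulates what a flowspec client does with its paths when the route-reflector session drops: plain graceful restart with stalepath-time 150 versus LLGR at the configured maximum. The path records and timestamps are constructed sample data, and treating "accept" as a cap on the peer's advertised value is an assumption about IOS-XR semantics.

```python
"""Added example (not Cisco code): BGP long-lived graceful restart (LLGR), the
mechanism behind "BGP persistence", per draft-uttaro-idr-bgp-persistence
(RFC 9494). Path records below are constructed sample data; the 'accept'
semantics in effective_stale_time are an assumption about IOS-XR."""
import struct

LLGR_CAP_CODE = 71                 # BGP capability code for LLGR
LLGR_F_FLAG = 0x80                 # F bit: forwarding state preserved over restart
MAX_STALE_TIME = (1 << 24) - 1     # 3-octet field, hence 16777215 s in the config
AFI_IPV4, AFI_IPV6 = 1, 2
SAFI_UNICAST, SAFI_MPLS_VPN = 1, 128
LLGR_STALE = 0xFFFF0006            # well-known community: path retained but stale
NO_LLGR = 0xFFFF0007               # well-known community: never retain this path


def encode_llgr_capability(entries):
    """entries: (afi, safi, stale_time_seconds) tuples, one per address family.
    Returns the capability TLV (code, length, value) as carried in BGP OPEN."""
    value = b""
    for afi, safi, stale in entries:
        if not 0 <= stale <= MAX_STALE_TIME:
            raise ValueError("stale time must fit in 24 bits")
        value += struct.pack("!HBB", afi, safi, LLGR_F_FLAG) + stale.to_bytes(3, "big")
    return bytes([LLGR_CAP_CODE, len(value)]) + value


def decode_llgr_capability(tlv):
    """Parse the TLV back; each 7-octet entry is AFI(2) SAFI(1) flags(1) time(3)."""
    code, length = tlv[0], tlv[1]
    if code != LLGR_CAP_CODE or length != len(tlv) - 2 or length % 7:
        raise ValueError("not a well-formed LLGR capability")
    entries = []
    for i in range(2, 2 + length, 7):
        afi, safi, flags = struct.unpack("!HBB", tlv[i:i + 4])
        stale = int.from_bytes(tlv[i + 4:i + 7], "big")
        entries.append((afi, safi, bool(flags & LLGR_F_FLAG), stale))
    return entries


def effective_stale_time(peer_sent, local_accept):
    """Timer actually run for a peer's paths: the value the peer advertised,
    capped by the local 'accept' setting (assumed XR semantics)."""
    return min(peer_sent, local_accept)


def stale_time_days(seconds):
    return seconds / 86400


def mark_stale(paths, stale_time, now):
    """Session lost: instead of withdrawing, keep each path, tag it LLGR_STALE
    and schedule its expiry. Paths carrying NO_LLGR are dropped immediately."""
    kept = []
    for p in paths:
        comms = set(p.get("communities", ()))
        if NO_LLGR in comms:
            continue
        kept.append(dict(p, communities=comms | {LLGR_STALE}, expires_at=now + stale_time))
    return kept


def purge_expired(paths, now):
    """Run periodically: drop stale paths whose long-lived stale timer ran out.
    Paths without expires_at are live (session up) and are never purged here."""
    return [p for p in paths if "expires_at" not in p or p["expires_at"] > now]


if __name__ == "__main__":
    cap = encode_llgr_capability([(AFI_IPV4, SAFI_MPLS_VPN, MAX_STALE_TIME),
                                  (AFI_IPV6, SAFI_MPLS_VPN, MAX_STALE_TIME)])
    print("LLGR capability:", cap.hex(), decode_llgr_capability(cap))
    rules = [{"nlri": "redirect-ddos-flow"}]          # constructed flowspec path
    day = 86400
    # Plain graceful restart, stalepath-time 150 s: filters gone within minutes.
    print("GR   after 1 day:", purge_expired(mark_stale(rules, 150, 0), day))
    # LLGR with the configured maximum: filters survive for about 194 days.
    print("LLGR after 1 day:", purge_expired(mark_stale(rules, MAX_STALE_TIME, 0), day))
```

Note that stale paths are still paths: a client that keeps flowspec filters for months must also depreference them (the draft attaches LLGR_STALE for exactly this) and must honour NO_LLGR, otherwise a rule the controller meant to be short-lived outlives it.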

Questions: ask-bgp-flowspec@cisco.com

Thank you.
