Advanced IOS XR Security

BRKSEC-3172
ACHTUNG

• This session is about IOS XR, which runs on:
  – CRS-1
  – CRS-3
  – XR12000
  – ASR9000
• This session will not cover IOS, IOS XE, or NXOS
• If you wish to learn about security on other systems, please attend:
  <insert breakouts here>

Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
• Overview
• Control Plane Protection – Local Packet Transport Services (LPTS)
  – LPTS Overview
  – Configuring LPTS
  – Monitoring LPTS
  – Troubleshooting LPTS
• Data Plane Protection
  – Receive traffic not processed by LPTS
  – Access Control Lists (ACL)
  – Traditional Methods
• Management Plane Protection (MPP)
  – MPP Overview
  – Configuring MPP
  – Troubleshooting MPP

Overview

Why are we here?

• To talk about protecting router aka “device” level resources from being compromised
• How IOS XR implements protection for control, data, and management planes
• How to configure these features in IOS XR
• How to troubleshoot and validate operation of protection in IOS XR
• Explain how IOS XR implementation compares to traditional CoPP based solutions for IOS

Router level Control, Management, and Data Plane Attack methods

• Remote attacks
  – Typically multiple hops away from the router
  – Sent to some destination IP on the device under attack
• Directly connected attacks
  – 1 hop away from device under attack
  – Sent to destination IP on the device under attack
• Inline attacks
  – Some inline tool to become “man in the middle”
  – Requires physical access to something on the wire
  – Manipulation of packets or data gathering
• The goal of all attacks is to compromise device resources or redirect flows for data gathering purposes

Types of Attacks
• Pipe Cloggers
  – TTL attacks
  – ICMP: unreachables, redirects, subnet pings
  – Ping of death – ping with size > 64 Kbyte
• State Overflowers/Resource Hogs
  – Unauthorized route injection (routing protocols)
  – Buffer overflow – attacker has to know the specific vulnerability within the code and protocol.
  – TCP SYN Flood
• Unauthorized Access Gainers
  – Dictionary attacks
  – SNMP attack
  – Unauthorized access (Telnet, SSH, HTTPS, SNMP)
  – Spoofing valid protocol packets
• And plenty more ways to wreak havoc

IOS XR Security at a glance

Control Plane
• TTL Security – BGP, OSPF, BFD
• Authentication – BGP, OSPF, ISIS, EIGRP, LDP, MSDP, RSVP
• Resource Limits – OSPF, ISIS, EIGRP, BGP, RIB, PIM, IGMP, MSDP
• Hardware and Software policers via LPTS

Management Plane
• Instance limit – Telnet, SSH, VTY
• Peer Filtering – HTTP, Telnet, SSH, SNMP
• AAA – tacacs, radius
• MPP – Management Plane Protection

Data Plane
• uRPF
• ACLs
• Ucode punt path policing

Operating System
• Process restart ability
• Protected memory
• Critical resource monitoring and throttling (CPU hog, mem leak, fdmon aka wdsysmon)
• IPC rate limits
10000 ft view of “Receive” packet path

(Diagram: Ingress Line Card (LC) with Ingress Packet Switching Engine ucode and PIFIB ucode (TCAM, dynamic), LC-CPU, Fabric, Route Processor CPU, Distributed RP (dRP) CPU, Egress LC. Legend: for-us traffic such as L2, BFD, ARP; for-us traffic processed by LPTS – mgmt, L3 control plane, ICMP; transit traffic.)

Control Plane Protection

Local Packet Transport Services:
High-level view for protection of the Control Plane

(Diagram: Transit Traffic passes through the Forwarding Information Base (FIB); Received Traffic on RP passes through LPTS and the Internal FIB (IFIB) to Application1 on the RP or to the Local Stack on the LC; a separate path is labelled Bad packets.)

• LPTS enables applications to reside on any or all RPs, DRPs, or LCs
  – Active/Standby, Distributed Applications, Local processing
• IFIB forwarding is based on matching control plane flows
  – Built in “firewall” for control plane traffic
• LPTS is transparent and automatic
Local Packet Transport Service
LPTS Overview
• There is no longer a single RP
• IOS XR is a fully distributed operating system with applications running in multiple physical locations
• LPTS enables distributed applications to reside on any or all RPs, DRPs, or LCs
• Filters and polices local ‘receive’ packets and sends them only to the nodes that need them
• Packet rate correlates with trust
• Handles fragments, also checks TTL/hop count
• High Availability for NSR (Non-Stop Routing)

Local Packet Transport Service
LPTS implementation in Hardware
• LPTS has hardware policers on line cards to limit traffic sent to local or remote nodes
• LPTS entries in TCAM classify packets to select a policer to apply
• The policer value can be tuned to 0 (to drop all packets matching the classification criteria)
• Polices on protocol (BGP, OSPF, SSH) and flow state (BGP established, BGP configured, and BGP listen)
• Policing is done on the LC hardware ASIC before packets hit the RP/LC CPU
• All filters are automatically and dynamically installed by the IOS XR infrastructure
How Local Packet Transport Services Works

IOS XR LPTS in action
• LPTS is an automatic, built in “firewall” for control plane traffic.
• Every Control and Management packet from the line card is rate limited in hardware to protect RP and LC CPU from attacks

Configuration shown on the slide:
router bgp
 neighbor 202.4.48.99
  …
  ttl_security
!
mpls ldp
!

LC 1 IFIB TCAM HW Entries
Local (addr port)   Remote (addr port)   Rate    Priority   ttl
any ICMP            any any              1000    low
any 179             any any              100     medium
any 179             202.4.48.99 any      1000    medium
202.4.48.1 179      202.4.48.99 2223     10000   medium     255
200.200.0.2 13232   200.200.0.1 646      100     medium

LC 2 IFIB TCAM HW Entries …

(Diagram labels: Socket, LPTS, BGP, LDP, SSH, TCP Handshake – the TCAM entries on each LC feed the LPTS sockets of the BGP, LDP and SSH applications.)
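To make the table concrete, here is an added toy model (my code, not Cisco's) of how such entries behave: the most specific entry (fewest wildcards) wins the lookup, each entry has its own token-bucket policer with the 100 ms burst quoted later in the deck, and the established-peer entry enforces the TTL 255 that ttl_security implies. Addresses and rates are those on the slide; the traffic mix in demo() is constructed.

```python
"""Toy model of LPTS classification plus per-entry hardware policing.

Added example, not Cisco code. Models the LC IFIB/TCAM table from the
'IOS XR LPTS in action' slide: most specific entry wins, each entry has
a token-bucket policer (100 ms burst), established BGP needs TTL 255.
Addresses/rates are from the slide; the traffic mix is constructed."""
from collections import defaultdict
from dataclasses import dataclass

ANY = None  # wildcard field in a TCAM entry


@dataclass
class Entry:
    name: str
    l4: str
    local_ip: object
    local_port: object
    remote_ip: object
    remote_port: object
    rate_pps: int
    priority: str
    min_ttl: int = 0  # 0 = no TTL check


@dataclass
class Packet:
    l4: str
    dst_ip: str
    dst_port: object
    src_ip: str
    src_port: object
    ttl: int = 64


# LC 1 IFIB TCAM HW entries as drawn on the slide (rates in pps)
TABLE = [
    Entry("icmp", "ICMP", ANY, ANY, ANY, ANY, 1000, "low"),
    Entry("bgp-default", "TCP", ANY, 179, ANY, ANY, 100, "medium"),
    Entry("bgp-cfg-peer", "TCP", ANY, 179, "202.4.48.99", ANY, 1000, "medium"),
    Entry("bgp-known", "TCP", "202.4.48.1", 179, "202.4.48.99", 2223, 10000, "medium", 255),
    Entry("ldp-tcp-known", "TCP", "200.200.0.2", 13232, "200.200.0.1", 646, 100, "medium"),
]


def classify(pkt, table=TABLE):
    """Return the most specific matching entry, or None if nothing matches."""
    best, best_wild = None, 99
    for e in table:
        fields = (e.local_ip, e.local_port, e.remote_ip, e.remote_port)
        values = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if e.l4 == pkt.l4 and all(f is ANY or f == v for f, v in zip(fields, values)):
            wild = sum(f is ANY for f in fields)
            if wild < best_wild:
                best, best_wild = e, wild
    return best


class Policer:
    # Token bucket: refills at rate_pps, holds burst_ms worth of tokens.
    def __init__(self, rate_pps, burst_ms=100):
        self.rate = rate_pps
        self.capacity = rate_pps * burst_ms / 1000.0  # rate 0 => everything dropped
        self.tokens, self.last = self.capacity, 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run(traffic, table=TABLE):
    """traffic: iterable of (time_s, Packet). Returns per-entry counters."""
    policers = {e.name: Policer(e.rate_pps) for e in table}
    stats = defaultdict(lambda: {"accepted": 0, "policed": 0, "ttl_dropped": 0})
    for now, pkt in sorted(traffic, key=lambda tp: tp[0]):
        e = classify(pkt, table)
        if e is None:
            stats["no-entry"]["policed"] += 1
        elif pkt.ttl < e.min_ttl:            # TTL check happens before policing
            stats[e.name]["ttl_dropped"] += 1
        elif policers[e.name].allow(now):
            stats[e.name]["accepted"] += 1
        else:
            stats[e.name]["policed"] += 1
    return dict(stats)


def stream(pps, seconds, make_pkt):
    """Evenly spaced packets; make_pkt(i) builds the i-th packet."""
    return [(i / pps, make_pkt(i)) for i in range(int(pps * seconds))]


def demo():
    """Constructed one-second mix: a healthy established BGP session, a SYN flood
    to port 179 from many unknown sources, an ICMP flood, and packets that carry
    the peer's 5-tuple but arrive with TTL 60 (i.e. from several hops away)."""
    traffic = (
        stream(500, 1, lambda i: Packet("TCP", "202.4.48.1", 179, "202.4.48.99", 2223, 255))
        + stream(5000, 1, lambda i: Packet("TCP", "202.4.48.1", 179, f"10.0.{i % 250}.7", 40000 + i % 1000))
        + stream(2000, 1, lambda i: Packet("ICMP", "202.4.48.1", None, "10.9.9.9", None))
        + stream(50, 1, lambda i: Packet("TCP", "202.4.48.1", 179, "202.4.48.99", 2223, 60))
    )
    return run(traffic)
```

The established session passes untouched while the unknown-source flood is held to roughly 100 pps plus the burst, which is what "packet rate correlates with trust" means in practice.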
“Receive” Packet Flow for LC CPU
Execute a sweep range ping to a CRS-1 and you will see packets dropping

(Diagram: L3 Line Card – Port 0, RX PSE with PreIFIB, INGRESSQ, SPONGE (Reass., L3 Engine), FABRICQ towards the Fabric and RP; CPU queues towards the LC CPU; return path EGRESSQ, TX PSE. Example flows drawn: ICMP Echo req, Layer 2 pkts.)

There are multiple queues towards LC-CPU with different priority (bfd, critical, high, medium, low, netflow):
• L2 control is sent to critical queue
• CDP, ICMP echo to high priority CPU queue
• Fragments, TTL expired, to medium priority queue
• BFD is enqueued to a BFD dedicated queue – processed by high priority thread (prio = 40)

Inside the LC CPU

(Diagram: CPU Queues from IngressQ – Critical, High Prio, Med Prio, Low Prio – feed NetIO, which dispatches to raw, UDP and TCP and on to the LC-CPU applications BFD, Netflow, HDLC, CDP, ICMP.)

Locally Destined Packet Flow

(Diagram: L3 Line Card – Port 0, RX PSE with PreIFIB, INGRESSQ, SPONGE (Reass., L3 Engine), FABRICQ – across the Fabric to the RP CPU Queues and RP CPU netio; return path FABRICQ, EGRESSQ, TX PSE. The control packet path is highlighted.)

There are multiple queues towards RP-CPU netio processing with different priorities (high, medium, low):
• IGP, BGP and LDP established to high priority queue
• BGP and LDP configured to med priority queue, RSVP, AAA, PIM
• SNMP, Telnet, SSH, ICMP echo reply, Unknown BGP and others to low priority queue

Inside RP-CPU

(Diagram: CPU Queues from FabricQ feed NetIO, which dispatches to raw, UDP and TCP and on to the RP-CPU applications IS-IS, OSPF, SNMP, SSH, BGP, LDP.)

LPTS data structures

• IFIB ‘slices’ are distributed across (D)RPs
  – Secondary look-up table when Pre-IFIB is incomplete
  – Distributed into slices – TCP slice, UDP slice, IS-IS slice, etc
• Software Pre-IFIB on each LC and (D)RP
  – More complex packet inspection and operations
  – Hashing fragments to different (D)RPs based on src/dst.
• Pre-IFIB (Pifib) in LC Ingress PSE TCAM Hardware

LPTS PIFIB Key Fields
RP/0/RP0/CPU0:RTPTME-CRS#show lpts pifib hardware entry location 0/0/CPU0
V - Vital; M - Fabric Multicast;
C - Moose Congestion Flag; L - Listener Tag; T - Min TTL;
F - Flow Type;
DestNode - Destination Node;
DestAddr - Destination Fabric Address;
Sq - Ingress Shaping Queue; Dq - Destination Queue;
Po - Policer; Ct - Stats Counter;
Lp - Lookup priority; Sp - Storage Priority;
Ar - Average rate limit; Bu - Burst;
HAr - Hardware Average rate limit; HBu - Hardware Burst;
Rsp - Relative sorting position;
Rtp - Relative TCAM position;
na - Not Applicable or Not Available

Sample LPTS Entry ----------------------------------------
L4 Protocol : TCP
VRF ID : default
Source IP : 10.8.8.5
Port/Type : Port:28043
Source Port : 179
Is Fragment : 0
Is SYN : any
Interface : any
V/M/C/L/T/F : 1/0/1/IPv4_STACK/0/BGP-known
DestNode : 0/RP0/CPU0
DestAddr : 30
Sq/Dq/Ct : 24/6/0x7ff60
Accepted/Dropped : 6305/0
Lp/Sp : 1/255
# of TCAM entries : 1
Po/Ar/Bu : 113/25000pps/100ms
HPo/HAr/HBu : 113/25000pps/100ms
State : Entry in TCAM
Rsp/Rtp : 35/35
LPTS PIFIB Lookup Results
RP/0/RP0/CPU0:RTPTME-CRS#show lpts pifib hardware entry location 0/0/CPU0
(Same entry as on the previous slide; the key fields L4 Protocol through Interface are unchanged and the lookup-result fields are repeated here.)
V/M/C/L/T/F : 1/0/1/IPv4_STACK/0/BGP-known
DestNode : 0/RP0/CPU0
DestAddr : 30
Sq/Dq/Ct : 24/6/0x7ff60
Accepted/Dropped : 6305/0
Lp/Sp : 1/255
# of TCAM entries : 1
Po/Ar/Bu : 113/25000pps/100ms
HPo/HAr/HBu : 113/25000pps/100ms
State : Entry in TCAM
Rsp/Rtp : 35/35
LPTS Software Entries (summary view)
RP/0/RP0/CPU0:CRS1-4#show lpts pifib brief location 0/7/CPU0
* - Any VRF; I - Local Interest;
X - Drop; R - Reassemble;

Type VRF-ID Local, Remote Address.Port L4 Interface Deliver
---------- -------- -------------------------- ----- ------------ -------------
ISIS * - - - any 0/2/CPU0
IPv4_frag * any any any any R
IPv4 default 224.0.0.1 any IGMP Gi0/7/1/0 0/RP0/CPU0
IPv4 default 224.0.0.2 any IGMP Gi0/7/1/0 0/RP0/CPU0
IPv4 default 224.0.0.22 any IGMP Gi0/7/1/0 0/RP0/CPU0
IPv4 default any any IGMP Gi0/7/1/0 0/RP0/CPU0
IPv4 default any.23 any TCP Gi0/7/1/0 0/RP0/CPU0
IPv4 default 224.0.0.13 any PIM Gi0/7/1/0 0/RP0/CPU0
IPv4 default 224.0.0.1 any IGMP Gi0/7/1/1 0/RP0/CPU0
IPv4 default 224.0.0.2 any IGMP Gi0/7/1/1 0/RP0/CPU0
IPv4 default 224.0.0.22 any IGMP Gi0/7/1/1 0/RP0/CPU0
IPv4 default any any IGMP Gi0/7/1/1 0/RP0/CPU0
IPv4 default 224.0.0.13 any PIM Gi0/7/1/1 0/RP0/CPU0
IPv4 default 10.8.8.4.20244 10.8.8.5.17 TCP any 0/RP0/CPU0
IPv4 default any.179 10.8.8.5 TCP any 0/RP0/CPU0
IPv4 default 10.10.20.34.23 10.10.20.10 TCP any 0/RP0/CPU0
IPv4 default 10.10.20.34.23 10.10.20.10 TCP any 0/RP0/CPU0
IPv4 default 90.90.91.1.23 90.90.91.3.5 TCP any 0/RP0/CPU0
IPv4 default 192.168.254.4.49716 192.16 TCP any 0/RP0/CPU0
IPv4 default any.10001 any TCP any 0/RP0/CPU0

LPTS entries for BGP
router bgp 100
 nsr
 address-family ipv4 unicast
 !
 neighbor 172.30.255.3
  remote-as 100
  update-source Loopback0
  address-family ipv4 unicast

Entry for the established session (flow type BGP-known):
L4 Protocol : TCP
VRF ID : default
Source IP : 172.30.255.3
Port/Type : Port:11013
Source Port : 179
Is Fragment : 0
Is SYN : any
Interface : any
V/M/C/L/T/F : 1/1/1/IPv4_STACK/0/BGP-known
DestNode : FGID 11775
DestAddr : 11775
Sq/Dq/Ct : 24/5/0x7ff32
Accepted/Dropped : 15344/0
Lp/Sp : 1/255
# of TCAM entries : 1
Po/Ar/Bu : 113/25000pps/100ms
HPo/HAr/HBu : 113/25000pps/100ms
State : Entry in TCAM
Rsp/Rtp : 33/33

Entry for the configured peer (flow type BGP-cfg-peer):
L4 Protocol : TCP
VRF ID : default
Source IP : 172.30.255.3
Port/Type : Port:179
Source Port : any
Is Fragment : 0
Is SYN : any
Interface : any
V/M/C/L/T/F : 1/0/1/IPv4_LISTENER/0/BGP-cfg-peer
DestNode : 0/RP0/CPU0
DestAddr : 62
Sq/Dq/Ct : 24/6/0x7ff34
Accepted/Dropped : 1/0
Lp/Sp : 1/255
# of TCAM entries : 1
Po/Ar/Bu : 114/10000pps/100ms
HPo/HAr/HBu : 114/10000pps/100ms
State : Entry in TCAM
Rsp/Rtp : 40/40
LPTS entries for IS-IS
router isis test
 net 44.4444.4444.4444.4444.00
 interface Loopback4444
  address-family ipv4 unicast
  !
 !
 interface TenGigE0/0/0/1
  circuit-type level-1
  address-family ipv4 unicast

RP/0/RP0/CPU0:CRS1-4#show placement program all | i isis
isis instance test 0/2/CPU0
RP/0/RP0/CPU0:CRS1-4#show placement program all | i bgp
bgp instance 0 0/RP0/CPU0 [0/RP1/CPU0]

L4 Protocol : -
Destination IP : any
Source IP : any
Port/Type : any
Source Port : any
Is Fragment : 0
Is SYN : any
Interface : TenGigE0/0/0/1 (0x1080040)/3
V/M/C/L/T/F : 1/0/1/CLNS_STACK/0/ISIS-known
DestNode : 0/2/CPU0
DestAddr : 8
Sq/Dq/Ct : 24/6/0x7ffac
Accepted/Dropped : 0/0
Lp/Sp : 0/255
# of TCAM entries : 1
Po/Ar/Bu : 108/20000pps/100ms
HPo/HAr/HBu : 108/20000pps/100ms
State : Entry in TCAM
Rsp/Rtp : 0/0
Configuring Local Packet Transport Services

LPTS policers are configurable globally or per linecard from 3.5.1 and up
• Users can set rate values for each type of traffic
lpts pifib hardware police
 flow fragment rate 0
 flow bgp default rate 0

Configurable flow types:
fragment          icmp-local         ipsec-known      rsh-known
ospf-mc-known     icmp-app           ipsec-default    rsh-default
ospf-mc-default   icmp-default       msdp-known       udp-known
ospf-uc-known     icmp-control       msdp-cfg-peer    udp-listen
ospf-uc-default   ldp-tcp-known      msdp-default     udp-cfg-peer
isis-known        ldp-tcp-cfg-peer   snmp             udp-default
isis-default      ldp-tcp-default    ntp              tcp-known
eigrp             ldp-udp            ssh-known        tcp-listen
rip               lmp-tcp-known      ssh-default      tcp-cfg-peer
bgp-known         lmp-tcp-cfg-peer   http-known       tcp-default
bgp-cfg-peer      lmp-tcp-default    http-default     mc-known
bgp-default       lmp-udp            shttp-known      mc-default
pim-mc            all-routers        shttp-default    raw-listen
pim-uc            rsvp               telnet-known     raw-default
igmp              rsvp-udp           telnet-default   ip-sla
ike               css-known
Verifying LPTS policer values
Configuration applied:
lpts pifib hardware police
 flow fragment rate 0
 flow bgp default rate 0

RP/0/RP0/CPU0:CRS1-4#show lpts pifib hardware police location 0/7/CPU0
-------------------------------------------------------------
Node 0/7/CPU0:
-------------------------------------------------------------
Burst = 100ms for all flow types
-------------------------------------------------------------
FlowType               Policer Type    Cur. Rate  Def. Rate  Accepted   Dropped
---------------------- ------- ------- ---------- ---------- ---------- ----------
unconfigured-default   100     Static  500        500        0          0
Fragment               106     Global  0          1000       0          0
OSPF-mc-known          107     Static  20000      20000      0          0
OSPF-mc-default        111     Static  5000       5000       0          0
OSPF-uc-known          161     Static  5000       5000       0          0
OSPF-uc-default        162     Static  1000       1000       0          0
ISIS-known             108     Static  20000      20000      0          0
ISIS-default           112     Static  5000       5000       0          0
BGP-known              113     Static  25000      25000      18263      0
BGP-cfg-peer           114     Static  10000      10000      6          0
BGP-default            115     Global  0          10000      0          2
PIM-mcast              116     Static  23000      23000      19186      0
PIM-ucast              117     Static  10000      10000      0          0
IGMP                   118     Static  3500       3500       9441       0
ICMP-local             119     Static  2500       2500       1020       0
ICMP-app               120     Static  2500       2500       0          0
na                     164     Static  2500       2500       72         0
ICMP-default           121     Static  2500       2500       0          0
LDP-TCP-known          122     Static  25000      25000      0          0
LDP-TCP-cfg-peer       152     Static  10000      10000      0          0
LDP-TCP-default        154     Static  10000      10000      0          0
……cut……
Tightening LPTS
• If you can use only p2p OSPF network type
  flow ospf-uc-known rate 0
  flow ospf-uc-default rate 0
• Note that OSPF p2p network type is the recommended setting even on Ethernet interfaces unless you have multiple routers on the same segment.
• Do we really need BGP, LDP-TCP, MSDP default…for unconfigured sessions?
  flow bgp-default rate 0
  flow ldp-tcp-default rate 0
  flow msdp-default rate 0
• Further investigation needed for these (change at your own risk!)
  flow udp-default rate 0
  flow tcp-default rate 0
  flow raw-default rate 0

Monitoring Local Packet Transport Services

Monitoring methods for LPTS

• CLI based show commands (previous slides)
  – Does not have SNMP MIB
• EEM Scripting for LPTS Alerting
  – http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=1721

event manager environment EEM_LPTS_CHECK_INTERVAL 300
event manager environment EEM_LPTS_CHECK_FLOWTYPES BGP-known *
event manager environment EEM_LPTS_CHECK_LOCATIONS 0/0/CPU0 0/4/CPU0
event manager environment EEM_LPTS_CHECK_THRESHOLD 1 50%
event manager directory user policy disk0:/scripts/
event manager policy lpts-threshold-alerting.tcl username scripts

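Since there is no MIB, off-box monitoring means parsing the CLI. As an added example (my code, not Cisco's and not the referenced EEM policy), this Python parser reads the show lpts pifib hardware police output from the “Verifying LPTS policer values” slide and flags policers tuned away from their default and flow types that are dropping; the sample is that slide's output trimmed, and the alert thresholds are constructed.

```python
"""Parse 'show lpts pifib hardware police' and flag policers that are dropping
or were tuned away from their default.

Added example, not Cisco code or the referenced EEM script. SAMPLE is the
trimmed output from the 'Verifying LPTS policer values' slide; the thresholds
in dropping_flows() are constructed for illustration."""
import re
from dataclasses import dataclass

SAMPLE = """\
RP/0/RP0/CPU0:CRS1-4#show lpts pifib hardware police location 0/7/CPU0
-------------------------------------------------------------
Node 0/7/CPU0:
-------------------------------------------------------------
Burst = 100ms for all flow types
-------------------------------------------------------------
FlowType               Policer Type    Cur. Rate  Def. Rate  Accepted   Dropped
---------------------- ------- ------- ---------- ---------- ---------- ----------
unconfigured-default   100     Static  500        500        0          0
Fragment               106     Global  0          1000       0          0
OSPF-mc-known          107     Static  20000      20000      0          0
BGP-known              113     Static  25000      25000      18263      0
BGP-cfg-peer           114     Static  10000      10000      6          0
BGP-default            115     Global  0          10000      0          2
PIM-mcast              116     Static  23000      23000      19186      0
IGMP                   118     Static  3500       3500       9441       0
ICMP-local             119     Static  2500       2500       1020       0
na                     164     Static  2500       2500       72         0
"""

NODE_RE = re.compile(r"^Node (\S+):")
# Header and dashed lines never match: their second column is not numeric.
ROW_RE = re.compile(
    r"^(?P<flow>\S+)\s+(?P<policer>\d+)\s+(?P<ptype>\S+)\s+(?P<cur>\d+)\s+"
    r"(?P<default>\d+)\s+(?P<accepted>\d+)\s+(?P<dropped>\d+)$"
)


@dataclass
class PolicerRow:
    node: str
    flow: str
    policer: int
    ptype: str       # Static = platform default; Global/Local = operator-configured
    cur_rate: int
    def_rate: int
    accepted: int
    dropped: int

    @property
    def drop_ratio(self):
        total = self.accepted + self.dropped
        return self.dropped / total if total else 0.0


def parse_police_output(text):
    """Return one PolicerRow per flow type, tagged with the node it came from."""
    rows, node = [], "unknown"
    for line in text.splitlines():
        line = line.strip()
        m = NODE_RE.match(line)
        if m:
            node = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(PolicerRow(node, m["flow"], int(m["policer"]), m["ptype"],
                                   int(m["cur"]), int(m["default"]),
                                   int(m["accepted"]), int(m["dropped"])))
    return rows


def tuned_policers(rows):
    """Flow types whose current rate differs from the platform default."""
    return [r.flow for r in rows if r.cur_rate != r.def_rate]


def dropping_flows(rows, min_dropped=1, min_ratio=0.0):
    """Flow types with drops above an absolute and a relative threshold."""
    return [r.flow for r in rows
            if r.dropped >= min_dropped and r.drop_ratio >= min_ratio]


def alert_lines(rows):
    """One human-readable alert per anomaly, in the spirit of the EEM policy."""
    out = []
    for r in rows:
        if r.cur_rate != r.def_rate:
            out.append(f"{r.node} {r.flow}: policer {r.policer} tuned "
                       f"{r.def_rate}->{r.cur_rate} pps ({r.ptype})")
        if r.dropped:
            out.append(f"{r.node} {r.flow}: {r.dropped} dropped / "
                       f"{r.accepted} accepted ({r.drop_ratio:.0%})")
    return out
```

Counters are cumulative, so a periodic collector should diff successive samples rather than alert on the absolute Dropped value.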
Troubleshooting Local Packet Transport Services

Verifying table entries and counters
• Verify the bindings
  show lpts binding brief - Individual client requests
  show lpts clients - Is there a client for every node configured for traffic?
  show lpts flows brief - Arbitrated, resolved requests turned into flows for ifib.
• Verify the lpts entries in RP netio
  sh lpts ifib slices all - Useful if slice location migrates due to extra RP/DRP resources.
  sh lpts ifib entry brief - Verify final software fib entry.
  sh lpts ifib statistics location r/s/m – Valid only on RPs and DRPs*.
• Verify the linecard pifib software and hardware entries
  ==pre-ifib in LC/RP (Netio)==
  sh lpts pifib entry brief location r/s/m – Summary view
  sh lpts pifib entry location r/s/m – Gives software stats.
  ==TCAM in LC Only==
  sh lpts pifib hardware entry brief location r/s/m – Summary view
  sh lpts pifib hardware entry statistics location r/s/m -- Counters
  sh lpts pifib hardware usage location r/s/m – TCAM resource utilization
  sh lpts pifib hardware police location r/s/m – Policer values
LPTS Debugs
• debug lpts packet location <r/s/m>
  – On LC, shows LC CPU activity only (not PSE)
  – On RP/DRP, shows secondary look-ups and packet delivery
  – One message per layer per packet.
• debug lpts packet {ipv4acl | ipv6acl} <name>
  – Limit to packets matching an ACL.
• debug lpts packet snapshot-size <n>
  – Display <n> packets, then stop.
• debug lpts packet drops
  – Packets dropped by LPTS.
• debug lpts pa {irib | ifib | error}
  – IFIB generation information.
• debug lpts pifibm {events | errors} location <r/s/m>
  – What’s getting into the Pre-IFIB.

“debug lpts packet” example
RP/0/0/CPU0:Jul 16 18:12:19.035 : netio[64]: lpts ifib [0xda3159b4/104 if 0x02000400 IP4 10.0.2.1 -> 10.0.2.2 ICMP 0 0] to local stack
RP/0/0/CPU0:Jul 16 18:12:28.294 : netio[64]: lpts decaps [0xda314bb4/4474 if 0x02000400 CLNS] to local stack
RP/0/0/CPU0:Jul 16 18:12:28.697 : netio[64]: lpts decaps [0xda3159b4/32 if 0x02000400 IP4 10.0.2.1 -> 224.0.1.9 IGMP 22 0] to local stack
RP/0/0/CPU0:Jul 16 18:12:29.898 : netio[64]: lpts pifib [0xda3159b4/62 Mg0/0/CPU0/0 IP4 10.91.36.2.1985 -> 224.0.0.2.1985 UDP] to local MCAST4_FM
RP/0/0/CPU0:Jul 16 18:12:29.899 : netio[64]: lpts ifib [0xda3159b4/62 Mg0/0/CPU0/0 IP4 10.91.36.2.1985 -> 224.0.0.2.1985 UDP] no matching entry in MCAST4_FM slice, dropping

LPTS always on debugs
Traces

• Global Traces
  show lpts trace global
  Captures process starts, slice assignments, dependencies
• Per-Process Traces
  show lpts trace {pa | fm | ff | platf}
  Transactions, errors, and platform-specific information.

LPTS Demo – impact on CPU Utilization

(Diagram: a traffic generator labelled “l33t Hax0rs (played by Agilent)” sending attack traffic at a CRS.)

Data Plane Protection Methods

Data Plane Exceptions
“Receive” traffic not processed by LPTS

Type              Policer (pps)   Queue priority
CDP               1000            High
ARP               1000            High
L2 control        1000            Critical
IPv4 options      2500            Medium
IPv4 TTL expire   1000            Low
IPv6 Link Local   10000           Medium
IPv6 TTL expire   500             Low
BFD asynch        7000            BFD
BFD echo          7000            BFD
BFD TTL error     drop            na
Sampled Netflow   Varies*         Netflow
*Depends on platform/HW

• Most traffic directly processed by LC CPU is handled by LC microcode without LPTS (no dynamic state)
• Different priority queues towards the CPU
• Each traffic type is policed
• Eg. BFD uses its own queue which has the highest priority
• BFD with TTL<254 is dropped
• Use “show controller pse stats” to get stats
show controller pse stats ingress loc r/s/m

RP/0/RP0/CPU0:CRS1-4#show controllers pse statistics ingress location 0/7/CPU0

Node 0/7/CPU0 Ingress PSE Stats
--------------------------------

Punt Stats            Punted     Policed & Dropped
----------            ------     -----------------
L2 control            285049     0
CDP                   125624     0
ARP                   252        0
IPv4 TTL expiration   13562720   17668788471
IPv4 BFD echo         262338     4890440
IPv6 link local       4326       0

Drop Stats            Dropped
----------            -------
L2 unknown            896912
IPv4 not enabled      38342
IPv4 BFD TTL error    933027779

Debug Stats           Count
-----------           -----
PPE idle counter      46869398697124

Data Plane protection with ACLs

• Consider the points at which to place ACLs for containment
  – Think region or logical segmentation of the network, should an attack occur that needs limiting
• Ability to filter on TTL, packet length, fragments, EHs
• Interface level statistics in hardware
• Interface ACL processing happens before LPTS processing
• Logging gives ability for forensics and is rate limited on the number of packets sent to the CPU to avoid over running CPU resources
• New in 3.9.2, 4.0.1: Nested infrastructure ACLs
  ipv4/ipv6 access-group common <name>
Other traditional methods for protecting the Data Plane

• Control plane brute force
  – Honey Pots
  – Remote black hole triggers via BGP
• QoS via MQC matching similar to ACL method
• Unicast RPF both loose and strict
• IPv6 EH filtering within ACLs
  *No length limitations, but performance decrease if more than 86 bytes of IPv6 headers

Management Plane Protection

MPP Overview
Management Protocols are secured at various levels:
• MPP limits the interfaces exposed for management access
• MPP Peer filtering
• LPTS Rate Limits
• Feature specific Rate/Session Limits

By default, Management protocols are off if MPP is configured

MPP Overview

• Management Plane Protection allows the network operator to reserve a set of interfaces for management traffic either exclusively (i.e., out-of-band) or along with transit traffic (i.e., in-band)
• MPP is supported on all IOS XR platforms and there is no difference in terms of detailed MPP feature support
• IOS XR Management Plane Protection offers the below features
  – In-band Interface support
  – Out-of-band Interface support
  – Per interface and per protocol filtering
  – Peer Filtering
    • IPv4/IPv6 Host based
    • IPv4/IPv6 Subnet based
• Management Protocols supported
  – TFTP, TELNET, SSH (v1 & v2), SNMP and HTTP/HTTPS

How Management Plane Protection Works

IOS XR behavior before MPP

(Diagram: Management Traffic from the NOC and Transit Traffic from the DCN arrive on I/F 1, I/F 2 and I/F 3; all three lead through LPTS to the RP CPU; the RP Ethernet port is a separate path to the RP CPU.)

• Management Services are off by default
• When management services are enabled, they are enabled on all interfaces
• LPTS rate limits management plane traffic to RP CPU from LCs
• RP Ethernet/Console/Aux provide out-of-band management

IOS XR with In-band MPP

(Diagram: Management Traffic from the NOC and Transit Traffic from the DCN; I/F 1 is the in-band MPP interface and passes through LPTS to the RP CPU; I/F 2 and I/F 3 carry transit traffic only; RP Eth remains the out-of-band path.)

• I/F 1 is configured as MPP in-band interface. I/F 1 is also part of global IP/MPLS routing/forwarding.
• Management traffic to RP from all non-MPP interfaces is dropped (I/F 2 and I/F 3).
• RP Eth/Console/Aux continues to operate as dedicated out-of-band.
• MPP integrates with LPTS to provide HW-based filtering!

MPP In-band Support

• In-band Interface selection
  – Network Operator can select specific interfaces for in-band
  – Granularity of allowing different management protocols on different in-band interfaces
• In-band interface allows transit traffic along with management traffic
• Option of choosing all available interfaces as in-band using keyword “all”
• Option of enabling all supported management protocols on a particular interface using keyword “all”
• IPv4/IPv6 Peer filtering per protocol and per interface
• Support for dynamic routing protocols on in-band interfaces
• In-band interface support per SDR
• In-band interface support for VRF aware management protocols (SSH/SNMP)

IOS XR with out-of-band MPP

(Diagram: Management Traffic from the NOC arrives on I/F 1 and I/F 3, both in the OOB VRF, and passes through LPTS to the RP CPU; Transit Traffic from the DCN uses I/F 2; RP Eth remains out-of-band.)

• I/F 1 and 3 are configured as MPP out-of-band interfaces in the OOB VRF. I/F 1 and 3 are no longer part of global routing/forwarding
• Management traffic to RP from all non-MPP interfaces is dropped (I/F 2)
• RP Eth interfaces continue to operate as dedicated out-of-band.
• Routing/Forwarding allowed between OOB interfaces
• LPTS provides rate limiting

MPP Out-of-band Support

• Uses the VRF concept for out-of-band interface support
  – Requests received on out-of-band interfaces are only acknowledged on out-of-band interfaces
  – No need for management protocols to be VRF aware
  – VRF for out-of-band network is configurable, default VRF is “MPP_OUTBAND_VRF”
• Routing/Forwarding can be enabled on out-of-band interfaces
  – RP Ethernet will not participate in routing in the out-of-band VRF
• RP/DRP Ethernet Interfaces are default out-of-band interfaces
• Keyword “all” for protocol and interface is supported
• IPv4/IPv6 Peer filtering per protocol
• Out-of-band interfaces support per SDR

Restrictions

• Currently MPP doesn’t keep track of the denied or dropped protocol requests
• The management protocols need to be enabled explicitly
  – MPP configuration doesn’t enable the protocol services.
  – MPP is only responsible for making the services available on different interfaces
• Management requests received on in-band interfaces may not be acknowledged on in-band interfaces
• RP/DRP Ethernet interfaces are by default out-of-band interfaces and cannot be configured under MPP
• MPP configuration changes don’t affect active sessions established before the changes
• No MIB Support

Management Plane Protection Configuration

Before Configuring MPP

Warning! – make sure you will not lock yourself out

• The RP’s dedicated mgmt ports automatically become Out-Of-Band access for MPP and allow all mgmt traffic towards the RP.
• RP mgmt intf will not be shown as out-of-band intf in “show run” even though they are active.
• All mgmt traffic to any other intf will be dropped unless the intf is configured either as In-band or Out-of-band intf under MPP for specific protocols
• Use commit confirmed to prevent lockout!

MPP In-band Configuration Tasks

1. Enable the protocol services
   – Protocols supported by MPP are SSH, Telnet, TFTP, HTTP and SNMP
2. Enable MPP for specific interfaces
   – Specify protocols on specific interfaces
3. Specify the source peers/subnets of the incoming management traffic for
   – Each protocol
   – Each specific interface
4. Apply management plane protection configuration
5. If management services are required in a particular VRF
   – For VRF aware management protocols (Telnet and SNMP)
   – Enable protocol services for the VRF and place the in-band interface under the same VRF
   – Non-VRF aware management services cannot be configured for MPP

Sample Config - 1
RP/0/RP1/CPU0:akki#show running-config | inc (ssh|snmp)
ssh server
snmp-server community PUBLIC SystemOwner
RP/0/RP1/CPU0:akki#show running-config control-plane
control-plane
 management-plane
  inband
   interface GigabitEthernet0/2/0/1
    allow SSH
    allow SNMP peer
     address ipv4 1.1.1.1
     address ipv4 192.168.0.0/16
     address ipv6 2000:21:1:1::1
     address ipv6 2000:20::/64

Callouts on the slide: “Protocols Enabled” (ssh server, snmp-server), “In-band Interface” (interface GigabitEthernet0/2/0/1), “All Peers allowed for SSH” (allow SSH), “Peer Filtering for SNMP” (allow SNMP peer and the address lines).

MPP Out-of-band Configuration Tasks

1. Enable the protocol services
   - Protocols supported by MPP are SSH, Telnet, TFTP, HTTP and SNMP
2. Choose the interfaces for out-of-band access
   - Choose specific protocols on specific interfaces
3. Place the interfaces under the MPP default VRF or the configured MPP VRF
4. Choose the specific allowed peers/subnets for each protocol and for each specific interface
5. Apply the management-plane protection configuration (commit)
Sample Config - 2 (out-of-band)

RP/0/RP1/CPU0:akki#show running-config interface gigabitEthernet 0/2/0/2
interface GigabitEthernet0/2/0/2
 ipv4 address 1.1.1.2 255.255.255.0
 ipv6 address 2000:20::1/64
 vrf my_out_of_band
 negotiation auto

VRF definition:

RP/0/RP0/CPU0:akki#show running-config vrf *
vrf my_out_of_band
 address-family ipv4 unicast
 address-family ipv6 unicast

SSH server configuration:

RP/0/RP0/CPU0:akki#show running-config | inc ssh
ssh server
Sample Config - 2 (contd..)

RP/0/RP1/CPU0:akki#show running-config control-plane
control-plane
 management-plane
  out-of-band
   vrf my_out_of_band
   interface GigabitEthernet0/2/0/2
    allow SSH peer
     address ipv4 1.1.1.1
     address ipv4 192.168.0.0/16
     address ipv6 2000:0:1:1::1

Callouts on the slide: "Changing OOB VRF" points at vrf my_out_of_band under out-of-band (the default is the default VRF); "Out-of-band interface" at GigabitEthernet0/2/0/2; "Peer filtering for SSH" at the address lines.

Routing in the OOB VRF:

RP/0/RP1/CPU0:akki#show running-config router ospf
router ospf 100
 vrf my_out_of_band
  area 0
   interface gigabitEthernet 0/2/0/2
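As an added example for the in-band and out-of-band configuration tasks above (it is not code from the deck, nor Cisco's), the following Python audits an MPP configuration block before it is committed. It assumes the keyword layout shown in the sample configs (inband / out-of-band, vrf, interface, allow <protocol> [peer], address ipv4|ipv6 ...) and embeds two configs constructed from the slides: the in-band troubleshooting config and the out-of-band sample. It flags an in-band allow with no peer filter, or a peer of 0.0.0.0/0 or ::/0, as reachable from any source on that interface, and flags Telnet, HTTP and TFTP as cleartext.

```python
"""Audit an IOS XR management-plane protection (MPP) configuration.

Added example, not code from the deck or from Cisco. Input is the text of
`show running-config control-plane` in the keyword layout of the sample
configs. Parsing keys on keywords rather than indentation, because the
indentation is usually lost once a config has been pasted into a ticket;
the `!` terminators are ignored for the same reason.
"""
from __future__ import annotations
from dataclasses import dataclass, field

MPP_PROTOCOLS = {"ssh", "telnet", "tftp", "http", "snmp"}
CLEARTEXT = {"telnet", "http", "tftp"}
ANY_PEER = {"0.0.0.0/0", "::/0"}          # a peer entry that filters nothing

@dataclass
class Allow:
    protocol: str
    peer_filter: bool                         # True for `allow <proto> peer`
    peers: list[str] = field(default_factory=list)

@dataclass
class MppInterface:
    name: str
    mode: str                                 # "inband" or "out-of-band"
    vrf: str | None = None                    # out-of-band VRF, if configured
    allows: list[Allow] = field(default_factory=list)

@dataclass(frozen=True)
class Finding:
    interface: str
    protocol: str
    issue: str

def parse_mpp(config: str) -> list[MppInterface]:
    """Keyword-driven parse of the management-plane section."""
    interfaces: list[MppInterface] = []
    mode = vrf = cur_if = cur_allow = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        kw = words[0].lower()
        if kw in ("inband", "out-of-band"):
            mode, vrf, cur_if, cur_allow = kw, None, None, None
        elif kw == "vrf" and mode == "out-of-band" and cur_if is None:
            vrf = words[1]
        elif kw == "interface" and mode is not None:
            cur_if = MppInterface(words[1], mode, vrf)
            interfaces.append(cur_if)
            cur_allow = None
        elif kw == "allow" and cur_if is not None:
            has_peer = len(words) > 2 and words[2].lower() == "peer"
            cur_allow = Allow(words[1].lower(), has_peer)
            cur_if.allows.append(cur_allow)
        elif kw == "address" and cur_allow is not None and len(words) >= 3:
            cur_allow.peers.append(words[2])
    return interfaces

def audit_mpp(config: str) -> list[Finding]:
    """One Finding per exposure, in configuration order."""
    findings: list[Finding] = []
    for intf in parse_mpp(config):
        for a in intf.allows:
            if a.protocol not in MPP_PROTOCOLS:
                continue
            unfiltered = not a.peer_filter or any(p in ANY_PEER for p in a.peers)
            if intf.mode == "inband" and unfiltered:
                findings.append(Finding(intf.name, a.protocol,
                                        "in-band allow with no effective peer filter"))
            if a.protocol in CLEARTEXT:
                findings.append(Finding(intf.name, a.protocol, "cleartext protocol"))
    return findings

# Constructed inputs: the deck's in-band troubleshooting config and its
# out-of-band sample, with IOS XR's usual indentation restored.
INBAND_SAMPLE = """\
control-plane
 management-plane
  inband
   interface Loopback87
    allow SNMP
   !
   interface GigabitEthernet0/7/1/0
    allow SSH
    allow Telnet
   !
   interface GigabitEthernet0/7/1/3
    allow Telnet peer
     address ipv4 3.3.3.3
     address ipv4 5.5.5.0/28
"""
OOB_SAMPLE = """\
control-plane
 management-plane
  out-of-band
   vrf my_out_of_band
   interface GigabitEthernet0/2/0/2
    allow SSH peer
     address ipv4 1.1.1.1
     address ipv4 192.168.0.0/16
     address ipv6 2000:0:1:1::1
"""
```

Running audit_mpp(INBAND_SAMPLE) yields five findings: SNMP on Loopback87 and SSH and Telnet on GigabitEthernet0/7/1/0 have no peer filter, and both Telnet allows are cleartext; the out-of-band sample yields none, since SSH is restricted to the listed peers. Out-of-band interfaces are not flagged for a missing peer list on the assumption that the out-of-band VRF is itself isolated from transit traffic; if it is not, treat them like in-band.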
Troubleshooting Management Plane Protection (MPP)
Troubleshooting MPP -- LPTS

MPP configuration under test:

control-plane
 management-plane
  inband
   interface Loopback87
    allow SNMP
   !
   interface GigabitEthernet0/7/1/0
    allow SSH
    allow Telnet
   !
   interface GigabitEthernet0/7/1/3
    allow Telnet peer
     address ipv4 3.3.3.3
     address ipv4 5.5.5.0/28
    !
   !

LPTS bindings installed for the MPP protocols (Telnet = port 23, SNMP = port 161):

RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.23 )
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 any Mg0/RP0/CPU0/0
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 any Gi0/7/1/0
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 3.3.3.3 Gi0/7/1/3
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 5.5.5.0/28 Gi0/7/1/3
RP/0/RP0/CPU0:CRS1-4#
RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.161 )
0/RP0/CPU0 UDP LR IPV4 UDP default any.161 any Mg0/RP0/CPU0/0
0/RP0/CPU0 UDP LR IPV4 UDP default any.161 any Lo87
RP/0/RP0/CPU0:CRS1-4#
RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.22 )

Each row ties the listening socket (any.23, any.161) to the remote address or prefix MPP allows and to the interface it is allowed on. A remote of "any" means no peer filter is in force. The rows on Mg0/RP0/CPU0/0 are the RP's dedicated management port, which MPP treats as out-of-band without it appearing in the configuration. SNMP on Loopback87 and Telnet on GigabitEthernet0/7/1/0 accept any source, exactly as configured, while Telnet on GigabitEthernet0/7/1/3 is limited to 3.3.3.3 and 5.5.5.0/28.
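As an added example for the bindings output above (not code from the deck, nor Cisco's), the following Python reads a captured `show lpts bindings brief` and reports which management listeners are reachable from where. The configuration states intent; the bindings are what the RP actually installed, so they are what to read back after commit. The parser assumes the nine whitespace-separated columns seen on the slide (location, client, flags, address family, protocol, VRF, local address.port, remote address, interface) and the embedded sample output is constructed from the slide's rows.

```python
"""Turn `show lpts bindings brief` output into a management-plane exposure report.

Added example, not code from the deck or from Cisco. Rows are assumed to
carry the nine whitespace-separated columns seen in the deck's output:
  location client flags af proto vrf local.port remote interface
Rows that do not fit are returned as unparsed rather than guessed at.
"""
from __future__ import annotations
from dataclasses import dataclass

SERVICE = {22: "ssh", 23: "telnet", 69: "tftp", 80: "http", 161: "snmp"}
CLEARTEXT_PORTS = {23, 69, 80}

@dataclass(frozen=True)
class Binding:
    location: str
    proto: str            # TCP or UDP
    vrf: str
    local: str            # e.g. "any.23"
    remote: str           # "any", a host, or a prefix such as "5.5.5.0/28"
    interface: str        # "Mg0/RP0/CPU0/0", "Gi0/7/1/0", "Lo87", ...

    @property
    def port(self) -> int | None:
        tail = self.local.rpartition(".")[2]
        return int(tail) if tail.isdigit() else None

    @property
    def on_mgmt_port(self) -> bool:
        # The RP's dedicated Mg interfaces are implicit MPP out-of-band ports.
        return self.interface.startswith("Mg")

@dataclass(frozen=True)
class Exposure:
    interface: str
    service: str
    remote: str
    reason: str

def parse_bindings(output: str) -> tuple[list[Binding], list[str]]:
    rows: list[Binding] = []
    unparsed: list[str] = []
    for line in output.splitlines():
        w = line.split()
        if not w or w[0].startswith("RP/") or w[0] == "Location":
            continue                      # CLI prompt echo or column header
        if len(w) != 9:
            unparsed.append(line)
            continue
        rows.append(Binding(w[0], w[4], w[5], w[6], w[7], w[8]))
    return rows, unparsed

def exposures(rows: list[Binding]) -> list[Exposure]:
    """Listeners reachable on anything other than the dedicated mgmt port."""
    out: list[Exposure] = []
    for b in rows:
        if b.on_mgmt_port:
            continue
        svc = SERVICE.get(b.port, f"port {b.port}")
        if b.remote == "any":
            out.append(Exposure(b.interface, svc, b.remote,
                                "no peer filter: any source on this interface"))
        if b.port in CLEARTEXT_PORTS:
            out.append(Exposure(b.interface, svc, b.remote,
                                "cleartext protocol on a non-management interface"))
    return out

def listeners_by_service(rows: list[Binding]) -> dict[str, list[tuple[str, str]]]:
    """service -> sorted (interface, remote) pairs, to diff against MPP intent."""
    table: dict[str, set[tuple[str, str]]] = {}
    for b in rows:
        svc = SERVICE.get(b.port, f"port {b.port}")
        table.setdefault(svc, set()).add((b.interface, b.remote))
    return {svc: sorted(pairs) for svc, pairs in sorted(table.items())}

# Constructed input: the rows from the deck's troubleshooting slide, with the
# CLI prompts as a terminal capture would include them.
SAMPLE_OUTPUT = """\
RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.23 )
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 any Mg0/RP0/CPU0/0
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 any Gi0/7/1/0
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 3.3.3.3 Gi0/7/1/3
0/RP0/CPU0 TCP LR IPV4 TCP default any.23 5.5.5.0/28 Gi0/7/1/3
RP/0/RP0/CPU0:CRS1-4#show lpts bindings brief | i (any.161 )
0/RP0/CPU0 UDP LR IPV4 UDP default any.161 any Mg0/RP0/CPU0/0
0/RP0/CPU0 UDP LR IPV4 UDP default any.161 any Lo87
RP/0/RP0/CPU0:CRS1-4#
"""

if __name__ == "__main__":
    rows, bad = parse_bindings(SAMPLE_OUTPUT)
    for svc, pairs in listeners_by_service(rows).items():
        print(svc, pairs)
    for e in exposures(rows):
        print(f"{e.interface:<16} {e.service:<7} from {e.remote:<12} {e.reason}")
```

On the slide's rows this reports Telnet open to any source on Gi0/7/1/0 and SNMP open to any source on Lo87, plus the three Telnet bindings on non-management interfaces as cleartext; the two Mg0/RP0/CPU0/0 rows are skipped as the implicit out-of-band port. Feed it the unfiltered `show lpts bindings brief` rather than the grep'd version to catch listeners you did not expect at all.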
Troubleshooting MPP -- LPTS (hardware entries)

Same MPP configuration as the previous slide. The pre-IFIB (pifib) hardware entries for port 23 on the line card that hosts the in-band interfaces, compared with a line card that does not:

RP/0/RP0/CPU0:CRS1-4#show lpts pifib hardware entry bri location 0/7/cpu0 | i (.23 )
(def).23 3.3.3.3 TCP GigabitEthernet0/7/1/3 0/RP0/CPU0 24 7
(def).23 5.5.5.0/28 TCP GigabitEthernet0/7/1/3 0/RP0/CPU0 24 7
(def).23 any TCP GigabitEthernet0/7/1/0 0/RP0/CPU0 24 7
(def).23 10.10.20.100.33732 TCP any 0/RP0/CPU0 24 6
(def).23 10.10.20.100.53964 TCP any 0/RP0/CPU0 24 6
RP/0/RP0/CPU0:CRS1-4#
RP/0/RP0/CPU0:CRS1-4#show lpts pifib hardware entry bri location 0/0/cpu0 | i (.23 )
(def).23 10.10.20.100.33732 TCP any 0/RP0/CPU0 24 6
(def).23 10.10.20.100.53964 TCP any 0/RP0/CPU0 24 6
RP/0/RP0/CPU0:CRS1-4#

The interface-specific MPP entries for Telnet are programmed only on 0/7/CPU0, where GigabitEthernet0/7/1/0 and 0/7/1/3 live. Line card 0/0/CPU0 carries only the two fully qualified entries for the established Telnet sessions from 10.10.20.100 (remote port included, interface "any"), which are present on every line card. A new Telnet connection arriving on an interface of 0/0 matches no MPP entry there and is dropped in hardware, which is exactly the behaviour the "Before Configuring MPP" warning describes.
MPP show commands

 show mgmt-plane inband <interface>
   - View the information for a particular in-band interface.
 show mgmt-plane out-of-band <interface>
   - View the information for a particular out-of-band interface.
 show mgmt-plane out-of-band vrf
   - View the out-of-band VRF.
 show mgmt-plane interface <interface>
   - View in-band/out-of-band information for an interface.
MPP debug commands

 debug management-plane details
   - Enable MPP detail debugs
 debug management-plane errors
   - Enable MPP error debugs
 debug management-plane events
   - Enable MPP event debugs
 debug management-plane details job <jobid>
   - Enable MPP detail debugs for a particular MPP-enabled process
 debug management-plane errors job <jobid>
   - Enable MPP error debugs for a particular MPP-enabled process
 debug management-plane events job <jobid>
   - Enable MPP event debugs for a particular MPP-enabled process

Note: the details option produces verbose output.
Monitoring commands

 show lpts ifib entry brief statistics
 show lpts ifib stats
 show lpts pifib statistics location <r/s/m>
 show lpts pifib hardware entry statistics location <r/s/m>

 Check whether there are LPTS drops on the RP, in line card software (LC-SW), or in line card hardware (LC-HW)
 LPTS policer drops mean the incoming rate exceeded the configured or default policer value, because of:
   – a misconfigured policer (rate too low)
   – a misbehaving device sending management traffic at a high rate
   – a malicious attack being blocked (the intended outcome)
Summary – IOS XR Security FTW!

 Uptime depends on more than defects or high-availability features
   – Device security is a critical piece of network reliability
   – The data plane can handle far more packets per second than the control plane
 IOS XR security features enable the "Self-Defending Network"
   – Sophisticated hardware enables high-performance filtering
   – LPTS provides all the benefits of CoPP with minimal configuration
   – MPP builds on LPTS to secure the infrastructure
Complete Your Online Session Evaluation

 Give us your feedback and you could win fabulous prizes. Winners announced daily.
 Receive 20 Cisco Preferred Access points for each session evaluation you complete.
 Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
Enter to Win a 12-Book Library of Your Choice from Cisco Press

 Visit the Cisco Store in the World of Solutions, where you will be asked to enter this Session ID code
 Check the Recommended Reading brochure for suggested products available at the Cisco Store
Glossary
 FIB: Forwarding Information Base
 RIB: Routing Information Base
 RP: Route Processor
 dRP: Distributed Route Processor
 LC: Line Card
 LPTS: Local Packet Transport Services
 MPP: Management Plane Protection
 CoPP: Control Plane Policing
 PSE: Packet Switching Engine
 IngressQ: Input queuing chip on LCs
 FabricQ: Output fabric queuing chip on LCs
