Presentation - Cisco Knowledge Network

More documents

Recommendations

Info

Distribution Automation of Security Profiles• The problem:• Providers have limited options for mitigating DDoS attacks intra-AS as well as inter-AS• BGP destination black-holes: Portects against the attack butrequires static configuration• BGP src/uRP: difficult for some spoofed attacks and/or supportlarge numbers of sources• Access-Lists: difficult to maintain and occasionally dangerous toinstall• Need dynamic way of conveying info about threat and attack• The Basic IdeaUse BGP to distribute flow specification filters anddynamically filter on routes© 2012 <strong>Cisco</strong> and/or its affiliates. All rights reserved. 32
Distribution Automation of Security Profiles• The Operational Principle• Encode flow specification rules as a new BGPNLRI address family• BGP itself treats the FlowSpec NLRI as anopaque key to an entry in its database• Use extended communities to specify action(accept, discard, rate-limit, sample, redirect)• Match on combination of source/dest prefix,source/dest port, ICMP type/code, packet size,DSCP, TCP flag, fragment encoding, etc.• Example: all TCP port 80..90 packets to 192.168.0/24© 2012 <strong>Cisco</strong> and/or its affiliates. All rights reserved. 33
Page 1 and 2: Routing SecurityAn Holistic Overvie
Page 3 and 4: • Objectives of this talk:• Pre
Page 5 and 6: © 2012 Cisco and/or its affiliates
Page 7 and 8: Biggest Bandwidth• Largest monito
Page 9 and 10: ThreatsAttack on device control pla
Page 13 and 14: Utilizing routing technology in the
Page 15 and 16: • Implementing blackholing requir
Page 17 and 18: Active/Active FirewallPre-2010 Oper
Page 19 and 20: Sink Hole RoutingIPS/IDS Enhancemen
Page 21 and 22: Hardening the infrastructureOlder S
Page 23 and 24: CoPP Enhancements for Routing• At
Page 25 and 26: • Main function is to forwards fo
Page 27 and 28: • LPTS has HW policers on line ca
Page 29 and 30: Enhanced Router Authentication / Co
Page 31: Securing Inter-AS VPN Confidentiali
Page 37 and 38: Malformed BGP UpdatesInvalidAttribu
Page 39 and 40: • Comes into play after attribute
Page 43 and 44: 20Source: NANOG 46: Tom Daly et al.
Page 45 and 46: BeforeAfter© 2012 Cisco and/or its
Page 47 and 48: • http://www.networkworld.com/new
Page 49 and 50: • The goal of the RPKI is to cryp
Page 51 and 52: • Each AS publishes a cryptograph
Page 53 and 54: CA ToolsetPublicationpoint (can beh
Page 55 and 56: EBGP updateRouterCheck and markorig
Page 57 and 58: The “One Behind” Attack• AS65
Page 59 and 60: The “Shorter Prefix” Problem•
Page 61 and 62: Future• Start Here• AS65000 adv
Page 63 and 64: Advertisement vs. Path Validation
Page 65 and 66: • What are Bogons?A bogon is a bo
Page 67 and 68: • Multi-Instance / Multi-AS BGP

Presentation - Cisco Knowledge Network

Create successful ePaper yourself

Delete template?

Save as template?