BGP flowspec phase 2: 
BGP persistence 
Bertrand Duvivier (bduvivie@cisco.com) 
Sr Product Manager 
September, 2014 
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
DDOS impact on customer Business
[Figure labels: GOOD, DDOS]
DDOS impact on customer Business 
• Enterprise customers can't defend themselves: when a DDoS hits the firewall, it's already too late.
• The SP could protect the enterprise by cleaning DDoS traffic at the ingress peering point.
• New revenue for the SP.
2014 DDoS trends (source: NANOG)
• Any Internet operator can be a target for DDoS
  Ideologically motivated 'hacktivism' and online vandalism DDoS attacks are the most commonly identified attack motivations.
• Size and scope of attacks continue to grow at an alarming pace
  High-bandwidth DDoS attacks are the 'new normal': over 40% of respondents report attacks greater than 1 Gbps and 13% report attacks greater than 10 Gbps.
  Increased sophistication and complexity of layer-7 DDoS attacks; multi-vector DDoS attacks are becoming more common.
• IPv6 DDoS attacks 'in the wild' on production networks
https://www.nanog.org/sites/default/files/tuesday_general_sockrider_infrastructure_3.pdf
DDoS mitigation architecture
1. Detection (no DDOS)
[Diagram labels: DDoS scrubber; Security Controller; DDoS Analyser; Sample Netflow; Scan Netflow data to detect DDoS attacks]
DDoS mitigation architecture
2. Detection (DDOS)
[Diagram labels: DDoS scrubber; Security Controller; DDoS Analyser; Sample Netflow; Scan Netflow data; Find DDoS signature]
DDoS mitigation architecture
3. Redirect traffic to DDoS scrubber
[Diagram labels: DDoS scrubber; Security Controller; DDoS Analyser; Scan Netflow data; Find DDoS signature; BGP flowspec (Flow: DDoS flow; Action: redirect to DDoS scrubber)]
Next-Gen BGP flowspec phase 1 is 
• BGP flowspec baseline (RFC-5575) 
• IPv6 support (draft-ietf-idr-flow-spec-v6) 
• Flowspec origin check relax (draft-ietf-idr-bgp-flowspec-oid) 
• Extra redirection options (draft-ietf-idr-flowspec-redirect-ip & draft-ietf-idr-flowspec-redirect-rt-bis) 
• Internet in VPN use-case (Wireless SP) 
• Optimized flow based forwarding plane. 
• BGP FS client / route-reflector / controller 
• IOS-XR 5.2.0: June 2014 
XR 5.2.0
Next-Gen BGP flowspec phase 2 is 
• BGP persistence (draft-uttaro-idr-bgp-persistence) 
XR 5.2.2
BGP persistence
Problem we are trying to solve:
• BGP flowspec policies are distributed from the controller to the route-reflector, then to all BGP flowspec clients (border routers or provider edges).
• If the route-reflector or BGP flowspec controller dies, then, as required by the BGP standard, all updates are withdrawn, and thus all filters/policies protecting the network are dropped, opening the network to future DDoS attacks.
• BGP persistence allows long-lived graceful restart; in other words, it allows the filters/policies to be kept for a while. This could be hours, days, or until the route-reflector or controller comes back alive.
• The time is configurable per address family, and persistence is supported for the IP, L3VPN and L2VPN address families.
User Interface - Configuration
Configuring persistence on neighbor AF

RP/0/RSP0/CPU0:RA03_R1#show run router bgp | be 3.3.3.3
 neighbor 3.3.3.3
  remote-as 30813
  update-source Loopback0
  graceful-restart stalepath-time 150
  address-family ipv4 unicast
   route-policy pass in
   route-policy pass out
  !
  address-family vpnv4 unicast
   route-policy pass in
   route-policy pass out
   long-lived-graceful-restart capable
   long-lived-graceful-restart stale-time send 16777215 accept 16777215
  !
  address-family vpnv6 unicast
   route-policy pass in
   route-policy pass out
   long-lived-graceful-restart capable
   long-lived-graceful-restart stale-time send 16777215 accept 16777215

The stale-time value 16777215 is in sec = 194 days.
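An added example (not from the original slides and not Cisco code): a Python audit of `show run router bgp` output that reports, for each neighbor address family, whether long-lived graceful restart is enabled and what the configured accept stale-time is in whole days. The function names, status labels and the one-hour `min_accept_seconds` threshold are assumptions for illustration; the sample input is the neighbor stanza from the slide.

```python
import re

# Sample input: the neighbor stanza shown on the slide.
SAMPLE_CONFIG = """\
neighbor 3.3.3.3
 remote-as 30813
 update-source Loopback0
 graceful-restart stalepath-time 150
 address-family ipv4 unicast
  route-policy pass in
  route-policy pass out
 !
 address-family vpnv4 unicast
  route-policy pass in
  route-policy pass out
  long-lived-graceful-restart capable
  long-lived-graceful-restart stale-time send 16777215 accept 16777215
 !
 address-family vpnv6 unicast
  route-policy pass in
  route-policy pass out
  long-lived-graceful-restart capable
  long-lived-graceful-restart stale-time send 16777215 accept 16777215
"""

# The long-lived stale time is a 24-bit value, so 16777215 is the ceiling.
LLGR_MAX = 0xFFFFFF
STALE_RE = re.compile(
    r"^long-lived-graceful-restart stale-time send (\d+) accept (\d+)$")


def parse_llgr(config):
    """Map (neighbor, address-family) to its persistence settings."""
    settings = {}
    neighbor = af = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            # "!" closes the innermost open submode: the AF first, then the neighbor.
            if af is not None:
                af = None
            else:
                neighbor = None
            continue
        if line.startswith("neighbor "):
            neighbor, af = line.split()[1], None
        elif line.startswith("address-family ") and neighbor:
            af = line[len("address-family "):]
            settings[(neighbor, af)] = {"capable": False, "send": None, "accept": None}
        elif af is not None:
            if line == "long-lived-graceful-restart capable":
                settings[(neighbor, af)]["capable"] = True
            else:
                m = STALE_RE.match(line)
                if m:
                    settings[(neighbor, af)].update(
                        send=int(m.group(1)), accept=int(m.group(2)))
    return settings


def audit(config, min_accept_seconds=3600):
    """Return (neighbor, af, status, whole_days) tuples, sorted by neighbor and AF.

    min_accept_seconds is a hypothetical local policy threshold, not a Cisco default.
    """
    findings = []
    for (nbr, af), s in sorted(parse_llgr(config).items()):
        accept = s["accept"]
        if not s["capable"]:
            # Routes from this neighbor/AF are dropped when the session is lost.
            status, days = "NO-PERSISTENCE", None
        elif accept is None:
            # Capability on, but the retention time is left to the platform default.
            status, days = "STALE-TIME-NOT-SET", None
        elif accept > LLGR_MAX:
            status, days = "INVALID", None
        elif accept < min_accept_seconds:
            status, days = "SHORT", accept // 86400
        else:
            status, days = "OK", accept // 86400
        findings.append((nbr, af, status, days))
    return findings


if __name__ == "__main__":
    for nbr, af, status, days in audit(SAMPLE_CONFIG):
        suffix = "" if days is None else f" (accept stale-time = {days} days)"
        print(f"{nbr:<12} {af:<16} {status}{suffix}")
```

On the slide's stanza this flags `ipv4 unicast` as having no persistence configured, while `vpnv4 unicast` and `vpnv6 unicast` report 194 days.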
Question: ask-bgp-flowspec@cisco.com
Thank you.

Accelerate your Kubernetes clusters with Varnish Caching
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 

BGP persistence

  • 1. BGP flowspec phase 2: BGP persistence Bertrand Duvivier (bduvivie@cisco.com) Sr Product Manager September, 2014 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
  • 2. DDOS impact on customer Business GOOD DDOS
  • 3. DDOS impact on customer Business • Enterprise customers can’t defend themselves: when the DDOS hits the FW… it’s already too late. • SP could protect the enterprise by cleaning DDOS traffic at the ingress peering point. • New revenue for SP.
  • 4. 2014 DDoS trends (Nanog source) • Any Internet Operator Can Be a Target for DDoS Ideologically-motivated ‘Hacktivism’ and On-line vandalism DDoS attacks are the most commonly identified attack motivations • Size and Scope of Attacks Continue to Grow at an Alarming Pace High-bandwidth DDoS attacks are the ‘new normal’ as over 40% of respondents report attacks greater than 1 Gbps and 13% report attacks greater than 10Gbps Increased sophistication and complexity of layer-7 DDoS attacks, multi-vector DDoS attacks becoming more common • IPv6 DDoS Attacks 'in the Wild' on Production Networks https://www.nanog.org/sites/default/files/tuesday_general_sockrider_infrastructure_3.pdf
  • 5. DDoS mitigation architecture 1. Detection (no DDOS) DDOS scrubber Security Controller DDOS Analyser Sample Netflow Scan Netflow data to detect DDOS attacks
  • 6. DDoS mitigation architecture 2. Detection (DDOS) Scan Netflow data Find DDOS signature DDOS scrubber Security Controller DDOS Analyser Sample Netflow
  • 7. DDoS mitigation architecture 3. Redirect traffic to DDOS scrubber Scan Netflow data Find DDOS signature DDOS scrubber Security Controller DDOS Analyser BGP flowspec Flow: DDOS flow Action: redirect to DDOS scrubber
  • 8. Next-Gen BGP flowspec phase 1 is • BGP flowspec baseline (RFC-5575) • IPv6 support (draft-ietf-idr-flow-spec-v6) • Flowspec origin check relax (draft-ietf-idr-bgp-flowspec-oid) • Extra redirection options (draft-ietf-idr-flowspec-redirect-ip & draft-ietf-idr-flowspec-redirect-rt-bis) • Internet in VPN use-case (Wireless SP) • Optimized flow based forwarding plane. • BGP FS client / route-reflector / controller • IOS-XR 5.2.0: June 2014 XR 5.2.0
  • 9. Next-Gen BGP flowspec phase 2 is • BGP persistence (draft-uttaro-idr-bgp-persistence) XR 5.2.2
  • 10. BGP persistence. Problem we are trying to resolve: • BGP flowspec policies are distributed from the controller to the route-reflector and then to all BGP flowspec clients (border routers or provider edges). • If the route-reflector or BGP flowspec controller dies, then, as required by the BGP standard, all updates are withdrawn… and thus all filters/policies protecting the network are dropped, opening the network to future DDoS attacks. • BGP persistence allows long-lived graceful restart; in other words, it allows filters/policies to be kept for a while. This could be hours or days, or until the route-reflector or controller comes back alive. • The time is configurable per address family, and persistence is also supported for the IP, L3VPN and L2VPN address families.
  • 11. User Interface - Configuration: configuring persistence on neighbor AF

      RP/0/RSP0/CPU0:RA03_R1#show run router bgp | be 3.3.3.3
       neighbor 3.3.3.3
        remote-as 30813
        update-source Loopback0
        graceful-restart stalepath-time 150
        address-family ipv4 unicast
         route-policy pass in
         route-policy pass out
        !
        address-family vpnv4 unicast
         route-policy pass in
         route-policy pass out
         long-lived-graceful-restart capable
         long-lived-graceful-restart stale-time send 16777215 accept 16777215
        !
        address-family vpnv6 unicast
         route-policy pass in
         route-policy pass out
         long-lived-graceful-restart capable
         long-lived-graceful-restart stale-time send 16777215 accept 16777215

      16777215 in sec = 194 days
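Persistence is set per address family, so an address family left without the two long-lived-graceful-restart lines still loses its routes when the session dies. The following audit is an added example, not part of the original slides or Cisco tooling: it parses a neighbor stanza like the one on slide 11 (sample abridged and constructed from it) and lists the address families without persistence. The function names and the rule "capable plus non-zero accept time" are assumptions of this example.

```python
import re

# Constructed sample input: the neighbor stanza from slide 11, abridged, one command per line.
SAMPLE_CONFIG = """\
neighbor 3.3.3.3
 graceful-restart stalepath-time 150
 address-family ipv4 unicast
  route-policy pass in
  route-policy pass out
 !
 address-family vpnv4 unicast
  route-policy pass in
  route-policy pass out
  long-lived-graceful-restart capable
  long-lived-graceful-restart stale-time send 16777215 accept 16777215
 !
 address-family vpnv6 unicast
  route-policy pass in
  route-policy pass out
  long-lived-graceful-restart capable
  long-lived-graceful-restart stale-time send 16777215 accept 16777215
"""

STALE_RE = re.compile(r"long-lived-graceful-restart stale-time send (\d+) accept (\d+)")

def audit_llgr(config):
    """Map (neighbor, address-family) -> LLGR settings found in the config text."""
    report, neighbor, af = {}, None, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("neighbor "):
            neighbor, af = line.split()[1], None
        elif line.startswith("address-family ") and neighbor:
            af = line[len("address-family "):]
            report[(neighbor, af)] = {"capable": False, "send": 0, "accept": 0}
        elif line == "!":
            af = None  # end of the address-family block
        elif af and line == "long-lived-graceful-restart capable":
            report[(neighbor, af)]["capable"] = True
        elif af and (m := STALE_RE.fullmatch(line)):
            report[(neighbor, af)].update(send=int(m[1]), accept=int(m[2]))
    return report

def unprotected(report):
    # Assumption of this example: persistence needs "capable" plus a non-zero accept time.
    return sorted(k for k, v in report.items() if not (v["capable"] and v["accept"] > 0))

if __name__ == "__main__":
    rep = audit_llgr(SAMPLE_CONFIG)
    print({k: v["accept"] // 86400 for k, v in rep.items()}, unprotected(rep))
```

On the sample, only `ipv4 unicast` is reported: it has no long-lived-graceful-restart lines, while vpnv4 and vpnv6 carry a 194-day accept time.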