CESNET IPv6 CoPP Implementation

CESNET technical report 14/2010

Petr Adamec, Josef Verich

Received 29. 11. 2010


Abstract

This document describes a test implementation of Cisco's Control Plane Policing (CoPP) for IPv6 in the CESNET2 network. It also includes other security recommendations.

Keywords: IPv6, Control Plane Policing, CoPP, IPv6 Security

1  Introduction

Control Plane Policing (CoPP) is a feature designed to allow users to control and manage the flow of traffic handled by the route processor on Cisco routers. CoPP prevents unnecessary traffic from overloading the route processor. For further information see [3] and [4].

IPv6 Control Plane Policing functionality results from the internal architecture of the Cisco 7600 router. The control plane CPUs are connected through an internal GE port to which the standard QoS model of the forwarding plane is applied (see Figure 1).

[Image]

Figure 1. Internal architecture of CoPP components.

As far as we know, IPv6 CoPP is currently not a feature supported by Cisco, but it results from IPv6 QoS support and, according to our experience, is fully functional (please see Section 9).

All examples described here are developed for software version 12.2(33)SRE2 on the Cisco 7600 platform with the SUP720-3BXL supervisor. Most of them should also work with the older version 12.2(33)SRB6 and also on the Catalyst 6500 platform.

Instead of real IPv6 prefixes of our network, in our examples we are using the following Unique Local Addresses (ULA) according to RFC 4193 [1]:

CoPP uses the Modular QoS Command Line Interface (MQC) for traffic classification and for the policy actions applied to the classified traffic. An appropriate class map must be defined to identify the traffic to be classified. In the case of CoPP, every class has an IPv6 access control list assigned to associate packets with that class. The corresponding policy map must then be created to enforce policy actions for that kind of traffic. The CoPP service policy can then be attached directly to the control plane.

2  Classes

For traffic classification we used six unique classes. According to their importance, these are named

An IPv6 access list defines each of these classes. For easier orientation, each class has the same name as its access list (see below).

class-map match-all IPv6_CoPP_int_net
 match access-group name IPv6_CoPP_int_net
class-map match-all IPv6_CoPP_ext_net
 match access-group name IPv6_CoPP_ext_net
class-map match-all IPv6_CoPP_NOC
 match access-group name IPv6_CoPP_NOC
class-map match-all IPv6_CoPP_icmp
 match access-group name IPv6_CoPP_icmp
class-map match-all IPv6_CoPP_backbone_ping
 match access-group name IPv6_CoPP_backbone_ping
class-map match-all IPv6_CoPP_trace_ping
 match access-group name IPv6_CoPP_trace_ping
class-map match-all IPv6_CoPP_deny_any
 match access-group name IPv6_CoPP_deny_any

3  Policies

We then associated a policy with each of these class-maps. To rate-limit a particular class towards the CPU we used policers. The critical classes IPv6_CoPP_int_net, IPv6_CoPP_ext_net and IPv6_CoPP_NOC are configured without any effective rate-limiting (exceeding traffic is still transmitted). The limits of the other classes were chosen according to our experience and long-term monitoring. At the end we specified class-default, which mostly passes non-IP protocols (such as HDLC keepalives, CDP and multicast) that cannot be rate-limited using CoPP.

policy-map IPV6COPP
 class IPv6_CoPP_int_net
 police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action transmit
 class IPv6_CoPP_ext_net
 police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action transmit
 class IPv6_CoPP_NOC
 police cir 128000 bc 6000 be 6000 conform-action transmit exceed-action transmit
 class IPv6_CoPP_icmp
 police cir 128000 bc 6000 be 6000 conform-action transmit exceed-action drop
 class IPv6_CoPP_backbone_ping
 police cir 1024000 bc 1500 be 1500 conform-action transmit exceed-action drop
 class IPv6_CoPP_trace_ping
 police cir 512000 bc 10240 be 10240 conform-action transmit exceed-action drop
 class IPv6_CoPP_deny_any
 police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
 class class-default
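
To make the cir/bc/be numbers in the policy above concrete, the following Python model of a single-rate policer is added here; it is our illustration, not Cisco's implementation and not code from the report. It assumes the usual two-bucket semantics (a committed bucket of bc bytes refilled at cir/8 bytes per second, whose overflow spills into an excess bucket of be bytes) and shows how the IPv6_CoPP_icmp policer (cir 128000 bc 6000 be 6000) treats a stream of 64-byte ICMPv6 packets at 100 and at 500 packets per second.

```python
class Policer:
    """Model of an IOS single-rate policer, 'police cir <bps> bc <bytes> be <bytes>'.

    Two token buckets: the committed bucket (capacity bc bytes) refills at cir/8
    bytes per second and whatever overflows it spills into the excess bucket
    (capacity be bytes).  A packet conforms if the committed bucket can pay for
    it, exceeds if only the excess bucket can, and violates otherwise.  This is
    a textbook approximation written for this illustration, not Cisco's code.
    """

    def __init__(self, cir, bc, be):
        self.cir, self.bc, self.be = cir, bc, be
        self.tc = float(bc)     # tokens (bytes) in the committed bucket
        self.te = float(be)     # tokens (bytes) in the excess bucket
        self.last = 0.0         # arrival time of the previous packet

    def _refill(self, now):
        added = (now - self.last) * self.cir / 8.0
        self.last = now
        room = self.bc - self.tc
        if added <= room:
            self.tc += added
        else:                   # committed bucket is full: overflow feeds be
            self.tc = float(self.bc)
            self.te = min(float(self.be), self.te + added - room)

    def offer(self, now, size):
        """Return 'conform', 'exceed' or 'violate' for a packet of size bytes."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"


def simulate(policer, pps, size, seconds):
    """Offer evenly spaced packets (pps per second, size bytes each) for the
    given number of seconds and count the policer's decisions."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for i in range(pps * seconds):
        counts[policer.offer(i / pps, size)] += 1
    return counts


def icmp_class_example(pps):
    """The report's IPv6_CoPP_icmp policer (cir 128000 bc 6000 be 6000) fed
    64-byte packets at the given rate for five seconds."""
    return simulate(Policer(cir=128000, bc=6000, be=6000), pps, 64, 5)


if __name__ == "__main__":
    # 128 kbit/s is 16000 bytes/s, i.e. 250 packets/s of 64 bytes: 100 pps
    # conforms entirely, 500 pps drains bc, then be, and is then dropped.
    for rate in (100, 500):
        print(rate, "pps ->", icmp_class_example(rate))
```

At 100 pps every packet conforms; at 500 pps the committed burst absorbs the first 186 packets, after which roughly every second packet is marked exceeding and, once the be bucket is empty, violating. In the IPv6_CoPP_icmp class both of those outcomes are dropped, because IOS applies the exceed-action to violating packets as well when no violate-action is configured; the int_net, ext_net and NOC classes use transmit for both and so are never dropped by the policer.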
    

4  Access-lists

The two following access-lists (ACLs), IPv6_CoPP_int_net and IPv6_CoPP_ext_net, categorize packets critical for the router's functions. The first ACL is used for the internal routing protocols: OSPFv3, PIM, iBGP and BFD. LDP for IPv6 is not currently supported; its definition in the following example is commented out and given only for illustration and possible future use.

The second ACL deals with the eBGP external routing protocol. External PIM adjacencies are allowed through the ACL IPv6_CoPP_int_net because PIM uses link-local addresses.

ipv6 access-list IPv6_CoPP_int_net
 remark OSPFv3
 permit 89 FE80::/10 any
 remark PIM
 permit 103 FE80::/10 any
 ! remark LDP
 ! permit tcp FE80::/10 eq 646 any
 ! permit tcp FE80::/10 any eq 646
 ! remark LDP discovery
 ! permit udp FE80::/10 eq 646 any eq 646
 remark iBGP
 permit tcp FDD6:C246:22A9::/48 any eq bgp
 permit tcp FDD6:C246:22A9::/48 eq bgp any
 remark BFD control packet
 permit udp FE80::/10 range 49152 65535 any eq 3784
 remark BFD echo packet
 permit udp FE80::/10 any eq 3785
ipv6 access-list IPv6_CoPP_ext_net
 remark eBGP and private ASes
 permit tcp FDD6:C246:22A0::/48 any eq bgp
 permit tcp FDD6:C246:22A0::/48 eq bgp any
    

The access-list IPv6_CoPP_icmp classifies the ICMP packets necessary for the operation of the router (the ICMP type, or type/code, is given in brackets): address unreachable (1/3), time exceeded (3/0, 3/1), packet too big (2) and parameter problem (4/0, 4/1, 4/2). Neighbor advertisement (136), neighbor solicitation (135), router advertisement (134) and router solicitation (133) are also let through. The last two rows of the access list are necessary for IPv6 multicast operation: MLD query (130) and MLD listener report v2 (143).

ipv6 access-list IPv6_CoPP_icmp
 remark ICMP type 1/3,2,3/0,3/1,4/0,4/1,4/2,130,143
 permit icmp any any 1 3
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 remark nd-na, nd-ns, ra, rs
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-advertisement
 permit icmp any any router-solicitation
 remark MLD - query, report_v2
 permit icmp any any mld-query
 permit icmp any any 143
    

4.1  IPv6_CoPP_NOC

The following access-list classifies packets that are important, but not strictly necessary, for the router's operation.

Most of the rules cover packets needed for remote management of the router. If some of these packets are lost, the network remains operational.

Telnet and SSH connections are allowed between all backbone devices. TACACS and NTP are currently not supported for IPv6, so they are listed here only for future use. TACACS support is planned for version 15.1(1)S on the 7600 platform and SXJ on the Catalyst 6500.

ipv6 access-list IPv6_CoPP_NOC
 remark TELNET from/to
 permit tcp FDD6:C246:22A9::/48 eq telnet any established
 permit tcp FDD6:C246:22A9::/48 any eq telnet
 remark SSH from/to
 permit tcp FDD6:C246:22A9::/48 eq 22 any established
 permit tcp FDD6:C246:22A9::/48 any eq 22
 remark SNMP
 permit udp host FDD6:C246:22A9:1:2:3FF:FE24:FF1E any eq snmp
 remark TFTP
 permit udp host FDD6:C246:22A9:1:2:3FF:FE24:FF1E gt 1023 any gt 1023
 ! remark NTP
 ! permit udp FDD6:C246:22A9::/48 eq ntp any eq ntp
 ! remark Monitoring NTP
 ! permit udp host FDD6:C246:22A9:1:2:3FF:FE24:FF1E any eq ntp
 ! remark TACACS servers
 ! permit tcp host FDD6:C246:22A9:1:2:3FF:FE24:FF1E eq tacacs any established
 remark DNS
 permit udp host FDD6:C246:22A9:2::1 eq domain any
 permit udp host FDD6:C246:22A9:2::2 eq domain any
    

4.2  IPv6_CoPP_trace_ping

The following access-list specifies packets of normal operation, those generated by standard network troubleshooting tools (ping, traceroute, …) using ICMP. Because all these ICMP packets must be handled by the control plane, they are often used for DoS attacks: in greater volume they can overload the CPU, which is then no longer available for management. The ICMP packet types needed by ping and traceroute, echo request (128), echo reply (129) and all unreachables (1/0-6), together with the traceroute UDP port range, are listed here:

ipv6 access-list IPv6_CoPP_trace_ping
 remark (ICMPv6 128,129)
 permit icmp any any echo-request
 permit icmp any any echo-reply
 remark TRACE
 permit icmp any any unreachable
 permit udp any any range 33434 33600
    

4.3  IPv6_CoPP_backbone_ping

The following access-list is special. It allows basic connectivity testing between backbone routers, which is also useful for problem detection (e.g. problems with jumbo packets).

ipv6 access-list IPv6_CoPP_backbone_ping
 permit icmp FDD6:C246:22A9::/48  FDD6:C246:22A9::/48
    

4.4  IPv6_CoPP_deny_any

All unwanted packets that are not permitted by the previous access-lists and would only waste CPU resources are classified by this access-list, so that the policer of the corresponding class can drop them:

ipv6 access-list IPv6_CoPP_deny_any
 permit icmp any any
 permit tcp any any
 permit udp any any
 permit ahp any any
 permit esp any any
 permit pcp any any
 permit sctp any any
 permit ipv6 any any
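
Because the policy-map evaluates the classes in order and the first matching class wins, it is worth checking which class a given control-plane packet actually lands in before deploying the policy. The following Python classifier is an added illustration (not code from the report): it parses the subset of IOS IPv6 ACL syntax used in Sections 2 to 4 (any, host, prefixes, eq and range port tests, named or numeric ICMP types) and walks abbreviated copies of the report's ACLs in policy-map order. Constructed sample packets, the router address FDD6:C246:22A9::1 and the packet dictionary format are assumptions of the example.

```python
import ipaddress

# Keyword tables for the subset of IOS IPv6 ACL syntax the report uses.
PORTS = {"bgp": 179, "telnet": 23, "domain": 53, "snmp": 161}
ICMP_TYPES = {"unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
              "parameter-problem": 4, "echo-request": 128, "echo-reply": 129,
              "router-solicitation": 133, "router-advertisement": 134,
              "nd-ns": 135, "nd-na": 136}
PROTOS = {"tcp": 6, "udp": 17, "icmp": 58, "ipv6": None}   # None: any next header


def _addr(tokens):
    """Consume 'any', 'host X' or 'prefix/len'; None means any address."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        tok = tokens.pop(0)
    return ipaddress.ip_network(tok, strict=False)


def _port_test(tokens):
    """Consume an optional 'eq N' or 'range A B' and return a port predicate."""
    if tokens and tokens[0] == "eq":
        p = PORTS.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
        return lambda x: x == p
    if tokens and tokens[0] == "range":
        lo, hi = int(tokens[1]), int(tokens[2])
        del tokens[:3]
        return lambda x: lo <= x <= hi
    return None


def parse_ace(line):
    """Parse one 'permit ...' entry; remarks and commented-out lines give None."""
    tokens = line.split()
    if not tokens or tokens[0] != "permit":
        return None
    proto, rest = tokens[1], tokens[2:]
    ace = {"proto": PROTOS[proto] if proto in PROTOS else int(proto), "icmp": None}
    ace["src"], ace["sport"] = _addr(rest), _port_test(rest)
    ace["dst"], ace["dport"] = _addr(rest), _port_test(rest)
    if proto == "icmp" and rest:                    # optional type [code]
        tok = rest.pop(0)
        itype = int(tok) if tok.isdigit() else ICMP_TYPES[tok]
        ace["icmp"] = (itype, int(rest[0]) if rest else None)
    return ace


def parse_acl(text):
    return [ace for ace in map(parse_ace, text.splitlines()) if ace]


def matches(ace, pkt):
    if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if ace[side] is not None and ipaddress.ip_address(pkt[side]) not in ace[side]:
            return False
    for side in ("sport", "dport"):
        if ace[side] is not None and not ace[side](pkt.get(side, 0)):
            return False
    if ace["icmp"] is not None:
        itype, code = ace["icmp"]
        if pkt.get("icmp_type") != itype or (code is not None and pkt.get("icmp_code") != code):
            return False
    return True


# Abbreviated copies of the report's ACLs in the order the policy-map evaluates
# them; the third field summarises what the class's policer does to the traffic.
POLICY = [
    ("IPv6_CoPP_int_net", parse_acl("""permit 89 FE80::/10 any
        permit 103 FE80::/10 any
        permit tcp FDD6:C246:22A9::/48 any eq bgp
        permit udp FE80::/10 range 49152 65535 any eq 3784"""), "transmit"),
    ("IPv6_CoPP_ext_net", parse_acl("permit tcp FDD6:C246:22A0::/48 any eq bgp"), "transmit"),
    ("IPv6_CoPP_NOC", parse_acl("""permit tcp FDD6:C246:22A9::/48 any eq 22
        permit udp host FDD6:C246:22A9:1:2:3FF:FE24:FF1E any eq snmp"""), "transmit"),
    ("IPv6_CoPP_icmp", parse_acl("""permit icmp any any 1 3
        permit icmp any any packet-too-big
        permit icmp any any nd-ns
        permit icmp any any nd-na"""), "police 128000, drop excess"),
    ("IPv6_CoPP_backbone_ping", parse_acl("permit icmp FDD6:C246:22A9::/48 FDD6:C246:22A9::/48"),
     "police 1024000, drop excess"),
    ("IPv6_CoPP_trace_ping", parse_acl("""permit icmp any any echo-request
        permit icmp any any echo-reply
        permit icmp any any unreachable
        permit udp any any range 33434 33600"""), "police 512000, drop excess"),
    ("IPv6_CoPP_deny_any", parse_acl("permit ipv6 any any"), "drop"),
]


def classify(pkt, policy=POLICY):
    """Return (class name, policer effect) for the first class whose ACL matches."""
    for name, acl, effect in policy:
        if any(matches(ace, pkt) for ace in acl):
            return name, effect
    return "class-default", "transmit"


if __name__ == "__main__":
    rtr = "fdd6:c246:22a9::1"   # constructed backbone router address
    samples = {                   # constructed sample packets
        "OSPFv3 hello":       {"proto": 89, "src": "fe80::1", "dst": "ff02::5"},
        "ping from backbone": {"proto": 58, "src": "fdd6:c246:22a9::10", "dst": rtr, "icmp_type": 128},
        "ping from Internet": {"proto": 58, "src": "2001:db8::5", "dst": rtr, "icmp_type": 128},
        "SSH from Internet":  {"proto": 6, "src": "2001:db8::5", "dst": rtr, "sport": 40000, "dport": 22},
    }
    for label, pkt in samples.items():
        print(f"{label:20s} -> {classify(pkt)}")
```

The ordering matters: an echo request from a backbone prefix is caught by IPv6_CoPP_backbone_ping (1024 kbit/s) before IPv6_CoPP_trace_ping (512 kbit/s) gets a chance, and an SSH attempt from outside the FDD6:C246:22A9::/48 prefix falls through every permit and ends in IPv6_CoPP_deny_any, where it is dropped regardless of rate. The classifier omits the established keyword and the commented-out entries, so it is a checking aid for the shape of the policy, not a substitute for testing on the router.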
    

5  Enabling CoPP

To enable CoPP, the mls qos command has to be configured first. Then it suffices to use the following command:

control-plane
 service-policy input IPV6COPP
    

6  Hardware rate-limiters

For IPv6 multicast forwarding, a few packets from each flow are periodically punted to the CPU in order to create and maintain mroute state. PIM-SM is primarily data-driven, and frames must be leaked to the CPU periodically to trigger mechanisms such as PIM Assert. The first conclusion is therefore that we should not drop all multicast traffic in CoPP. However, the CoPP action (i.e. the policer under the class-map) currently polices forwarded multicast traffic in software, so we recommend using the hardware-based mls rate-limiters instead:

mls rate-limit multicast ipv6 connected 1000 100
mls rate-limit multicast ipv6 sg 100 10
mls rate-limit multicast ipv6 mld 1000 100
    

Some rate-limiters on the 7600 platform, such as the TTL rate-limiter and the MTU rate-limiter, are shared between IPv4 and IPv6 and are already set up to protect the control-plane CPU. Others, mainly those for IPv6 multicast, are IPv6 specific.

mls rate-limit all ttl-failure 1000 10
mls rate-limit unicast cef glean 1000 10
    

Neighbour discovery policing is not supported by CoPP. To protect the system, a useful tool is the mls qos protocol policer:

mls qos protocol NEIGH-DISCOVER police 128000 1000
    

7  Other Security Recommendations

IPv6 PIM should be switched off on all egress interfaces where PIM is not necessary. MLD is needed only on interfaces facing end stations, so it should be switched off on all backbone interfaces and on all peering interfaces. MLD is carried in ICMPv6 types 130, 131, 132 and 143 and should always be sent from a link-local address; MLD packets without a link-local source address should be dropped.

As described above, for an edge port we use the following configuration:

no ipv6 mld router
no ipv6 pim
ipv6 nd ra suppress
    

Part of the IPv6 standardization was the definition of Routing Header type 0, but the later RFC 5059 [2] deprecated this option. On any IOS device, processing of Routing Header type 0 can be disabled with the command:

no ipv6 source-route
    

This command also disables processing of Routing Header type 2, which is not deprecated and is used by Mobile IPv6. However, there is currently no requirement to use Mobile IPv6 in the CESNET2 network.

8  CoPP Monitoring

The following commands are useful for CoPP monitoring and troubleshooting. Basic information is provided by

sh policy-map control-plane
    

For a more detailed view, one first has to look up the slot number of the supervisor module:

R1#sh modules
Mod Ports Card Type                       Model           Serial No.
--- ----- ------------------------------  --------------  ----------
<snip>
 5  2     Supervisor Engine 720 (Active)  WS-SUP720-3BXL  SALXXXXXXX
 6  2     Supervisor Engine 720 (Hot)     WS-SUP720-3BXL  SALXXXXXXX
</snip>
    

and the internal VLAN id used for Control Plane Protection:

R1#sh vlan internal usage
VLAN Usage
---- --------------------
<snip>
1013 Control Plane Protection
</snip>
    

Then attach to the module and list the detailed information:

R1#attach 5
R1-sp#sh tcam inter vlan 1013 qos type2 ipv6 detail
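
Reading the sh policy-map control-plane counters by eye does not scale to many routers, so here is an added Python helper (our illustration, not code from the report) that parses that output, sums the packets each class's policer dropped, and flags classes whose policer is engaging even though dropping is not their purpose. The sample output below is constructed for this example in the layout of the generic IOS command output; its counters are invented, and the function and variable names are ours.

```python
import re

# Constructed sample in the layout of 'show policy-map control-plane' on IOS;
# all counters are invented for this illustration.
SAMPLE = """\
Control Plane

  Service-policy input: IPV6COPP

    Class-map: IPv6_CoPP_icmp (match-all)
      18422 packets, 1179008 bytes
      5 minute offered rate 3000 bps, drop rate 0000 bps
      Match: access-group name IPv6_CoPP_icmp
      police:
          cir 128000 bps, bc 6000 bytes, be 6000 bytes
        conformed 18422 packets, 1179008 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 3000 bps, exceeded 0000 bps, violated 0000 bps

    Class-map: IPv6_CoPP_trace_ping (match-all)
      97744 packets, 6255616 bytes
      5 minute offered rate 512000 bps, drop rate 41000 bps
      Match: access-group name IPv6_CoPP_trace_ping
      police:
          cir 512000 bps, bc 10240 bytes, be 10240 bytes
        conformed 90210 packets, 5773440 bytes; actions:
          transmit
        exceeded 7534 packets, 482176 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 470000 bps, exceeded 41000 bps, violated 0000 bps

    Class-map: IPv6_CoPP_deny_any (match-all)
      1204 packets, 77056 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name IPv6_CoPP_deny_any
      police:
          cir 32000 bps, bc 1500 bytes, be 1500 bytes
        conformed 1204 packets, 77056 bytes; actions:
          drop
        exceeded 0 packets, 0 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps, violated 0000 bps

    Class-map: class-default (match-any)
      4410 packets, 282240 bytes
      5 minute offered rate 1000 bps, drop rate 0000 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map: (\S+)")
BUCKET_RE = re.compile(r"^\s*(conformed|exceeded|violated) (\d+) packets, \d+ bytes; actions:")


def parse_policy_map(text):
    """Return {class: {bucket: (packets, action)}}; a class without a policer
    (class-default here) maps to an empty dict."""
    stats, cls, pending = {}, None, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cls, pending = m.group(1), None
            stats[cls] = {}
            continue
        m = BUCKET_RE.match(line)
        if m and cls is not None:
            pending = (m.group(1), int(m.group(2)))   # action is on the next line
            continue
        if pending and line.strip() in ("transmit", "drop"):
            stats[cls][pending[0]] = (pending[1], line.strip())
            pending = None
    return stats


def dropped_packets(stats):
    """Packets per policed class that the policer discarded (bucket action 'drop')."""
    return {cls: sum(n for n, action in buckets.values() if action == "drop")
            for cls, buckets in stats.items() if buckets}


def unexpected_drops(stats, intended=("IPv6_CoPP_deny_any",)):
    """Classes with a non-zero drop count although dropping is not their purpose:
    the policer is engaging, which a monitoring job should flag.  Drops in
    IPv6_CoPP_deny_any are the intended effect and are excluded."""
    return {cls: n for cls, n in dropped_packets(stats).items()
            if n and cls not in intended}


if __name__ == "__main__":
    stats = parse_policy_map(SAMPLE)
    for cls, n in dropped_packets(stats).items():
        print(f"{cls:28s} dropped {n}")
    print("alert:", unexpected_drops(stats))
```

The counters are cumulative until cleared, so a monitoring job should poll periodically, keep the previous parse, and alert on the increase per interval rather than on the absolute value; a steadily growing drop count in IPv6_CoPP_trace_ping or IPv6_CoPP_icmp means legitimate traffic is being policed away (or an ICMP flood is in progress), while growth in IPv6_CoPP_deny_any only confirms that the last class is doing its job.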
    

9  Limitations

There are some constraints related to the IPv6 control plane policing. Some of them are related to a particular hardware and software configuration, some are generic:

10  A Known Problem

An important issue concerns our use of extended ACLs for specifying traffic classes. On 65xx and older line cards, extended ACLs for IPv6 work only for the basic protocols (TCP/UDP/ICMP). IPv6 routing protocols and other advanced matches are not supported (internal DDTS CSCtf49196, duplicated by CSCsa71058).

11  Conclusion

Based on our experience, IPv6 CoPP is functional and ready for deployment in larger installations. As with IPv4, it is essential to set up the rules carefully and to test the particular configuration.

References

[1] HINDEN, R.; HABERMAN, B. Unique Local IPv6 Unicast Addresses. RFC 4193, IETF, October 2005.
[2] BHASKAR, N.; GALL, A.; LINGARD, J.; VENAAS, S. Bootstrap Router (BSR) Mechanism for Protocol Independent Multicast (PIM). RFC 5059, IETF, January 2008.
[3] CISCO SYSTEMS. Control Plane Policing Implementation Best Practices. [cit. 2010-11-29]. Available online.
[4] CISCO SYSTEMS. Deploying Control Plane Policing. [cit. 2010-11-29]. Available online.
[5] KRISTOFF, J. Cisco's Control Plane Policing (CoPP) Implementation Notes. March 2005, [cit. 2010-11-29]. Available online.

Appendix A  Complete example

no ipv6 source-route
mls qos
mls ipv6 acl compress address unicast
mls qos protocol BGPv2 pass-through
mls qos protocol OSPFv3 pass-through
mls qos protocol NEIGH-DISCOVER police 32000 1000
mls flow ipv6 interface-full
mls rate-limit multicast ipv6 connected 1000 100
mls rate-limit multicast ipv6 sg 100 10
mls rate-limit multicast ipv6 mld 1000 100
!
class-map match-all IPv6_CoPP_int_net
 match access-group name IPv6_CoPP_int_net
class-map match-all IPv6_CoPP_NOC
 match access-group name IPv6_CoPP_NOC
class-map match-all IPv6_CoPP_backbone_ping
 match access-group name IPv6_CoPP_backbone_ping
class-map match-all IPv6_CoPP_ext_net
 match access-group name IPv6_CoPP_ext_net
class-map match-all IPv6_CoPP_deny_any
 match access-group name IPv6_CoPP_deny_any
class-map match-all IPv6_CoPP_trace_ping
 match access-group name IPv6_CoPP_trace_ping
class-map match-all IPv6_CoPP_icmp
 match access-group name IPv6_CoPP_icmp
!
policy-map IPV6COPP
 class IPv6_CoPP_int_net
 police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action transmit
 class IPv6_CoPP_ext_net
 police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action transmit
 class IPv6_CoPP_NOC
 police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action transmit
 class IPv6_CoPP_icmp
 police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action transmit
 class IPv6_CoPP_backbone_ping
 police cir 1024000 bc 1500 be 1500 conform-action transmit exceed-action transmit
 class IPv6_CoPP_trace_ping
 police cir 512000 bc 10240 be 10240 conform-action transmit exceed-action drop
 class IPv6_CoPP_deny_any
 police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
 class class-default
!
ipv6 access-list IPv6_CoPP_deny_any
 permit icmp any any
 permit tcp any any
 permit udp any any
 permit ahp any any
 permit esp any any
 permit pcp any any
 permit sctp any any
 permit ipv6 any any
!
ipv6 access-list IPv6_CoPP_trace_ping
 remark (ICMPv6 128,129)
 permit icmp any any echo-request
 permit icmp any any echo-reply
 remark TRACE
 permit icmp any any unreachable
 permit udp any any range 33434 33600
!
ipv6 access-list IPv6_CoPP_NOC
 remark TELNET from/to
 permit tcp FDD6:C246:22A9::/48 eq telnet any established
 permit tcp FDD6:C246:22A9::/48 any eq telnet
 remark SSH from/to
 permit tcp FDD6:C246:22A9::/48 eq 22 any established
 permit tcp FDD6:C246:22A9::/48 any eq 22
 remark SNMP
 permit udp host FDD6:C246:22A9:1:2:3FF:FE24:FF1E any eq snmp
 remark TFTP
 permit udp host FDD6:C246:22A9:1:2:3FF:FE24:FF1E gt 1023 any gt 1023
 ! remark NTP
 ! permit udp FDD6:C246:22A9::/48 eq ntp any eq ntp
 ! remark Monitoring NTP
 ! permit udp host FDD6:C246:22A9:1:2:3FF:FE24:FF1E any eq ntp
 ! remark TACACS servers
 ! permit tcp host FDD6:C246:22A9:1:2:3FF:FE24:FF1E eq tacacs any established
 remark DNS
 permit udp host FDD6:C246:22A9:2::1 eq domain any
 permit udp host FDD6:C246:22A9:2::2 eq domain any
!
ipv6 access-list IPv6_CoPP_int_net
 remark OSPFv3
 permit 89 FE80::/10 any
 remark PIM
 permit 103 FE80::/10 any
 ! remark LDP
 ! permit tcp FE80::/10 eq 646 any
 ! permit tcp FE80::/10 any eq 646
 ! remark LDP discovery
 ! permit udp FE80::/10 eq 646 any eq 646
 remark iBGP
 permit tcp FDD6:C246:22A9::/48 any eq bgp
 permit tcp FDD6:C246:22A9::/48 eq bgp any
 remark BFD control packet
 permit udp FE80::/10 range 49152 65535 any eq 3784
 remark BFD echo packet
 permit udp FE80::/10 any eq 3785
!
ipv6 access-list IPv6_CoPP_ext_net
 remark eBGP private ASes
 permit tcp FDD6:C246:22A0::/48 any eq bgp
 permit tcp FDD6:C246:22A0::/48 eq bgp any
!
ipv6 access-list IPv6_CoPP_icmp
 remark ICMP type 1,2,3/0,3/1,4/0,4/1,4/2
 permit icmp any any 1 3
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 remark nd-na, nd-ns, ra, rs
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-advertisement
 permit icmp any any router-solicitation
 remark MLD - query, report_v2
 permit icmp any any mld-query
 permit icmp any any 143
!
ipv6 access-list IPv6_CoPP_backbone_ping
 permit icmp FDD6:C246:22A9::/48  FDD6:C246:22A9::/48
    