Table 5. Feature History Table

Feature Name | Release Name | Description
Protection of Directly Connected EBGP Neighbors through Interface-Based LPTS Identifier | Release 7.10.1 | We have enhanced network security for directly connected eBGP neighbors: packets from such a neighbor are now accepted only on the interface where that neighbor is configured, so spoofed packets that copy the neighbor's addresses and ports but arrive on another interface in the same VRF no longer consume the neighbor's Local Packet Transport Services (LPTS) entries and policer. This is made possible by adding an interface identifier to the LPTS entries for these neighbors. LPTS filters and polices punted packets according to the flow type and the policer rate you configure. The feature introduces these changes:
CLI:
YANG Data Model:
Local Packet Transport Services (LPTS) maintains tables describing all packet flows destined for the secure domain router
(SDR), making sure that packets are delivered to their intended destinations.
With respect to BGP sessions, LPTS bindings can be categorized as follows:
- BGP Known: LPTS entries corresponding to BGP sessions with established neighbors.
- BGP Configured Peer: LPTS entries designated to receive the initial packets (TCP SYN and the third ACK of the handshake) from specifically configured BGP neighbors.
- BGP Default Entries: LPTS entries that capture all packets originating from unconfigured BGP neighbors.
Without this feature, an attacker who crafts packets with the exact source IP, destination IP, source port, and destination port of an established session, and floods them from another interface within the same VRF, causes those packets to match the BGP known LPTS entry, because the arrival interface is not part of the lookup key. The packets are punted up to the TCP layer, where they are eventually dropped (for example, because they fall outside the receive window). All BGP known LPTS entries share a common LPTS policer, so packets arriving through any of these entries are policed at the same configured rate.
If the attacker sends these packets at a rate exceeding the policer's defined rate, the shared flow becomes congested and legitimate packets from established eBGP peers are dropped along with the spoofed ones. Those sessions may miss keepalives, become unstable, and flap. TCP MD5 or TCP-AO authentication does not prevent this, because the policer acts before TCP validates the segment.
This feature protects your network by adding an interface identifier to the LPTS entries of directly connected eBGP neighbors. LPTS filters and polices the punted packets according to the flow type and the policer rate you configure. With the identifier in place, packets for a directly connected eBGP neighbor are accepted only on the interface where that neighbor is configured; a packet that copies the neighbor's addresses and ports but arrives on any other interface is no longer treated as the neighbor's traffic, which defeats the IP spoofing attack described above. BGP passes the interface identifier to LPTS and TCP only when all of the following criteria are met:
- The BGP peer is configured as external (eBGP).
- Fast External Failover (FEF) is not disabled.
- The BGP peer is directly connected.
- The BGP peer is not a dynamic peer.
- eBGP multihop is not enabled.
- The default eBGP TTL is used.
- The "ignore connected" option is not configured.
- For an IPv6 neighbor, the configured neighbor address is not a link-local address.
When BGP binds through the LPTS socket option, it supplies an interface identifier as part of the tuple for every directly connected eBGP neighbor that is configured.
The BGP configured peer LPTS entry then matches an incoming connection (TCP SYN) only if it is received on the programmed interface.
Incoming connections, or any other packets, received on interfaces other than the programmed one fall through to the BGP default entry. They are strictly policed there and passed to TCP only for reset generation, so spoofed packets arriving on unintended interfaces cannot affect the BGP configured peer LPTS entries.
When a passive connection is accepted from the programmed interface and established at the TCP level, TCP inherits the same interface for the BGP known LPTS entry that is created for that connection.
Packets that match the source IP, destination IP, source port, destination port, and VRF of an established connection but arrive on a different interface no longer match that known entry; they are directed to the BGP default entry instead. This ensures that spoofed packets from unintended interfaces do not affect the BGP known peer LPTS entries.
For an active (outbound) connection, BGP likewise supplies the interface identifier during the bind, and TCP incorporates it into the LPTS entry for that connection, safeguarding BGP known entries against spoofed packets that match the connection's tuple but originate from a different interface.
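The following Python model, added here as an illustration and not IOS XR code, shows both the attack described earlier (a spoofed 5-tuple flooded from a second interface exhausting the policer shared by BGP known entries) and the mechanism described in this section (the same flood falling through to the BGP default entry once the interface identifier is part of the lookup key). It also encodes the eligibility criteria listed above as a predicate. The entry names, policer rates, addresses, interface names and the NeighborConfig fields are constructed for the example; real LPTS tables and rates differ.

```python
# Added toy model of LPTS lookup for BGP; not IOS XR code. Names, rates and addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    vrf: str
    src: str
    dst: str
    sport: int
    dport: int
    ifname: str  # interface the packet arrived on

@dataclass
class Policer:
    # Packet budget per policing interval, shared by every entry that references it.
    rate: int
    used: int = 0

    def admit(self) -> bool:
        if self.used >= self.rate:
            return False  # over rate: dropped at LPTS, never reaches TCP
        self.used += 1
        return True

@dataclass
class LptsEntry:
    name: str
    vrf: str
    src: Optional[str]     # None means wildcard
    dst: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    ifname: Optional[str]  # None means any interface (behaviour before the feature)
    policer: Policer

    def matches(self, p: Packet) -> bool:
        return (self.vrf == p.vrf
                and self.src in (None, p.src)
                and self.dst in (None, p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.ifname in (None, p.ifname))

def lookup(entries, p: Packet):
    """Most-specific entry first (known, configured peer, default); returns (name, admitted)."""
    for e in entries:
        if e.matches(p):
            return e.name, e.policer.admit()
    raise LookupError("no matching LPTS entry")  # unreachable: tables always carry a default

def build_tables(interface_aware: bool):
    known_policer = Policer(rate=3)  # constructed: one policer shared by all BGP known entries
    peer_if = "GigabitEthernet0/0/0/0" if interface_aware else None
    return [
        LptsEntry("BGP known", "default", "192.0.2.2", "192.0.2.1", 49152, 179, peer_if, known_policer),
        LptsEntry("BGP configured peer", "default", "192.0.2.2", "192.0.2.1", None, 179, peer_if, Policer(rate=2)),
        LptsEntry("BGP default", "default", None, None, None, 179, None, Policer(rate=1)),
    ]

def run_flood(interface_aware: bool, flood: int = 10):
    # Flood spoofed copies of the session 5-tuple from another interface in the same VRF,
    # then check whether a genuine packet from the peer on its own interface still gets through.
    entries = build_tables(interface_aware)
    spoofed = Packet("default", "192.0.2.2", "192.0.2.1", 49152, 179, "GigabitEthernet0/0/0/1")
    genuine = Packet("default", "192.0.2.2", "192.0.2.1", 49152, 179, "GigabitEthernet0/0/0/0")
    hits = {}
    for _ in range(flood):
        name, _admitted = lookup(entries, spoofed)
        hits[name] = hits.get(name, 0) + 1
    genuine_entry, genuine_admitted = lookup(entries, genuine)
    return {"spoofed_hits": hits, "genuine_entry": genuine_entry,
            "genuine_admitted": genuine_admitted}

@dataclass(frozen=True)
class NeighborConfig:
    # Constructed subset of neighbor settings named in the criteria list above.
    address: str
    external: bool
    directly_connected: bool
    dynamic: bool = False
    ebgp_multihop: bool = False
    ttl_default: bool = True
    ignore_connected_check: bool = False
    fast_external_fallover: bool = True

def gets_interface_identifier(n: NeighborConfig) -> bool:
    """True when every listed condition holds, so BGP passes the interface identifier to LPTS/TCP."""
    addr = ipaddress.ip_address(n.address)
    if addr.version == 6 and addr.is_link_local:
        return False
    return (n.external and n.fast_external_fallover and n.directly_connected
            and not n.dynamic and not n.ebgp_multihop and n.ttl_default
            and not n.ignore_connected_check)
```

Calling `run_flood(False)` returns the spoofed flood landing on the "BGP known" entry and the genuine packet being refused by the exhausted shared policer; `run_flood(True)` returns the flood landing on "BGP default" while the genuine packet is admitted. The model keeps the interface out of the key for the default entry on purpose: that entry must still catch traffic from every interface so that TCP can generate resets.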