Doing some deep dive testing into LPTS for ddos/security/exploit reasons and came across what I consider some shortcomings. Love to hear other people's opinions/test results!
I'm not sure if I'm missing something or this is the way it is intended.
For one, the OSPF-known unicast LPTS policer gets applied to interfaces where OSPF is enabled, however it allows ALL OSPF unicast packets and it doesn't (like I think it should) add an entry per unicast neighbor once it gets the multicast hello. This opens up a vector for DDoS. I spoofed OSPF unicast packets across the network (from a few devices away) and I can easily overwhelm this policer. Some p2p OSPF sessions use unicast and will fail to come up if the packets aren't allowed.
The lpts on asr9k doesn't seem to do dynamic flows (like NCS). I think there's a lot of work that needs to be done in this area.
The main 'problem' I have here is that LPTS doesn't allow you to implement your own CoPP. Since it doesn't allow us to implement our own filters, the automatic ones need to be more robust. Not just OSPF but some of the others as well. The BGP ones are done decently and I'm still doing tests on those to see if it actually does per-flow policing (in other words, once a BGP session is established it goes into its own policer like a microflow/UBRL type scenario).
I'll be testing each one individually but this will take some time.
I'd be curious to see anyone else's lpts configuration and iACLs that may have a workaround for some of this to protect the control plane more fully.
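As an added illustration of the kind of iACL plus LPTS tuning the post is asking about (this is not the poster's configuration, and the interface name, the 192.0.2.0/24 neighbor prefix and the policer rates are placeholder assumptions): the ACL drops OSPF that does not come from the known adjacency prefix before LPTS ever sees it, and the policer rate for the ospf unicast known flow is lowered so whatever still passes is rate-limited ahead of the OSPF process.

```cisco
! Constructed example, not from the original post.
! Only OSPF sourced from the known adjacency prefix reaches the control plane;
! all other OSPF is dropped at the interface, everything else passes unchanged.
ipv4 access-list PROTECT-CP-OSPF
 10 permit ospf 192.0.2.0 0.0.0.255 any
 20 deny ospf any any
 30 permit ipv4 any any
!
interface TenGigE0/0/0/0
 description placeholder uplink carrying the OSPF p2p session
 ipv4 access-group PROTECT-CP-OSPF ingress
!
! Tighten the LPTS policers for the OSPF unicast flows (assumed rates in pps)
! so a flood that matches the ACL is still capped before the OSPF process.
lpts pifib hardware police
 flow ospf unicast known rate 1000
 flow ospf unicast default rate 500
!
```

A source-prefix ACL only helps against traffic whose source lies outside the permitted range, so it narrows the vector rather than closing it; uRPF on the same interfaces limits how far an in-range spoofed source can travel. Policer hits can be checked with `show lpts pifib hardware police location <node>` (assumed command form) before and after the change.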