Doing some deep-dive testing into LPTS for DDoS/security/exploit reasons, and I came across what I consider some shortcomings. I'd love to hear other people's opinions/test results!
I'm not sure if I'm missing something or if this is the way it is intended.
For one, the OSPF-known unicast LPTS policer gets applied to interfaces where OSPF is enabled; however, it allows ALL OSPF unicast packets and it doesn't (as I think it should) add an entry per unicast neighbor once it gets the multicast hello. This opens up a vector for DDoS. I spoofed OSPF unicast packets across the network (from a few devices away) and I can easily overwhelm this policer. Some OSPF sessions (p2p) use unicast and will fail to come up if the packets aren't allowed.
The LPTS on ASR9k doesn't seem to do dynamic flows (like NCS). I think there's a lot of work that needs to be done in this area.
The main 'problem' I have here is that LPTS doesn't allow you to implement your own CoPP. Since it doesn't allow us to implement our own filters, the automatic ones need to be more robust. Not just OSPF but some of the others as well. The BGP ones are done decently, and I'm still doing tests on those to see if it actually does per-flow policing (in other words, once a BGP session is established it goes into its own policer, like a microflow/uBRL type scenario).
I'll be testing each one individually, but this will take some time.
I'd be curious to see anyone else's LPTS configuration and iACLs that may have a workaround for some of this to protect the control plane more fully.
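Added example (my own, not the OP's code): one thing that helps on the defender side of exactly this scenario is to snapshot the LPTS policer counters periodically and alert when a high-priority policer such as the OSPF unicast one starts dropping at a sustained rate. The two snapshots below are constructed to resemble `show lpts pifib hardware police location <loc>` output; the column layout varies by IOS-XR release and platform, so the `FLOW_RE` pattern (and the flow names) are assumptions you would adjust to match your own box.

```python
"""Flag LPTS policers that are dropping control-plane packets between two snapshots.

Added example, not code from the original post. The sample text is constructed
to resemble 'show lpts pifib hardware police location <loc>' output; the exact
column layout is an assumption (adjust FLOW_RE for your IOS-XR release).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample snapshots taken INTERVAL_S seconds apart. In the second
# one the OSPF-uc-known policer's dropped counter has climbed sharply while the
# multicast (hello) policer is untouched, which is what a flood of unicast OSPF
# packets hitting that policer looks like from the router's side.
SNAPSHOT_T0 = """\
Node 0/0/CPU0:
---------------------------------------------------------------------------------
flow_type         priority  sw_police_id  hw_policer_addr  Cur.Rate  burst  accepted  dropped
---------------------------------------------------------------------------------
OSPF-mc-known     high      3             2                2000      1000   120340    0
OSPF-uc-known     high      5             4                2000      1000   8812      15
BGP-known         high      9             8                2500      1000   334110    0
ICMP-local        low       21            20               1000      500    5550      2120
"""

SNAPSHOT_T1 = """\
Node 0/0/CPU0:
---------------------------------------------------------------------------------
flow_type         priority  sw_police_id  hw_policer_addr  Cur.Rate  burst  accepted  dropped
---------------------------------------------------------------------------------
OSPF-mc-known     high      3             2                2000      1000   120372    0
OSPF-uc-known     high      5             4                2000      1000   28812     48215
BGP-known         high      9             8                2500      1000   334990    0
ICMP-local        low       21            20               1000      500    5561      2125
"""
INTERVAL_S = 10  # seconds between the two constructed snapshots

# One data row: flow name, priority, two ids, rate, burst, accepted, dropped.
# Header and separator lines fail the numeric fields and are skipped.
FLOW_RE = re.compile(
    r"^(?P<flow>\S+)\s+(?P<prio>\S+)\s+\d+\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<accepted>\d+)\s+(?P<dropped>\d+)$"
)


def parse_policers(text: str) -> Dict[str, Tuple[int, int]]:
    """Map flow_type -> (accepted, dropped) for every data row in the output."""
    rows: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            rows[m["flow"]] = (int(m["accepted"]), int(m["dropped"]))
    return rows


def drop_deltas(before: Dict[str, Tuple[int, int]],
                after: Dict[str, Tuple[int, int]]) -> Dict[str, int]:
    """Increase of the dropped counter per flow present in both snapshots.

    Counters are cumulative; if the later value is smaller, the counters were
    cleared (or wrapped) in between and only the later value is counted.
    """
    deltas: Dict[str, int] = {}
    for flow, (_, dropped_after) in after.items():
        if flow not in before:
            continue
        dropped_before = before[flow][1]
        if dropped_after >= dropped_before:
            deltas[flow] = dropped_after - dropped_before
        else:
            deltas[flow] = dropped_after
    return deltas


def flag_policers(before: Dict[str, Tuple[int, int]],
                  after: Dict[str, Tuple[int, int]],
                  interval_s: float,
                  min_drop_pps: float) -> List[Tuple[str, float]]:
    """Flows whose drop rate (packets/s) over the interval exceeds min_drop_pps,
    worst first. A trickle of drops on low-priority flows (ICMP here) is normal
    background; a routing-protocol policer dropping thousands per second is not."""
    hits = [(flow, delta / interval_s)
            for flow, delta in drop_deltas(before, after).items()
            if delta / interval_s > min_drop_pps]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    for flow, pps in flag_policers(parse_policers(SNAPSHOT_T0),
                                   parse_policers(SNAPSHOT_T1),
                                   INTERVAL_S, min_drop_pps=100):
        print(f"{flow}: {pps:.0f} drops/s")
```

In practice you would feed this from a scheduled `show` collection (or telemetry) and keep the previous snapshot; the threshold is per-policer noise level rather than one global number, since something like ICMP-local drops a bit all day while OSPF-uc-known should sit near zero.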
XR-vm CLIs:
Look for any process crash and review the time stamp (if it is too old, no immediate action is needed).
Verify that the standby state is Ready and NSR-Ready.
show proc cpu | exclude " 0%"