Upload File

selective packet discard

prev
next
out of 3
Download Selective Packet Discard

Upload: nandan-bisht

Post on 15-Oct-2015

7 views

Category:

Documents


0 download

Report

DESCRIPTION

Selective Packet Discard

TRANSCRIPT

  • CCIE Security V4 Technology Labs Section 1:System Hardening and Availability

    Selective Packet Discard

    Last updated: May 3, 2013

    Task

    Load the configuration files for this task.

    Enable Selective Packet Discard on R1 in aggressive mode.

    Increase R1s input queue size on its link to VLAN 13 to twice the default.

    Increase the amount of the memory headroom for IGP packets to 150 buffers.

    Set the headroom for BGP packets should to 120 packets.

    Start dropping low-priority packets randomly when the input queue is 50% full.

    Explanation and Verification

    Selective Packet Discard is the queue management technique for interface input queueing. The

    SPD commands are hidden in the IOS parser, but you can see them in the running configuration

    after you enter them. By default, SPD is enabled in Normal mode. The following is the list of SPD

    commands:

    spd enable

    spd headroom

    spd extended-headroom

    ip spd mode aggressive

    ip spd queue threshold minimum maximum

    Every physical interface has an input FIFO queue. The router uses this queue to buffer packets

    going to the route processor. Usually these packets include control plane packets, such as Layer 2

    keepalives (such as HDLC/PPP keepalives), IGP packets (OSPF, ISIS, etc.), and BGP packets.

    The routing protocol packets are classified based on their default IP precedence of 6 or higher. In

    addition to control plane packets, the input queue holds other packets destined to the route

    processor, such as packets with an expired TTL, wrong header length, wrong checksum, or non-

    existent local UDP port numbers. The latter packets are malformed, in the sense that they require

    the router to generate an ICMP error message in response. The input queue holds packets that are

    to be process-switched, which is uncommon on modern CEF-based systems. SPD input queueing

    is desirable for a number of reasons. The first is for control plane security. Its possible to block the

    routers input queue with a high rate of malformed packets, which effectively blocks legitimate

    routing traffic. The result is a control plane DoS against the router. The next reason is for layer 2

    keepalive, IGP, and BGP traffic separation. Large BGP tables generate considerably large updates.

    These updates could potentially block the input queue for some time, preventing the router from

  • receiving keepalive packets or IGP updates. This may result in IGP adjacency flapping or layer 2

    link loss reports. The third reason is due to issues with process switching. If for some reason CEF

    is disabled, the IP INPUT process can result in regular IP traffic blocking the input queues, causing

    a loss of the control plane. SPD prevents this through input drops. So how does SPD work? First,

    the input queue consists of two parts. One part is the regular hold queue, which is visible through

    the show interface command, and the other part is the priority queue, which stores routing updates

    and keepalives. The processor serves the priority queue first until it is empty, and then switches to

    the regular hold-queue. Additionally, the priority queue consists of two parts, the SPD Headroom

    and the SPD Extended Headroom. The Extended Headroom queue is emptied before the SPD

    Headroom in a priority manner. Specifically, input packets are queued as follows:

    Layer 2 keepalives and IGP packets go to the SPD Extended Headroom. If there is no space

    available in the SPD Extended Headroom, packets go to the SPD Headroom. As a last resort, if

    both the Extended Headroom and Headroom are full, these packets go to the regular Hold Queue.

    BGP updates go directly to SPD Headroom. If the SPD Headroom is full, BGP packets hit the Hold

    Queue. All other IP packets (malformed or process-switched) go to the Hold Queue. The result is

    that L2 keepalive/IGP packets are serviced first, BGP next, and other packets last.

    Although the Hold Queue is FIFO, it uses the RED drop procedure. Two thresholds (Minimum and

    Maximum) set for hold queue define the random drop behavior. If the current hold queue length is

    less than the Minimum Threshold, packets are never dropped. If the queue length grows beyond

    Minimum, but is less than Maximum, every new packet is randomly dropped with the probability

    proportional to queue depth:

    Prob = (QueueDepth MinimumThresh)/(MaximumThresh-MinimumThresh)

    If the queue depth is above Maximum Threshold, SPD drops every new incoming packet.

    Note the important fact that SPD thresholds are global for all queues. SPD computes Min and Max

    thresholds based on the lowest hold-queue size in the system. Therefore, if you set the hold queue

    size lower on some interfaces, you will affect all other interface drop thresholds.

    Finally, SPD has two modes of operation: normal and aggressive. They differ in their treatment of

    malformed packets (packets that require the router to generate ICMP responses). When SPD is set

    for normal mode (the default), it treats malformed packets as it would all regular IP packets; it

    places them in the hold queue, subject to random drop. However, in aggressive mode, the

    malformed packets are dropped as soon as the hold queue grows above the minimum threshold.

    Effectively, SPD Aggressive mode replaces the random drop for malformed packets with an

    unconditional drop. SPD configuration can be configured and verified as follows.

    R1:

    R1#

    R1#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    R1(config)#spd extended-headroom 150

    R1(config)#spd headroom 120

    R1(config)#ip spd mode aggressive

    R1(config)#ip spd queue threshold minimum 75 maximum 150

    R1(config)#int g0/0

    R1(config-if)# hold-queue 150 in

    R1(config-if)#

  • To verify, we can check the input queue size and the SPD settings using the following two show

    commands.

    R1#show interface GigabitEthernet 0/0

    GigabitEthernet0/0 is up, line protocol is up

    Hardware is CN Gigabit Ethernet, address is 0007.7d3d.94e8 (bia 0007.7d3d.94e8)

    Internet address is 136.1.13.1/24

    MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

    reliability 255/255, txload 1/255, rxload 248/255

    Encapsulation ARPA, loopback not set

    Keepalive set (10 sec)

    Full Duplex, 100Mbps, media type is RJ45

    output flow-control is unsupported, input flow-control is unsupported

    ARP type: ARPA, ARP Timeout 04:00:00

    Last input 00:00:00, output 00:00:01, output hang never

    Last clearing of "show interface" counters never

    Input queue: 57/150/76/34987 (size/max/drops/flushes); Total output drops: 0

    Queueing strategy: fifo

    R1#show ip spd

    Current mode: normal.

    Queue min/max thresholds: 75/150, Headroom: 120, Extended Headroom: 150

    IP normal queue: 28, priority queue: 0.

    SPD special drop mode: aggressively drop bad packets

    R1#


Queueing Analysis of Partial Message Discard Policy · Queueing Analysis of Partial Message Discard Policy ... Eitan Altman. Queueing Analysis of Partial Message Discard Policy. [Research

Discard ban – a cornerstone of a comprehensive policy packet

DO NOT DISCARD 20211684963

Packet-Hiding Methods for Preventing Selective Jamming Attacks › Dotnet 2012 Base Paper › Packet-Hiding … · Packet-Hiding Methods for Preventing Selective Jamming Attacks Alejandro

10 Gbit Hardware Packet Filtering Using Commodity …ripe61.ripe.net/presentations/138-Deri_RIPE_61.pdf · Filtering Using Commodity Network Adapters ... discard those packets that

C-Pack - Supplier Solutions4).pdf · The C-Pack Industrial Cleaner Delivery ... Do not reuse empty packet. Discard in trash. ... PIEL: Quite la ropa contaminada

The EU Discard Reduction Manual

Implementation of Selective Packet Destruction on …...termed selective packet destruction (SPD) to ensure service for priority users. A testbed for SPD has been created, based on

Do Not Discard! - Johnson Controls

ISSN 2043-6386 Multi-objective optimisation for selective ...netlab/Pub/14-WSS-2014-0020.pdfISSN 2043-6386 Multi-objective optimisation for selective packet discarding in wireless

DESIGN AND COMPARATIVE ANALYSIS OF SINGLE-PATH AND ... · scheme to determine the information content of a packet, IDE-ALS instructs a node to relay or discard the packet depending

JDSU Triple Play Analyzer Software · Data Acquisition Platforms PacketPortal PacketPortal is a distributed packet acquisition and selective packet forwarding system that can capture

Better Early Packet Discard - Home - Springer...Better Early Packet Discard 383 queue size or to smooth the dropping of packets which is the matter of buffer queue management schemes

(Overview, benchmark results, current status)people.redhat.com/lczerner/discard/files/Performance...3 mkfs.ext4 -E discard /dev/sdc e2fsck 1 After the last check discard free space

UW‐Whitewater Discard

Power Outage Preparedness Guide · 2020-06-01 · Fresh eggs, hard-cooked in shell, egg dishes, egg products Discard Custards and puddings Discard Casseroles, soups, stews Discard

Branch SRX Series and J Series Selective Packet ServicesAPPLICATION NOTE - Branch SrX Series and J Series Selective Packet Services Introduction Juniper Networks® SrX Series Services

A Low-Latency, High-Bandwidth Ethernet Switch · PDF fileA Low-Latency, High-Bandwidth Ethernet Switch Chip. ... TX Port Logic MAC PCS SerDes ... - Pause & packet discard

DISCARD DANGER - Forge Distribution

Rapport Discard

Privacy-Preserving and Truthful Detection of Packet ... this paper, we develop an algorithm which is accurate for detecting selective packet drops made by insider at-tackers. Our algorithm

Discard Routes

DISCARD WARNING

A hybrid optical packet and wavelength selective switching ...lightwave.ee.columbia.edu/Publications/Xu2011d.pdf · A hybrid optical packet and wavelength selective switching platform

Selective-TCP for Wired/Wireless Networks · Sept. 27, 2005 Selective-TCP for wired/wireless networks 10 Loss detection scheme Detects the type of loss based on the packet inter-arrival

Draft Discard Gmail

Packet-Hiding Methods for Preventing selective jamming attack

Group 15 Herbicide · Discard clothing and other absorbent materi-als that have been drenched or heavily contaminated with ... Zidua® SC herbicide is a selective rate-dependent resid-

Packet-Hiding Methods for Preventing Selective Jamming …llazos/papers/PROANO_TDSC...Packet-Hiding Methods for Preventing Selective Jamming Attacks Alejandro Proano and Loukas Lazos˜

T DO NOT DISCARD THIS MANUAL DISCARD

12 ijecA Review on‖ Packet-Hiding Methods to Hamper Selective Jamming Attacks in wireless networkss

Privacy-Preserving and Truthful Detection of Packet ...krunz/Papers/Journals/TMC2015_tao.pdf2 In this paper, we develop an accurate algorithm for detecting selective packet drops made

Branch SRX Series and J Series Selective Packet … NOTE - Branch SrX Series and J Series Selective Packet Services Introduction Juniper Networks ® SrX Series Services Gateways and

Packet hiding methods for preventing selective jamming attacks

Marine life – our common responsibility Discard ban – a cornerstone of a comprehensive policy packet By Peter Gullestad Director General of Fisheries,