Layer 3 VPNs and Traceroute Alex Marder, Matthew Luckie, Bradley - - PowerPoint PPT Presentation



SLIDE 1

Layer 3 VPNs and Traceroute

Alex Marder, Matthew Luckie, Bradley Huffaker, kc claffy, Jonathan M. Smith

SLIDE 2

Expected Response Types: Ingress

SLIDE 3

Expected Response Types: Egress

SLIDE 4

Responses Face the Traceroute Source

[Figure labels: Ingress Response, Egress Response]

SLIDE 5

Responses Do Not Face Destination

  • We don’t expect the interface that would have forwarded the probe to the destination

SLIDE 6

What is a Layer 3 VPN?

  • Virtual IP networks that share the same physical infrastructure
  • VPN uses ISP backbone but separate forwarding tables
  • Common uses
    • Connect customer sites together
    • Enable high bandwidth connection to cloud

SLIDE 7

L3 VPN: Traceroute Example

[Figure: "Traceroute" and "Network Map" panels. Labels: ASA, Service Provider, ASB; AE, SE1, S1, SE2, BE; a, a', s'1, s1, s'2, s2, b', b.]

SLIDE 8

L3 VPN: Packet Sent From ASA to ASB

[Figure: "Traceroute" and "Network Map" panels, with a packet labeled "Dest: ASB". Traceroute panel: a (ASA).]

SLIDE 9

L3 VPN: Traceroute Starts Normally

[Figure: "Traceroute" and "Network Map" panels, with the packet labeled "Dest: ASB", "VPN ID" and "MPLS Label". Traceroute panel: a (ASA), s1 (ASS).]

SLIDE 10

L3 VPN: Egress Virtual Forwarding (VRF)

[Figure: "Traceroute" and "Network Map" panels, with the packet labeled "Dest: ASB" and "VPN ID". Traceroute panel: a (ASA), s1 (ASS), b' (ASB).]

SLIDE 11

L3 VPN: Ends Normally

[Figure: "Traceroute" and "Network Map" panels, with the packet labeled "Dest: ASB". Traceroute panel: a (ASA), s1 (ASS), b' (ASB), b (ASB).]

SLIDE 12

Problem With Conventional Interpretation

[Figure: "Traceroute" panel listing 162.252.70.103 (Internet2), 128.91.238.218 (UPenn) and 128.91.238.217 (UPenn); "Interpretation (Assuming Ingress Addresses)" panel with R1 162.252.70.103 (Internet2), R2 128.91.238.218 (UPenn) and R3 128.91.238.217 (UPenn), in regions labeled Internet2 and UPenn.]

SLIDE 13

Problem With Conventional Interpretation

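[Figure: "Traceroute" panel listing 162.252.70.103 (Internet2), 128.91.238.218 (UPenn) and 128.91.238.217 (UPenn); "Correct Interpretation" panel with R1 162.252.70.103 (Internet2), R2 128.91.238.218 (UPenn) and R3 128.91.238.217 (UPenn), in regions labeled Internet2 and UPenn, marked with a "?".]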

SLIDE 14

Finding Egress VRF Addresses

Adjacent hops with consecutive addresses

SLIDE 15

Must Rule Out Two Separate /31s

[Figure: two panels, "One /30 Link" and "Two /31 Links", each with R1 162.252.70.103 (Internet2), R2 128.91.238.218 (UPenn) and R3 128.91.238.217 (UPenn) in regions labeled Internet2 and UPenn, one marked with a "?". The figure also labels 128.91.238.216 (UPenn) and 128.91.238.219 (UPenn).]

SLIDE 16

4 Address Prefixes: Ping Test

128.91.238.216/30

  • 128.91.238.216: Network
  • 128.91.238.217: Usable Host Address
  • 128.91.238.218: Usable Host Address
  • 128.91.238.219: Broadcast
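
As an added illustration (not from the slides or the authors' tooling), this Python sketch applies the check outlined on the "Finding Egress VRF Addresses", "Must Rule Out Two Separate /31s" and ping test slides to the UPenn example. It assumes that an echo reply from the /30's network or broadcast address means that address is a host on a /31 link; the function names, hop order and ping outcomes are constructed for the example.

```python
import ipaddress

def slash30_of(addr):
    """Return the IPv4 /30 that contains addr."""
    return ipaddress.ip_network(f"{addr}/30", strict=False)

def candidate_egress_hops(hops):
    """Find adjacent hops that are the two usable host addresses of one /30.

    hops: traceroute hop addresses in order, None for a non-responding hop.
    Returns (hop_index, earlier_addr, later_addr, network) tuples. The earlier
    address is the candidate egress VRF address (b' before b in the slides).
    """
    found = []
    for i, (a, b) in enumerate(zip(hops, hops[1:])):
        if a is None or b is None:
            continue
        net = slash30_of(a)
        # The two middle addresses of the /30 (e.g. .217 and .218 of .216/30).
        usable = {str(net.network_address + 1), str(net.network_address + 2)}
        if {a, b} == usable:
            found.append((i, a, b, net))
    return found

def classify_link(net, ping_replies):
    """Distinguish one /30 link from two adjacent /31 links.

    ping_replies: set of addresses that answered an echo request.
    Assumption (not stated on the slides): a reply from the network or
    broadcast address of the /30 means it is in use as a /31 host address.
    """
    edges = {str(net.network_address), str(net.broadcast_address)}
    return "two /31 links" if edges & set(ping_replies) else "one /30 link"

# Hop order assumed from the R1, R2, R3 labels on the slides.
HOPS = ["162.252.70.103", "128.91.238.218", "128.91.238.217"]
# Constructed ping outcome for the example, not a measurement.
PING_REPLIES = {"128.91.238.217", "128.91.238.218"}

if __name__ == "__main__":
    for idx, egress, nxt, net in candidate_egress_hops(HOPS):
        verdict = classify_link(net, PING_REPLIES)
        print(f"hop {idx}: {egress} then {nxt} in {net}: {verdict}")
```

Only a "one /30 link" verdict supports reading the earlier hop as an egress VRF address; with two /31 links, the consecutive addresses belong to different links.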

SLIDE 17

Results

SLIDE 18

Conclusion

  • Watch out for egress VRF addresses
  • 6% of middle addresses in ITDK traceroutes
  • We can detect them
  • And hopefully account for them