
Layer 3 VPNs and Traceroute



  1. Layer 3 VPNs and Traceroute Alex Marder, Matthew Luckie, Bradley Huffaker, kc claffy, Jonathan M. Smith

  2. Expected Response Types: Ingress

  3. Expected Response Types: Egress

  4. Responses Face the Traceroute Source
     [Figure panels: Ingress Response; Egress Response]

  5. Responses Do Not Face Destination
     • We don’t expect the interface that would have forwarded the probe to the destination

  6. What is a Layer 3 VPN?
     • Virtual IP networks that share the same physical infrastructure
     • VPN uses ISP backbone but separate forwarding tables
     • Common uses
       • Connect customer sites together
       • Enable high bandwidth connection to cloud

  7. L3 VPN: Traceroute Example
     [Figure: traceroute panel and network map of AS A, the Service Provider, and AS B; map labels: SE1, s'1, s1, S1, s'2, s2, SE2, AE, a', a, b', b, BE]

  8. L3 VPN: Packet Sent From AS A to AS B
     [Figure: same network map; traceroute panel labels: a, AS A; packet label: Dest: AS B]

  9. L3 VPN: Traceroute Starts Normally
     [Figure: same network map; traceroute panel labels: s1, a, AS A, AS S; packet labels: MPLS Label, VPN ID, Dest: AS B]

  10. L3 VPN: Egress Virtual Forwarding (VRF)
     [Figure: same network map; traceroute panel labels: s1, a, b', AS A, AS B, AS S; packet labels: VPN ID, Dest: AS B]

  11. L3 VPN: Ends Normally
     [Figure: same network map; traceroute panel labels: s1, a, b', b, AS A, AS B, AS B, AS S; packet label: Dest: AS B]

  12. Problem With Conventional Interpretation
     • Traceroute: 162.252.70.103 (Internet2), 128.91.238.218 (UPenn), 128.91.238.217 (UPenn)
     • Interpretation (Assuming Ingress Addresses)
     [Figure: addresses 162.252.70.103, 128.91.238.218, 128.91.238.217 placed on routers R1, R2, R3; network labels: Internet2, UPenn]

  13. Problem With Conventional Interpretation
     • Traceroute: 162.252.70.103 (Internet2), 128.91.238.218 (UPenn), 128.91.238.217 (UPenn)
     • Correct Interpretation
     [Figure: addresses 162.252.70.103, 128.91.238.218, 128.91.238.217 placed on routers R1, R2, R3, with one element marked "?"; network labels: Internet2, UPenn]

  14. Finding Egress VRF Addresses
     • Adjacent hops with consecutive addresses

  15. Must Rule Out Two Separate /31s
     • One /30 Link: 162.252.70.103, 128.91.238.218, 128.91.238.217
     [Figure: routers R1, R2, R3, with one element marked "?"; network labels: Internet2, UPenn]
     • Two /31 Links: 162.252.70.103, 128.91.238.219, 128.91.238.218, 128.91.238.216, 128.91.238.217
     [Figure: routers R1, R2, R3; network labels: Internet2, UPenn]

  16. 4 Address Prefixes: Ping Test
     128.91.238.216/30
     • Network: 128.91.238.216
     • Usable Host Addresses: 128.91.238.217, 128.91.238.218
     • Broadcast: 128.91.238.219

  17. Results

  18. Conclusion
     • Watch out for egress VRF addresses
       • 6% of middle addresses in ITDK traceroutes
     • We can detect them
       • And hopefully account for them
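
The check from slides 14 to 16 as an added Python example (not code from the presentation or its authors): it flags a traceroute hop followed by the other usable host address of the same /30, then uses ping results for that /30's network and broadcast addresses to tell one /30 link from two /31 links. The function names, the constructed ping responder sets, and the rule that a reply from the network or broadcast address indicates /31s are assumptions.

```python
import ipaddress

def egress_vrf_candidates(hops):
    """Return (hop_index, address, /30) for each hop that is followed by the
    other usable host address of the same /30 (slide 14's consecutive pair)."""
    found = []
    for i in range(len(hops) - 1):
        a = ipaddress.IPv4Address(hops[i])
        b = ipaddress.IPv4Address(hops[i + 1])
        net = ipaddress.ip_network(f"{a}/30", strict=False)
        # A /30 has exactly two usable hosts; both hops must be those two.
        if {a, b} == set(net.hosts()):
            found.append((i, str(a), str(net)))
    return found

def classify_link(net30, ping_responders):
    """Separate one /30 link from two /31 links (slides 15 and 16).

    Assumption: if the /30's network or broadcast address answers ping, it is
    configured on an interface, so the four addresses form two /31 links."""
    net = ipaddress.ip_network(net30)
    edges = {str(net.network_address), str(net.broadcast_address)}
    if edges & set(ping_responders):
        return "two /31 links"
    return "one /30 link"

if __name__ == "__main__":
    # Traceroute from slide 12; the ping responder set is constructed.
    trace = ["162.252.70.103", "128.91.238.218", "128.91.238.217"]
    responders = {"128.91.238.217", "128.91.238.218"}
    for idx, addr, net in egress_vrf_candidates(trace):
        verdict = classify_link(net, responders)
        print(f"hop {idx} {addr} in {net}: {verdict}")
```

A pair such as .218/.219 is also consecutive but is skipped here, because it aligns with a single /31 rather than with the two usable hosts of a /30.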
