CREATING AUTOMATIC BACKBONE PROTECTION FOR SERVICE PROVIDER NETWORKS

IP.com Disclosure Number: IPCOM000245580D
Publication Date: 2016-Mar-18
Document File: 5 page(s) / 395K

Publishing Venue

The IP.com Prior Art Database

Related People

Keyur Patel: AUTHOR (and 5 others)

Abstract

Border Gateway Protocol (BGP) related entries provide a good address map of an underlay topology. Automatically converting them into Access Control Lists (ACLs) at the edge routers and not allowing external traffic to these addresses provides a good way of protecting the core of the network of a Service Provider (SP). This mechanism is quite generic. It covers an entire core network (and is address agnostic). Moreover, it adapts to any new address creation or deletion in the core network.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 01 of 5

AUTHORS:

    Keyur Patel, Arjun Sreekantiah, David Smith, Shankar Satyanarayanan, Shitanshu Shah

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

    Large Service Provider (SP) networks providing Internet Protocol (IP) connectivity require, from a security standpoint, that none of the internal network and its addresses be reachable from any outside source. The internal network and its addresses are mostly core router link addresses, internal uplinks of edge routers, and any other IP devices located within the network. Their resources are attacked by targeting their internal IP addresses from external networks, so there is a requirement to filter on those IP addresses to mitigate these attacks. To date, the mechanism used to protect these links and their addresses has been manual configuration of Access Control Lists (ACLs) on edge routers. Any time the internal infrastructure addressing changes, the ACLs need to be modified and all the Provider Edge (PE) devices have to be re-configured. If the internal addresses become more fragmented, the ACLs become more complicated to manage. Manual configuration of ACLs (for all the internal network addresses) is very cumbersome and complicated to manage. In addition, they can also be error prone, failing to reliably protect the network's resources. For this very reason, large SP networks need alternative mechanisms to solve the manual configuration challenges.

Copyright 2016 Cisco Systems, Inc.
1
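To make the mechanism concrete, here is an added example (not part of the disclosure and not Cisco's implementation) that takes the set of internal prefixes an SP would learn from its IGP/BGP tables, aggregates them, renders an IOS-style ACL that drops externally sourced traffic to those prefixes, and computes the delta to push when a prefix is added or withdrawn. The prefixes, the ACL name PROTECT-CORE and the interface name are constructed placeholders; a real deployment would read the prefixes from the router's routing table rather than a literal list.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample of internal infrastructure prefixes, standing in for what an
# SP would learn from its IGP/BGP tables (core links, loopbacks, PE uplinks).
# All addresses are hypothetical; IPv4 only for brevity.
INTERNAL_PREFIXES = [
    "10.0.0.0/30", "10.0.0.4/30", "10.0.0.8/30", "10.0.0.12/30",  # core links
    "10.255.0.1/32", "10.255.0.2/32",                              # loopbacks
    "192.0.2.0/24",                                                # PE uplinks
]

def collapse(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Aggregate adjacent prefixes so the ACL stays short as addressing fragments."""
    nets = [ipaddress.IPv4Network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))

def build_acl(name: str, prefixes: Iterable[str]) -> List[str]:
    """Render an IOS-style extended ACL that drops any externally sourced packet
    whose destination is an internal prefix, then permits everything else."""
    lines = [f"ip access-list extended {name}"]
    for net in collapse(prefixes):
        if net.prefixlen == 32:
            lines.append(f" deny ip any host {net.network_address}")
        else:  # IOS ACLs take a wildcard (inverse) mask, not a prefix length
            lines.append(f" deny ip any {net.network_address} {net.hostmask}")
    lines.append(" permit ip any any")
    return lines

def bind_inbound(interface: str, name: str) -> List[str]:
    """Apply the ACL inbound on an external-facing PE interface only; binding it
    on core-facing links would drop the SP's own control-plane traffic."""
    return [f"interface {interface}", f" ip access-group {name} in"]

def acl_delta(old: List[str], new: List[str]) -> Tuple[List[str], List[str]]:
    """Deny lines to add and to remove when the internal prefix set changes, so
    a PE is updated incrementally instead of having its whole ACL rewritten."""
    old_deny, new_deny = set(old[1:-1]), set(new[1:-1])
    return sorted(new_deny - old_deny), sorted(old_deny - new_deny)

if __name__ == "__main__":
    current = build_acl("PROTECT-CORE", INTERNAL_PREFIXES)
    print("\n".join(current + bind_inbound("GigabitEthernet0/1", "PROTECT-CORE")))
    # Simulate a new core link being provisioned: only the delta is pushed.
    updated = build_acl("PROTECT-CORE", INTERNAL_PREFIXES + ["10.0.0.16/30"])
    added, removed = acl_delta(current, updated)
    print("add:", added, "remove:", removed)
```

Note that the four /30 core links collapse into a single /28 entry, which is what keeps the ACL manageable as the internal addressing fragments over time.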

    FIG. 1 below shows an example of a large SP network, illustrating the core and infrastructure edge PE devices (that have Internet access).

FIG. 1

    FIG. 2 illustrates the Interior Gateway Protocol (IGP) and core infrastructure, and Border Gateway Protocol (BGP) between Provider Edge and Customer Edge.

FIG. 2

    FIG. 3 illustrates ACL configurations on all PE devices to protect against attacks.

FIG. 3

    The solution presented herein applies to edge routers, and involves creating autom...