SlideShare a Scribd company logo

2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 ShowNet

Shuichi Ohkubo
Shuichi Ohkubo

http://www.janog.gr.jp/en/index.php?JANOG36_Meeting%2FJANOG36_Program_Contents%2Fbgpflowspec

Internet
1 of 18
Download to read offline
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team BGP Flowspec Interoperability Test @ Interop Tokyo 2015 ShowNet ShowNet NOC Team member Shuichi Ohkubo 2015/7/17 JANOG36 Lightning Talk
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 2 BGP Flowspec(RFC5575) • Distribute ACL configuration to network router by BGP Normal ACL configuration&operation BGP Flowspec Login & configuration to each routers Too much work :( Easy to work together with security appliance RR BGP
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 33 Use case https://tnc2012.terena.org/core/presentation/41 GRNET NEO TELECOMS http://media.frnog.org/FRnOG_18/FRnOG_18-6.pdf
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 44 Use case https://tnc2012.terena.org/core/presentation/41 GRNET NEO TELECOM http://media.frnog.org/FRnOG_18/FRnOG_18-6.pdf But there is no use case of multi vendors interoperability
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 5 Interoperability test topology @ShowNet2015 Cisco ASR9900 Huawei NE5000E Juniper MX480 Spirent TestCenter TestCenter Proceeded Packets BGP Flowspec vMX Route Generation TestCenter
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 66 Test result BGP Flowspec Action rule Test Item NE5000E ASR9900 MX480 Drop ○ ○ ○ Rate-limit ○ ○ ○ VRF Redirect ○ ○ ○ • Configure rate-limit=0 for Drop action • Rate-limit: Confirmed by measuring the receiving rate to limit 100Mbps against sending 1Gbps traffic from TestCenter. • Redirect :confirm interface counter on 3 routers and monitor latency for received packets by Spirent TestCenter
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 7 VRF Redirect • Confirmed by measuring packets latency after redirecting (it’ not caused by degradation of forwarding functionality of the router) • ASR99xx took about 10 sec for processing after Redirection action rule injection. In case of withdrawn, the change was immediately reflected to the forwarding process. • It depends on BGP Next-hop Scan Timer(configurable) Latency
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 8 Rate-limit
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 99 Test result by Flow type Flow type NE5000E ASR9900 MX480 Type 1 - Destination Prefix ○ ○ ○ Type 2 - Source Prefix ○ ○ ○ Type 3 - IP Protocol ○ ○ ○ Type 4 - Port - - - Type 5 - Destination port ○ ○ ○ Type 6 - Source port ○ ○ ○ Type 7 - ICMP type ○ ○ ○ Type 8 - ICMP code ○ ○ ○ Type 9 - TCP flags ○ (Different NLRI) ○ (Different NLRI) ○ Type 10 - Packet length will support in Next release ○ ○ Type 11 - DSCP ○ ○ ○ Type 12 - Fragment - (Different NLRI) ○ ○
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1010 Difference NLRI format Type9. TCP Flags 0x01202d00023602202d00022a0900028010 0x01202d00023602202d00022a098112 Dest /32 45.0.2.54 Src /32 45.0.2.42 TCP Flg. Dest /32 45.0.2.54 Src /32 45.0.2.42 TCP Flg. Bit mask op op Bit mask op Bit mask 0x10 ACK0x02 SYN 0x12 ACK-SYN Juniper Cisco Configure syn+ack
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1111 Difference NLRI format Type9. TCP Flags ASR receive NLRI but does not work as expected Cisco provide special firmware during the Interop period , confirmed work as expected (It’s already integrated in 5.3.2 as CSCuu79956)
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1212 Difference in Match bit Type9. Type12. op=0x80 op=0x81 0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | e | a | len | 0 | 0 |not| m | +---+---+---+---+---+---+---+---+ 1 0 0 0 0 0 0 0 0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | e | a | len | 0 | 0 |not| m | +---+---+---+---+---+---+---+---+ 1 0 0 0 0 0 0 1 NE5000E treat as Invalid m=0 Juniper Cisco, Huawei Huawei will support in future (support m=0)
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1313 Operation example on ShowNet Always seen SSH Brute-force attack to Shownet Execute filtering by BGP Flowspec 1. permit TCP Port 22 from specific server 2. drop 45.0.0.0/16 TCP Port 22,23 order of evaluation is important
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1414 Need additional command for JUNOS By default, the Junos OS uses the term-ordering algorithm defined in version 6 of the BGP flow specification draft. In Junos OS Release 10.0 and later, you can configure the router to comply with the term-ordering algorithm first defined in version 7 of the BGP flow specification and supported through RFC 5575, Dissemination of Flow Specification Routes. Best Practice: We recommend that you configure the Junos OS to use the term- ordering algorithm first defined in version 7 of the BGP flow specification draft. We also recommend that you configure the Junos OS to use the same term- ordering algorithm on all routing instances configured on a router. set routing-options flow term-order standard http://www.juniper.net/documentation/en_US/junos14.2/topics/topic-map/bgp-flow-routes.html
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 15 Simulate Attacker Web Server (victim) DDoS Mitigation Cisco ASR9900 Juniper MX480 DDOS detection order to BOT GEIKO:C&C order to BOT ① Route-Reflector DDoS Attack DDoS Attack Juniper vMX Huawei NE5000E flowspec Advertise ② Combination demo with SAMURAI ③ ♪ Normal Traffic Attack traffic: scrubbed. Normal traffic: sent back to destination. ④ VRF Redirect Traffic information (xFlow)
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1616 Special Thanks We appreciate a lot of support
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1717 Appendix
Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1818 Software Version • Huawei NE5000E 8.65 • Cisco ASR9900 IOS-XR 5.3.1 • Juniper MX480 Junos 15.1R1.8

Recommended

How to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersHow to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersSolarWinds
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdPavel Odintsov
 
Ixiaexplorer
IxiaexplorerIxiaexplorer
Ixiaexplorernlekh
 
flowspec @ APF 2013
flowspec @ APF 2013flowspec @ APF 2013
flowspec @ APF 2013Tom Paseka
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
TC Flower Offload
TC Flower OffloadTC Flower Offload
TC Flower OffloadNetronome
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Thomas Graf
 

Recommended

How to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersHow to Configure NetFlow v5 & v9 on Cisco Routers
How to Configure NetFlow v5 & v9 on Cisco RoutersSolarWinds
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdPavel Odintsov
 
Ixiaexplorer
IxiaexplorerIxiaexplorer
Ixiaexplorernlekh
 
flowspec @ APF 2013
flowspec @ APF 2013flowspec @ APF 2013
flowspec @ APF 2013Tom Paseka
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
TC Flower Offload
TC Flower OffloadTC Flower Offload
TC Flower OffloadNetronome
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Thomas Graf
 
OVS Hardware Offload with TC Flower
OVS Hardware Offload with TC FlowerOVS Hardware Offload with TC Flower
OVS Hardware Offload with TC FlowerNetronome
 
Using Network Acceleration for an Optimized Edge Cloud Server Architecture
Using Network Acceleration for an Optimized Edge Cloud Server ArchitectureUsing Network Acceleration for an Optimized Edge Cloud Server Architecture
Using Network Acceleration for an Optimized Edge Cloud Server ArchitectureNetronome
 
Implementing MPLS Services using Openflow
Implementing MPLS Services using OpenflowImplementing MPLS Services using Openflow
Implementing MPLS Services using OpenflowAPNIC
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsPavel Odintsov
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Juniper Networks
 
Network Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyNetwork Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyHiroshi Ota
 
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration MethodologiesLF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration MethodologiesLF_OpenvSwitch
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFThomas Graf
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemThomas Graf
 
LF_OVS_17_Red Hat's perspective on OVS HW Offload Status
LF_OVS_17_Red Hat's perspective on OVS HW Offload StatusLF_OVS_17_Red Hat's perspective on OVS HW Offload Status
LF_OVS_17_Red Hat's perspective on OVS HW Offload StatusLF_OpenvSwitch
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityThomas Graf
 
6LoWPAN: An open IoT Networking Protocol
6LoWPAN: An open IoT Networking Protocol6LoWPAN: An open IoT Networking Protocol
6LoWPAN: An open IoT Networking ProtocolSamsung Open Source Group
 
LF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OpenvSwitch
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OpenvSwitch
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATThomas Graf
 
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream KernelLF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream KernelLF_OpenvSwitch
 
DPDK Support for New HW Offloads
DPDK Support for New HW OffloadsDPDK Support for New HW Offloads
DPDK Support for New HW OffloadsNetronome
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossPavel Odintsov
 
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNICIndonesia Network Operators Group
 
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OpenvSwitch
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPROIDEA
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPPROIDEA
 

More Related Content

What's hot

OVS Hardware Offload with TC Flower
OVS Hardware Offload with TC FlowerOVS Hardware Offload with TC Flower
OVS Hardware Offload with TC FlowerNetronome
 
Using Network Acceleration for an Optimized Edge Cloud Server Architecture
Using Network Acceleration for an Optimized Edge Cloud Server ArchitectureUsing Network Acceleration for an Optimized Edge Cloud Server Architecture
Using Network Acceleration for an Optimized Edge Cloud Server ArchitectureNetronome
 
Implementing MPLS Services using Openflow
Implementing MPLS Services using OpenflowImplementing MPLS Services using Openflow
Implementing MPLS Services using OpenflowAPNIC
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsPavel Odintsov
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Juniper Networks
 
Network Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyNetwork Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyHiroshi Ota
 
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration MethodologiesLF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration MethodologiesLF_OpenvSwitch
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFThomas Graf
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemThomas Graf
 
LF_OVS_17_Red Hat's perspective on OVS HW Offload Status
LF_OVS_17_Red Hat's perspective on OVS HW Offload StatusLF_OVS_17_Red Hat's perspective on OVS HW Offload Status
LF_OVS_17_Red Hat's perspective on OVS HW Offload StatusLF_OpenvSwitch
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityThomas Graf
 
LF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OpenvSwitch
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OpenvSwitch
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATThomas Graf
 
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream KernelLF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream KernelLF_OpenvSwitch
 
DPDK Support for New HW Offloads
DPDK Support for New HW OffloadsDPDK Support for New HW Offloads
DPDK Support for New HW OffloadsNetronome
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossPavel Odintsov
 
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNICIndonesia Network Operators Group
 
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OpenvSwitch
 

What's hot (20)

OVS Hardware Offload with TC Flower
OVS Hardware Offload with TC FlowerOVS Hardware Offload with TC Flower
OVS Hardware Offload with TC Flower
 
Using Network Acceleration for an Optimized Edge Cloud Server Architecture
Using Network Acceleration for an Optimized Edge Cloud Server ArchitectureUsing Network Acceleration for an Optimized Edge Cloud Server Architecture
Using Network Acceleration for an Optimized Edge Cloud Server Architecture
 
Implementing MPLS Services using Openflow
Implementing MPLS Services using OpenflowImplementing MPLS Services using Openflow
Implementing MPLS Services using Openflow
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developments
 
Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)Flowspec @ Bay Area Juniper User Group (BAJUG)
Flowspec @ Bay Area Juniper User Group (BAJUG)
 
Network Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudyNetwork Test Automation 2015-04-23 #npstudy
Network Test Automation 2015-04-23 #npstudy
 
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration MethodologiesLF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
 
LF_OVS_17_Red Hat's perspective on OVS HW Offload Status
LF_OVS_17_Red Hat's perspective on OVS HW Offload StatusLF_OVS_17_Red Hat's perspective on OVS HW Offload Status
LF_OVS_17_Red Hat's perspective on OVS HW Offload Status
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network Security
 
6LoWPAN: An open IoT Networking Protocol
6LoWPAN: An open IoT Networking Protocol6LoWPAN: An open IoT Networking Protocol
6LoWPAN: An open IoT Networking Protocol
 
LF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress SchedulingLF_OVS_17_Ingress Scheduling
LF_OVS_17_Ingress Scheduling
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and GotchasLF_OVS_17_OVS-DPDK Installation and Gotchas
LF_OVS_17_OVS-DPDK Installation and Gotchas
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NAT
 
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream KernelLF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
 
DPDK Support for New HW Offloads
DPDK Support for New HW OffloadsDPDK Support for New HW Offloads
DPDK Support for New HW Offloads
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_voss
 
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
 
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecasesLF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
 

Similar to 2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 ShowNet

PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPROIDEA
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPPROIDEA
 
Ryu SDN Framework
Ryu SDN FrameworkRyu SDN Framework
Ryu SDN FrameworkAPNIC
 
PLNOG 7: Emil Gągała, Sławomir Janukowicz - carrier grade NAT
PLNOG 7: Emil Gągała, Sławomir Janukowicz - carrier grade NAT PLNOG 7: Emil Gągała, Sławomir Janukowicz - carrier grade NAT
PLNOG 7: Emil Gągała, Sławomir Janukowicz - carrier grade NAT PROIDEA
 
Lab 9 instructions
Lab 9 instructionsLab 9 instructions
Lab 9 instructionstrayyoo
 
P4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptxP4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptxtampham61268
 
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceAdding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceSamsung Open Source Group
 
Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013
Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013
Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013Đồng Quốc Vương
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
 
Setup VoIP System and Interconnection with LTE network
Setup VoIP System and Interconnection with LTE networkSetup VoIP System and Interconnection with LTE network
Setup VoIP System and Interconnection with LTE networkNazmul Hossain Rakib
 
P&G BT Global Services - LLD Final Revision Year 2008.
P&G BT Global Services - LLD Final Revision Year 2008.P&G BT Global Services - LLD Final Revision Year 2008.
P&G BT Global Services - LLD Final Revision Year 2008.Kapil Sabharwal
 
CCNA_RSE_Chp10.pptx
CCNA_RSE_Chp10.pptxCCNA_RSE_Chp10.pptx
CCNA_RSE_Chp10.pptxHugoGamez7
 
3GPP 5G Control Plane Service Based Architecture
3GPP 5G Control Plane Service Based Architecture3GPP 5G Control Plane Service Based Architecture
3GPP 5G Control Plane Service Based ArchitectureSridhar Bhaskaran
 
SR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementSR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementLF Events
 
SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspeChris Westin
 

Similar to 2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 ShowNet (20)

PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
 
Ryu SDN Framework
Ryu SDN FrameworkRyu SDN Framework
Ryu SDN Framework
 
PLNOG 7: Emil Gągała, Sławomir Janukowicz - carrier grade NAT
PLNOG 7: Emil Gągała, Sławomir Janukowicz - carrier grade NAT PLNOG 7: Emil Gągała, Sławomir Janukowicz - carrier grade NAT
PLNOG 7: Emil Gągała, Sławomir Janukowicz - carrier grade NAT
 
Lab 9 instructions
Lab 9 instructionsLab 9 instructions
Lab 9 instructions
 
P4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptxP4+ONOS SRv6 tutorial.pptx
P4+ONOS SRv6 tutorial.pptx
 
ENSA_Module_10.pptx
ENSA_Module_10.pptxENSA_Module_10.pptx
ENSA_Module_10.pptx
 
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux DeviceAdding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device
 
CCNA CHAPTER 5 BY jetarvind kumar madhukar
CCNA CHAPTER 5 BY jetarvind kumar madhukarCCNA CHAPTER 5 BY jetarvind kumar madhukar
CCNA CHAPTER 5 BY jetarvind kumar madhukar
 
Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013
Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013
Www ccnav5 net_ccna_3_v5_0_scaling_networks_final_exam_2013
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
 
Setup VoIP System and Interconnection with LTE network
Setup VoIP System and Interconnection with LTE networkSetup VoIP System and Interconnection with LTE network
Setup VoIP System and Interconnection with LTE network
 
P&G BT Global Services - LLD Final Revision Year 2008.
P&G BT Global Services - LLD Final Revision Year 2008.P&G BT Global Services - LLD Final Revision Year 2008.
P&G BT Global Services - LLD Final Revision Year 2008.
 
Ccnav5.org ccna 3-v50_final_exam_2014
Ccnav5.org ccna 3-v50_final_exam_2014Ccnav5.org ccna 3-v50_final_exam_2014
Ccnav5.org ccna 3-v50_final_exam_2014
 
Routing protocols
Routing protocolsRouting protocols
Routing protocols
 
CCNA_RSE_Chp10.pptx
CCNA_RSE_Chp10.pptxCCNA_RSE_Chp10.pptx
CCNA_RSE_Chp10.pptx
 
3GPP 5G Control Plane Service Based Architecture
3GPP 5G Control Plane Service Based Architecture3GPP 5G Control Plane Service Based Architecture
3GPP 5G Control Plane Service Based Architecture
 
SR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementSR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and Improvement
 
TCP/IP Basics
TCP/IP BasicsTCP/IP Basics
TCP/IP Basics
 
SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspe
 

More from Shuichi Ohkubo

2017.9.1 JANOG BoF & LT Night#2 クラウド向けのL3VPNサービスを作ってみた話
2017.9.1 JANOG BoF & LT Night#2 クラウド向けのL3VPNサービスを作ってみた話2017.9.1 JANOG BoF & LT Night#2 クラウド向けのL3VPNサービスを作ってみた話
2017.9.1 JANOG BoF & LT Night#2 クラウド向けのL3VPNサービスを作ってみた話Shuichi Ohkubo
 
2017.6.8 ShowNetステージ 地域BWA
2017.6.8 ShowNetステージ 地域BWA2017.6.8 ShowNetステージ 地域BWA
2017.6.8 ShowNetステージ 地域BWAShuichi Ohkubo
 
2016.11.29 InternetWeek マルチベンダ環境におけるEVPN構築のノウハウ
2016.11.29 InternetWeek マルチベンダ環境におけるEVPN構築のノウハウ2016.11.29 InternetWeek マルチベンダ環境におけるEVPN構築のノウハウ
2016.11.29 InternetWeek マルチベンダ環境におけるEVPN構築のノウハウShuichi Ohkubo
 
2016.7.6 さくらの夕べ@沖縄 さくらインターネットの「閉域網サービス」の裏側
2016.7.6 さくらの夕べ@沖縄 さくらインターネットの「閉域網サービス」の裏側2016.7.6 さくらの夕べ@沖縄 さくらインターネットの「閉域網サービス」の裏側
2016.7.6 さくらの夕べ@沖縄 さくらインターネットの「閉域網サービス」の裏側Shuichi Ohkubo
 
2016.03.04 NetOpsCoding#2
2016.03.04 NetOpsCoding#22016.03.04 NetOpsCoding#2
2016.03.04 NetOpsCoding#2Shuichi Ohkubo
 
2015.7.9 Juniper Cloud Builder Conference 2015
2015.7.9 Juniper Cloud Builder Conference 20152015.7.9 Juniper Cloud Builder Conference 2015
2015.7.9 Juniper Cloud Builder Conference 2015Shuichi Ohkubo
 

More from Shuichi Ohkubo (7)

2017.9.1 JANOG BoF & LT Night#2 クラウド向けのL3VPNサービスを作ってみた話
2017.9.1 JANOG BoF & LT Night#2 クラウド向けのL3VPNサービスを作ってみた話2017.9.1 JANOG BoF & LT Night#2 クラウド向けのL3VPNサービスを作ってみた話
2017.9.1 JANOG BoF & LT Night#2 クラウド向けのL3VPNサービスを作ってみた話
 
2017.6.8 ShowNetステージ 地域BWA
2017.6.8 ShowNetステージ 地域BWA2017.6.8 ShowNetステージ 地域BWA
2017.6.8 ShowNetステージ 地域BWA
 
2016.11.29 InternetWeek マルチベンダ環境におけるEVPN構築のノウハウ
2016.11.29 InternetWeek マルチベンダ環境におけるEVPN構築のノウハウ2016.11.29 InternetWeek マルチベンダ環境におけるEVPN構築のノウハウ
2016.11.29 InternetWeek マルチベンダ環境におけるEVPN構築のノウハウ
 
2016.7.6 さくらの夕べ@沖縄 さくらインターネットの「閉域網サービス」の裏側
2016.7.6 さくらの夕べ@沖縄 さくらインターネットの「閉域網サービス」の裏側2016.7.6 さくらの夕べ@沖縄 さくらインターネットの「閉域網サービス」の裏側
2016.7.6 さくらの夕べ@沖縄 さくらインターネットの「閉域網サービス」の裏側
 
2016.03.04 NetOpsCoding#2
2016.03.04 NetOpsCoding#22016.03.04 NetOpsCoding#2
2016.03.04 NetOpsCoding#2
 
2015.10.16 Flowops22
2015.10.16 Flowops222015.10.16 Flowops22
2015.10.16 Flowops22
 
2015.7.9 Juniper Cloud Builder Conference 2015
2015.7.9 Juniper Cloud Builder Conference 20152015.7.9 Juniper Cloud Builder Conference 2015
2015.7.9 Juniper Cloud Builder Conference 2015
 

Recently uploaded

定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxBipin Adhikari
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 

Recently uploaded (20)

Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptx
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 

2015.7.17 JANOG36 BGP Flowspec Interoperability Test @ Interop Tokyo 2015 ShowNet

  • 1. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team BGP Flowspec Interoperability Test @ Interop Tokyo 2015 ShowNet ShowNet NOC Team member Shuichi Ohkubo 2015/7/17 JANOG36 Lightning Talk
  • 2. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 2 BGP Flowspec(RFC5575) • Distribute ACL configuration to network router by BGP Normal ACL configuration&operation BGP Flowspec Login & configuration to each routers Too much work :( Easy to work together with security appliance RR BGP
  • 3. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 33 Use case https://tnc2012.terena.org/core/presentation/41 GRNET NEO TELECOMS http://media.frnog.org/FRnOG_18/FRnOG_18-6.pdf
  • 4. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 44 Use case https://tnc2012.terena.org/core/presentation/41 GRNET NEO TELECOM http://media.frnog.org/FRnOG_18/FRnOG_18-6.pdf But there is no use case of multi vendors interoperability
  • 5. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 5 Interoperability test topology @ShowNet2015 Cisco ASR9900 Huawei NE5000E Juniper MX480 Spirent TestCenter TestCenter Proceeded Packets BGP Flowspec vMX Route Generation TestCenter
  • 6. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 66 Test result BGP Flowspec Action rule Test Item NE5000E ASR9900 MX480 Drop ○ ○ ○ Rate-limit ○ ○ ○ VRF Redirect ○ ○ ○ • Configure rate-limit=0 for Drop action • Rate-limit: Confirmed by measuring the receiving rate to limit 100Mbps against sending 1Gbps traffic from TestCenter. • Redirect :confirm interface counter on 3 routers and monitor latency for received packets by Spirent TestCenter
  • 7. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 7 VRF Redirect • Confirmed by measuring packets latency after redirecting (it’ not caused by degradation of forwarding functionality of the router) • ASR99xx took about 10 sec for processing after Redirection action rule injection. In case of withdrawn, the change was immediately reflected to the forwarding process. • It depends on BGP Next-hop Scan Timer(configurable) Latency
  • 8. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 8 Rate-limit
  • 9. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 99 Test result by Flow type Flow type NE5000E ASR9900 MX480 Type 1 - Destination Prefix ○ ○ ○ Type 2 - Source Prefix ○ ○ ○ Type 3 - IP Protocol ○ ○ ○ Type 4 - Port - - - Type 5 - Destination port ○ ○ ○ Type 6 - Source port ○ ○ ○ Type 7 - ICMP type ○ ○ ○ Type 8 - ICMP code ○ ○ ○ Type 9 - TCP flags ○ (Different NLRI) ○ (Different NLRI) ○ Type 10 - Packet length will support in Next release ○ ○ Type 11 - DSCP ○ ○ ○ Type 12 - Fragment - (Different NLRI) ○ ○
  • 10. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1010 Difference NLRI format Type9. TCP Flags 0x01202d00023602202d00022a0900028010 0x01202d00023602202d00022a098112 Dest /32 45.0.2.54 Src /32 45.0.2.42 TCP Flg. Dest /32 45.0.2.54 Src /32 45.0.2.42 TCP Flg. Bit mask op op Bit mask op Bit mask 0x10 ACK0x02 SYN 0x12 ACK-SYN Juniper Cisco Configure syn+ack
  • 11. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1111 Difference NLRI format Type9. TCP Flags ASR receive NLRI but does not work as expected Cisco provide special firmware during the Interop period , confirmed work as expected (It’s already integrated in 5.3.2 as CSCuu79956)
  • 12. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1212 Difference in Match bit Type9. Type12. op=0x80 op=0x81 0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | e | a | len | 0 | 0 |not| m | +---+---+---+---+---+---+---+---+ 1 0 0 0 0 0 0 0 0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | e | a | len | 0 | 0 |not| m | +---+---+---+---+---+---+---+---+ 1 0 0 0 0 0 0 1 NE5000E treat as Invalid m=0 Juniper Cisco, Huawei Huawei will support in future (support m=0)
  • 13. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1313 Operation example on ShowNet Always seen SSH Brute-force attack to Shownet Execute filtering by BGP Flowspec 1. permit TCP Port 22 from specific server 2. drop 45.0.0.0/16 TCP Port 22,23 order of evaluation is important
  • 14. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1414 Need additional command for JUNOS By default, the Junos OS uses the term-ordering algorithm defined in version 6 of the BGP flow specification draft. In Junos OS Release 10.0 and later, you can configure the router to comply with the term-ordering algorithm first defined in version 7 of the BGP flow specification and supported through RFC 5575, Dissemination of Flow Specification Routes. Best Practice: We recommend that you configure the Junos OS to use the term- ordering algorithm first defined in version 7 of the BGP flow specification draft. We also recommend that you configure the Junos OS to use the same term- ordering algorithm on all routing instances configured on a router. set routing-options flow term-order standard http://www.juniper.net/documentation/en_US/junos14.2/topics/topic-map/bgp-flow-routes.html
  • 15. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 15 Simulate Attacker Web Server (victim) DDoS Mitigation Cisco ASR9900 Juniper MX480 DDOS detection order to BOT GEIKO:C&C order to BOT ① Route-Reflector DDoS Attack DDoS Attack Juniper vMX Huawei NE5000E flowspec Advertise ② Combination demo with SAMURAI ③ ♪ Normal Traffic Attack traffic: scrubbed. Normal traffic: sent back to destination. ④ VRF Redirect Traffic information (xFlow)
  • 16. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1616 Special Thanks We appreciate a lot of support
  • 17. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1717 Appendix
  • 18. Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1818 Software Version • Huawei NE5000E 8.65 • Cisco ASR9900 IOS-XR 5.3.1 • Juniper MX480 Junos 15.1R1.8