All content in this area was uploaded by Balaji Venkat Venkataswami on Jun 20, 2020
Scalable Anti-spoofing Mechanism at the Edge.
1.0 Introduction :

DoS, DDoS and DRDoS (distributed reflection) attacks are usually mounted with spoofed source IP addresses, that is, addresses belonging to a subnet the attacker does not own. Reflection and amplification attacks depend on spoofing outright, since the reflector answers the forged source. Many such attacks are also launched through botnets of compromised machines, and the malware on those bots typically forges the source address of its attack packets as well. Spoofed-source attacks remain practical because spoofed packets are rarely filtered at the edge of the network, where the legitimate source prefixes are actually known. By edge we mean the enterprise network edge if the bots or the attacker sit in an enterprise network, the Tier 3 Internet Service Provider edge, the customer-facing edges of a Tier 2 or Tier 1 ISP, or the edge of a local service provider that buys transit from hierarchically superior ISPs.

Filtering at the edge does not take place because it requires Unicast Reverse Path Forwarding (uRPF, the ingress source-address validation of BCP 38 / RFC 2827 and RFC 3704) to be enabled there. uRPF in turn is left off because, on modern routers, the TCAM (Ternary Content Addressable Memory) that holds the forwarding table must be divided into two equal banks so that the source-based lookup and the destination-based lookup can run simultaneously. TCAMs are expensive. Take a router with a 1000-entry TCAM as an example: it can hold 1000 route entries in all, so as soon as the routing table exceeds 500 entries (1000 / 2) there is no longer room for one copy for destination lookup and a second for the uRPF source lookup. The TCAM entry count therefore caps the table size at which both lookups can be enabled. (On platforms that instead run the source check as a second pass through the same table, the cost appears as a halved forwarding rate rather than halved capacity; either way the operator pays for the check.) Given this constraint, most edge routers, wherever that edge may be, do not enable the uRPF check with equal bank division, and as route counts grow even at the edge the constraint only tightens, so source IP address spoofing is still common. The current workaround is an external TCAM, which costs substantially more than the existing main TCAM.
2.0 Methodology of the invention :

This invention disclosure devises a scheme by which the source-based IP lookup for uRPF can be done without seriously straining the existing TCAM resources. TCAM entries are normally organised into banks, each holding a power-of-two number of route entries: an 8192-entry TCAM, for example, consists of two banks of 4096 entries, and the same holds for TCAMs of one or two million entries. What we propose in this disclosure is to set aside a separate TCAM, extremely small compared with the main TCAM, dedicated to the source-based lookup that prevents spoofing of source IP addresses.

Assume an access router at the edge of an enterprise network with a main TCAM of 24 banks of 4096 entries each (98304 entries), and assume 1024 subnets of varying mask length deployed within the enterprise. This invention proposes a uRPF TCAM of 8192 entries (two banks of 4096) on the Route Processor module and possibly on every line card in the chassis. If the edge router is not chassis-based but a 1 RU or 2 RU unit, the lookup engine is laid out so that this uRPF TCAM of, say, 8192 entries is consulted in parallel with the destination lookup. The separate uRPF TCAM is filled with the routing-table entries for the connected networks and the other networks reachable via the enterprise-facing (inner edge) interfaces. Each entry must also carry the interface, or set of interfaces, through which the prefix is reachable, because strict-mode uRPF compares that against the interface the packet arrived on; an entry without interface information supports only loose mode. In our example the 8192 entries accommodate up to 8192 subnets of varying mask length, /32 host routes included, which is sufficient for a normal-sized enterprise running a routing protocol internally. For larger enterprises the uRPF TCAM can be made bigger to hold the subnets and /32 entries reachable from the inner-edge-facing interfaces.
2.1 Lookup algorithm modified for separate uRPF :

In the network processor unit,

a) The destination IP address is looked up in the normal, larger TCAM.
b) In parallel, the source IP address is looked up in the uRPF TCAM.
c) If strict mode is configured on the ingress interface, the packet is dropped, and forwarding after the destination lookup is aborted, when the source address has no entry in the uRPF TCAM or when the matching entry's interface does not match the interface the packet arrived on.
   c.1) If the ingress interface is not configured for the uRPF check, step (c) is bypassed for that packet.
d) If loose mode is configured on the ingress interface, the packet is dropped, and forwarding after the destination lookup is aborted, only when the source address has no entry at all in the uRPF TCAM; a match on any entry passes, whichever interface it points to. Because a default route would match every source, it must not be installed in the uRPF TCAM if loose mode is to mean anything.
   d.1) If the ingress interface is not configured for the uRPF check, step (d) is bypassed for that packet.
e) Likewise for the other uRPF variants in vogue or yet to come, such as feasible-path mode (RFC 3704), which accepts any of several interfaces over which the source prefix is reachable, and enhanced feasible-path mode (RFC 8704); these need the entry to carry a set of permitted interfaces rather than a single one.
2.2 Alternative to a physically distinct separate uRPF TCAM :

If a smaller uRPF TCAM cannot be added to the network processor unit, then a configurable, unequal division of the banks in the existing large main TCAM can be enabled through the SDK that accompanies the network processor. The API call divides the main TCAM into two or more unequal parts, one of which is used for uRPF while the larger remainder is used for destination-based lookup. This is a second invention proposed in this disclosure.

For example, with a TCAM of 24 banks of 4096 route entries each, two or possibly three banks can be given to the uRPF lookup and the rest to destination lookup. Issued when the routing table is loaded into the TCAM, the call thus enables simultaneous uRPF and destination lookups over the unequal parts. With the existing state of the art, the TCAM logic can look up the unequally divided banks simultaneously, which is entirely plausible today.
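The two-table lookup of sections 2.1 and 2.2 can be modelled in software to check the forwarding decisions before committing them to an SDK partition scheme. The following Python is an added example and not part of this disclosure; the bank sizes, prefixes, interface names and helper names (Partition, partition_tcam, install_urpf_prefix, forward, build_example) are constructed for illustration. It carves an unequal share of banks for the source lookup, refuses a default route in the source table, and shows strict mode dropping a legitimate but asymmetrically routed source that loose mode passes.

```python
"""Two-table forwarding model for sections 2.1 and 2.2 of the disclosure.

A large destination FIB and a much smaller source-verification (uRPF)
table are carved out of one pool of TCAM banks in unequal shares.  All
sizes, prefixes and interface names below are constructed for the example.
"""
from ipaddress import ip_address, ip_network

BANK_SIZE = 4096     # route entries per TCAM bank (figure used in the text)
TOTAL_BANKS = 24     # main TCAM of the text's edge-router example


class Partition:
    """A set of TCAM banks holding prefixes. Lookup is longest-prefix match,
    which is what the TCAM's priority ordering by mask length gives in hardware."""

    def __init__(self, banks, bank_size=BANK_SIZE):
        self.capacity = banks * bank_size
        self.entries = {}   # ip_network -> associated data (egress iface or iface set)

    def install(self, prefix, data):
        net = ip_network(prefix)
        if net not in self.entries and len(self.entries) >= self.capacity:
            raise MemoryError("TCAM partition full: %d entries" % self.capacity)
        self.entries[net] = data

    def lookup(self, addr):
        """Return (prefix, data) of the longest matching entry, or None."""
        a = ip_address(addr)
        best = None
        for net, data in self.entries.items():
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, data)
        return best


def partition_tcam(urpf_banks, total_banks=TOTAL_BANKS):
    """Unequal division of 2.2: a few banks for source lookup, the rest for the FIB."""
    if not 0 < urpf_banks < total_banks:
        raise ValueError("uRPF share must leave banks for destination lookup")
    return Partition(total_banks - urpf_banks), Partition(urpf_banks)


def install_urpf_prefix(urpf, prefix, ingress_ifaces):
    """Source-table entry: prefix -> set of interfaces it may legitimately arrive on.
    A default route is refused: in loose mode it would match every source and
    turn the check into a no-op (the 'allow-default' pitfall of real uRPF)."""
    if ip_network(prefix).prefixlen == 0:
        raise ValueError("default route must not be installed in the uRPF partition")
    urpf.install(prefix, frozenset(ingress_ifaces))


def forward(fib, urpf, in_iface, src, dst, mode):
    """Lookup algorithm of 2.1.  mode is None (uRPF not configured on in_iface),
    'loose' (source must have some entry) or 'strict' (entry must list in_iface).
    Returns ('FORWARD', egress) or ('DROP', reason)."""
    route = fib.lookup(dst)                 # (a) destination lookup in the big table
    if mode is not None:
        src_entry = urpf.lookup(src)        # (b) source lookup in the small table
        if src_entry is None:               # (c)/(d): unknown source is spoofed
            return ("DROP", "no route to source")
        if mode == "strict" and in_iface not in src_entry[1]:
            return ("DROP", "source %s not reachable via %s" % (src_entry[0], in_iface))
    if route is None:
        return ("DROP", "no route to destination")
    return ("FORWARD", route[1])


def build_example():
    """Enterprise edge: 2 banks for uRPF, 22 for the FIB (constructed data)."""
    fib, urpf = partition_tcam(urpf_banks=2)
    fib.install("0.0.0.0/0", "uplink0")          # default toward the provider
    fib.install("10.1.0.0/16", "ge-1")
    fib.install("10.2.0.0/16", "ge-2")
    # Inner-edge prefixes only; no default route goes into the source table.
    install_urpf_prefix(urpf, "10.1.0.0/16", {"ge-1"})
    install_urpf_prefix(urpf, "10.2.0.0/16", {"ge-2"})
    install_urpf_prefix(urpf, "10.3.0.0/16", {"ge-1", "ge-2"})   # dual-homed site: feasible paths
    return fib, urpf


if __name__ == "__main__":
    fib, urpf = build_example()
    print(forward(fib, urpf, "ge-1", "10.1.5.7", "198.51.100.1", "strict"))
    print(forward(fib, urpf, "ge-1", "203.0.113.9", "198.51.100.1", "strict"))  # spoofed
    print(forward(fib, urpf, "ge-1", "10.2.0.5", "198.51.100.1", "strict"))     # asymmetric path
    print(forward(fib, urpf, "ge-1", "10.2.0.5", "198.51.100.1", "loose"))
```

Run the file directly to see the four forwarding decisions. The per-entry interface set is what lets the same small table serve strict, loose and feasible-path modes; a hardware implementation would carry it in the TCAM's associated-data SRAM rather than in the match key.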
Since the uRPF check belongs at the edge, core routers need not enable this feature: in the middle of an ISP or of the Internet the number of source and destination prefixes is far too large, and an unequal division of the TCAM there would be unwise. The same holds for a provider's peering and transit edge, where the full table sits behind every interface. For an enterprise access edge router, a local service provider's customer-facing edge, or even the customer-facing edge of a Tier 2 ISP, the scheme works out well, because the prefixes legitimately sourced behind those interfaces form a small, known set. The logic is that spoofing must be stopped at the edge, as close as possible to the botnet or compromised host, or to the attacker if he is not going through a botnet, which is the outer fringe of the Internet.

In essence, the source lookup votes on whether the result of the destination lookup is acted upon. This is represented in the following diagrams.
Example of an L3 switch (a.k.a. router on a switch) with TCAM for L3 lookup.

Figure 1.0 Generic picture of Internet Topology.
The intent is to deploy switches of the proposed architecture in stub domains, at the very edge, to access partitions of such stub domains, so as to contain IP source address spoofing. The scheme can also be deployed at the firewall at the boundary of the enterprise network, and should also be deployed at the customer-facing ingress edge of local service providers.
Legacy methods of Destination based IP lookup

                                      +-------+
+--------------------+    IP          | Main  |
|  Layer 3 Lookup    |    Lookup      | TCAM  |
|  Engine            |--------------->|       |
|                    |                |       |
+--------------------+                |       |
                                      +-------+

Legacy methods of Destination and source based lookup

                          Dest.       +-------+
+--------------------+    IP          | Main  |
|  Layer 3 Lookup    |    Lookup      | TCAM  |
|  Engine            |--------------->|-------|   Equal division of TCAM
|                    |    Src.        |       |   into Dst lookup banks
+--------------------+    IP          |       |   and Src lookup banks
                          Lookup      +-------+

2.3.1.0 Proposal for Ancillary (Smaller fraction) TCAM Source based IP lookup

                          Dest.       +-------+
+--------------------+    IP          | Main  |
|  Layer 3 Lookup    |    Lookup      | TCAM  |
|  Engine            |--------------->|       |
|                    |                |       |
+--------------------+                |       |
          |                           +-------+     Separate TCAM for
          | Source                                  Source IP lookup
          | IP Lookup     +-----------+
          +-------------->| Ancillary |
                          | Smaller   |
                          | TCAM      |
                          +-----------+

2.3.2.0 Proposal for Unequal Division of TCAM with Smaller fraction for Source based IP lookup

                          Dest.       +-----------+
+--------------------+    IP          | Main      |
|  Layer 3 Lookup    |    Lookup      | TCAM      |
|  Engine            |--------------->|           |   Unequal division of
|                    |                |           |   TCAM. Larger fraction
+--------------------+                |-----------|   for Dst Lookup and
          |   Source IP Lookup        | Anc. TCAM |   Smaller fraction for
          +-------------------------->|           |   Src Lookup.
                                      +-----------+
Figure 2.0 Internet Service Provider Hierarchy.

The figure illustrates the structure of the Internet hierarchy, with ISPs divided into Tier 1, Tier 2, Tier 3 and local service providers on the lowest rungs. Sometimes even Tier 1 providers give Internet access to end users, and so do Tier 2 and Tier 3 providers. At the very edge closest to the end users these providers can deploy routers implementing the invention at low cost, since the TCAM sizes needed at these edges are a fraction of those needed higher up in the hierarchy. The logic is to contain spoofing at the edges so that it need not be done in the core or at the edge-core boundary. The edge networks include enterprise networks deploying the invention at their access edges.
Figure 3.0 Typical example of an L3 switch close to the access edge or within an Enterprise.

Here the FIB TCAM can be partitioned unequally across its banks to provide the L3 engine with both destination-based and source-based lookups.
3.0 Advantages :
- Source IP address spoofing from the edge can be stopped without causing scalability problems for the TCAM complex.
- Unequal division of the TCAM through the SDK API is easily deployable: only the appropriate API call needs to be changed or added, so the change is to firmware alone and can be rolled out as a simple software upgrade.
- Since the number of subnets at the access edge of the Internet is small, the scheme isolates the spoofing check to the edge without difficulty.
- TCAM logic has become flexible enough in the current state of the art that incorporating the unequal division scheme is not much of an impediment.
- DoS, DDoS and DRDoS attacks that rely on spoofed source addresses are substantially reduced, if not eliminated, where the scheme is deployed. (Floods sent by bots from their own, unspoofed addresses are outside the scope of any source-address validation and still need other controls.)
- Other spoofing attacks within an enterprise network or at an ISP edge (local or Tier 3, and the outer rungs of Tier 1 or Tier 2 ISPs) can also be greatly reduced.
- Security is thereby enhanced: only addresses legitimately reachable behind an edge interface are allowed to source packets through it.
- The proposal applies to P4-based programmable network forwarding chips as well.
- The invention takes advantage of the multiple IP lookups across different TCAM regions or banks that are already common practice; only programming effort is needed to implement it.
- Low-end routers at the edges of the Internet or at the boundary of an enterprise need no external TCAM, which would add cost. Cost is an important issue this invention addresses.
4.0 Novelty :
a) A scheme of this kind has not been seen in prior art, as far as searches of the Internet show.
b) By keeping the invention at the edges of the Internet, the scheme is easy to deploy: the number of subnets at the edge is limited to a fraction of the total routes carried by a core router in the middle of the Internet. Hence the scheme is extremely scalable.
c) The unequal division of banks, with simultaneous lookup in the unequal divisions, can be facilitated by the current state of the art.
d) If not, as per point (c), this invention introduces a paradigm change in the area of TCAMs, which can then be divided unequally with simultaneous lookup enabled in each unequal division.
e) In the immediate past the technique has been to divide the TCAM into two equal parts, placing the destination-lookup prefixes in one and the source-lookup prefixes in the other, essentially two copies of the entire routing table, to achieve the same purpose. This has been inefficient, since twice the TCAM capacity was required when the table was close to full.