Tuesday, 28 February 2012

Source filtering L2TP

One of the things we do as standard is source filtering of L2TP connections. It means that our customers on broadband cannot spoof packets. This is standard on Internet services and Best Current Practice.

It is not filtering their Internet connection as the packets are not validly from them if they have the wrong source IP, IMHO, so lets not start that discussion.

We are quite comprehensive, catching IPv4, IPv6, tunneled IPv6 with us as the endpoint, and 2002::/16 prefix IPv6 using their IPv4 address space, and even when that is tunneled over IPv4. So quite generous!

The way it works is that when a packet arrives we look up where we would send that packet. If to the same L2TP session then it is allowed. If bonded to multiple sessions and one matches, then it is allowed.

We even go further, and if there are lower metric L2TP sessions for that target IP we check those too. The reason is that someone may have main and backup downlink on the same IPs but want to bond uplink - sending from those IPs from either or two (or more) lines. It works well.

The issue is when we have multiple LNSs. For bonded downlink we ensure lines go to the same LNS (by using a hash of the login to direct sessions), but there can be any number of reasons for this not to be the case including equipment failure and planned LNS changovers.

We have a system to pick up split LNS line groups and bounce lines to fix this.

But still, there can be a problem - a window of opportunity to be broken. The issue is that the routes are shared by BGP, so if line 1 is high priority on LNS 1, and line 2 is low priority on LNS 2, then LNS 2 sees the best route to send traffic to LNS 1 (by BGP) and so does that.

For downlink routing that is fine - the split LNS sends data down one line not bonded. Not as fast but it works.

The uplink breaks though as LNS 2 does a route lookup and finds it would route to the other LNS not to an L2TP session, and so blocks the uplink traffic. Ooops.

So, much coding today, and much testing, and now the forwarding system has a list of L2TP session for source checking on any route type, even BGP. So it sees BGP to other LNS as best route but sees it also have one or more lower metric L2TP session route, and so allows the uplink traffic if the session matches.

New code in place, more testing to do, but may be deployed this week for real.

No comments:

Post a Comment