Thursday, June 7, 2012

Configuring MPLS - MPLS ttl-propagation

Would you disclose any more than you had to about your network? I certainly follow the logic that the more I disclose, the less secure my network becomes.

This post is a follow-up to my 'Configuring MPLS - Easiest L3VPN Ever' post, in which I stated that when we do a traceroute from the CE (Customer Edge) router we can see inside the MPLS cloud: every next-hop router in the core is exposed to the customer. Check out the screenshot below.


Why is this happening? Because, by default, the TTL value of the original IP packet is copied into the MPLS header.

Here is what an MPLS header looks like.

To have the TTL in the MPLS header calculated independently of the IP header TTL, type 'no mpls ip propagate-ttl'. This turns off the default behaviour of copying the IP header TTL into the MPLS header TTL field; instead the ingress LSR sets the MPLS header TTL to 255, and that value is decremented by one at each LSR hop.

A simple demonstration below with 'mpls ip propagate-ttl', which is on by default.
  • Packet arrives at the ingress LSR with an IP TTL of 6.
  • 6 is copied (propagated) into the MPLS header TTL field.
  • The MPLS header TTL is decremented by 1 at each LSR.
  • The IP TTL is decremented at the LSR directly connected to the LER (Label Edge Router) and then again by the LER before it sends the packet to the CE (Customer Edge) router. The reason the LSR directly connected to the LER decrements the IP TTL is penultimate hop popping. I will soon write up a blogtorial on penultimate hop popping, better known as PHP :)
Now, after we issue the global command 'no mpls ip propagate-ttl', the IP TTL field will no longer be copied into the MPLS header TTL field.

A simple demonstration below after the global command has been issued.
  • Packet arrives at the ingress LSR with an IP TTL of 6, and this value is preserved for now.
  • The MPLS header TTL field is set to 255.
  • The MPLS header TTL is decremented by 1 at each LSR.
  • The IP TTL is decremented at the LSR directly connected to the LER (Label Edge Router) and then again by the LER before it sends the packet to the CE (Customer Edge) router. The reason the LSR directly connected to the LER decrements the IP TTL is penultimate hop popping.
Two parameters: 

There are a couple of options you have with no mpls ip propagate-ttl [local | forwarded]:
  • Local - disables TTL propagation only for locally generated packets (those the router itself originates).
  • Forwarded - disables TTL propagation only for forwarded packets, meaning the MPLS core structure is hidden from the customers but not from the provider's own routers.
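To make the two demonstrations above and the local/forwarded options concrete, here is an added simulation (example code, not from the original post or from Cisco) of what a traceroute reveals under each setting. The topology (CE1, PE1 as ingress LER, P1 and P2 as core LSRs with P2 doing PHP, PE2 as egress LER, CE2) and the mode strings are constructed for this example. The model is simplified: it tracks only which TTL each router decrements and which router's ICMP time-exceeded reply the traceroute shows; when propagation is off, the label TTL starts at 255 and the core only ever touches the label TTL, so the IP TTL next expires at the egress LER.

```python
"""Simulate how 'mpls ip propagate-ttl' affects what a traceroute reveals.

Constructed topology: CE1 -> PE1 (ingress LER) -> P1 -> P2 -> PE2 (egress LER) -> CE2
"""

PATH = ["CE1", "PE1", "P1", "P2", "PE2", "CE2"]
INGRESS = "PE1"
CORE = ["P1", "P2"]          # label-switching routers; P2 is the penultimate hop (PHP)
LABEL_TTL_NO_PROP = 255      # label TTL written when propagation is disabled


def propagation_applies(mode, locally_generated):
    """Return True if the IP TTL is copied into the label TTL for this packet.

    mode (assumed strings): "propagate" (default), "no-propagate",
    "no-propagate forwarded", "no-propagate local"
    """
    if mode == "propagate":
        return True
    if mode == "no-propagate":
        return False
    if mode == "no-propagate forwarded":
        return locally_generated       # only forwarded (customer) traffic is hidden
    if mode == "no-propagate local":
        return not locally_generated   # only the PE's own packets are hidden
    raise ValueError("unknown mode: %r" % mode)


def send_probe(ip_ttl, mode, locally_generated=False):
    """Forward one probe along PATH and return the router that answers it.

    Each router decrements the TTL it forwards on: the IP TTL outside the
    MPLS core, the label TTL inside it. A router whose decrement reaches 0
    answers with ICMP time-exceeded, which is what traceroute displays.
    """
    copy_ttl = propagation_applies(mode, locally_generated)
    label_ttl = None
    if locally_generated:
        # PE1 sources the packet itself: it pushes the label without decrementing IP TTL
        label_ttl = ip_ttl if copy_ttl else LABEL_TTL_NO_PROP
        hops = PATH[2:]
    else:
        hops = PATH[1:]

    for router in hops:
        if router == PATH[-1]:            # destination always answers the probe
            return router
        if router == INGRESS:
            ip_ttl -= 1
            if ip_ttl == 0:
                return router
            label_ttl = ip_ttl if copy_ttl else LABEL_TTL_NO_PROP
        elif router in CORE:
            label_ttl -= 1
            if label_ttl == 0:
                return router
            if router == CORE[-1]:        # penultimate hop popping
                if copy_ttl:
                    ip_ttl = label_ttl    # label TTL written back into the IP header
                label_ttl = None          # with propagation off the IP TTL is left alone
        else:                             # egress LER: plain IP forwarding
            ip_ttl -= 1
            if ip_ttl == 0:
                return router
    raise RuntimeError("probe fell off the end of PATH")


def traceroute(mode, locally_generated=False, max_ttl=30):
    """Return the routers revealed, one per probe TTL, until the destination answers."""
    revealed = []
    for ttl in range(1, max_ttl + 1):
        router = send_probe(ttl, mode, locally_generated)
        revealed.append(router)
        if router == PATH[-1]:
            break
    return revealed


if __name__ == "__main__":
    for mode in ("propagate", "no-propagate", "no-propagate forwarded", "no-propagate local"):
        print("%-24s customer (CE1): %s" % (mode, " -> ".join(traceroute(mode))))
        print("%-24s provider (PE1): %s" % ("", " -> ".join(traceroute(mode, locally_generated=True))))
```

Running it shows the customer traceroute collapsing from PE1 -> P1 -> P2 -> PE2 -> CE2 to PE1 -> PE2 -> CE2 once propagation is off, while with the 'forwarded' keyword the provider's own traceroute from PE1 still lists P1 and P2. Note that the PE routers remain visible to the customer in every mode; only the core LSRs are hidden.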
Conclusion:
MPLS is a highly complex protocol; however, if you understand the concepts, getting a lab up and running should be fairly easy to do.

Recommended books to read on MPLS are:
  • MPLS and VPN Architectures by Ivan Pepelnjak 
  • MPLS and VPN Architectures, Volume II by Ivan Pepelnjak

Many more articles to come so stay tuned.

If you like my posts please subscribe/comment/+1.

Thank you. 
