Tcp-Based Reliable Transport Sessions; How To Implement Data Plane Security; Enable Source Rloc-Based Decapsulation Filtering - Cisco ASR 9000 Series Routing Configuration Manual

TCP-based Reliable Transport Sessions

To rebuild its EID instance membership database, the (P)xTR issues a Membership-Refresh-Request message
as soon as the Map-Server indicates that it is willing to provide membership services through a
Membership-ACK message. The (P)xTR maintains an epoch for each discovered membership entry. When
a Membership-Refresh-Start message is received from a Map-Server, the (P)xTR increments the epoch it
maintains for the Map-Server and EID instance combination, thus flagging the existing membership state as
stale. Subsequent Membership-Add messages received during the refresh update the epoch of the corresponding
entries. When the Membership-Refresh-End message is received, the (P)xTR sweeps the membership entries
for the EID instance received from the Map-Server deleting the ones carrying an old epoch that have not been
updated during the refresh.
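The epoch mechanism described above, as an added Python example (not code from the Cisco guide): a minimal per-(Map-Server, EID instance) membership table that increments the epoch on Membership-Refresh-Start, re-stamps entries on Membership-Add, and sweeps entries that kept an old epoch on Membership-Refresh-End. Map-Server names, instance IDs and RLOC addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class MembershipDb:
    # (map_server, iid) -> epoch currently in force for that combination
    epoch: dict = field(default_factory=dict)
    # (map_server, iid) -> {rloc: epoch the entry was last stamped with}
    entries: dict = field(default_factory=dict)

    def refresh_start(self, map_server: str, iid: int) -> int:
        """Membership-Refresh-Start: bump the epoch, implicitly flagging existing entries stale."""
        key = (map_server, iid)
        self.epoch[key] = self.epoch.get(key, 0) + 1
        self.entries.setdefault(key, {})
        return self.epoch[key]

    def membership_add(self, map_server: str, iid: int, rloc: str) -> None:
        """Membership-Add: create or re-stamp the entry with the current epoch."""
        key = (map_server, iid)
        self.entries.setdefault(key, {})[rloc] = self.epoch.get(key, 0)

    def refresh_end(self, map_server: str, iid: int) -> list[str]:
        """Membership-Refresh-End: delete entries not updated during the refresh; return them."""
        key = (map_server, iid)
        current = self.epoch.get(key, 0)
        table = self.entries.get(key, {})
        stale = sorted(r for r, e in table.items() if e != current)
        for rloc in stale:
            del table[rloc]
        return stale

    def members(self, map_server: str, iid: int) -> set[str]:
        return set(self.entries.get((map_server, iid), {}))


def run_refresh_example() -> tuple[list[str], set[str], set[str]]:
    """Constructed message sequence: one member disappears between two
    refreshes while an unrelated EID instance must be left untouched."""
    db = MembershipDb()
    db.refresh_start("ms1", 100)
    for rloc in ("10.0.0.1", "10.0.0.2"):
        db.membership_add("ms1", 100, rloc)
    db.refresh_end("ms1", 100)                      # nothing stale yet
    db.membership_add("ms1", 200, "10.0.0.9")       # different EID instance
    db.refresh_start("ms1", 100)                    # second refresh cycle
    db.membership_add("ms1", 100, "10.0.0.2")       # 10.0.0.1 is not re-announced
    db.membership_add("ms1", 100, "10.0.0.3")
    swept = db.refresh_end("ms1", 100)
    return swept, db.members("ms1", 100), db.members("ms1", 200)
```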
Filter Communication to Forwarding
The LISP control plane uses the RIB opaque facility for communicating information through the RIB, all the
way to all FIB instances as part of table distribution. Messages are defined to:
• Convey the filter enablement state on a per RLOC AF and EID instance granularity
• Convey RLOC filter entries
TCP-based Reliable Transport Sessions

LISP uses TCP-based sessions between the xTRs and Map-Servers for EID instance membership distribution.
The reliable transport session supports (using TCP port 4342) establishing an active or passive session,
with the xTR taking the active role and the Map-Server the passive role. Sessions are accepted only from valid
RLOCs on the Map-Server side, based on source RLOC filtering. The number of concurrent TCP connections
that can be supported varies on a per-OS and per-platform basis. Some security considerations that you must
take into account:
• The number of xTRs that a Map-Server can cater for is limited by the number of TCP sessions that a
platform can establish and maintain. This determines the number of VPN customers that a Map-Server
can host. Horizontal scaling is achieved by dividing VPN customers between multiple Map-Servers.
• All the xTRs belonging to the same VPN must register with the same Map-Server. You cannot have
VPNs with a larger number of xTRs than the Map-Server TCP session scale limit.
• Session authentication of the initial deliverable relies on the integrity of the RLOC network and only
filters TCP sessions using the source address of packets.
For additional details on the TCP-based reliable transport session, such as Session Establishment, Reliable Transport
Message Format, Keep-alive Message, and Error Notification Message, see
http://tools.ietf.org/id/draft-kouvelas-lisp-reliable-transport-00.txt.

How to Implement Data Plane Security

This section contains the following procedures:

Enable Source RLOC-based Decapsulation Filtering

To configure an xTR or Proxy-xTR to download decapsulation filter lists for source validation when
decapsulating LISP packets, use the decapsulation filter source command in the lisp configuration mode.
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
662
Implementing Data Plane Security
