It is a long-standing challenge of enterprise network design to provide a mechanism for ensuring that source/destination inverted network flows take semi-symmetric paths when the two endpoints of the flow are in separate “Network Security Zones” (NSZs). The desire for this path-selection behavior is driven by fact that nodes on the border of Network Security Zones (NSZs) typically run stateful inspection/enforcement services (such as network firewall services with stateful-packet-inspection), and those services will reject traffic if they do not process both flows in that source/destination-inverted flow-pair.
The lack of a solution to this problem has historically created a strong design-incentive to avoid creating multiple borders/perimeters between the same network security zones. This, in turn, has led to downstream design constraints which introduce un-wanted inefficiencies.
This article describes a novel BGP routing-policy framework that provides the a mechanism for ensuring that source/destination-inverted flow-pairs between nodes in separate “Network Security Zones” do traverse the same state-enforcing perimeter nodes between the two Network Security Zones.
This framework uses administratively defined key-value-pair tags (in BGP large-community attributes) to describe policy-relevant properties of both network transport nodes (the routers) and the network-segments/routes that they originate. Those tags are then used as policy primitives in route-map configurations that implement the logic of the novel(?) path selection algorithm introduced here.
Context
The use of stateful-inspection services (typically network firewalls) at network-security zone perimeters introduces a functional requirement for symmetric routing of traffic between two endpoints. That is to say, the path for endpoint(1) to endpoint(2) must traverse the same network firewall as the path for endpoint(2) to endpoint(1).
In traditionally-segmented enterprise networks, traffic moving between zones must be inspected by a firewall, and traffic moving within a single zone does not need to be inspected. Due to the high capacity tax associated with state synchronization between members of a firewall cluster and the requirement for LAN-scale latency of synchronization traffic, firewall instances are typically deployed in resilient pairs a a single site.
If an enterprise wishes to host workload in the same security zone at multiple sites though, difficulties arise when a given flow crosses both site and zone boundaries. In this scenario, optimal forwarding behavior has historically been extremely difficult to achieve and is typically only approximated by choosing which design objectives to compromise.
The Framework
This framework uses the following high-level elements to solve the challenges described above.
- A formalization of the widely adopted concept of “network security zones” which is generalized to the concept of “symmetric perimeter zones”.that acknowledges and incorporates the concepts innately hierarchical structure to derive the “transit zone” concept.
- A formalization of the widely adopted concept of “site”/”location” which is generalized to the concept of “path affinity groups.”
- The use of BGP large-community attributes to label the “symmetric security zone” and “path affinity group” in which a prefix is originated
- Explicit rules of inference prescribing the topology in which symmetric security zones and path affinity groups may be instantiated
- A novel path selection alogirithm implemented using standard/ubiquitous BGP and route-map functionality