IRR and Routing (transcript)

Route filtering using IRRs
APAN Net Eng Singapore - 19 July 2006
[email protected]
AARNet3 National Network
• STM-64c (10Gbps) Backbone
• Dual PoPs with divergent paths in major cities
• Dual and divergent STM-1s to NT & Tasmania
• DWDM network
– Providing backbone
– Providing multiple GigE to regional areas
• Provides Commodity and R&E traffic to customers
© 2006, AARNet Pty Ltd
AARNet3 Network
AARNet3 International Network
• Multiple trans Pacific circuits
– 2 x STM-64c for research and education
– 4 x STM-4c (4 x 622Mbps) for commodity (LA & PA)
– 2 x STM-1 (155 Mbps) to Seattle
• Connections to Europe and Asia
– 2 x 2 x STM-1 to Singapore
– STM-4 to Frankfurt
AARNet3 International Connectivity
Commodity Provision
• International commodity from
– Palo Alto
– Los Angeles
– Seattle
– Frankfurt
• Domestic commodity in
– Sydney
– Melbourne
– Adelaide
– Canberra
– Brisbane
– Perth etc etc
AARNet PoPs our footprint…
• 17 Domestic
– Sydney (3)
– Melbourne (2)
– Brisbane (2)
– Adelaide (2)
– Perth (3)
– Canberra (2)
– Hobart (1)
– Darwin (1)
– Alice Springs (1)
• 7 International
– Seattle
– Palo Alto
– Los Angeles
– Hawai’i
– Suva
– Singapore
– Frankfurt
The AARNet3 environment
• Currently over 100 routers deployed
• A mix of Juniper and Cisco routers
– Juniper M320s at the core
– Cisco routers at the customer edge
– Link speeds varying from STM-64c to STM-4s and STM-1s for long haul
– 10GbE intra PoP and GbE connections from PoPs, but still some managed services and legacy ATM
The BGP environment
• 17 commodity transit connections
• Over 200 peers, both commodity and R&E
• Most peerings are bilateral, a few (3) are multilateral
• Some 20 peerings with external international R&E networks
• Over 200 iBGP peerings
• Over 250 IPv4 prefixes advertised and growing…
• IPv6 enabled
• IPv4/IPv6 multicast enabled
How do we manage this complexity?
• Very hard to manage on an ad-hoc basis with such diversity
– Easy to make big mistakes with manual configurations
• Needs an overall policy that manages router BGP configurations
• Needs cross-vendor router support
• AARNet uses IRRs and RPSL to manage this
BGP trust and security
• In BGP security is an afterthought
– BGP was originally designed to address routing between trusted networks; that assumption of trust no longer holds on today's internet
– TCP MD5 authentication of BGP sessions (RFC 2385) is gaining acceptance, but it is still far from fully deployed, and it authenticates the session, not the routes carried over it
– Filtering is an add-on and is often very loosely deployed
– This has the potential to cause disruption
BGP Misconfigurations
• Estimated that 1% of the routing table prefixes are
misconfigured each day*
– This churn increases the load on routers by 10% in bursts
– Routing is surprisingly resilient with only 4% of these
misconfigurations affecting connectivity/reachability of sites.
– But when it hits it can be severe, especially when there is
little protection in place - AS7007 incident
* Mahajan, Wetherall, Anderson - Understanding BGP Misconfiguration SIGCOMM 2002
http://www.cs.washington.edu/homes/ratul/bgp/bgp-misconfigs.pdf
Route Hijacking
• A prefix is announced that does not belong to the originating AS
• Can be done by misconfiguration
• Can be done maliciously
– Spammers
– DoS attacks
• Short-Lived Prefix Hijacking on the Internet
– Peter Boothe, James Hiebert, Randy Bush
• http://www.nanog.org/mtg-0602/pdf/boothe.pdf
• “We can identify between 26 and 95 hijacking instances in
Route-Views data for December 2005
• Many more misconfigs and false alarms than purposeful
hijackings - 750+”
How trusting are we with BGP?
• Do we really trust others' announcements?
• Would we deploy blackhole community tags with them to protect the network from DoS attacks?
• We need to increase the trust level by developing public policy and consistent actions.
• To trust we need to be trustworthy
How we went about it
• Need to identify which IRR to use
– AARNet uses RADB.
– Others run their own for control
• Need to decide what degree of filtering is desired
– Prefix filters
– AS path filters
– Both!
• Register a maintainer object at chosen IRR
– Usually a “manual” process and could be multi-stage if PGP key authentication is required
What is RPSL?
• Object oriented language
• Structured whois objects
• Refinement of RIPE 181 (and its predecessors) based on operational experience
• Describes things interesting to routing policy
– Prefixes
– AS Numbers
– Relationships between BGP peers
– Management responsibility
Maintainer Object
• Maintainer objects are used for authentication
• Multiple authentication methods: NONE, MAIL-FROM, CRYPT-PW, PGPKEY
– NONE and MAIL-FROM give no real protection (a From: header is trivially forged), so anyone could alter the routes the filters are built from; AARNet uses PGPKEY

mntner:      MAINT-ASAARNET
descr:       Maintainers for AARNet and AARNet member objects
admin-c:     CS3692
tech-c:      GT342-AU
upd-to:      [email protected]
mnt-nfy:     [email protected]
auth:        PGPKEY-FAD8C612
auth:        PGPKEY-23B7F8EF
remarks:     Australian Academic and Research Network
             http://www.aarnet.edu.au/
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20040113
source:      RADB
Route Object
• Uses CIDR prefix/length format
• Specifies the origin AS for a route
• Can indicate membership of a route set

route:       134.7.0.0/16
descr:       Curtin University of Technology
origin:      AS7575
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20050818
source:      RADB
Route Set Object
• Collects routes together with similar properties

route-set:   AS7575:RS-UNSW
descr:       University of New South Wales
members:     129.94.0.0/16, 149.171.0.0/16, 203.10.48.0/24,
             203.20.160.0/24, 203.20.160.0/19
remarks:     List of routes accepted from AS7570
admin-c:     MP151
tech-c:      ANOC-AP
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20050427
source:      RADB
AS Set Object (1)
• Collects together Autonomous Systems with shared properties
• Can be used in policy in place of an AS

as-set:      AS7575:AS-EDGE
descr:       AARNet3 customers AS set
members:     AS1851, AS4822, AS6262, AS7575, AS7645, AS9383,
             AS10148, AS17498, AS23654, AS23719, AS23859, AS24101, AS24313,
             AS24390, AS24431, AS24433, AS24434, AS24436, AS24437, AS24490,
             AS37978, AS38083
remarks:     List of customers on AARNet3 using public AS numbers
remarks:     http://www.aarnet.edu.au
admin-c:     MP151
tech-c:      ANOC-AP
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20060713
source:      RADB
AS Set Object (2)
• RPSL has hierarchical names
• Our customer base is in AS7575:AS-CUSTOMER

as-set:      AS7575:AS-CUSTOMER
descr:       AARNet3 customers AS set
members:     AS7575:AS-EDGE, AS7575:AS-RNO
remarks:     List of customers on AARNet3 using public AS numbers
remarks:     http://www.aarnet.edu.au
admin-c:     MP151
tech-c:      ANOC-AP
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20060715
source:      RADB
Whois queries
• whois -h whois.ra.net AS7575:AS-CUSTOMER
– members: AS7575:AS-EDGE, AS7575:AS-RNO
• whois -h whois.ra.net AS7575:AS-EDGE
– members: AS1851, AS4822, AS6262, AS7575, AS7645, AS10148, AS17498, AS23654, AS23719, AS24101, AS24390, AS24431, AS24433, AS24434, AS24436, AS24437
• whois -h whois.ra.net \!gAS1851
– 192.43.227.0/24 129.127.0.0/16 192.43.229.0/24 203.9.156.0/24
  129.127.0.0/16 192.43.228.0/24 192.43.229.0/24 203.9.156.0/24
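The whois queries above resolve an as-set by hand, one level at a time. The following Python is an added example (not AARNet's tooling and not part of IRRToolSet) of what a filter generator such as RtConfig has to do with that data: parse whois-style RPSL objects, expand an as-set recursively down to AS numbers, and collect the route objects those ASes originate. The RPSL text is a constructed sample that reuses the set names and a few prefixes from the slides; the AS4822 route (203.0.113.0/24, documentation space), the continuation line and the deliberate loop (AS7575:AS-EDGE listing AS7575:AS-CUSTOMER, which itself contains AS-EDGE) are made up to exercise the edge cases, and all function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed whois-style dump for this example (not real RADB output).
SAMPLE_RPSL = """\
as-set:      AS7575:AS-CUSTOMER
descr:       AARNet3 customers AS set
members:     AS7575:AS-EDGE, AS7575:AS-RNO
source:      RADB

as-set:      AS7575:AS-EDGE
descr:       AARNet3 customers AS set
members:     AS1851, AS7575,
             AS7575:AS-CUSTOMER
source:      RADB

as-set:      AS7575:AS-RNO
members:     AS4822
source:      RADB

route:       192.43.227.0/24
origin:      AS1851
source:      RADB

route:       129.127.0.0/16
origin:      AS1851
source:      RADB

route:       134.7.0.0/16
descr:       Curtin University of Technology
origin:      AS7575
source:      RADB

route:       203.0.113.0/24
origin:      AS4822
source:      RADB
"""

AS_NUMBER = re.compile(r"^AS\d+$", re.IGNORECASE)


def parse_objects(text):
    """Split whois output into objects: each is a list of (key, value) pairs
    kept in order, because RPSL attributes repeat (several 'members:' lines)."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:   # continuation of the previous value
            key, value = current[-1]
            current[-1] = (key, (value + " " + line.lstrip("+ \t").strip()).strip())
            continue
        key, _, value = line.partition(":")
        current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def build_index(objects):
    """as-set name -> member tokens; origin AS -> registered prefixes."""
    as_sets, routes = {}, defaultdict(set)
    for obj in objects:
        cls, name = obj[0]                  # first attribute names the class
        if cls == "as-set":
            members = set()
            for key, value in obj:
                if key == "members":
                    members.update(m.strip().upper() for m in value.split(",") if m.strip())
            as_sets[name.upper()] = members
        elif cls == "route":
            origin = next(v for k, v in obj if k == "origin").upper()
            routes[origin].add(name)
    return as_sets, routes


def expand_as_set(name, as_sets, seen=None):
    """Recursively expand an as-set into AS numbers. 'seen' stops loops, which
    do occur in public registries when a set includes itself indirectly.
    An unknown set name expands to nothing rather than raising."""
    seen = set() if seen is None else seen
    name = name.upper()
    if name in seen:
        return set()
    seen.add(name)
    result = set()
    for member in as_sets.get(name, ()):
        if AS_NUMBER.match(member):
            result.add(member)
        else:
            result |= expand_as_set(member, as_sets, seen)
    return result


def prefixes_for_as_set(name, as_sets, routes):
    """What 'whois !gASN' gives per member AS, unioned over the whole set:
    the prefixes a neighbour announcing this set may legitimately originate."""
    return {p for asn in expand_as_set(name, as_sets) for p in routes.get(asn, ())}


if __name__ == "__main__":
    as_sets, routes = build_index(parse_objects(SAMPLE_RPSL))
    print(sorted(expand_as_set("AS7575:AS-CUSTOMER", as_sets)))
    print(sorted(prefixes_for_as_set("AS7575:AS-CUSTOMER", as_sets, routes)))
```

The prefix list this produces is only as trustworthy as the maintainer authentication behind the route objects: it is an allow-list of what the neighbour is expected to announce, not proof that an announcement is legitimate.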
AS Route Sets
bhm$ whois -h whois.ra.net AS7575:AS-RESEARCH
as-set:      AS7575:AS-RESEARCH
descr:       AARNet3 peer R&E network AS set
members:     AS47, AS73, AS293, AS668, AS2153, AS6360, AS6509, AS7539,
             AS7610, AS11537, AS20965, AS23796, AS32361, AS38018
remarks:     R&E networks peering with AARNet3
• If the ASes we peer with used an IRR to specify their route sets, then we could create prefix filters against our peers.
• Peers can create prefix filters from our existing policy, except for transit peerings (see above!)
• And it is all publicly documented.
Autonomous System Object
• Routing Policy Description object
• Most important components are
– import
– export
• These define the incoming and outgoing routing
announcement relationships
• Instant Documentation!
• whois -h whois.ra.net AS7575
Use of RPSL
• Use RtConfig v4 (part of RAToolSet, now IRRToolSet, from ISC) to generate filters based on information stored in our routing registry
– Avoid filter errors (typos)
– Filters consistent with documented policy (need to get policy correct though)
– Currently we use RAToolSet v4.7.1
– Need to script our own tools for Juniper
Using RPSL to configure routers
• Need to define “policy” for filtering
– Inbound from customers & peers
– Outbound to customers & peers
• Need to be aware of shortcomings in router
configuration and/or configuration generator
– Command line length (on cisco this is 512 bytes)
– Complexity of rules
AARNet’s filtering philosophy
• Inbound
– Filter customer by prefix and AS path
– Filter peer by prefix filter
– Filter providers for prefixes longer than a /24
– Don’t accept martians or bogons from anyone
• Outbound
– Filter by BGP community, which indicates the class of the prefix (customer, peer, etc)
Overall Prefix and Path Filtering
• Filter all customer prefixes on ingress
• Filter all your advertisements on egress
• Filter all bogons and martians
• Filter/remove all private AS space
RtConfig & IRRToolSet
• Version 4.0 supports RPSL
• Generates Cisco configurations
• Contributed support for Bay’s BCC, Juniper’s Junos and Gated/RSd
• Creates route and AS path filters.
• Can also create ingress/egress filters
AS7575 policy
• whois -h whois.ra.net AS7575
• An extract:
import: {
  from AS-ANY
    action pref=5; community.append(7575:1001,7575:2017,7575:8002);
    accept ANY AND NOT { 0.0.0.0/0^25-32 } AND NOT AS7575 AND NOT fltr-martian;
  refine {
    from AS20965 at 202.158.192.17
      action community.append(7575:6002);
      accept AS-GEANTNRN OR AS-EUMED;
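AARNet's inbound rules (customers filtered by prefix and AS path, peers by prefix, providers only for martians and prefixes longer than /24, private AS numbers stripped) and the RPSL import filter just shown (NOT { 0.0.0.0/0^25-32 } AND NOT AS7575 AND NOT fltr-martian) can be written as one decision function. The Python below is an added example, not AARNet's configuration or RtConfig output. The martian list is abbreviated and constructed (the default route is treated as a martian too); the neighbour table uses two prefixes from the slides' whois output for AS1851 and the first entry of the generated rs-as20965 policy for AS20965; AS64496 and AS64497 (documentation ASNs) stand in for a transit provider and a third party; and the check that the AS path begins with the neighbour's own AS is an addition that the slides do not state.

```python
import ipaddress

LOCAL_AS = 7575
MAX_PREFIX_LEN = 24     # "NOT { 0.0.0.0/0^25-32 }" in the AS7575 import policy

# Constructed, abbreviated martian/bogon list. A production filter takes this
# from a maintained bogon feed and the registry's fltr-martian.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/3",
)]

# Neighbour classes with registry-derived allow lists (what RtConfig would
# generate from the as-set / route objects). Constructed for the example.
NEIGHBOURS = {
    1851:  {"class": "customer",
            "prefixes": ["192.43.227.0/24", "129.127.0.0/16"],
            "origins": {1851}},
    20965: {"class": "peer", "prefixes": ["62.148.160.0/19"]},
    64496: {"class": "provider"},
}


def is_martian(net):
    """Default route or anything inside a martian/bogon block."""
    return net.prefixlen == 0 or any(net.subnet_of(m) for m in MARTIANS)


def is_private_as(asn):
    # 64512-65534 (RFC 1930); 4200000000-4294967294 is the later 32-bit range
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def in_prefix_filter(net, allowed):
    """'upto /24' semantics: the announced prefix must lie inside a registered
    one (the caller has already enforced the /24 maximum)."""
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)


def filter_inbound(prefix, as_path, neighbour_as):
    """Apply the inbound rules to one announcement from a known neighbour.
    Returns (accepted, detail): detail is the reject reason, or the AS path
    with private ASNs stripped when accepted."""
    net = ipaddress.ip_network(prefix)
    nb = NEIGHBOURS[neighbour_as]
    if is_martian(net):
        return False, "martian/bogon"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"longer than /{MAX_PREFIX_LEN}"
    if LOCAL_AS in as_path:
        return False, "own AS in path"
    if not as_path or as_path[0] != neighbour_as:
        return False, "path does not start with the neighbour"
    if nb["class"] in ("customer", "peer") and not in_prefix_filter(net, nb["prefixes"]):
        return False, "prefix not in registry-derived filter"
    if nb["class"] == "customer" and as_path[-1] not in nb["origins"]:
        return False, "origin AS not in customer as-set"
    return True, [asn for asn in as_path if not is_private_as(asn)]


if __name__ == "__main__":
    for args in (("192.43.227.0/24", [1851], 1851),
                 ("192.43.227.0/25", [1851], 1851),
                 ("62.148.160.0/22", [20965, 65001, 64497], 20965),
                 ("0.0.0.0/0", [64496], 64496),
                 ("62.148.160.0/22", [64496, 7575, 1851], 64496)):
        print(args[0], "from AS%d:" % args[2], filter_inbound(*args))
```

Providers get the weakest filter on purpose: a full table cannot be prefix-filtered from registry data, so only the sanity rules apply there, which is exactly why the customer and peer filters have to be tight.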
Peer route set
sao:~/rpsl bhm$ whois -h whois.ra.net AS-GEANTNRN
as-set:      AS-GEANTNRN
descr:       The GEANT IP Service
members:     AS20965
members:     AS-ACONET, AS-BELNET, AS-CERNEXT, AS-DFNTOWINISP
members:     AS-GARRTOGEANT, AS5408:AS-TO-GEANT, AS-JANETEURO
members:     AS-HBONETEN, AS-RCCN, AS-RENATER, AS-RESTENA
members:     AS-SWITCH, AS-SURFNET, AS-PLNET, AS1955
members:     AS-REDIRIS, AS2107, AS2611, AS2852, AS-HEANET
members:     AS-MACHBA, AS2108, AS-UNREN, AS3268, AS-ISTF
members:     AS-LATNET-Geant, AS3221, AS-LITNET, AS-RBNET
members:     AS-SANET2, AS-ROEDUNET, AS12046, AS-ULAKNET
members:     AS3208, AS-NORDUNET
tech-c:      DANT-RIPE
admin-c:     RS-RIPE
mnt-by:      DANTE-MNT
AS20965 Object
import: from AS7575 action pref=100; community.append(20965:7575); med=0;
        accept <AS7575:AS-CUSTOMER>
• Our peer can safely receive our routes and discard any erroneous prefixes that we advertise.
• But without the equivalent information from a peer, we can only accept whatever routes that peer advertises.
• We could erroneously advertise default!
• We could originate hijacked routes and they would be accepted.
• We could inject commodity routes into an R&E network and disrupt traffic.
Juniper router rpsl config
policy-statement rs-as20965 {
replace:
    term prefixes {
        from {
            @RtConfig printPrefixRanges "\t\troute-filter %p/%l upto /24;\n" filter AS-GEANTNRN OR AS-EUMED OR AS2018
        }
        then accept;
    }
}
Import policy (extract)
policy-statement as20965-ipv4-import {
    term as20965 {
        from policy rs-as20965;
        then {
            local-preference 95;
            community add research;
            community add router-tag;
            community add european;
            next policy;
        }
    }
    term reject {
        then reject;
    }
}
Prefix policy
policy-statement rs-as20965 {
    term prefixes {
        from {
            route-filter 62.148.160.0/19 upto /24;
            route-filter 66.164.200.0/21 upto /24;
            route-filter 66.164.208.0/21 upto /24;
            route-filter 80.69.160.0/20 upto /24;
            route-filter 80.247.192.0/19 upto /24;
            route-filter 82.112.32.0/19 upto /24;
            route-filter 84.243.192.0/18 upto /24;
            route-filter 84.244.128.0/18 upto /24;
            ………
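The output above is what RtConfig's printPrefixRanges template produces for the expanded as-set. The following Python is an added example (not RtConfig, not AARNet's scripts) of that rendering step from a list of registered prefixes, in both the Junos route-filter form shown on the slide and the IOS prefix-list form that -cisco_use_prefix_lists emits. The input is constructed from the AS7575:RS-UNSW members on the earlier slide plus one /25 in documentation space so the edge cases show: duplicates and prefixes already covered by a shorter registered one are dropped, prefixes longer than /24 are reported rather than silently widened, and adjacent prefixes are deliberately not aggregated, because "upto /24" on the merged supernet would also admit an aggregate nobody registered. The policy and list names are this example's own.

```python
import ipaddress

MAX_LEN = 24

# Constructed input: AS7575:RS-UNSW members from the slides plus a /25.
REGISTERED = ["129.94.0.0/16", "149.171.0.0/16", "203.10.48.0/24",
              "203.20.160.0/24", "203.20.160.0/19", "203.0.113.128/25"]


def normalise(prefixes, max_len=MAX_LEN):
    """Return (prefixes to render, prefixes that are too long).
    Duplicates and prefixes covered by a shorter registered one are dropped:
    'X upto /24' already matches everything inside X. Deliberately NOT
    ipaddress.collapse_addresses(): merging two adjacent /24s into a /23
    'upto /24' would also admit the unregistered /23 aggregate."""
    nets = {ipaddress.ip_network(p) for p in prefixes}
    too_long = sorted(str(n) for n in nets if n.prefixlen > max_len)
    kept = []
    for net in sorted((n for n in nets if n.prefixlen <= max_len),
                      key=lambda n: (n.prefixlen, int(n.network_address))):
        if not any(net.subnet_of(k) for k in kept):   # shorter ones come first
            kept.append(net)
    kept.sort(key=lambda n: (int(n.network_address), n.prefixlen))
    return kept, too_long


def junos_policy(name, nets, max_len=MAX_LEN):
    """Subroutine policy in the shape the slide's RtConfig template yields.
    A prefix that is already /24 is written as 'exact'."""
    lines = [f"policy-statement {name} {{",
             "    term prefixes {",
             "        from {"]
    for n in nets:
        if n.prefixlen == max_len:
            lines.append(f"            route-filter {n} exact;")
        else:
            lines.append(f"            route-filter {n} upto /{max_len};")
    lines += ["        }",
              "        then accept;",
              "    }",
              "}"]
    return "\n".join(lines)


def cisco_prefix_list(name, nets, max_len=MAX_LEN):
    """Same filter as an IOS prefix-list with an explicit final deny.
    IOS rejects a 'le' equal to the entry's own length, so /24s get none."""
    lines = []
    for i, n in enumerate(nets, 1):
        suffix = "" if n.prefixlen == max_len else f" le {max_len}"
        lines.append(f"ip prefix-list {name} seq {10 * i} permit {n}{suffix}")
    lines.append(f"ip prefix-list {name} seq {10 * (len(nets) + 1)} deny 0.0.0.0/0 le 32")
    return "\n".join(lines)


if __name__ == "__main__":
    nets, too_long = normalise(REGISTERED)
    print(junos_policy("rs-unsw", nets))
    print(cisco_prefix_list("UNSW-IN", nets))
    print("not rendered (longer than /%d): %s" % (MAX_LEN, ", ".join(too_long)))
```

Reporting the too-long prefixes matters operationally: a customer who registers a /25 and expects it to be accepted will otherwise only find out when the announcement is silently dropped by the /24 rule.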
BGP policy complexity
• 7575:1 Export external to AARNet with "no-export"
• 7575:2 No export beyond AARNet
• 7575:3 Prepend AS7575 once
• 7575:4 Prepend AS7575 twice
• 7575:5 Prepend AS7575 thrice
• 7575:6 Blackhole traffic
• 7575:7 Regional only
• 7575:70 AARNet local preference 70
• 7575:80 AARNet local preference 80
• 7575:90 AARNet local preference 90
• …and much more…
– whois -h whois.ra.net AS7575 | grep remarks
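The community table above is documentation for customers; the Python below is an added example (not AARNet's router configuration) of what a provider's ingress policy does with those tags on a customer route: derive local preference, build the prepended export path, honour the two export restrictions, and handle a blackhole request. The blackhole rule includes a check the slides do not state but which follows from the trust question raised earlier in the deck: 7575:6 is only honoured for a prefix inside the customer's own IRR-registered space, since a blackhole accepted for someone else's address would let one customer knock a third party offline. The default local preference of 100, lowest-wins when several local-preference communities are present, the registered list for AS1851 (taken from the whois !g output on the slides) and all names are this example's assumptions.

```python
import ipaddress

LOCAL_AS = 7575
DEFAULT_LOCAL_PREF = 100            # assumed; the slides document 70/80/90 only
LOCAL_PREF_COMMUNITY = {70: 70, 80: 80, 90: 90}
PREPEND_COMMUNITY = {3: 1, 4: 2, 5: 3}

# Constructed: AS1851's registered prefixes as shown by 'whois !gAS1851'.
REGISTERED_AS1851 = ["192.43.227.0/24", "129.127.0.0/16", "192.43.229.0/24",
                     "203.9.156.0/24", "192.43.228.0/24"]


def parse_community(text):
    """'7575:3' -> (7575, 3). Raises ValueError for anything else."""
    asn, value = text.split(":")
    return int(asn), int(value)


def apply_customer_communities(route, registered):
    """route: {'prefix', 'as_path', 'communities'} as received from a customer;
    registered: that customer's IRR prefixes. Returns the attributes this
    example's policy sets."""
    prefix = ipaddress.ip_network(route["prefix"])
    result = {
        "local_pref": DEFAULT_LOCAL_PREF,
        "export": True,          # cleared by 7575:2 (no export beyond AARNet)
        "no_export": False,      # 7575:1: export externally with well-known NO_EXPORT
        "regional_only": False,  # 7575:7
        "blackhole": False,      # 7575:6: next hop discard, never exported
        "prepend": 0,
        "passthrough": [],       # other ASes' communities, forwarded untouched
        "ignored": [],           # AARNet communities we refuse to act on
    }
    for text in route["communities"]:
        asn, value = parse_community(text)
        if asn != LOCAL_AS:
            result["passthrough"].append(text)
        elif value == 1:
            result["no_export"] = True
        elif value == 2:
            result["export"] = False
        elif value in PREPEND_COMMUNITY:
            result["prepend"] = max(result["prepend"], PREPEND_COMMUNITY[value])
        elif value == 6:
            # Only blackhole what the customer provably owns per the IRR.
            if any(prefix.subnet_of(ipaddress.ip_network(p)) for p in registered):
                result["blackhole"] = True
                result["export"] = False
            else:
                result["ignored"].append(text)
        elif value == 7:
            result["regional_only"] = True
        elif value in LOCAL_PREF_COMMUNITY:
            result["local_pref"] = min(result["local_pref"], LOCAL_PREF_COMMUNITY[value])
        else:
            result["ignored"].append(text)   # "...and much more": not modelled here
    # Path as an external neighbour will see it: our AS once, plus prepends.
    result["export_path"] = [LOCAL_AS] * (1 + result["prepend"]) + list(route["as_path"])
    return result


if __name__ == "__main__":
    r = apply_customer_communities(
        {"prefix": "129.127.0.0/16", "as_path": [1851],
         "communities": ["7575:80", "7575:4", "64496:100"]},
        REGISTERED_AS1851)
    print(r["local_pref"], r["export_path"], r["passthrough"])
    b = apply_customer_communities(
        {"prefix": "134.7.1.1/32", "as_path": [1851], "communities": ["7575:6"]},
        REGISTERED_AS1851)
    print("blackhole honoured:", b["blackhole"], "ignored:", b["ignored"])
```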
Using RtConfig
• RtConfig -cisco_use_prefix_lists < cpe-curtin-er1.rtconfig
• Redirect output to a file
• Upload by tftp to the router
• Done!
What about SBGP and SoBGP?
• At the moment it’s all about trust
• There are implementations of BGP policy that make us
somewhat trustworthy and are being currently deployed
• It isn’t perfect
• But it is a start…
References
• RPSL - RFC 2622
– http://www.faqs.org/rfcs/rfc2622.html
• Using RPSL in Practice - RFC 2650
– http://www.faqs.org/rfcs/rfc2650.html
• IRRToolSet
– ftp://ftp.isc.org.net/isc/IRRToolSet/
• RPSL Training Page
– http://www.isi.edu/ra/rps/training
• RADB
– http://www.radb.net/
Thank you!
Any Questions?