Transcript: BGP Workshop
Arturo Servin | Carlos Martínez
Acknowledgements
• Special thanks to Phillip Smith (APNIC) and Alvaro Retana (Cisco Systems), whose material provided invaluable input for the creation of this presentation.
HOW THE INTERNET WORKS
IP addresses: where do they come from?
[Figure: standards bodies define the address space; a central registry hands it to the Regional Internet Registries (RIRs), which distribute IPv4, IPv6 and Autonomous System Numbers; sometimes the distribution goes through National Internet Registries (NIRs); allocations and assignments then reach the end user]
Autonomous System Numbers
• Collection of networks with same routing
policy
• Single routing protocol
• Possibly multiple IGPs
• Usually under single ownership, trust and
administrative control
• Identified by a unique 32-bit integer (ASN)
ASNs
[Figure: three example autonomous systems, ASN 64511, ASN 65536 and ASN 65537]
More about ASNs
• Historically 2 bytes
– 1 to 65535
• They were about to run out, so ASNs are now 4 bytes (RFC 4893, since replaced by RFC 6793)
– 65536 to 4294967295
Special ASNs
– 0 and 65535: reserved
– 64496-64511 and 65536-65551: documentation (RFC 5398)
– 64512-65534: private use
– 23456 (AS_TRANS): stands in for a 4-byte ASN when talking to a speaker that only understands 2-byte ASNs
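Added example (not code from the workshop slides): classify an ASN into the ranges above and show what happens to a 4-byte ASN on its way through a 2-byte-only router, i.e. the AS_TRANS substitution and the AS4_PATH reconstruction of RFC 6793. The scenario at the bottom (origin AS 64496, 4-byte AS 65536, old 2-byte-only AS 64511) is constructed for the example; the 4-byte private range from RFC 6996 is added here and is not on the slide.

```python
AS_TRANS = 23456          # RFC 6793: placeholder sent to 2-byte-only speakers
MAX_ASN = 4294967295


def classify_asn(asn: int) -> str:
    """Classify an ASN using the ranges listed on the slide.
    The 4-byte private range 4200000000-4294967294 (RFC 6996) is an addition."""
    if not 0 <= asn <= MAX_ASN:
        raise ValueError("ASN must fit in 32 bits")
    if asn in (0, 65535, MAX_ASN):
        return "reserved"
    if asn == AS_TRANS:
        return "AS_TRANS"
    if 64496 <= asn <= 64511 or 65536 <= asn <= 65551:
        return "documentation"
    if 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294:
        return "private use"
    return "public 2-byte" if asn <= 65535 else "public 4-byte"


def asdot(asn: int) -> str:
    """asdot notation (RFC 5396) used by some vendors: 65536 -> '1.0'."""
    return f"{asn >> 16}.{asn & 0xFFFF}" if asn > 65535 else str(asn)


def path_for_old_speaker(as_path):
    """How a 4-byte-capable router advertises a path to a neighbour that did not
    negotiate 4-byte AS support: every ASN above 65535 becomes AS_TRANS in
    AS_PATH and the real path travels in the optional transitive AS4_PATH.
    Returns (as_path, as4_path); as4_path is None when nothing was substituted."""
    substituted = [AS_TRANS if asn > 65535 else asn for asn in as_path]
    as4_path = list(as_path) if substituted != list(as_path) else None
    return substituted, as4_path


def reconstruct_path(as_path, as4_path):
    """What the next 4-byte-capable router does on receipt (RFC 6793 section 4.2.3).
    Old speakers in between prepended their own 2-byte ASN to AS_PATH but left
    AS4_PATH untouched, so the leading len(AS_PATH) - len(AS4_PATH) entries of
    AS_PATH are genuine and are prepended to AS4_PATH. An AS4_PATH longer than
    AS_PATH is inconsistent and is ignored."""
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)
    return list(as_path[:len(as_path) - len(as4_path)]) + list(as4_path)


if __name__ == "__main__":
    # Constructed scenario: AS 64496 originates, 4-byte AS 65536 prepends itself
    # and sends to the old 2-byte-only AS 64511, which prepends itself and passes
    # the route to a 4-byte-capable AS that reconstructs the real path.
    sent, as4 = path_for_old_speaker([65536, 64496])
    print("old speaker receives AS_PATH", sent, "AS4_PATH", as4)
    after_old = [64511] + sent
    print("next 4-byte speaker sees", reconstruct_path(after_old, as4))
    for asn in (0, 23456, 64512, 65536, 65552):
        print(asn, asdot(asn), classify_asn(asn))
```

The reconstruction step is where filters can be fooled: an AS-path filter evaluated on the AS_PATH attribute alone sees 23456 where the real 4-byte ASN is, so policy on 4-byte ASNs must run after reconstruction.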
IGP vs EGP
• IGP – Interior Gateway Protocol
– Exchange routes within an Autonomous System
– Carries information about internal prefixes.
– OSPF, ISIS, EIGRP, etc
• EGP – Exterior Gateway Protocol
– Exchange routes between Autonomous Systems
– BGP is standard EGP today
– Connecting with outside networks
IGP vs EGP (more)
• IGP – Interior Gateway Protocol
– Sub-second convergence
– Generally Automatic discovery
– Generally trust your IGP routers
– Routes go to all IGP routers
• EGP – Exterior Gateway Protocol
– Decoupled from the IGP
– Specifically configured
Internet Routing
• BGP selects routes
according to a decision
algorithm and the values of
some route “attributes”
• AS_PATH is the list of
autonomous systems
where an UPDATE has gone
through
Internet Routing (example)
[Figure: ASN 6057 announces 200.40.0.0/16; the prefix is propagated with BGP to the Internet and ASN 8158 receives it with the attributes:]
200.40.0.0/16 AS_PATH ASN1 ASN3 ASN6057
Transit and Peering
• Transit
– Traffic and prefixes originating from one AS are
carried across an intermediate AS to reach their
destination AS
– Usually for a fee
• Peering
– Private interconnect between two ASNs
– Usually for no fee
Transit and Peering
[Figure: ASNs 65538, 64511, 65536 and 65537; one interconnect is labelled Transit, the other Peering]
Peering in an Internet Exchange Point
(IXP)
• Internet Exchange Point
– Common interconnect location where several
ASNs exchange routing information and traffic
[Figure: ASNs 65536, 65537, 65538 and 65539 connected at an IXP]
INTRO TO BGP
Border Gateway Protocol
• A Routing Protocol used to exchange routing
information between different networks
• Exterior gateway protocol
• Described in RFC4271
– RFC4276 gives an implementation report on BGP
– RFC4277 describes operational experiences using
BGP
• Works on TCP port 179
• Path Vector Protocol
More about BGP
• Learns multiple paths via internal and external BGP speakers
• Initial exchange of the entire table, then incremental updates
• Picks THE best path and installs it in the IP forwarding table
• Policies are applied by influencing the best-path selection
• Keepalive messages are exchanged
• Many options for policy enforcement
• Classless Inter-Domain Routing (CIDR)
• Widely used for the Internet backbone
Neighbors
• BGP speakers are:
– Internal (iBGP) if they are in the same ASN
– External (eBGP) if they are in different ASNs
[Figure: an eBGP session between ASN 65538 and ASN 65536, and iBGP sessions inside ASN 65536]
Where to use BGP: Stub Network
[Figure: ASN 65538 (customer) with a single link to ASN 65536 (transit provider)]
• Only one exit for the customer
• No real need to add BGP
Multihomed Network
[Figure: ASN 65536 with links to transit providers and to an IXP peer; ASNs 65537, 65538 and 65539]
• Different situations are possible:
– Multiple links to the same ISP
– Secondary link used only for backup
– Load sharing between primary and secondary
– Selectively using different ISPs
– Peering at an IXP
BGP State-Machine
BGP States
1 - Idle
2 - Connect
3 - Active
4 - OpenSent
5 - OpenConfirm
6 - Established
BGP Events
1 - BGP Start
2 - BGP Stop
3 - BGP Transport connection open
4 - BGP Transport connection closed
5 - BGP Transport connection open failed
6 - BGP Transport fatal error
7 - ConnectRetry timer expired
8 - Hold Timer expired
9 - KeepAlive timer expired
10 - Receive OPEN message
11 - Receive KEEPALIVE message
12 - Receive UPDATE messages
13 - Receive NOTIFICATION message
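Added example (not code from the workshop slides): a table-driven model of the BGP finite state machine using the six states and the event names from the two lists above. Transitions follow RFC 4271 section 8; timers and the TCP layer appear only as their events, so this models the session, it is not a BGP speaker. The event name strings are this example's own.

```python
IDLE, CONNECT, ACTIVE, OPENSENT, OPENCONFIRM, ESTABLISHED = (
    "Idle", "Connect", "Active", "OpenSent", "OpenConfirm", "Established")

# (state, event) -> (next state, action). Event names mirror the slide's list.
TRANSITIONS = {
    (IDLE,        "Start"):               (CONNECT,     "start ConnectRetry timer, open TCP to peer"),
    (CONNECT,     "TransportOpen"):       (OPENSENT,    "send OPEN"),
    (CONNECT,     "TransportOpenFailed"): (ACTIVE,      "restart ConnectRetry timer, listen"),
    (CONNECT,     "ConnectRetryExpired"): (CONNECT,     "retry TCP connection"),
    (ACTIVE,      "TransportOpen"):       (OPENSENT,    "send OPEN"),
    (ACTIVE,      "TransportOpenFailed"): (IDLE,        "release resources, restart ConnectRetry timer"),
    (ACTIVE,      "ConnectRetryExpired"): (CONNECT,     "retry TCP connection"),
    (OPENSENT,    "ReceiveOpen"):         (OPENCONFIRM, "check version, peer AS and hold time, send KEEPALIVE"),
    (OPENSENT,    "TransportClosed"):     (ACTIVE,      "close, restart ConnectRetry timer"),
    (OPENCONFIRM, "ReceiveKeepalive"):    (ESTABLISHED, "session up, send full table"),
    (OPENCONFIRM, "KeepaliveExpired"):    (OPENCONFIRM, "send KEEPALIVE"),
    (ESTABLISHED, "ReceiveKeepalive"):    (ESTABLISHED, "restart hold timer"),
    (ESTABLISHED, "ReceiveUpdate"):       (ESTABLISHED, "restart hold timer, run decision process"),
    (ESTABLISHED, "KeepaliveExpired"):    (ESTABLISHED, "send KEEPALIVE"),
}
# Events that tear the session down from any state not handled above.
RESET_EVENTS = {"Stop", "TransportClosed", "TransportFatalError",
                "HoldTimerExpired", "ReceiveNotification"}


class BgpSession:
    def __init__(self):
        self.state = IDLE
        self.log = []          # (state, event, next_state, action)

    def handle(self, event):
        if self.state == IDLE and event != "Start":
            nxt, action = IDLE, "ignored in Idle"
        elif (self.state, event) in TRANSITIONS:
            nxt, action = TRANSITIONS[(self.state, event)]
        elif event in RESET_EVENTS:
            nxt, action = IDLE, "close TCP, release resources, restart ConnectRetry timer"
        else:
            # RFC 4271 8.2.2: input the state does not expect (e.g. a KEEPALIVE
            # before any OPEN) is an FSM error: send NOTIFICATION, drop to Idle.
            nxt, action = IDLE, "FSM error: send NOTIFICATION, close TCP"
        self.log.append((self.state, event, nxt, action))
        self.state = nxt
        return nxt


def run(events):
    """Feed a list of events to a fresh session; return (final state, log)."""
    session = BgpSession()
    for event in events:
        session.handle(event)
    return session.state, session.log


if __name__ == "__main__":
    happy_path = ["Start", "TransportOpen", "ReceiveOpen", "ReceiveKeepalive", "ReceiveUpdate"]
    for state, event, nxt, action in run(happy_path)[1]:
        print(f"{state:12} --{event}--> {nxt:12}  ({action})")
```

The happy path is Idle, Connect, OpenSent, OpenConfirm, Established. Note that anything a peer sends before the OPEN exchange completes, or after the hold timer expires, resets the session: that is why a flapping transport shows up as a neighbour cycling through Active and Idle in the logs, and why "bgp log-neighbor-changes" is worth enabling.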
Basic config
IPv4:
router bgp <asn>
 bgp router-id a.b.c.d
 neighbor a.b.c.d remote-as <peer-asn>
 neighbor a.b.c.d …
 network A.B.C.D mask M.M.M.M
 no synchronization

IPv6:
router bgp <asn>
 no bgp default ipv4-unicast
 bgp router-id a.b.c.d
 neighbor X:X:X:X::X remote-as <peer-asn>
 neighbor X:X:X:X::X …
 address-family ipv6
  neighbor X:X:X:X::X activate
  neighbor X:X:X:X::X …
  network 2001:DB8::/32
  no synchronization
 exit-address-family
Basic Config (IPv4 eBGP)
[Figure: Router A in ASN 65536 (interface 131.108.10.1) originates 150.10.0.0/16; Router B in ASN 65537 (interface 131.108.10.2) originates 131.108.0.0/16]
• Router A
router bgp 65536
 network 150.10.0.0 mask 255.255.0.0
 neighbor 131.108.10.2 remote-as 65537
• Router B
router bgp 65537
 network 131.108.0.0 mask 255.255.0.0
 neighbor 131.108.10.1 remote-as 65536
Be careful, this needs filters!!
Do not try it in production yet!!
Basic Config (IPv4 iBGP)
[Figure: Routers A and B are both in ASN 65536; Router A is 131.108.10.2, Router B is 131.108.10.1 and originates 131.108.0.0/16]
• Router A
router bgp 65536
 neighbor 131.108.10.1 remote-as 65536
• Router B
router bgp 65536
 network 131.108.0.0 mask 255.255.0.0
 neighbor 131.108.10.2 remote-as 65536
!
ip route 131.108.0.0 255.255.0.0 null 0
The static route to Null0 keeps the /16 in the routing table, so the network statement can originate it whatever happens to the individual interfaces.
More about iBGP
• BGP peers within the same AS
• Not required to be directly connected
• The IGP takes care of connectivity between the BGP speakers
• iBGP speakers must be fully meshed, because:
– They originate their connected networks
– They pass on prefixes learned from outside the ASN
– They do not pass on prefixes learned from other iBGP speakers
Verifying Operation
• Summary of BGP
– show ip bgp summary
– show bgp ipv6 [unicast|multicast] summary
• Routing table
– show ip bgp <prefix> (without a prefix it shows all routes)
– show bgp ipv6 [unicast|multicast] <prefix>
Show command example
sh ip bgp
BGP table version is 11, local router ID is 192.168.255.5
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network             Next Hop         Metric LocPrf Weight Path
*>  N10.2.4.0/24         192.168.255.2              100      0 2 4 i
*>  V10.4.0.0/16         192.168.255.2              200      0 2 4 i
*>  V192.168.1.0         0.0.0.0               0          32768 i
*>  V192.168.2.0         192.168.255.2         0     200      0 2 i
    I192.168.2.128/25    192.168.255.6         0      50      0 3 ?
More show commands
• Verifying neighbors
– show ip bgp neighbor <peer>
– show bgp ipv6 [unicast|multicast] neighbor <peer>
– show ip bgp neighbor <peer> advertised-routes
– show bgp ipv6 [unicast|multicast] neighbor <peer> advertised-routes
– show ip bgp neighbor <peer> routes
– show bgp ipv6 [unicast|multicast] neighbor <peer> routes
– show ip bgp neighbor <peer> received-routes
– show bgp ipv6 [unicast|multicast] neighbor <peer> received-routes
(received-routes shows what the peer sent before our inbound policy and needs "soft-reconfiguration inbound" on the neighbour; routes shows what survived the policy.)
ATTRIBUTES
What's an attribute?
• Part of a BGP UPDATE
• Describes the characteristics of a prefix
• It can be either transitive or non-transitive
• Some are mandatory, some optional
• Four classes: well-known mandatory, well-known discretionary, optional transitive, optional non-transitive
Route attributes
(Same sh ip bgp output as in the show command example above. The Next Hop, Metric (MED), LocPrf and Path (AS_PATH plus origin code) columns show the attributes discussed in this section; Weight is a Cisco-local value, not a BGP attribute.)
List of attributes (don't worry, we just need AS_PATH for now)
Value  Code                  Reference
0      Reserved
1      ORIGIN                [RFC4271]
2      AS_PATH               [RFC4271]
3      NEXT_HOP              [RFC4271]
4      MULTI_EXIT_DISC       [RFC4271]
5      LOCAL_PREF            [RFC4271]
6      ATOMIC_AGGREGATE      [RFC4271]
7      AGGREGATOR            [RFC4271]
8      COMMUNITY             [RFC1997]
9      ORIGINATOR_ID         [RFC4456]
10     CLUSTER_LIST          [RFC4456]
14     MP_REACH_NLRI         [RFC4760]
15     MP_UNREACH_NLRI       [RFC4760]
16     EXTENDED COMMUNITIES  [RFC4360]
17     AS4_PATH              [RFC6793]
18     AS4_AG­GREGATOR        [RFC6793]
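Added example (not code from the workshop slides): encode and decode the path attributes of a BGP UPDATE body (RFC 4271 section 4.3) using the type codes from the table above. It covers the well-known mandatory ORIGIN, AS_PATH and NEXT_HOP, the optional non-transitive MULTI_EXIT_DISC, and IPv4 NLRI with 2-byte AS numbers only; the prefixes and path below are constructed for the example. The parser checks every length field against the message, which is what distinguishes a robust speaker from one that can be crashed by a neighbour's malformed UPDATE.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ORIGIN, AS_PATH, NEXT_HOP, MULTI_EXIT_DISC = 1, 2, 3, 4      # type codes from the table
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_EXTLEN = 0x80, 0x40, 0x10
AS_SET, AS_SEQUENCE = 1, 2
ORIGIN_CODES = {0: "i", 1: "e", 2: "?"}


def _attr(flags, code, value):
    """Attribute header: flags, type code, 1- or 2-byte length, then the value."""
    if len(value) > 255:
        return struct.pack("!BBH", flags | FLAG_EXTLEN, code, len(value)) + value
    return struct.pack("!BBB", flags, code, len(value)) + value


def _nlri(net):
    """NLRI encoding: prefix length in bits, then only the octets carrying prefix bits."""
    octets = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:octets]


def build_update(origin, as_path, next_hop, prefixes, med=None):
    """UPDATE body with no withdrawn routes: the three well-known mandatory
    attributes, optionally MED (optional non-transitive), then the NLRI."""
    attrs = _attr(FLAG_TRANSITIVE, ORIGIN, bytes([origin]))
    seg = struct.pack("!BB", AS_SEQUENCE, len(as_path)) + b"".join(struct.pack("!H", a) for a in as_path)
    attrs += _attr(FLAG_TRANSITIVE, AS_PATH, seg)
    attrs += _attr(FLAG_TRANSITIVE, NEXT_HOP, IPv4Address(next_hop).packed)
    if med is not None:
        attrs += _attr(FLAG_OPTIONAL, MULTI_EXIT_DISC, struct.pack("!I", med))
    nlri = b"".join(_nlri(IPv4Network(p)) for p in prefixes)
    return struct.pack("!HH", 0, len(attrs)) + attrs + nlri


def _take(body, pos, n):
    """Slice n bytes at pos, refusing to read past the end of the message."""
    if pos + n > len(body):
        raise ValueError(f"truncated at offset {pos}")
    return body[pos:pos + n], pos + n


def parse_update(body):
    """Decode an UPDATE body into (attributes, nlri). Any length that runs past
    the message raises ValueError; a real speaker would answer with a
    NOTIFICATION (UPDATE Message Error) rather than trust the announced lengths."""
    raw, pos = _take(body, 0, 2)
    _, pos = _take(body, pos, struct.unpack("!H", raw)[0])   # withdrawn routes skipped
    raw, pos = _take(body, pos, 2)
    attr_end = pos + struct.unpack("!H", raw)[0]
    if attr_end > len(body):
        raise ValueError("attribute length exceeds message")
    attrs = {}
    while pos < attr_end:
        hdr, pos = _take(body, pos, 3)
        flags, code, length = hdr
        if flags & FLAG_EXTLEN:                 # extended length: second length byte follows
            ext, pos = _take(body, pos, 1)
            length = (length << 8) | ext[0]
        if pos + length > attr_end:
            raise ValueError(f"attribute {code} runs past the attribute section")
        value, pos = _take(body, pos, length)
        if code == ORIGIN:
            if len(value) != 1:
                raise ValueError("bad ORIGIN length")
            attrs["ORIGIN"] = ORIGIN_CODES[value[0]]
        elif code == AS_PATH:
            path, i = [], 0
            while i < len(value):
                seg_type, count = value[i], value[i + 1]
                seg = value[i + 2:i + 2 + 2 * count]
                if len(seg) != 2 * count:
                    raise ValueError("malformed AS_PATH segment")
                asns = struct.unpack(f"!{count}H", seg)
                path.append(set(asns) if seg_type == AS_SET else list(asns))
                i += 2 + 2 * count
            attrs["AS_PATH"] = path
        elif code == NEXT_HOP:
            attrs["NEXT_HOP"] = str(IPv4Address(value))     # raises on a bad length
        elif code == MULTI_EXIT_DISC:
            if len(value) != 4:
                raise ValueError("bad MED length")
            attrs["MED"] = struct.unpack("!I", value)[0]
        else:
            attrs[code] = value                # unknown attribute kept raw
    nlri = []
    while pos < len(body):
        plen = body[pos]
        if plen > 32:
            raise ValueError("bad prefix length")
        octets = (plen + 7) // 8
        raw, pos = _take(body, pos + 1, octets)
        nlri.append(str(IPv4Network((raw + bytes(4 - octets), plen))))
    return attrs, nlri


if __name__ == "__main__":
    body = build_update(0, [2, 4], "192.168.255.2", ["10.4.0.0/16", "10.2.4.0/24"], med=100)
    print(body.hex())
    print(parse_update(body))
```

The constructed UPDATE corresponds to the "10.4.0.0/16 via 192.168.255.2, path 2 4 i" line of the show output above. Real BGP messages carry a 19-byte marker/length/type header in front of this body, and 4-byte AS numbers in AS_PATH once both peers negotiate the capability; both are left out to keep the example short.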
Decision Process in BGP
#   Step
1   Verify that the NEXT_HOP is reachable (otherwise the path is ignored)
2   Prefer the highest WEIGHT (Cisco-specific, local to the router)
3   Prefer the highest LOCAL_PREF
4   Prefer locally originated routes
5   Prefer the shortest AS_PATH
6   Prefer the lowest origin code (IGP < EGP < incomplete)
7   Prefer the lowest MED (compared only between paths from the same neighbouring AS)
8   Prefer eBGP paths over iBGP
9   Prefer the path with the lowest IGP metric to the NEXT_HOP
10  Prefer the oldest path
11  Prefer the path from the lowest Router ID
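Added example (not code from the workshop slides): the decision process above as a pairwise comparison, scanning candidates against the current best the way IOS does. Each candidate is a dict keyed by the attribute names in the table; "next_hop_reachable", "igp_metric" and "received_at" stand in for the IGP lookups and arrival order a router would consult. The four candidate paths are constructed for the example.

```python
from ipaddress import IPv4Address

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}       # step 6: IGP < EGP < incomplete


def _head(p):
    """Steps 2-6 as (name, value) with lower meaning better."""
    return [
        ("weight", -p.get("weight", 0)),                                    # 2
        ("local_pref", -p.get("local_pref", 100)),                          # 3
        ("locally_originated", 0 if p.get("locally_originated") else 1),   # 4
        ("as_path_length", len(p["as_path"])),                              # 5
        ("origin", ORIGIN_RANK[p.get("origin", "i")]),                      # 6
    ]


def _tail(p):
    """Steps 8-11."""
    return [
        ("ebgp_over_ibgp", 0 if p.get("ebgp") else 1),                      # 8
        ("igp_metric", p.get("igp_metric", 0)),                             # 9
        ("age", p.get("received_at", 0)),                                   # 10: oldest wins
        ("router_id", IPv4Address(p.get("router_id", "0.0.0.0"))),          # 11
    ]


def compare(a, b):
    """Return (sign, step): sign < 0 if a beats b, > 0 if b beats a, 0 on a tie."""
    pairs = list(zip(_head(a), _head(b)))
    if a["as_path"] and b["as_path"] and a["as_path"][0] == b["as_path"][0]:
        # Step 7: MED is only comparable between paths from the same neighbouring AS.
        pairs.append((("med", a.get("med", 0)), ("med", b.get("med", 0))))
    pairs += list(zip(_tail(a), _tail(b)))
    for (name, x), (_, y) in pairs:
        if x != y:
            return (-1 if x < y else 1), name
    return 0, "tie"


def select_best(paths):
    """Step 1 drops paths with an unreachable NEXT_HOP; the rest are compared one
    at a time against the running best. Returns (best, step that last decided)."""
    candidates = [p for p in paths if p["next_hop_reachable"]]
    if not candidates:
        return None, "no path with a reachable NEXT_HOP"
    best, reason = candidates[0], "only candidate"
    for p in candidates[1:]:
        sign, step = compare(p, best)
        if sign < 0:
            best = p
        reason = step
    return best, reason


# Constructed candidates for one prefix as seen by a router in AS 65535.
CANDIDATES = [
    {"name": "A", "as_path": [2, 4], "local_pref": 200, "ebgp": False, "igp_metric": 10,
     "received_at": 1, "router_id": "192.168.255.2", "next_hop_reachable": True},
    {"name": "B", "as_path": [3], "local_pref": 100, "ebgp": True,
     "received_at": 2, "router_id": "192.168.255.6", "next_hop_reachable": True},
    {"name": "C", "as_path": [2], "local_pref": 200, "ebgp": True,
     "received_at": 3, "router_id": "192.168.255.9", "next_hop_reachable": False},
    {"name": "D", "as_path": [2, 4], "local_pref": 200, "ebgp": True, "med": 50,
     "received_at": 4, "router_id": "192.168.255.9", "next_hop_reachable": True},
]

if __name__ == "__main__":
    best, why = select_best(CANDIDATES)
    print("best:", best["name"], "decided by:", why)
```

C has the shortest AS_PATH but an unreachable next hop, so it is never considered; B loses to A on LOCAL_PREF although its path is shorter; D, from the same neighbouring AS as A, loses on MED. Because MED is only compared within one neighbouring AS, the outcome of this linear scan can depend on the order in which paths were received when three or more ASes are involved, which is the reason IOS offers "bgp deterministic-med".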
AS-Path
• Sequence of ASes a route has traversed
• Well-known mandatory attribute
• Used for:
– Loop detection
– Applying policy
AS-Path Example
[Figure: ASN 65537 originates 2001:db8::/32. ASN 64496 learns it over two paths, "65538 65536 65537" (via ASN 65538 and ASN 65536) and "64511 65537" (via ASN 64511); the shorter one is marked as the Best Path.]
Best Path
Next-hop
• eBGP: address of the external neighbour
• iBGP: the NEXT_HOP received from eBGP is passed on unchanged (but it can be changed)
• Well-known mandatory attribute
[Figure: ASN 65537 (address 2001:db8::1) advertises a prefix to ASN 65536; both the eBGP router and the iBGP routers inside ASN 65536 see NH=2001:db8::1]
Next-hop (cont.)
• To avoid carrying external next-hop IP addresses in your IGP, use next-hop-self:
– neighbor x.x.x.x next-hop-self
• Use loopbacks as NH in iBGP
Origin
• The origin of the prefix
• Historical attribute used in transition from EGP
to BGP
• Well-known mandatory attribute
• Three values: IGP, EGP, incomplete
– IGP – generated by BGP network statement
– EGP – generated by EGP
– incomplete – redistributed from another routing
protocol
Aggregator
• Conveys the IP address of the router or BGP
speaker generating the aggregate route
• Optional & transitive attribute
• Created by using "aggregate-address" (the aggregate is only generated while at least one more-specific route is present in the BGP table):
router bgp 65537
 aggregate-address 10.0.0.0 255.0.0.0
Local Preference
• Indication of preferred path to exit the local
AS
• Well-known discretionary attribute, exchanged only between iBGP peers (never sent to eBGP neighbours)
• Global to the local AS
• Paths with highest LOCAL-PREF are most
desirable (default = 100)
Local Preference Example
[Figure: ASN 64496 originates 2001:db8::/32 and is reachable through two upstreams, ASN 65536 and ASN 65537. ASN 65535 sets local preference 110 on the paths learned from ASN 65536 and 150 on those learned from ASN 65537, so traffic to 2001:db8::/32 exits to ASN 65537.]
Example
router bgp 65535
 bgp router-id 3.3.3.3
 neighbor 2001:db8::1 remote-as 65535
 neighbor 2001:db8::1 update-source Loopback0
 address-family ipv6
  neighbor 2001:db8::1 activate
  neighbor 2001:db8::1 next-hop-self
  neighbor 2001:db8::1 route-map LOCAL_PREF out
 exit-address-family
!
ipv6 prefix-list 10 seq 5 permit 2001:db8::/32
!
route-map LOCAL_PREF permit 10
 match ipv6 address prefix-list 10
 set local-preference 150
!
route-map LOCAL_PREF permit 20
Multi-Exit Discriminator (MED)
• Indication (to external peers) of the preferred
path into an AS
– Used when the AS has multiple entry points
– Non-transitive & optional attribute
• Determines best path for inbound traffic
• Comparable if paths are from same AS
• Path with lowest MED wins, default = 0
(RFC4271)
Communities
• Communities are described in RFC1997
• Transitive and Optional Attribute
• 32 bit integer, Represented as two 16 bit
integers (RFC1998)
• Common format is <local-ASN>:xx
• 0:0 to 0:65535 and 65535:0 to 65535:65535
are reserved
Communities (Cont.)
• Used to group destinations, each destination
could be member of multiple communities
• Very useful in applying policies within and
between Ases
• It is like a tag applied to an update.
• Typical communities:
– Destinations learned from customers
– Destinations learned from ISPs or peers
– Destinations in VPN
Well-known communities
• Several well-known communities are registered at
– www.iana.org/assignments/bgp-well-known-communities
• no-export = do not advertise to eBGP peers (65535:65281)
• no-advertise = do not advertise to any peer (65535:65282)
• local-AS = do not advertise outside the local AS, used with confederations (65535:65283)
Example: set community
• Set community 65536:200 on the routes matched by access-list 1
router bgp 65536
 neighbor 10.1.1.1 remote-as 65537
 neighbor 10.1.1.1 send-community
 neighbor 10.1.1.1 route-map set_community out
!
route-map set_community permit 10
 match ip address 1
 set community 65536:200
!
access-list 1 permit 10.10.0.0 0.0.255.255
Example: set local pref based on community
• Routes arriving with community 65537:150 get local preference 150
router bgp 65537
 neighbor 10.1.1.2 remote-as 65536
 neighbor 10.1.1.2 route-map filter_on_community in
!
route-map filter_on_community permit 10
 match community 1
 set local-preference 150
!
ip community-list 1 permit 65537:150
FILTERING, POLICIES AND SCALING BGP
Applying Policies with BGP
• As we have seen in some examples
• Policy based on AS path, community or prefix
• Rejecting/accepting selected routes
• Setting attributes to influence path selection
• Tools:
– Prefix-list (filters prefixes)
– Filter-list (filters on AS path)
– Route-maps and communities
Prefix-list
• Per-peer prefix filter, inbound or outbound
• Allows coverage for ranges of prefix lengths (ge, le)
• Based upon network numbers in the NLRI (using the familiar IPv4 address/mask format)
ip prefix-list <list-name> [seq <seq-value>] permit|deny <network>/<len> [ge <ge-value>] [le <le-value>]
Examples
• Deny default route
ip prefix-list EG deny 0.0.0.0/0
• Permit the prefix 35.0.0.0/8
ip prefix-list EG permit 35.0.0.0/8
• Deny the prefix 172.16.0.0/12
ip prefix-list EG deny 172.16.0.0/12
• In 192/8 allow up to /24
ip prefix-list EG permit 192.0.0.0/8 le 24
Example
router bgp 65535
 neighbor 2001:cafe::1 remote-as 65536
 !
 address-family ipv6
  neighbor 2001:cafe::1 activate
  neighbor 2001:cafe::1 prefix-list IPv6-BOGUS in
 exit-address-family
!
ipv6 prefix-list IPv6-BOGUS deny 2001:db8::/32 le 128
ipv6 prefix-list IPv6-BOGUS permit 2002::/16
ipv6 prefix-list IPv6-BOGUS deny 2002::/16 le 128
ipv6 prefix-list IPv6-BOGUS deny 0000::/8 le 128
ipv6 prefix-list IPv6-BOGUS deny fc00::/7 le 128
ipv6 prefix-list IPv6-BOGUS deny fe80::/10 le 128
ipv6 prefix-list IPv6-BOGUS deny fec0::/10 le 128
ipv6 prefix-list IPv6-BOGUS deny ff00::/8 le 128
ipv6 prefix-list IPv6-BOGUS deny ::/0
ipv6 prefix-list IPv6-BOGUS permit ::/0 le 48
ipv6 prefix-list IPv6-BOGUS deny ::/0 le 128
Entries are evaluated in order and the first match wins. A common mistake in copied templates is "deny fe00::/9 le 128": that range ends at fe7f:ffff..., so link-local fe80::/10 (and ULA fc00::/7) would slip through to the final "permit ::/0 le 48". That permit also matches an exact ::/0, so the default route is denied explicitly just before it. List names are case-sensitive: a typo such as IPv6-BOGUs silently creates a second, unused list.
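Added example (not code from the workshop slides): an evaluator for IOS-style prefix lists with ge/le semantics, run against the IPv6-BOGUS list as it appears on the slide (SLIDE_LIST) and against a corrected variant (FIXED_LIST, this example's addition). Entries are tried in order, the first match wins and no match means deny, as on the router. The test prefixes are constructed; 2001:db7::/32 is used only as a stand-in for an ordinary allocation.

```python
from ipaddress import ip_network


def parse_entry(line):
    """'deny 2001:db8::/32 le 128' -> (action, network, ge, le).
    Without ge/le an entry matches the exact prefix only, as in IOS."""
    tokens = line.split()
    action, net = tokens[0], ip_network(tokens[1], strict=False)
    ge = le = net.prefixlen
    for key, val in zip(tokens[2::2], tokens[3::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
        else:
            raise ValueError(f"unknown keyword {key!r} in {line!r}")
    if not net.prefixlen <= ge <= le <= net.max_prefixlen:
        raise ValueError(f"bad ge/le in {line!r}")
    return action, net, ge, le


def evaluate(prefix_list, prefix):
    """Return ('permit' | 'deny', the matching entry or None for the implicit deny)."""
    p = ip_network(prefix)
    for line in prefix_list:
        action, net, ge, le = parse_entry(line)
        if p.version == net.version and ge <= p.prefixlen <= le and p.subnet_of(net):
            return action, line
    return "deny", None


def audit(prefix_list, prefixes):
    """Map every candidate prefix to the verdict of the list."""
    return {p: evaluate(prefix_list, p)[0] for p in prefixes}


# The list exactly as written on the slide.
SLIDE_LIST = [
    "deny 2001:db8::/32 le 128",
    "permit 2002::/16",
    "deny 2002::/16 le 128",
    "deny 0000::/8 le 128",
    "deny fe00::/9 le 128",
    "deny ff00::/8 le 128",
    "permit 0::/0 le 48",
    "deny 0::/0 le 128",
]

# Corrected variant (added here): fe00::/9 stops at fe7f::, so link-local and
# ULA are added explicitly, and an exact default route is denied before the
# catch-all permit.
FIXED_LIST = [
    "deny 2001:db8::/32 le 128",
    "permit 2002::/16",
    "deny 2002::/16 le 128",
    "deny 0000::/8 le 128",
    "deny fc00::/7 le 128",
    "deny fe80::/10 le 128",
    "deny fec0::/10 le 128",
    "deny ff00::/8 le 128",
    "deny ::/0",
    "permit ::/0 le 48",
    "deny ::/0 le 128",
]

# Constructed announcements a peer might send us.
PROBES = ["2001:db7::/32", "2001:db7::/48", "2001:db7::/49", "2001:db8:1::/48",
          "2002::/16", "2002:c000::/32", "fe80::/10", "fc00::/7", "::/0"]

if __name__ == "__main__":
    before, after = audit(SLIDE_LIST, PROBES), audit(FIXED_LIST, PROBES)
    for p in PROBES:
        flag = "  <-- changed" if before[p] != after[p] else ""
        print(f"{p:18} slide={before[p]:6} fixed={after[p]:6}{flag}")
```

Running it shows fe80::/10, fc00::/7 and ::/0 accepted by the slide's list and denied by the corrected one, while legitimate /32 and /48 announcements and the exact 2002::/16 pass in both. A /49 is denied by both lists, which is the "le 48" rule doing its job.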
Regular expressions
• .   Match one character
• *   Match any number of the preceding expression
• +   Match at least one of the preceding expression
• ^   Beginning of line
• $   End of line
• \   Escape a regular expression character
• _   Beginning, end, white space, brace, comma or parenthesis (an AS boundary)
• |   Or
• ()  Parentheses to group an expression
• []  Brackets to contain a character range
Examples of Regular Expressions
• .* Match anything
• ^$ Match routes local to this AS (as-path is
empty)
• _65536$ Originated by 65536 (as-path ends with
65536)
• ^65536_ Received from 65536 (as-path starts
with 65536)
• _65536_ 65536 is somewhere in the as-path
• _65536_65537_ Passing through 65536 then
65537
More examples
• ^[0-9]+$  Match an AS_PATH of length one
• ^[0-9]+_[0-9]+$  Match an AS_PATH of length two
• ^[0-9]*_[0-9]+$  Match an AS_PATH of length one or two
• ^[0-9]*_[0-9]*$  Match an AS_PATH of length one or two (will also match zero)
• ^[0-9]+_[0-9]+_[0-9]+$  Match an AS_PATH of length three
• _(65536|65537)_  Match anything which has gone through AS65536 or AS65537
• _65536(_.+_)65537$  Match anything originated by AS65537 that passed through AS65536, with at least one AS in between
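Added example (not code from the workshop slides): the AS-path regular expressions from the last two slides evaluated in Python against a constructed set of paths. The only non-standard token is "_", which Cisco defines as the beginning or end of the path, a space, a brace, a comma or a parenthesis; cisco_to_python() rewrites it accordingly. A second matcher that treats "_" as just a space shows the mistake this avoids.

```python
import re

AS_BOUNDARY = r"(?:^|$|\s|[{},()])"   # what Cisco's "_" stands for


def cisco_to_python(expr):
    return expr.replace("_", AS_BOUNDARY)


def matches(expr, as_path):
    """as_path is the path as 'sh ip bgp' prints it: ASNs separated by
    spaces, empty for a locally originated route."""
    return re.search(cisco_to_python(expr), as_path) is not None


def matches_space_only(expr, as_path):
    """The common mistake: treating "_" as a plain space. It misses the
    first and last AS, because nothing precedes or follows them."""
    return re.search(expr.replace("_", " "), as_path) is not None


def filter_paths(expr, paths):
    return [p for p in paths if matches(expr, p)]


# Constructed paths, as seen from inside AS 65535.
SAMPLE_PATHS = [
    "",                      # locally originated
    "65536",                 # received from 65536, which originated it
    "65536 65538",           # via 65536, originated by 65538
    "65538 65536",           # via 65538, originated by 65536
    "65536 65537",
    "65536 65538 65537",
    "65537 655360",          # 655360 contains "65536" as a substring
]

EXPRESSIONS = ["^$", "_65536$", "^65536_", "_65536_", "_65536_65537_",
               "^[0-9]+$", "^[0-9]*_[0-9]*$", "_(65536|65537)_", "_65536(_.+_)65537$"]

if __name__ == "__main__":
    for expr in EXPRESSIONS:
        print(f"{expr:22} -> {filter_paths(expr, SAMPLE_PATHS)}")
```

Note the last sample path: "_65536_" does not match "65537 655360", because the boundary token refuses to match in the middle of a number. A filter written as a bare "65536" would have matched it, which is how a filter meant for one AS ends up permitting another.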
Filter-lists
• Filter routes based on AS path, inbound or outbound
router bgp 65537
 network 10.7.0.0 mask 255.255.0.0
 neighbor 10.10.1.1 filter-list 5 out
 neighbor 10.10.1.1 filter-list 6 in
!
ip as-path access-list 5 permit ^$
ip as-path access-list 5 permit ^65536$
ip as-path access-list 6 permit ^65539$
List 5 lets out our own routes (empty AS path) and those learned directly from AS 65536; without the "^$" line our own 10.7.0.0/16 would be blocked too. List 6 accepts only routes originated by the neighbour itself, AS 65539.
Route-maps
• A sequence of statements
• Has "line" (sequence) numbers; each line is a separate condition/action:
  if match then do expression and exit
  else if match then do expression and exit
  else …
• Route-map "continue" lets us apply multiple conditions and actions in one route-map
Example Route-maps
route-map sample permit 10
match ip address prefix-list list-one
set local-preference 120
!
route-map sample permit 20
match ip address prefix-list list-two
set local-preference 80
!
route-map sample permit 30
(The empty final permit passes everything not matched above; without it the route-map's implicit deny would drop those routes.)
Controlling Inbound Traffic
• The first rule of controlling inbound traffic…
– You do not have ultimate control of how traffic
enters your AS
– Your peers may have outbound policies that will
override all of your attempts to influence inbound
traffic
• So, what can you do?
– Leaking specific routes
– MED
– AS-PATH Prepending
AS Path Prepends
[Figure: ASN 65535 originates 2001:db8::/32. Toward ASN 65536 it prepends its own ASN twice, so ASN 64496 sees the path "65536 65535 65535 65535"; toward ASN 65537 it does not prepend, so ASN 64496 sees "65537 65535" and prefers that path.]
AS Path Prepends
• Use your own AS number when prepending; otherwise BGP loop detection may cause disconnects
router bgp 65535
 neighbor 2001:cafe::1 remote-as 65536
 address-family ipv6
  neighbor 2001:cafe::1 activate
  neighbor 2001:cafe::1 route-map SETPATH out
 exit-address-family
!
route-map SETPATH permit 10
 set as-path prepend 65535 65535
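Added example (not code from the workshop slides): the two AS_PATH rules an eBGP speaker applies, prepending its own ASN on the way out and discarding any route whose path already contains its ASN on the way in, replayed over the topology of the prepend figure (ASN 65535 originating 2001:db8::/32, reaching ASN 64496 through ASN 65536 and ASN 65537). The hop chains and the "wrong prepend" case are constructed for the example.

```python
def receive(my_as, as_path):
    """RFC 4271 section 6.3: a route whose AS_PATH contains the local AS is
    a loop and is discarded. Returns the accepted path or None."""
    if my_as in as_path:
        return None
    return list(as_path)


def advertise(my_as, as_path, prepend=()):
    """Outbound to an eBGP peer: the local ASN goes in front, followed by
    any extra prepends the policy adds, then the path as received."""
    return [my_as, *prepend, *as_path]


def propagate(origin_as, chain, prepend_map):
    """Walk origin_as -> chain[0] -> chain[1] ... and record the AS_PATH each AS
    accepts (None where the route was discarded). prepend_map[(from_as, to_as)]
    lists the extra ASNs prepended on that hop; the originator starts with an
    empty path."""
    seen, path, prev = {}, [], origin_as
    for hop in chain:
        sent = advertise(prev, path, prepend_map.get((prev, hop), ()))
        path = receive(hop, sent)
        seen[hop] = path
        if path is None:
            break
        prev = hop
    return seen


def shortest(paths):
    """Step 5 of the decision process, all else being equal."""
    usable = [p for p in paths if p is not None]
    return min(usable, key=len) if usable else None


if __name__ == "__main__":
    # As in the figure: prepend own ASN twice toward 65536, nothing toward 65537.
    via_65536 = propagate(65535, [65536, 64496], {(65535, 65536): (65535, 65535)})
    via_65537 = propagate(65535, [65537, 64496], {})
    print("64496 sees", via_65536[64496], "and", via_65537[64496])
    print("64496 picks", shortest([via_65536[64496], via_65537[64496]]))
    # Prepending someone else's ASN: 64496 finds itself in the path and drops the route.
    wrong = propagate(65535, [65536, 64496], {(65535, 65536): (64496,)})
    print("with a foreign ASN prepended, 64496 sees", wrong[64496])
```

The last case is the slide's warning in action: the prepend reaches ASN 65536 fine, but ASN 64496 sees its own number in the path and treats the route as a loop, so the prefix disappears from that part of the Internet instead of merely being deprioritised.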
No-export Community
[Figure: ASN 65536 originates 2001:db8::/32 together with the more specifics 2001:db8:100::/40 and 2001:db8:200::/40. It sends all three to its neighbour ASN 65537 with the two /40s tagged No-export; ASN 65537 can use the /40s internally but announces only 2001:db8::/32 (AS_PATH "ASN2 ASN1") onward.]
No Export Community
router bgp 65536
 neighbor 2001:cafe::1 remote-as 65537
 address-family ipv6
  neighbor 2001:cafe::1 activate
  neighbor 2001:cafe::1 send-community
  neighbor 2001:cafe::1 route-map set_community out
 exit-address-family
!
route-map set_community permit 10
 match ipv6 address prefix-list NO-EXPORT
 set community no-export
!
route-map set_community permit 20
!
ipv6 prefix-list NO-EXPORT permit 2001:db8:100::/40
ipv6 prefix-list NO-EXPORT permit 2001:db8:200::/40
(send-community is required on IOS or the tag is stripped before the UPDATE leaves; the IPv6 route-map must match with "ipv6 address".)
Order of policy application
• For inbound updates:
– Route-map
– Filter-list
– Prefix-list
• For outbound updates:
– Prefix-list
– Filter-list
– Route-map
Route-reflectors
• BGP cannot advertise a path learned from one iBGP peer to another iBGP peer.
• iBGP has no way to detect loops (as opposed to eBGP, which uses the AS_PATH)
• iBGP therefore requires a full mesh, but that does not scale
• Route reflectors are central points that redistribute routes among iBGP peers
BEST PRACTICES
Loopbacks
• Loopback peering promotes stability
• If the link between two neighbors fails
– Without loopback, peering to the interface IP
would bring down the BGP session
– With loopback, Peering to a loopback allows the
session to stay up
• Used to load-balance traffic over multiple links
• In iBGP make sure there is an IGP route to
loopbacks
Loopbacks
[Figure: ASN 65536 (loopback0 2001:db8:2::1, originating 2001:db8:100::/40 and 2001:db8:200::/40) peers loopback-to-loopback with ASN 65537 (loopback0 2001:db8:3::1) over the link Serial0, 2001:db8:1::10 to 2001:db8:1::11]
router bgp 65536
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 bgp router-id 192.168.99.70
 !
 neighbor 2001:db8:3::1 remote-as 65537
 neighbor 2001:db8:3::1 ebgp-multihop 2
 neighbor 2001:db8:3::1 update-source Loopback0
 !
 address-family ipv6
  neighbor 2001:db8:3::1 activate
  no synchronization
  network 2001:db8:100::/40
  network 2001:db8:200::/40
 exit-address-family
!
ipv6 route 2001:db8:3::1/128 Serial0
(ebgp-multihop is needed because the peer's loopback is not on a directly connected subnet; the static route to the peer's loopback makes it reachable without an IGP.)
Routing Table Growth
[Figure: growth of the global BGP routing table over time]
Source: http://bgp.potaroo.net/
Disaggregation
[Figure: ASN 1 originates 2001:db8::/32 and also the more specifics 2001:db8::/40 and 2001:db8:100::/40. ASN 2 passes all three on, so ASN 3 and ASN 4 each receive 2001:db8::/32, 2001:db8::/40 and 2001:db8:100::/40 with AS_PATH "ASN2 ASN1": three table entries where one would do.]
Aggregation
• Just announce the aggregate to your peers
• Use prefix-lists to control what leaves your network and what enters it
• Use the no-export community for more specifics that must not travel further
• Avoid disaggregating as much as possible
Example
router bgp 65536
 network 10.10.0.0 mask 255.255.0.0
 network 10.108.0.0 mask 255.255.0.0
 network 10.0.0.0 mask 255.0.0.0
 neighbor 10.108.10.1 remote-as 65537
 neighbor 10.108.10.1 send-community
 neighbor 10.108.10.1 route-map set_community out
 neighbor 10.108.11.1 remote-as 65537
 neighbor 10.108.11.1 prefix-list ANNOUNCE-OUT out
!
route-map set_community permit 10
 match ip address prefix-list NO-EXPORT
 set community no-export
!
route-map set_community permit 20
!
ip prefix-list NO-EXPORT permit 10.10.0.0/16
ip prefix-list NO-EXPORT permit 10.108.0.0/16
!
ip prefix-list ANNOUNCE-OUT permit 10.0.0.0/8
!
ip route 10.0.0.0 255.0.0.0 null 0
To neighbour 10.108.10.1 the two /16s are sent tagged no-export (send-community is needed for the tag to travel) together with the aggregate; to neighbour 10.108.11.1 only the aggregate 10.0.0.0/8 is announced.
Receiving and sending prefixes
• Always apply outbound filters, announcing only your own prefixes and your customers'
• Always apply inbound filters; you never know what may come in from your peers
• Not doing this produces problems such as route hijacking and route leaks
Filtering special IPv4/IPv6 addresses
• Add these addresses to your input filters to avoid accepting invalid announcements
• Examples of such prefixes are 10.0.0.0/8, 192.168.0.0/16 and 2001:db8::/32
• Check RFC 6890 for details
• Cisco, Juniper and other ACL templates at:
– http://www.teamcymru.org/Services/Bogons/http.html
IPv6 special addresses
ipv6 prefix-list IPv6-BOGUS deny 2001:db8::/32 le 128
ipv6 prefix-list IPv6-BOGUS permit 2002::/16
ipv6 prefix-list IPv6-BOGUS deny 2002::/16 le 128
ipv6 prefix-list IPv6-BOGUS deny 0000::/8 le 128
ipv6 prefix-list IPv6-BOGUS deny fc00::/7 le 128
ipv6 prefix-list IPv6-BOGUS deny fe80::/10 le 128
ipv6 prefix-list IPv6-BOGUS deny fec0::/10 le 128
ipv6 prefix-list IPv6-BOGUS deny ff00::/8 le 128
ipv6 prefix-list IPv6-BOGUS deny ::/0
ipv6 prefix-list IPv6-BOGUS permit ::/0 le 48
ipv6 prefix-list IPv6-BOGUS deny ::/0 le 128
(Templates that use "deny fe00::/9 le 128" miss link-local fe80::/10 and ULA fc00::/7; the explicit "deny ::/0" keeps a default route from matching the "permit ::/0 le 48" line.)
Stable Prefixes
• Use static routes to keep your routes stable
and independent of interface changes
• Use loopbacks to peer with your neighbors
– With iBGP, use them as next-hop; it avoids carrying external routes in your IGP
– With eBGP it increases stability
INTERNET EXCHANGE POINTS
Recall: Transit and Peering
(As defined earlier: transit carries another AS's traffic and prefixes across an intermediate AS, usually for a fee; peering is a private interconnect between two ASNs, usually for no fee; an Internet Exchange Point is a common interconnect location where several ASNs exchange routing information and traffic.)
Recommendations and Best Practices
• Only announce your aggregates and your
customer aggregates at IXPs
• Only accept the aggregates which your peer is
entitled to originate
• Never carry a default route on an IXP (or
private) peering router
• Failing to do so leads to route-hijacks and
leaks
Route Hijacking
• This occurs when a participant in the Internet
Routing announces a prefix for which it has no
authority
• Malicious or by operational errors
• Better-known cases:
– Pakistan Telecom vs. You Tube (2008)
– China Telecom (2010)
– Google in Eastern Europe (various AS, 2010)
– Latin American cases (beginning 2011)
Route-Hijacking (example)
[Figure: AS 6057 announces 200.40.0.0/16; AS 15358 announces the more specific 200.40.235.0/24. ASN 8158 receives both:]
200.40.0.0/16    AS_PATH ASN1 ASN3 ASN6057
200.40.235.0/24  AS_PATH ASN1 ASN15358
Longest-prefix match sends the traffic for 200.40.235.0/24 to AS 15358, whatever the AS_PATH length of the legitimate /16.
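Added example (not code from the workshop slides): route origin validation in the style of RPKI (RFC 6811) applied to the hijack above, producing the V/I/N codes shown in the sh ip bgp output earlier. The ROA table is constructed for the example: it states that AS 6057 may originate 200.40.0.0/16 and nothing more specific (maxLength 16). The received announcements are those of the figure, with ASN1 and ASN3 kept as the figure's placeholder transit ASNs, plus one prefix no ROA covers.

```python
from ipaddress import ip_address, ip_network

# (prefix, maxLength, authorised origin AS); constructed for this example.
ROAS = [("200.40.0.0/16", 16, 6057)]


def validate(prefix, origin_as, roas=ROAS):
    """RFC 6811: NotFound if no ROA covers the prefix; Valid if a covering ROA
    names the origin AS and the prefix is no longer than maxLength; Invalid otherwise."""
    p = ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in roas:
        r = ip_network(roa_prefix)
        if r.version == p.version and p.subnet_of(r):
            covering.append((max_len, asn))
    if not covering:
        return "NotFound"
    if any(asn == origin_as and p.prefixlen <= max_len for max_len, asn in covering):
        return "Valid"
    return "Invalid"


def check_table(announcements, roas=ROAS):
    """announcements: (prefix, AS_PATH as received, leftmost = neighbour).
    The origin is the rightmost AS. Returns (prefix, origin, state) triples."""
    return [(prefix, path[-1], validate(prefix, path[-1], roas)) for prefix, path in announcements]


def drop_invalid(entries):
    """The policy RFC 7115 recommends: do not use Invalid routes."""
    return [e for e in entries if e[2] != "Invalid"]


def forwarding_choice(entries, address):
    """Longest-prefix match over the accepted entries: (prefix, origin AS)
    that carries traffic to the address, or None."""
    addr = ip_address(address)
    hits = [(pfx, origin) for pfx, origin, _ in entries if addr in ip_network(pfx)]
    return max(hits, key=lambda h: ip_network(h[0]).prefixlen, default=None)


# What ASN 8158 receives in the figure, plus a prefix with no ROA.
RECEIVED = [
    ("200.40.0.0/16", [1, 3, 6057]),
    ("200.40.235.0/24", [1, 15358]),
    ("10.2.4.0/24", [2, 4]),
]

if __name__ == "__main__":
    table = check_table(RECEIVED)
    for prefix, origin, state in table:
        print(f"{prefix:18} origin AS{origin:<6} {state}")
    print("without ROV, 200.40.235.7 goes to", forwarding_choice(table, "200.40.235.7"))
    print("with Invalid dropped, it goes to", forwarding_choice(drop_invalid(table), "200.40.235.7"))
```

The /24 from AS 15358 is Invalid because a covering ROA exists and names a different origin; even AS 6057 itself announcing a /24 would be Invalid, since maxLength is 16, which is what makes more-specific hijacks detectable. Without validation the /24 wins on longest match; with Invalid routes dropped, traffic follows the /16 to AS 6057. NotFound (no ROA at all) is the common case on today's Internet and is normally still accepted.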
Leaks
• There is no standard definition of a leak
• It happens when an ASN "leaks" routes that are neither its own nor its customers' (for example routes learned from one peer or upstream) to other peers or upstreams
• The effect is that the leaking ASN gives transit to those networks for its peers
Simple Topology
• Layer 2 fabric
• Every participant peers with every other: N(N-1)/2 BGP sessions, i.e. O(N²)
[Figure: ASNs 65536, 65537, 65538 and 65539 fully meshed over the IXP fabric]
Route-server
• It allows the BGP mesh to scale
• All prefixes sent to a Route Server are usually distributed to all ASNs that peer with the Route Server
• The BGP configuration to peer with a Route Server is the same as for any other peer
• Do not forget inbound and outbound filters here too
Topology with route-server
[Figure: ASNs 65536, 65537, 65538 and 65539 each peer only with the Route-server]
Thanks!
Questions?