BGP Multiple Origin AS (MOAS) Conflict Analysis


BGP Multiple Origin AS (MOAS) Conflict Analysis

Xiaoliang Zhao, NCSU

S. Felix Wu, UC Davis

Allison Mankin, Dan Massey, USC/ISI

Dan Pei, Lan Wang, Lixia Zhang, UCLA

NANOG-23, October 23, 2001

NANOG 23 - Oakland, 10/23/2001

Definition of MOAS

BGP routes include a prefix and AS path
– Example: 131.179.0.0/16, Path: 4513, 11422, 11422, 52

Origin AS: the last AS in the path
– In the above example: AS 52 originated the path advertisement for prefix 131.179/16

Multiple Origin AS (MOAS): the same prefix announced by more than one origin AS


Example MOAS Conflicts

[Figure: AS 226 announces 128.9.0.0/16 (Path: 226) and AS 4 announces 128.9.0.0/16 (Path: 4) from a static or IGP-learned route to 128.9/16; AS X passes it on as Path: X, 4 and AS Z as Path: Z, 226; AS Y, receiving both, sees a MOAS conflict!]

Valid MOAS case: 128.9/16 reachable either way

Invalid MOAS case: 128.9/16 reachable one way but not the other


Talk Outline

Measurement data shows that MOAS exists

Some MOAS cases caused by faults

Some MOAS cases due to operational need

Important to distinguish the two
– proposed solutions


Measurement Data Collection

Data collected from the Oregon Route Views
– Peers with >50 routers from >40 different ASes.
– Our analysis uses data from 11/08/97 to 07/18/01 (1279 days total)

More than 38000 MOAS conflicts observed during this time period

At a given moment,
– The Route Views server observed 1364 MOAS conflicts
– The views from 3 individual ISPs showed 30, 12 and 228 MOAS conflicts


MOAS Conflicts Do Exist

year | Median number | increase rate | #BGP table entries | increase rate
1998 | 683           |               | 52000              |
1999 | 810.5         | 18.7%         | 60000              | 15.40%
2000 | 951           | 17.3%         | 80000              | 33.30%
2001 | 1294          | 34.8%         | 109000             | 36%

[Figure: number of MOAS conflicts over time. Max: 11842 (11357 from a single AS); Max: 10226 (9177 from a single AS)]


Histogram of MOAS Conflict Lifetime

[Figure: histogram. x-axis: total # of days a prefix experienced MOAS conflict; y-axis: # of MOAS conflicts]


Distribution of MOAS Conflicts over Prefix Lengths

[Figure: x-axis: prefix length (1 to 31); y-axis: ratio of # MOAS entries over total routing entries for the same prefix length (0 to 0.045)]


Valid Causes of MOAS Conflicts

Multi-homing without BGP
[Figure: 128.9/16 is originated by AS 226 (Path: 226) and also by AS 4, which holds a static route or IGP route to 128.9/16 (Path: 4); AS 11422 forwards it as Path: 11422, 4]

Private AS number substitution
[Figure: 131.179/16 is originated by private AS 64512 (Path: 64512); AS X and AS Y announce it as Path: X and Path: Y]


Invalid Causes of MOAS Conflicts

Operational faults led to large spikes of MOAS conflicts
– 04/07/1998: one AS originated 12593 prefixes, out of which 11357 were MOAS conflicts
– 04/10/2001: another AS originated 9180 prefixes, out of which 9177 were MOAS conflicts

Falsely originated routes
– Errors
– Intentional traffic hijacking


Handling MOAS Conflicts

RFC 1930 recommends each prefix be originated from a single AS

Today’s routing practice leads to MOAS in normal operations

We must tell valid MOAS cases from invalid ones
– Proposal 1: using BGP community attribute
– Proposal 2: DNS-based solution


BGP-Based Solution

Define a new community attribute
– Listing all the ASes allowed to originate a prefix

Attach this MOAS community-attribute to BGP route announcement

Enable BGP routers to detect faults and attacks
– At least in most cases, we hope!


Comm. Attribute Implementation Example

Example configuration:

router bgp 59
 neighbor 1.2.3.4 remote-as 52
 neighbor 1.2.3.4 send-community
 neighbor 1.2.3.4 route-map setcommunity out
route-map setcommunity
 match ip address 18.0.0.0/8
 set community 59:MOAS 58:MOAS additive

[Figure: AS 58, AS 59 and AS 52 exchanging routes for 18.0.0.0/8 with the MOAS community attached: 18/8, PATH<4>, MOAS{4,58,59}; 18/8, PATH<58>, MOAS{58,59}; 18/8, PATH<59>, MOAS{58,59}; 18/8, PATH<52>, MOAS{52, 58}]
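Added example (not from the talk or its authors): a small Python check that applies the MOAS definition from the earlier slides (origin AS = last AS in the path, unchanged by prepending) and then tests each MOAS prefix against the MOAS lists carried in the community attribute, as the BGP-based proposal suggests. The route table, the set-based attribute representation and the validation rule (every observed origin must appear in every received list) are constructed assumptions; the slides do not specify the attribute encoding.

```python
from collections import defaultdict

# Constructed sample routes modelled on the talk's figures (not the slides'
# measurement data). Entry: (prefix, AS path, ASes in the hypothetical MOAS
# community attribute, or None when no such attribute arrived).
ROUTES = [
    ("131.179.0.0/16", [4513, 11422, 11422, 52], None),  # prepended, one origin
    ("18.0.0.0/8", [4], {4, 58, 59}),
    ("18.0.0.0/8", [58], {58, 59}),
    ("18.0.0.0/8", [59], {58, 59}),
    ("18.0.0.0/8", [52], {52, 58}),
    ("128.9.0.0/16", [226], {4, 226}),
    ("128.9.0.0/16", [11422, 4], {4, 226}),
    ("192.0.2.0/24", [7, 8], None),       # constructed: MOAS, no attribute
    ("192.0.2.0/24", [9, 10], None),
]


def origin_as(path):
    """Origin AS is the last AS in the path; prepending does not change it."""
    return path[-1]


def find_moas(routes):
    """Return prefix -> set of origin ASes for every prefix with >1 origin."""
    origins = defaultdict(set)
    for prefix, path, _ in routes:
        origins[prefix].add(origin_as(path))
    return {p: o for p, o in origins.items() if len(o) > 1}


def classify_moas(routes):
    """Check each MOAS prefix against the MOAS lists carried with its routes.

    Assumed rule: 'validated' if every observed origin appears in every
    received list; 'unvalidated' if any route lacks the attribute (never set,
    or stripped by a transit AS); otherwise 'ca-conflict' plus the origins
    that some list does not permit.
    """
    verdicts = {}
    for prefix, origins in find_moas(routes).items():
        lists = [c for p, _, c in routes if p == prefix]
        if any(c is None for c in lists):
            verdicts[prefix] = ("unvalidated", set())
            continue
        unlisted = {o for o in origins for c in lists if o not in c}
        verdicts[prefix] = ("ca-conflict", unlisted) if unlisted else ("validated", set())
    return verdicts


if __name__ == "__main__":
    for prefix, (verdict, unlisted) in sorted(classify_moas(ROUTES).items()):
        print(prefix, verdict, sorted(unlisted))
```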


Implementation Considerations

Quickly and incrementally deployable
– Generating MOAS community attribute: configuration changes only
– Detecting un-validated MOAS or a MOAS-CA conflict:
  • Short term: observable from monitoring platforms
  • Longer term: adding into BGP update processing

But community attributes may be dropped by a transit AS due to local configurations or policies
– time to fix the handling of community attributes?


Another Proposal: DNS-based Solution

Put the MOAS list in a new DNS Resource Record
– ftp://psg.com/pub/dnsind/draft-bates-bgp4-nlri-orig-verif-00.txt by Bates, Li, Rekhter, Bush, 1998

Example configuration (zone file for 18.bgp.in-addr.arpa):

$ORIGIN 18.bgp.in-addr.arpa.
...
AS 58 8
AS 59 8
...

[Figure: a router that detects MOAS for 18/8 queries an enhanced DNS service to verify. Query 18.bgp.in-addr.arpa: origin AS? Response: 18.bgp.in-addr.arpa AS 58 8 AS 59 8]


Issues to Consider for the DNS Solution

Provides a general prefix to origin AS mapping database

Complementary to Community-attribute Approach
– Check with DNS when community tag indicates a potential problem
– DNSSEC, once available, authenticates the MOAS list

But requires changes to DNS and BGP

DNS may be vulnerable without DNSSEC
– When would DNSSEC be ready?

Routing system querying naming system: circular dependency?


Summary

MOAS conflicts exist today
– Some due to operational need; some due to faults

Blind acceptance of MOAS could be dangerous
– An open door for traffic hijacking

We plan to finalize the solution and bring to IETF

Send all questions to [email protected]

For more info about FNIISC project: http://fniisc.nge.isi.edu