Route filtering using IRRs
APAN Net Eng Singapore - 19 July 2006
[email protected]
© 2006, AARNet Pty Ltd

AARNet3 National Network
• STM-64c (10Gbps) backbone
• Dual PoPs with divergent paths in major cities
• Dual and divergent STM-1s to NT & Tasmania
• DWDM network
  – Providing backbone
  – Providing multiple GigE to regional areas
• Provides Commodity and R&E traffic to customers

AARNet3 Network

AARNet3 International Network
• Multiple trans-Pacific circuits
  – 2 x STM-64c for research and education
  – 4 x STM-4c (4 x 622Mbps) for commodity (LA & PA)
  – 2 x STM-1 (155 Mbps) to Seattle
• Connections to Europe and Asia
  – 2 x 2 x STM-1 to Singapore
  – STM-4 to Frankfurt

AARNet3 International Connectivity

Commodity Provision
• International commodity from
  – Palo Alto
  – Los Angeles
  – Seattle
  – Frankfurt
• Domestic commodity in
  – Sydney
  – Melbourne
  – Adelaide
  – Canberra
  – Brisbane
  – Perth, etc.

AARNet PoPs: our footprint
• 17 Domestic
  – Sydney (3)
  – Melbourne (2)
  – Brisbane (2)
  – Adelaide (2)
  – Perth (3)
  – Canberra (2)
  – Hobart (1)
  – Darwin (1)
  – Alice Springs (1)
• 7 International
  – Seattle
  – Palo Alto
  – Los Angeles
  – Hawai’i
  – Suva
  – Singapore
  – Frankfurt

The AARNet3 environment
• Currently over 100 routers deployed
• A mix of Juniper and Cisco routers
  – Juniper M320s at the core
  – Cisco routers at the customer edge
  – Link speeds varying from STM-64c to STM-4s and STM-1s for long haul
  – 10GbE intra-PoP and GbE connections from PoPs, but still some managed services and legacy ATM

The BGP environment
• 17 commodity transit connections
• Over 200 peers, both commodity and R&E
• Most peerings are bilateral, a few (3) are multilateral
• Some 20 peerings with external international R&E networks
• Over 200 iBGP peerings
• Over 250 IPv4 prefixes advertised and growing…
• IPv6 enabled
• IPv4/IPv6 multicast enabled

How do we manage this complexity?
• Very hard to manage on an ad-hoc basis with such diversity
  – Easy to make big mistakes with manual configurations
• Needs an overall policy that manages router BGP configurations
• Needs cross-vendor router support
• AARNet uses IRRs and RPSL to manage this

BGP trust and security
• In BGP, security is an afterthought
  – BGP was originally designed to address routing between trusted networks; that element of trust does not hold on the Internet today
  – TCP MD5 session authentication (RFC 2385, often loosely called "MD5 encryption") is gaining acceptance but is still not fully deployed; note that it authenticates the TCP session between two routers, it says nothing about whether the routes carried over that session are legitimate
  – Filtering is an add-on and is often very loosely deployed
  – This has the potential to cause disruption

BGP Misconfigurations
• Estimated that 1% of the routing table prefixes are misconfigured each day*
  – This churn increases the load on routers by 10% in bursts
  – Routing is surprisingly resilient, with only 4% of these misconfigurations affecting connectivity/reachability of sites
  – But when it hits it can be severe, especially when there is little protection in place - AS7007 incident

* Mahajan, Wetherall, Anderson - Understanding BGP Misconfiguration, SIGCOMM 2002
  http://www.cs.washington.edu/homes/ratul/bgp/bgp-misconfigs.pdf

Route Hijacking
• A prefix is announced that does not belong to the originating AS
• Can be done by misconfiguration
• Can be done maliciously
  – Spammers
  – DoS attacks
• Short-Lived Prefix Hijacking on the Internet - Peter Boothe, James Hiebert, Randy Bush
  – http://www.nanog.org/mtg-0602/pdf/boothe.pdf
  – "We can identify between 26 and 95 hijacking instances in Route-Views data for December 2005. Many more misconfigs and false alarms than purposeful hijackings - 750+"

How trusting are we with BGP?
• Do we really trust others' announcements?
• Would we deploy blackhole community tags with them to protect the network from DoS attacks?
• We need to increase the trust level by developing public policy and consistent actions.
• To trust we need to be trustworthy

How we went about it
• Need to identify which IRR to use
  – AARNet uses RADB
  – Others run their own for control
• Need to decide what degree of filtering is desired
  – Prefix filters
  – AS path filters
  – Both!
• Register a maintainer object at the chosen IRR
  – Usually a "manual" process, and could be multi-stage if PGP key authentication is required

What is RPSL?
• Object-oriented language
• Structured whois objects
• Refinement of RIPE-181 (and its predecessors) based on operational experience
• Describes things interesting to routing policy
  – Prefixes
  – AS numbers
  – Relationships between BGP peers
  – Management responsibility

Maintainer Object

mntner:      MAINT-ASAARNET
descr:       Maintainers for AARNet and AARNet member objects
admin-c:     CS3692
tech-c:      GT342-AU
upd-to:      [email protected]
mnt-nfy:     [email protected]
auth:        PGPKEY-FAD8C612
auth:        PGPKEY-23B7F8EF
remarks:     Australian Academic and Research Network http://www.aarnet.edu.au/
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20040113
source:      RADB

• Maintainer objects are used to authenticate updates to the objects they protect
• Multiple authentication methods: NONE, MAIL-FROM, CRYPT-PW, PGPKEY
  – NONE and MAIL-FROM give no real protection (the From: header of an update mail is trivially forged), and CRYPT-PW sends the password in the clear with every update; PGPKEY is the method to use, because the filters other networks generate from your objects are only as trustworthy as the authentication on your maintainer

Route Object
• Uses CIDR prefix/length format
• Specifies the origin AS for a route
• Can indicate membership of a route set

route:       134.7.0.0/16
descr:       Curtin University of Technology
origin:      AS7575
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20050818
source:      RADB

Route Set Object
• Collects routes together with similar properties

route-set:   AS7575:RS-UNSW
descr:       University of New South Wales
members:     129.94.0.0/16, 149.171.0.0/16, 203.10.48.0/24, 203.20.160.0/24, 203.20.160.0/19
remarks:     List of routes accepted from AS7570
admin-c:     MP151
tech-c:      ANOC-AP
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20050427
source:      RADB

AS Set Object (1)
• Collects together Autonomous Systems with shared properties
• Can be used in policy in place of an AS

as-set:      AS7575:AS-EDGE
descr:       AARNet3 customers AS set
members:     AS1851, AS4822, AS6262, AS7575, AS7645, AS9383, AS10148, AS17498, AS23654, AS23719, AS23859, AS24101, AS24313, AS24390, AS24431, AS24433, AS24434, AS24436, AS24437, AS24490, AS37978, AS38083
remarks:     List of customers on AARNet3 using public AS numbers
remarks:     http://www.aarnet.edu.au
admin-c:     MP151
tech-c:      ANOC-AP
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20060713
source:      RADB

AS Set Object (2)

as-set:      AS7575:AS-CUSTOMER
descr:       AARNet3 customers AS set
members:     AS7575:AS-EDGE, AS7575:AS-RNO
remarks:     List of customers on AARNet3 using public AS numbers
remarks:     http://www.aarnet.edu.au
admin-c:     MP151
tech-c:      ANOC-AP
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20060715
source:      RADB

• RPSL has hierarchical names
• Our customer base is in AS7575:AS-CUSTOMER

Whois queries
• whois -h whois.ra.net AS7575:AS-CUSTOMER
  – members: AS7575:AS-EDGE, AS7575:AS-RNO
• whois -h whois.ra.net AS7575:AS-EDGE
  – members: AS1851, AS4822, AS6262, AS7575, AS7645, AS10148, AS17498, AS23654, AS23719, AS24101, AS24390, AS24431, AS24433, AS24434, AS24436, AS24437
• whois -h whois.ra.net \!gAS1851 (the IRRd "!g" query returns the prefixes of the route objects originated by that AS)
  – 192.43.227.0/24 129.127.0.0/16 192.43.229.0/24 203.9.156.0/24 129.127.0.0/16 192.43.228.0/24 192.43.229.0/24 203.9.156.0/24

AS Route Sets

bhm$ whois -h whois.ra.net AS7575:AS-RESEARCH
as-set:      AS7575:AS-RESEARCH
descr:       AARNet3 peer R&E network AS set
members:     AS47, AS73, AS293, AS668, AS2153, AS6360, AS6509, AS7539, AS7610, AS11537, AS20965, AS23796, AS32361, AS38018
remarks:     R&E networks peering with AARNet3

• If the ASes we peer with used an IRR to specify their route sets, then we could create prefix filters against our peers.
• Peers can create prefix filters from our existing policy, except for transit peerings (see above!)
• And it's all publicly documented.

Autonomous System Object
• Routing policy description object
• Most important components are
  – import
  – export
• These define the incoming and outgoing routing announcement relationships
• Instant documentation!
• whois -h whois.ra.net AS7575

Use of RPSL
• Use RtConfig v4 (part of RAToolSet from ISC) to generate filters based on information stored in our routing registry
  – Avoids filter errors (typos)
  – Filters consistent with documented policy (need to get the policy correct though)
  – Currently we use RAToolSet v4.7.1
  – Need to script our own tools for Juniper

Using RPSL to configure routers
• Need to define "policy" for filtering
  – Inbound from customers & peers
  – Outbound to customers & peers
• Need to be aware of shortcomings in router configuration and/or configuration generator
  – Command line length (on Cisco this is 512 bytes)
  – Complexity of rules

AARNet's filtering philosophy
• Inbound
  – Filter customers by prefix and AS path
  – Filter peers by prefix filter
  – Filter providers for prefixes longer than a /24
  – Don't accept martians or bogons from anyone
• Outbound
  – Filter by BGP community, which indicates the class of the prefix (customer, peer, etc.)

Overall Prefix and Path Filtering
• Filter all customer prefixes on ingress
• Filter all your advertisements on egress
• Filter all bogons and martians
• Filter/remove all private AS space

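The inbound side of this philosophy, worked through as an added example (Python written for this page, not code from the deck or from AARNet's tooling): a checker that applies the rules above, and the aut-num policy expression `NOT { 0.0.0.0/0^25-32 } AND NOT AS7575 AND NOT fltr-martian` shown on the AS7575 policy slide, to constructed sample announcements. AS1851's prefixes and the customer ASNs are taken from the whois output and as-set on earlier slides; the martian table is abbreviated, the hypothetical provider paths use the RFC 5398 documentation ASNs, and the three session classes are an assumption of this example.

```python
import ipaddress

OWN_AS = 7575            # AS7575 (AARNet); any path carrying it is a loop
MAX_PREFIX_LEN = 24      # "NOT { 0.0.0.0/0^25-32 }" in the aut-num policy

# Abbreviated martian/bogon table (constructed for this example): "this"
# network, RFC 1918 space, loopback, link-local, TEST-NET-1, multicast,
# class E. A production filter should come from a maintained bogon list.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_private_as(asn):
    """RFC 1930 16-bit private range plus the RFC 6996 32-bit private range."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def inside_any(net, blocks):
    """True if net lies within one of blocks (same address family only)."""
    return any(b.version == net.version and net.subnet_of(b) for b in blocks)


def check_inbound(peer_class, prefix, as_path, allowed_prefixes=(), allowed_asns=()):
    """Decide whether one announcement received on a 'customer', 'peer' or
    'provider' session is accepted. as_path lists ASNs with the origin last.
    allowed_prefixes are the IRR-derived blocks, applied with the route-filter
    'upto /24' semantics; allowed_asns is the expanded customer as-set.
    Returns (accept, reason)."""
    net = ipaddress.ip_network(prefix)
    # Rules applied to every session, whatever its class
    if net.prefixlen == 0:
        return False, "default route"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"longer than /{MAX_PREFIX_LEN}"
    if inside_any(net, MARTIANS):
        return False, "martian/bogon"
    if OWN_AS in as_path:
        return False, "own AS in path"
    if any(is_private_as(a) for a in as_path):
        return False, "private AS in path"
    # Class-specific rules
    if peer_class == "customer":            # prefix AND AS path filter
        if as_path[-1] not in allowed_asns:
            return False, f"origin AS{as_path[-1]} not in customer as-set"
        if not inside_any(net, allowed_prefixes):
            return False, "prefix not registered for customer"
    elif peer_class == "peer":              # prefix filter only
        if not inside_any(net, allowed_prefixes):
            return False, "prefix not in peer's IRR route set"
    elif peer_class != "provider":          # providers: generic rules only
        raise ValueError(f"unknown peer class {peer_class!r}")
    return True, "accepted"


# Constructed sample data: AS1851's prefixes and the ASNs are a subset of the
# whois output for AS7575:AS-EDGE shown on the earlier slides.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("129.127.0.0/16", "192.43.227.0/24", "203.9.156.0/24")]
CUSTOMER_ASNS = {1851, 4822, 6262}

SAMPLES = [
    ("customer", "129.127.0.0/16",  [1851]),                 # registered, accepted
    ("customer", "129.127.0.0/25",  [1851]),                 # too long
    ("customer", "10.1.0.0/16",     [1851]),                 # martian
    ("customer", "192.43.227.0/24", [1851, 65001]),          # private origin AS
    ("customer", "198.51.100.0/24", [1851]),                 # unregistered prefix
    ("peer",     "0.0.0.0/0",       [64496]),                # default from a peer
    ("provider", "203.0.113.0/24",  [64496, 7575, 64497]),   # our own AS in path
    ("provider", "203.0.113.0/24",  [64496, 64497]),         # transit, accepted
]


def run_samples():
    """Evaluate SAMPLES; returns a list of (prefix, accepted, reason)."""
    results = []
    for cls, prefix, path in SAMPLES:
        ok, why = check_inbound(cls, prefix, path, CUSTOMER_PREFIXES, CUSTOMER_ASNS)
        results.append((prefix, ok, why))
    return results


if __name__ == "__main__":
    for prefix, ok, why in run_samples():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {prefix:18} {why}")
```

The order of the checks matters: the generic rejects (default, length, martian, loop, private AS) run before any per-class lookup, so a customer can never smuggle a /25 or a 10.0.0.0/8 past the filter by registering it in the IRR, which is the point of "don't accept martians or bogons from anyone".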
RtConfig & IRRToolSet
• Version 4.0 supports RPSL
• Generates Cisco configurations
• Contributed support for Bay's BCC, Juniper's Junos and Gated/RSd
• Creates route and AS path filters
• Can also create ingress/egress filters

AS7575 policy
• whois -h whois.ra.net AS7575
• An extract:

import:      {
               from AS-ANY
               action pref=5; community.append(7575:1001,7575:2017,7575:8002);
               accept ANY AND NOT { 0.0.0.0/0^25-32 } AND NOT AS7575 AND NOT fltr-martian;
               refine {
                 from AS20965 at 202.158.192.17
                 action community.append(7575:6002);
                 accept AS-GEANTNRN OR AS-EUMED;

• 0.0.0.0/0^25-32 is the RPSL range operator: every prefix of length 25 to 32. The outer accept therefore takes anything except prefixes longer than /24, routes with AS7575 already in the path, and martians; the refine then narrows what is accepted from each individual peer.

Peer route set

sao:~/rpsl bhm$ whois -h whois.ra.net AS-GEANTNRN
as-set:      AS-GEANTNRN
descr:       The GEANT IP Service
members:     AS20965
members:     AS-ACONET, AS-BELNET, AS-CERNEXT, AS-DFNTOWINISP
members:     AS-GARRTOGEANT, AS5408:AS-TO-GEANT, AS-JANETEURO
members:     AS-HBONETEN, AS-RCCN, AS-RENATER, AS-RESTENA
members:     AS-SWITCH, AS-SURFNET, AS-PLNET, AS1955
members:     AS-REDIRIS, AS2107, AS2611, AS2852, AS-HEANET
members:     AS-MACHBA, AS2108, AS-UNREN, AS3268, AS-ISTF
members:     AS-LATNET-Geant, AS3221, AS-LITNET, AS-RBNET
members:     AS-SANET2, AS-ROEDUNET, AS12046, AS-ULAKNET
members:     AS3208, AS-NORDUNET
tech-c:      DANT-RIPE
admin-c:     RS-RIPE
mnt-by:      DANTE-MNT

AS20965 Object

import:      from AS7575 action pref=100; community.append(20965:7575); med=0;
             accept <AS7575:AS-CUSTOMER>

• Our peer can safely receive our routes and discard any erroneous prefixes that we advertise: the <…> filter is an RPSL AS-path expression, so only routes whose AS path contains a member of AS7575:AS-CUSTOMER are accepted.
• But without this information our peer could only accept whatever routes we advertise:
  – We could erroneously advertise default!
  – We could originate hijacked routes and they would be accepted
  – We could inject commodity routes into an R&E network and disrupt traffic

Juniper router RPSL config

policy-statement rs-as20965 {
replace:
    term prefixes {
        from {
            @RtConfig printPrefixRanges "\t\troute-filter %p/%l upto /24;\n" filter AS-GEANTNRN OR AS-EUMED OR AS2018
        }
        then accept;
    }
}

Extract: import policy

policy-statement as20965-ipv4-import {
    term as20965 {
        from policy rs-as20965;
        then {
            local-preference 95;
            community add research;
            community add router-tag;
            community add european;
            next policy;
        }
    }
    term reject {
        then reject;
    }
}

Prefix policy

policy-statement rs-as20495 {
    term prefixes {
        from {
            route-filter 62.148.160.0/19 upto /24;
            route-filter 66.164.200.0/21 upto /24;
            route-filter 66.164.208.0/21 upto /24;
            route-filter 80.69.160.0/20 upto /24;
            route-filter 80.247.192.0/19 upto /24;
            route-filter 82.112.32.0/19 upto /24;
            route-filter 84.243.192.0/18 upto /24;
            route-filter 84.244.128.0/18 upto /24;
            ………

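What RtConfig does between the template and the generated route-filter list above, as an added example (Python written for this page, not the deck's tooling and not IRRToolSet code): parse RADB-style RPSL objects, expand a hierarchical as-set recursively, collect the route objects originated by the member ASes, and render Junos route-filter lines with the same "upto /24" match. AS7575:AS-CUSTOMER, an abbreviated AS7575:AS-EDGE, the Curtin route object and AS1851's routes are copied from earlier slides; the membership of AS7575:AS-RNO (constructed to loop back to AS-CUSTOMER, a cycle of the kind real IRR data does contain) and the AS4822 /25 route object are hypothetical. It goes one step beyond the template by refusing to emit a prefix longer than the "upto" length, which would otherwise produce an invalid range.

```python
import ipaddress
import re

ASN_RE = re.compile(r"^AS\d+$")

# Constructed registry snapshot in RADB whois format (see lead-in for which
# objects are from the deck and which are hypothetical).
REGISTRY_TEXT = """\
as-set:      AS7575:AS-CUSTOMER
members:     AS7575:AS-EDGE, AS7575:AS-RNO
source:      RADB

as-set:      AS7575:AS-EDGE
members:     AS1851, AS4822, AS7575
source:      RADB

as-set:      AS7575:AS-RNO
members:     AS7575:AS-CUSTOMER
source:      RADB

route:       134.7.0.0/16
descr:       Curtin University of Technology
origin:      AS7575
source:      RADB

route:       129.127.0.0/16
origin:      AS1851
source:      RADB

route:       192.43.227.0/24
origin:      AS1851
source:      RADB

route:       203.0.113.0/25
origin:      AS4822
source:      RADB
"""


def parse_rpsl(text):
    """Split whois output into blank-line separated objects; each object is a
    dict of attribute -> list of values, so repeated attributes survive."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def index_registry(objects):
    """Build {as-set name: set(members)} and {origin AS: set(networks)}."""
    as_sets, routes = {}, {}
    for obj in objects:
        if "as-set" in obj:
            members = set()
            for value in obj.get("members", []):
                members.update(m.strip() for m in value.split(",") if m.strip())
            as_sets[obj["as-set"][0]] = members
        elif "route" in obj:
            net = ipaddress.ip_network(obj["route"][0])
            routes.setdefault(obj["origin"][0], set()).add(net)
    return as_sets, routes


def expand_as_set(name, as_sets, _seen=None):
    """Recursively resolve an as-set (hierarchical names allowed) to plain
    ASNs. _seen stops infinite recursion on cyclic or repeated references."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        return set()
    seen.add(name)
    if ASN_RE.match(name):
        return {name}
    asns = set()
    for member in as_sets.get(name, ()):      # unknown set name: no members
        asns |= expand_as_set(member, as_sets, seen)
    return asns


def junos_route_filters(prefixes, max_len=24):
    """One 'route-filter' line per prefix, like the '%p/%l upto /24' template.
    Prefixes longer than max_len are dropped ('upto /24' on a /25 is not a
    valid range, and the deck's policy refuses them anyway); a prefix exactly
    at max_len is matched 'exact'."""
    lines = []
    for net in sorted(prefixes, key=lambda n: (n.version, int(n.network_address), n.prefixlen)):
        if net.prefixlen > max_len:
            continue
        match = "exact" if net.prefixlen == max_len else f"upto /{max_len}"
        lines.append(f"route-filter {net.with_prefixlen} {match};")
    return lines


def render_policy(statement, as_set_name, registry_text=REGISTRY_TEXT, max_len=24):
    """Expand as_set_name against the registry and emit a Junos policy-statement."""
    as_sets, routes = index_registry(parse_rpsl(registry_text))
    prefixes = set()
    for asn in expand_as_set(as_set_name, as_sets):
        prefixes |= routes.get(asn, set())
    body = "\n".join("            " + line for line in junos_route_filters(prefixes, max_len))
    return (f"policy-statement {statement} {{\n    term prefixes {{\n        from {{\n"
            f"{body}\n        }}\n        then accept;\n    }}\n}}")


if __name__ == "__main__":
    print(render_policy("rs-as7575-customer", "AS7575:AS-CUSTOMER"))
```

Against a live registry the same code would be fed the output of `whois -h whois.ra.net` queries instead of REGISTRY_TEXT; the cycle guard in expand_as_set is what keeps a mutually referencing pair of as-sets, which any maintainer can create, from hanging the generator.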
BGP policy complexity
• 7575:1  Export external to AARNet with "no-export"
• 7575:2  No export beyond AARNet
• 7575:3  Prepend AS7575 once
• 7575:4  Prepend AS7575 twice
• 7575:5  Prepend AS7575 thrice
• 7575:6  Blackhole traffic
• 7575:7  Regional only
• 7575:70 AARNet local preference 70
• 7575:80 AARNet local preference 80
• 7575:90 AARNet local preference 90
• …and much more…
  – whois -h whois.ra.net AS7575 | grep remarks

Using RtConfig
• RtConfig -cisco_use_prefix_lists < cpe-curtin-er1.rtconfig
• Redirect output to a file
• Upload by TFTP to the router (TFTP is unauthenticated and unencrypted, so do this only over an isolated management network, or use SCP/SSH where the platform supports it)
• Done!

What about S-BGP and soBGP?
• At the moment it's all about trust
• There are implementations of BGP policy that make us somewhat trustworthy and they are currently being deployed
• It isn't perfect
• But it is a start…

References
• RPSL - RFC 2622
  – http://www.faqs.org/rfcs/rfc2622.html
• Using RPSL in Practice - RFC 2650
  – http://www.faqs.org/rfcs/rfc2650.html
• IRRToolSet
  – ftp://ftp.isc.org.net/isc/IRRToolSet/
• RPSL Training Page
  – http://www.isi.edu/ra/rps/training
• RADB
  – http://www.radb.net/

Thank you!
Any Questions?