Routing and RPSLng

IPv6 workshop KrakowMay 2012

Carlos Friaças, FCCNcfriacas@fccn.ptLuc De Ghein, CISCOldeghein@cisco.com

ContentsSystems

• Routing Context• VRRP (Virtual Router Redundancy Protocol)

Internal Routing• RIPng (Routing Information Protocol)• IS-IS (Intermediate System-Intermediate System)• OSPFv3 (Open Shortest Path First)

External Routing• Multiprotocol BGP (Border Gateway Protocol)

RPSLng• Routing Policies• RPSL and RPSLng• Examples and Tools

Systems’ Routing Context

OS IPv4 IPv6

Cisco (IOS)show ip route show ipv6 route

WinXP/Win7route print netsh interface ipv6 show route

Linux/sbin/route /sbin/route –A inet6

Macnetstat –r

VRRP

Virtual Router Redundancy Protocol• Providing a redundant gateway to end-systems

IETF: Version 3• RFC5798, March 2010• Based on VRRPv2 for IPv4• Election protocol

Usage of «virtual» addresses• Which are used by/configured on hosts• One of the existent VRRP routers is elected as

«MASTER»

VRRP

IPv6 Multicast Address• Assigned by IANA = FF02::12

Advantage of using VRRP on IPv4:• Higher-availability default path without

requiring configuration of dynamic routing or router discovery protocols on every end-host.

Advantage of using VRRP on IPv6:• Quicker switchover to Backup routers than can

be obtained with standard IPv6 Neighbor Discovery mechanisms.

Internal vs. External Routing

Autonomous System Number (ASN or AS)• Identifies a network independently managed• Unique identifier on the Internet• Initially 2-byte, now expanded to 4-byte• Allows for an independent routing policy (choosing peers

and transit providers)

Internal Routing Protocols• Used between routers from the same ASN

External Routing Protocols• Used between routers from different ASNs

Goal of any type of routing protocols is to share information about routes

RIPng

Same as IPv4• Based on RIPv2• Distance vector, max. 15 hop, split-horizon, …

It’s an IPv6 only protocol• In a dual-stack environment, running RIP, you’ll

need RIP (IPv4) and RIPng (IPv6)

IPv6 related functionality• Uses IPv6 for transport• IPv6 prefix, next-hop IPv6 address• For RIP updates, uses multicast address FF02::9

ISISv6OSI ProtocolBased on two levels

• L2 = Backbone• L1 = Stub• L2L1= interconnect L2 and L1

Runs on top of CNLS• Each IS device still sends out LSP (Link State

Packets)

• Send information via TLV’s

(Tag/Length/values)

• Neighborship process is unchanged

Major operation remains unchanged

L1

L1

L1L2

ISISv6 (2)

Updated features:• Two new Tag/Length/Values (TLV) for IPv6

– IPv6 Reachability – IPv6 Interface Address

• New network Layer Identifier– IPv6 NLPID

L1

L1

L1L2

OSPFv3

OSPFv3 = OSPF for IPv6Based on OSPFv2

Topology of an area is invisible from outside the area • LSA flooding is bounded by area• SPF calculation is performed separately for

each area

All areas must have a connection to the backbone (area 0)

Area #1

Internet

Area #2

BackboneArea #0

OSPFv3 (2)

OSPFv3 is an IPv6-only protocol• In a dual-stack environment, running OSPF, you’ll

need OSPFv2 (IPv4) and OSPFv3 (IPv6)• Work-in-progress about extensible mechanisms to

enable OSPFv3 with different address families support

Details• Runs directly over IPv6• Distributes IPv6 prefixes• New LSA types• Uses Multicast addresses

ALLSPFRouters (FF02::5) ALLDRouters (FF02::6)

Area #1

Internet

Area #2

BackboneArea #0

OSPFv3 Basic Configs & CommandsConfigs:

ipv6 router ospf <pid/asn>no passive interface defaultredistribute connected

interface <interface>ipv6 enableipv6 ospf <pid/asn> area <area_id>

Commandsshow ipv6 ospf neighborclear ipv6 ospf process

Multiprotocol BGP

«The» Exterior Gateway Protocol

Session based, 1 to 1

Connects separate routing domains that contain independent routing policies (and AS numbers)

Same «peering» and «transit» concepts

Multiprotocol BGP (2)

Carries sequences of AS numbers, indicating path (for each route)

Supports the same features and functionality as IPv4 BGP

AS Z

AS YAS X

PeeringPeering

PeeringMultiple addresses families: IPv4, IPv6, unicast, multicast

Multiprotocol BGP (3)

BGP4 carries only 3 types of information wich is truly IPv4 specific:• NLRI in the UPDATE message contains an

IPv4 prefix• NEXT_HOP attribute in the UPDATE message

contains an IPv4 address• BGP ID in AGGREGATOR attribute

Multiprotocol BGP (4)

RFC 4760 (Jan 2007) defines multi-protocols extensions for BGP4• this makes BGP4 available for other network

layer protocols (IPv6, MPLS…)• New BGP4 attributes:

MP_REACH_NLRI MP_UNREACH_NLRI

• Protocol Independent NEXT_HOP attribute• Protocol Independent NLRI attribute

MBGP Basic Configs & CommandsConfigs:

router bgp <asn>address-family ipv6 unicastneighbor 2001:db8::2 activateneighbor 2001:db8::2 version 4neighbor 2001:db8::2 remote-as

<nei_asn>network 2001:db8:ffff::/48

Commandsshow bgp ipv6 unicast summaryshow bgp neighbors 2001:db8::2 routesclear bgp ipv6 unicast <ipv6_address/asn>

Global Routing Stats (IPv6 vs. IPv4)

(28/04/2012) IPv6 IPv4

ROUTES 8800 409883

AGGREGATED

ROUTES

7643

(86,9%)

239727

(58,5%)

AUTONOMOUS

SYSTEMS

5447

(13,3% of IPv4)40931

source: www.cidr-report.org

Some BGP Tools

Looking Glasses & Route Servershttp://www.traceroute.org

RIPE Routing Information Service (RIS)http://www.ripe.net/ris

Conclusions

All operating systems have a routing context

All major routing protocols have stable IPv6Support, and no major differences with IPv4

In a dual-stack environment, some protocols are run with independent processes, one for IPv4 and a different one for IPv6

About 13% of ASNs are already seen on the global IPv6 routing table

Routing Policy

What is a «routing policy» ?

• Public description of the relationship between BGP (Border Gateway Protocol) peers

• Routing policies enable route classification for importing and exporting routes

• The goal of routing policies is to control traffic flows The v4 policy may be different from the v6 policy

(however, this may not be a best practice)

Routing Policy (2)

Why define a (public) routing policy ?

• Documentation Recreate your policy in case of loss of

hardware/administrators

• Allows automatic generation of router configurations

• Provides routing security Which routes to accept from each peer?

• Helps in a BGP troubleshooting process

Routing Policy (3)Reflects the AS’ goals

AS A

AS B AS C

• Which routes to accept from other AS’s• How to manipulate the accepted route• How to propagate routes through network• How to manipulate routes before they leave the AS• Which routes to send to third-party AS’s AS = Autonomous System

Routing Policy (4)

Each Autonomous System has its ownrouting policy towards other Networks

Each policy affects the way the globalnetwork (i.e. Internet) behaves

Which means:• It’s very useful to know third party policies• A place to publish them is needed!• You can automatically configure border routers

from that info, if you can rely on the quality of information

RPSLRPSL stands for Routing Policy SpecificationLanguage

• Replacement for the language previously known as RIPE-181

A tool to describe Inter-Domain Policies, itaffects:• People doing Local Internet Registry work• People dealing with border routers (i.e. BGP)

It is used for Internet network management.It is NOT about Internal Routing!

RPSL

Object oriented language• It has classes used to defined the various objects

Uses RIR database style (whois) objects.• Each Object is a list of "attribute-value" pairs

displayed in plain text. person, maintainer, role route as-set, route-set ...

Person Object - Exampleperson: Miguel Baptistaaddress: Example street Lisbon, Portugalphone: +351 123 456 789e-mail: miguel.bap@example.orgnic-hdl: MB10-TESTmnt-by: EXAMPLE-MNTremarks: *********************************remarks: This object is only an example!remarks: *********************************changed: carlos.friacas@example.org 20060228source: TEST

RPSLng is...

RPSL next generation

Yet another easy thing to have in place • one more item in the IPv6 check-list ;)

Yet another tool to help IPv6 development in an «orderly» fashion;

Yet another way of showing people IPv6 isnot that much complex than IPv4.

RFC4012 (Mar 2005)

Backward CompatibilityChanges:• New dictionary attribute – AFI• New predifined dictionary type• New protocol dictionary specification• New policy attributes• New route6 class• New attribute in route-set class• New attribute in filter-set class• New attribute in peering-set class• New attribute in inet-rtr class• New attribute in rtr-set class

RPSL and RPSLng, Some Differences

IPv4 IPv6

Networks inetnum inet6num

Routes route route6

Policies(aut-num)

import export

mp-importmp-export

Evolution…

RIPE/NCC, APNIC and AFRINIC have a RPSLng compliant Whois service. • ARIN and LACNIC implement different languages

LIR admins when their networks deploy IPv6 need to rewrite their routing policies, to include:• IPv4 Unicast;• IPv4 Multicast; • IPv6 Unicast;• IPv6 Multicast (very, very few)

Objects - Examples #1

Route6route6: 2001:0760::/32descr: GARR-IPv6origin: AS137mnt-by: GARR-LIR …

Peering-setpeering-set: prng-ebgp-peersdescr: TopneT IPv6 ebgp peers...mp-peering: AS12533 2001:15A8:A:1::2 at 2001:15A8:A:1::3 mp-peering: AS5609 3FFE:1001:1:F036::1 at 3FFE:1001:1:F036::2

mp-peering: AS5602 2001:15A8:A:1::5 at 2001:15A8:A:1::4 ...mp-peering: AS6939 2001:470:1F01:FFFF::224 at 2001:470:1F01:FFFF::225

route & route6 objects only exist in whois servers which are also routing registries (RR)

Objects - Examples #2

Aut-Numaut-num: AS1853as-name: ACOnetdescr: ACOnet Backbonedescr: ATremarks: ===================================remarks: #upstream: Sprint.netimport: from AS1239 action pref=100; accept ANYexport: to AS1239 announce AS-ACONET AND AS-SANETmp-import: afi ipv6.unicast from AS6175 accept ANYmp-export: afi ipv6.unicast to AS6175 announce AS-ACONET-V6remarks: #upstream: GEANT.netimport: from AS20965 action pref=100; accept ANYexport: to AS20965 announce AS-ACONET AND AS-UNREN AND AS-

ACOSERVmp-import: afi ipv6.unicast from AS20965 accept ANYmp-export: afi ipv6.unicast to AS20965 announce AS-ACONET-V6remarks: ===================================...

Objects - Examples #3

Inet-rtrinet-rtr: BR1.mucI.baycix.netlocal-as: AS12657ifaddr: 212.72.95.1 masklen 32interface: 2001:1578:0:FFFF::1 masklen 128interface: 2001:1578:0:FF::1 masklen 112peer: BGP4 212.72.95.3 asno(AS12657)peer: BGP4 212.72.72.197 asno(AS29317)mp-peer: MPBGP 2001:1578:0:FFFF::2 asno(AS12657)...

Route-setroute-set: AS29670:RS-IN-BERLINdescr: Individual Network Berlin e.V.org: ORG-INBE1-RIPEmp-members: 192.109.21.0/24mp-members: 217.197.80.0/20mp-members: 2001:bf0:c000::/35...

Objects - Examples #4

Filter-setfilter-set: AS12817:fltr-BOGONSdescr: Generic IPv4/IPv6 Prefix & AS filtermp-filter: { 10.0.0.0/8^+, 127.0.0.0/8^+, 169.254.0.0/16^+, 192.168.0.0/16^+, 0.0.0.0/0^25-32 } AND { 2001:db8::/32^+, 0000::/8^+, fe00::/9^+, ff00::/8^+, 0::/0^49-128 } AND <[AS64512-AS65534]>...

Example

AS AAS 64600

AS BAS 64700

AS CAS 64800

AS DAS 64900

IPv4 Unicast +IPv6 Unicast

IPv6 Multicast

IPv4 Unicast +IPv4 Multicast +IPv6 Unicast

IPv4 Unicast +IPv4 Multicast +IPv6 Unicast

Example – AS A Policy

aut-num: AS 64600as-name: AS Adescr: This is AS Amp-import: afi ipv4.unicast,ipv6.unicast from AS64700 action pref=106;

accept ANY;mp-export: afi ipv4.unicast,ipv6.unicast to AS64700 announce AS-A;

AS AAS 64600

Example – AS B Policy

aut-num: AS64700as-name: AS Bdescr: AS B, This is AS Bimport: from AS64800 action pref=106; accept AS-C;import: from AS64900 action pref=106; accept AS-D;import: from AS64800 action pref=106; accept AS-A;mp-import: afi ipv4.multicast,ipv6.unicast from AS64800 action pref=106; accept AS-C;mp-import: afi ipv4.multicast,ipv6.unicast from AS64900 action pref=106;

accept AS-D;mp-import: afi ipv6.unicast from AS64600 action pref=106; accept AS-A;export: to AS64800 announce ANY;export: to AS64900 announce ANY;export: to AS64600 announce ANY;mp-export: afi ipv4.multicast,ipv6.unicast to AS64800 announce ANY;mp-export: afi ipv4.multicast,ipv6.unicast to AS64900 announce ANY;mp-export: afi ipv6.unicast to AS64600 announce ANY

AS BAS 64700

Example – AS C Policy

aut-num: AS64800as-name: AS Cdescr: AS C, This is AS Cimport: from AS64700 action pref=106; accept ANYmp-import: afi ipv4.multicast,ipv6.unicast from AS64700 action pref=106; accept ANY;mp-import: afi ipv6.multicast from AS D action pref=110; accept AS Dexport: to AS64700 announce AS Cmp-export: afi ipv4.multicast,ipv6.unicast to AS64700 announce AS C;mp-export: afi ipv6.multicast to AS64900 announce AS C

AS CAS 64800

Example – AS D Policy

aut-num: AS64900as-name: AS Ddescr: This is AS Dmp-import: afi ipv4.unicast,ipv4.multicast,ipv6.unicast from AS64700 action pref=106; accept ANY;mp-import: afi ipv6.multicast from AS64800 action pref=110; accept AS-Cmp-export: afi ipv4.unicast,ipv4.multicast,ipv6.unicast to AS64700 announce AS-D;mp-export: afi ipv6.multicast to AS64800 announce AS-D

AS DAS 64900

RPSLng Tools

RIPE’s RPSLng Registry• IPv4 address -> inetnum, route, inet-rtr• IPv6 address -> inet6num, route6, inet-rtr• Inverse queries for aut-num -> route + route6• Production Routing Policies

IRRToolSet• Suite of policy analysis tools• Possible usage: Updating BGP routing

configurations• Produce Cisco & Juniper configuration• Managed by ISC:

http://www.isc.org/software/irrtoolset ftp://ftp.isc.org/isc/IRRToolSet

RPSLng Tools

WHOISd• Free• ftp://ftp.ripe.net/ripe/dbase/software• Managed by RIPE

IRRd• Free• http://www.irrd.net• Managed by MERIT

Conclusions

RPSL is needed to coordinate global IPv4 routing policies. RPSLng is needed for the same purpose, but for IPv6.

It’s rather simple, and someone already dealing with RPSL will easily start to use RPSLng when starting to route IPv6 packets.

Several tools are freely available

Questions

46