
Route filtering using IRRs


Presentation Transcript


  1. Route filtering using IRRs APAN Net Eng Singapore - 19 July 2006 Bruce.Morgan@aarnet.edu.au

  2. AARNet3 National Network
  • STM-64c (10Gbps) Backbone
  • Dual PoPs with divergent paths in major cities
  • Dual and divergent STM-1s to NT & Tasmania
  • DWDM network
  • Providing backbone
  • Providing multiple GigE to regional areas
  • Provides Commodity and R&E traffic to customers
  © 2006, AARNet Pty Ltd

  3. AARNet3 Network

  4. AARNet3 International Network
  • Multiple trans-Pacific circuits
    • 2 x STM-64c for research and education
    • 4 x STM-4c (4 x 622Mbps) for commodity (LA & PA)
    • 2 x STM-1 (155 Mbps) to Seattle
  • Connections to Europe and Asia
    • 2 x 2 x STM-1 to Singapore
    • STM-4 to Frankfurt

  5. AARNet3 International Connectivity

  6. Commodity Provision
  • International commodity from
    • Palo Alto
    • Los Angeles
    • Seattle
    • Frankfurt
  • Domestic commodity in
    • Sydney
    • Melbourne
    • Adelaide
    • Canberra
    • Brisbane
    • Perth
    • etc etc

  7. AARNet PoPs - our footprint…
  • 17 Domestic: Sydney (3), Melbourne (2), Brisbane (2), Adelaide (2), Perth (3), Canberra (2), Hobart (1), Darwin (1), Alice Springs (1)
  • 7 International: Seattle, Palo Alto, Los Angeles, Hawai’i, Suva, Singapore, Frankfurt

  8. The AARNet3 environment
  • Currently over 100 routers deployed
  • A mix of Juniper and Cisco routers
    • Juniper M320s at the core
    • Cisco routers at the customer edge
  • Link speeds varying from STM-64c to STM-4s and STM-1s for long haul
  • 10GbE intra PoPs and GbE connections from PoPs, but still some managed services and legacy ATM

  9. The BGP environment
  • 17 commodity transit connections
  • Over 200 peers, both commodity and R&E
  • Most peerings are bilateral, a few (3) are multilateral
  • Some 20 peerings with external international R&E networks
  • Over 200 iBGP peerings
  • Over 250 IPv4 prefixes advertised and growing…
  • IPv6 enabled
  • IPv4/IPv6 multicast enabled

  10. How do we manage this complexity?
  • Very hard to manage on an ad-hoc basis with such diversity
  • Easy to make big mistakes with manual configurations
  • Needs an overall policy that manages router BGP configurations
  • Needs cross-vendor router support
  • AARNet uses IRRs and RPSL to manage this

  11. BGP trust and security
  • In BGP, security is an afterthought
  • BGP was originally designed to address routing between trusted networks; that element of trust does not hold on the internet today
  • MD5 authentication of BGP sessions (TCP MD5 signatures) is gaining more acceptance, but is still not fully deployed
  • Filtering is an add-on and is often very loosely deployed
  • This has the potential to cause disruption

  12. BGP Misconfigurations
  • Estimated that 1% of the routing table prefixes are misconfigured each day*
  • This churn increases the load on routers by 10% in bursts
  • Routing is surprisingly resilient, with only 4% of these misconfigurations affecting connectivity/reachability of sites
  • But when it hits it can be severe, especially when there is little protection in place - AS7007 incident
  * Mahajan, Wetherall, Anderson - Understanding BGP Misconfiguration, SIGCOMM 2002, http://www.cs.washington.edu/homes/ratul/bgp/bgp-misconfigs.pdf

  13. Route Hijacking
  • A prefix is announced that does not belong to the originating AS
  • Can be done by misconfiguration
  • Can be done maliciously
    • Spammers
    • DOS attacks
  • Short-Lived Prefix Hijacking on the Internet - Peter Boothe, James Hiebert, Randy Bush - http://www.nanog.org/mtg-0602/pdf/boothe.pdf
    • “We can identify between 26 and 95 hijacking instances in Route-Views data for December 2005
    • Many more misconfigs and false alarms than purposeful hijackings - 750+”

  14. How trusting are we with BGP?
  • Do we really trust others’ announcements?
  • Would we deploy black hole community tags with them to protect the network from DOS attacks?
  • We need to increase the trust level by developing public policy and consistent actions
  • To trust, we need to be trustworthy

  15. How we went about it
  • Need to identify which IRR to use
    • AARNet uses RADB
    • Others run their own for control
  • Need to decide what degree of filtering is desired
    • Prefix filters
    • AS path filters
    • Both!
  • Register a maintainer object at the chosen IRR
    • Usually a “manual” process, and could be multi-stage if PGP key authentication is required

  16. What is RPSL?
  • Object-oriented language
  • Structured whois objects
  • Refinement of RIPE 181 (and its predecessors) based on operational experience
  • Describes things interesting to routing policy
    • Prefixes
    • AS Numbers
    • Relationships between BGP peers
    • Management responsibility

  17. Maintainer Object
  • Maintainer objects are used for authentication
  • Multiple authentication methods: NONE, MAIL-FROM, CRYPT-PW, PGPKEY

    mntner:   MAINT-ASAARNET
    descr:    Maintainers for AARNet and AARNet member objects
    admin-c:  CS3692
    tech-c:   GT342-AU
    upd-to:   irrcontact@aarnet.edu.au
    mnt-nfy:  irrcontact@aarnet.edu.au
    auth:     PGPKEY-FAD8C612
    auth:     PGPKEY-23B7F8EF
    remarks:  Australian Academic and Research Network http://www.aarnet.edu.au/
    mnt-by:   MAINT-ASAARNET
    changed:  nobody@aarnet.edu.au 20040113
    source:   RADB

  18. Route Object
  • Uses CIDR length format
  • Specifies the origin AS for a route
  • Can indicate membership of a route set

    route:    134.7.0.0/16
    descr:    Curtin University of Technology
    origin:   AS7575
    mnt-by:   MAINT-ASAARNET
    changed:  nobody@aarnet.edu.au 20050818
    source:   RADB

  19. Route Set Object
  • Collects routes together with similar properties

    route-set: AS7575:RS-UNSW
    descr:     University of New South Wales
    members:   129.94.0.0/16, 149.171.0.0/16, 203.10.48.0/24, 203.20.160.0/24, 203.20.160.0/19
    remarks:   List of routes accepted from AS7570
    admin-c:   MP151
    tech-c:    ANOC-AP
    mnt-by:    MAINT-ASAARNET
    changed:   nobody@aarnet.edu.au 20050427
    source:    RADB

  20. AS Set Object (1)
  • Collects together Autonomous Systems with shared properties
  • Can be used in policy in place of an AS

    as-set:   AS7575:AS-EDGE
    descr:    AARNet3 customers AS set
    members:  AS1851, AS4822, AS6262, AS7575, AS7645, AS9383, AS10148, AS17498, AS23654, AS23719, AS23859, AS24101, AS24313, AS24390, AS24431, AS24433, AS24434, AS24436, AS24437, AS24490, AS37978, AS38083
    remarks:  List of customers on AARNet3 using public AS numbers
    remarks:  http://www.aarnet.edu.au
    admin-c:  MP151
    tech-c:   ANOC-AP
    mnt-by:   MAINT-ASAARNET
    changed:  nobody@aarnet.edu.au 20060713
    source:   RADB

  21. AS Set Object (2)

    as-set:   AS7575:AS-CUSTOMER
    descr:    AARNet3 customers AS set
    members:  AS7575:AS-EDGE, AS7575:AS-RNO
    remarks:  List of customers on AARNet3 using public AS numbers
    remarks:  http://www.aarnet.edu.au
    admin-c:  MP151
    tech-c:   ANOC-AP
    mnt-by:   MAINT-ASAARNET
    changed:  nobody@aarnet.edu.au 20060715
    source:   RADB

  • RPSL has hierarchical names
  • Our customer base is in AS7575:AS-CUSTOMER

  22. Whois queries
  • whois -h whois.ra.net AS7575:AS-CUSTOMER
    members:  AS7575:AS-EDGE, AS7575:AS-RNO
  • whois -h whois.ra.net AS7575:AS-EDGE
    members:  AS1851, AS4822, AS6262, AS7575, AS7645, AS10148, AS17498, AS23654, AS23719, AS24101, AS24390, AS24431, AS24433, AS24434, AS24436, AS24437
  • whois -h whois.ra.net \!gAS1851
    192.43.227.0/24 129.127.0.0/16 192.43.229.0/24 203.9.156.0/24 129.127.0.0/16 192.43.228.0/24 192.43.229.0/24 203.9.156.0/24

  23. AS Route Sets

    bhm$ whois -h whois.ra.net AS7575:AS-RESEARCH
    as-set:   AS7575:AS-RESEARCH
    descr:    AARNet3 peer R&E network AS set
    members:  AS47, AS73, AS293, AS668, AS2153, AS6360, AS6509, AS7539, AS7610, AS11537, AS20965, AS23796, AS32361, AS38018
    remarks:  R&E networks peering with AARNet3

  • If the ASes we peer with used an IRR to specify their route sets, then we could create prefix-filters against our peers.
  • Peers can create prefix-filters from our existing policy, except for transit peerings (see above!)
  • And it’s all publicly documented.

  24. Autonomous System Object
  • Routing Policy Description object
  • Most important components are
    • import
    • export
  • These define the incoming and outgoing routing announcement relationships
  • Instant Documentation!
    • whois -h whois.ra.net AS7575

  25. Use of RPSL
  • Use RtConfig v4 (part of RAToolSet from ISC) to generate filters based on information stored in our routing registry
    • Avoid filter errors (typos)
    • Filters consistent with documented policy (need to get the policy correct though)
  • Currently we use RAToolSet v4.7.1
  • Need to script our own tools for Juniper

  26. Using RPSL to configure routers
  • Need to define “policy” for filtering
    • Inbound from customers & peers
    • Outbound to customers & peers
  • Need to be aware of shortcomings in router configuration and/or the configuration generator
    • Command line length (on Cisco this is 512 bytes)
    • Complexity of rules

  27. AARNet’s filtering philosophy
  • Inbound
    • Filter customers by prefix and AS path
    • Filter peers by prefix filter
    • Filter providers for prefixes longer than a /24
    • Don’t accept martians or bogons from anyone
  • Outbound
    • Filter by BGP community, which indicates the class of the prefix (customer, peer, etc)

  28. Overall Prefix and Path Filtering
  • Filter all customer prefixes on ingress
  • Filter all your advertisements on egress
  • Filter all bogons and martians
  • Filter/remove all private AS space

  29. RtConfig & IRRToolSet
  • Version 4.0 supports RPSL
  • Generates Cisco configurations
  • Contributed support for Bay’s BCC, Juniper’s Junos and Gated/RSd
  • Creates route and AS path filters
  • Can also create ingress/egress filters

  30. AS7575 policy
  • whois -h whois.ra.net AS7575
  • An extract:

    import: { from AS-ANY action pref=5; community.append(7575:1001,7575:2017,7575:8002);
              accept ANY AND NOT { 0.0.0.0/0^25-32 } AND NOT AS7575 AND NOT fltr-martian;
              refine { from AS20965 at 202.158.192.17 action community.append(7575:6002);
                       accept AS-GEANTNRN OR AS-EUMED;

  31. Peer route set

    sao:~/rpsl bhm$ whois -h whois.ra.net AS-GEANTNRN
    as-set:   AS-GEANTNRN
    descr:    The GEANT IP Service
    members:  AS20965
    members:  AS-ACONET, AS-BELNET, AS-CERNEXT, AS-DFNTOWINISP
    members:  AS-GARRTOGEANT, AS5408:AS-TO-GEANT, AS-JANETEURO
    members:  AS-HBONETEN, AS-RCCN, AS-RENATER, AS-RESTENA
    members:  AS-SWITCH, AS-SURFNET, AS-PLNET, AS1955
    members:  AS-REDIRIS, AS2107, AS2611, AS2852, AS-HEANET
    members:  AS-MACHBA, AS2108, AS-UNREN, AS3268, AS-ISTF
    members:  AS-LATNET-Geant, AS3221, AS-LITNET, AS-RBNET
    members:  AS-SANET2, AS-ROEDUNET, AS12046, AS-ULAKNET
    members:  AS3208, AS-NORDUNET
    tech-c:   DANT-RIPE
    admin-c:  RS-RIPE
    mnt-by:   DANTE-MNT

  32. AS20965 Object

    import: from AS7575 action pref=100; community.append(20965:7575); med=0;
            accept <AS7575:AS-CUSTOMER>

  • Our peer can safely receive our routes and discard any erroneous prefixes that we advertise.
  • But without this information we can only accept the routes advertised by the peer.
    • We could erroneously advertise default!
    • We could originate hijacked routes and they would be accepted
    • We could inject commodity routes into an R&E network and disrupt traffic.

  33. Juniper router rpsl config

    policy-statement rs-as20965 {
    replace:
        term prefixes {
            from {
    @RtConfig printPrefixRanges "\t\troute-filter %p/%l upto /24;\n" filter AS-GEANTNRN OR AS-EUMED OR AS2018
            }
            then accept;
        }
    }

  34. extract

    policy-statement as20965-ipv4-import {
        term as20965 {
            from policy rs-as20965;
            then {
                local-preference 95;
                community add research;
                community add router-tag;
                community add european;
                next policy;
            }
        }
        term reject {
            then reject;
        }
    }

  35. Prefix policy

    policy-statement rs-as20495 {
        term prefixes {
            from {
                route-filter 62.148.160.0/19 upto /24;
                route-filter 66.164.200.0/21 upto /24;
                route-filter 66.164.208.0/21 upto /24;
                route-filter 80.69.160.0/20 upto /24;
                route-filter 80.247.192.0/19 upto /24;
                route-filter 82.112.32.0/19 upto /24;
                route-filter 84.243.192.0/18 upto /24;
                route-filter 84.244.128.0/18 upto /24;
                ………
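The transit import filter on slide 30 and the route-filter lines that the printPrefixRanges template of slides 33 and 35 expands to, as an added Python example (not RtConfig and not AARNet's own scripts). MARTIANS is an assumed stand-in for the registry's fltr-martian object, and AS 64496 is a documentation ASN standing in for a transit provider; both are assumptions, not values from the slides.

```python
"""Evaluate the AS7575 transit import policy from slide 30 and emit the Juniper
route-filter lines RtConfig's printPrefixRanges template produces. Added example,
not RtConfig. MARTIANS is an assumed stand-in for the registry's fltr-martian
object; 64496 is a documentation ASN used in place of a real provider."""
import ipaddress

OWN_AS = 7575
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def transit_import(prefix, as_path):
    """One announcement from a transit provider -> (accepted, reason), applying
    accept ANY AND NOT { 0.0.0.0/0^25-32 } AND NOT AS7575 AND NOT fltr-martian."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:                        # the "erroneous default" of slide 32
        return False, "default route"
    if net.prefixlen > 24:                        # 0.0.0.0/0^25-32: more specific than /24
        return False, "longer than /24"
    if as_path and as_path[-1] == OWN_AS:         # NOT AS7575: routes our own AS originated
        return False, "own AS origin"
    if any(net.subnet_of(m) for m in MARTIANS):   # fltr-martian
        return False, "martian"
    return True, "accepted"

def juniper_route_filters(prefixes, upto=24):
    """Lines the slide-33 template prints for a resolved prefix list; duplicate
    prefixes (as in the '!g' output on slide 22) collapse to a single line."""
    lines = []
    for net in sorted({ipaddress.ip_network(p) for p in prefixes}):
        # Junos rejects an 'upto' shorter than the prefix itself, so match those exactly
        match = f"upto /{upto}" if net.prefixlen <= upto else "exact"
        lines.append(f"\t\troute-filter {net.with_prefixlen} {match};")
    return lines

def policy_statement(name, prefixes):
    """The rs-<peer> policy-statement of slides 33 and 35 with the template expanded."""
    body = "\n".join(juniper_route_filters(prefixes))
    return (f"policy-statement {name} {{\n\tterm prefixes {{\n\t\tfrom {{\n"
            f"{body}\n\t\t}}\n\t\tthen accept;\n\t}}\n}}")
```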

  36. BGP policy complexity
  • 7575:1 Export external to AARNet with "no-export"
  • 7575:2 No export beyond AARNet
  • 7575:3 Prepend AS7575 once
  • 7575:4 Prepend AS7575 twice
  • 7575:5 Prepend AS7575 thrice
  • 7575:6 Blackhole traffic
  • 7575:7 Regional only
  • 7575:70 AARNet local preference 70
  • 7575:80 AARNet local preference 80
  • 7575:90 AARNet local preference 90
  • …and much more…
  • whois -h whois.ra.net AS7575 | grep remarks

  37. Using RtConfig
  • RtConfig -cisco_use_prefix_lists < cpe-curtin-er1.rtconfig
  • Redirect output to a file
  • Upload by tftp to the router
  • Done!

  38. What about SBGP and SoBGP?
  • At the moment it’s all about trust
  • There are implementations of BGP policy that make us somewhat trustworthy, and they are currently being deployed
  • It isn’t perfect
  • But it is a start…

  39. References
  • RPSL - RFC 2622: http://www.faqs.org/rfcs/rfc2622.html
  • Using RPSL in Practice - RFC 2650: http://www.faqs.org/rfcs/rfc2650.html
  • IRRToolSet: ftp://ftp.isc.org.net/isc/IRRToolSet/
  • RPSL Training Page: http://www.isi.edu/ra/rps/training
  • RADB: http://www.radb.net/

  40. Thank you! Any Questions?
