Practical everyday BGP filtering with AS PATH …...Practical everyday BGP filtering with AS_PATH...

PracticaleverydayBGPfilteringwithAS_PATHfilters:PeerLocking

job@ntt.net

Disclaimer:ISPsandtheirASNsusedinthistalkareexamplesfordiscussionpurposeonly.NTTdoesnotadmitordenyanyrelationshipswiththeseentities.

JobSnijders- Peerlocking- NANOG67

Anybodyknowhttp://puck.nether.net/bgp/leakinfo.cgi ?

https://www.nanog.org/meetings/nanog41/presentations/mauch-lightning.pdf

Whatarewetalkingabout?

Wikipediaproclaimed“bigboys”

7018,174,209,3320,3257,286,3356,3549,2914,5511,1239,6453,6762,12956,1299,701,2828,6461

NomorethentwooftheseshouldshowupinagivenAS_PATH,followingthe“Transit-Free”paradigm.

https://en.wikipedia.org/wiki/Tier_1_network#List_of_tier_1_networks

Non-scientificgraph- notmeanttopointfingers- ‘instigators’arenotalone(othersaccepttoo)- collectiveresponsibility tofilter- datafocussesonBGPupdates/uniqueprefixes- manyrouteleaksnotvisibleduetomax_prefix

Humans…

Peerlock-liteaka“bignetworks filter”

Assumingyou’llnotselltransittooneofthosebignetworksintheforeseeablefuture:rejectanyprefixesyoureceivefromyourcustomerswhichcontaina$bignetwork ASNanywhereintheAS_PATH.

ip as-path access-list 99 permit \_(174|209|286|701|1239|1299 \

|2828|2914|3257|3320|3356 \|3549|5511|6453|6461|6762 \|7018|12956)_

route-map ebgp-customer-in deny 1match as-path 99

Approachestopreventrouteleaks#1

• Networksshouldnotannouncereceivedprefixesoverpeeringtootherpeers– Fix:TagrouteswithBGPcommunitiesoningress,

executeonegress(recentNANOGthread)– Note:AlwayssetegressfilterstoREJECTprefixes

withoutany/thepropercommunities(failsafe)

• Onemustapplya“whitelist”ofprefixesacustomermayannounceoneverycustomersession– Fix:usebgpq3orsomeotherprefixfiltergenerator

• Con:– Customer’sAS-SETmightcontaintheentireinternet– thuswhenleakingafulltablestillallowingalottopass• https://github.com/job/irrtree• http://irrexplorer.nlnog.net/

• Maximumprefixsettingsonpeers+customers– Fix:ifunsure:justdoit– Note:automatetheadjustmentofmax_prefixsettingsforyourpeers!Onlyemailyourpeerwhenabsolutelyunsurewhattoconfigure.

• Con:doesnothelpagainstsmall/partialroute-leaks

PeerLock

TheHumanNetwork:Peerlockinginanutshell

WeknowPCCWisnotanupstreamforAT&T,weknowAT&TisnotanupstreamforPCCW,etc,etcetc.

Howdoweknowthis?Weemailedthem.

example:AS_PATH2914_3491_7018wouldbegarbage!

Peerlock schematicgoal

GivenASNsA,B,C,D,andEasourpeers.PeerAsubscribestothepeerlockidea(Protected ASN)andindicatesthatpeerBisan”Allowed Upstream”

OK: ^A_OK: ^B_A_NOTOK:^C_A_NOTOK:^D_A_NOTOK:^E_A_

Examplecases:

• Prevent_7018_routesfrombeingacceptedanywhereexceptondirect7018peering

• AllowonlyAS3356asupstreamforpeerPCCWglobally(wedon’t,butwecould)

Deploying&ManagingPeerlock

• “peerlock”isappliedonALLeBGP sessions(bothcustomersessionsandpeeringsessions)

• “peerlock”isentirelydynamicthroughNTT’snetworkmanagementwebinterface

• “peerlock”allowsforadvanced regionalexceptions/rules

• ITISRECOMMENDABLETHATBOTHPARTIESCONSENTTOPEERLOCK

ProtectedASN AllowedUpstream

InWhatRegion IgnoreConstraints

Active

3491 None Everywhere False True

7018 None Everywhere True True

65123 7018 US False True

4200000000 3491 Europe False True

4200000000 7018 US False True

UI/tableMockupRulesbasedapproach

RuleConstraints(unlessoverridden)1. BoththeProtected ASN andAllowed Upstream

MUSTbedirectlyconnectedwitheBGP sessionstotheAS2914backbone.

2. OnlyASNsthatconnectwithAS2914inmultipleregionsareeligibletobeusedasanAllowed Upstream.

3. TheAllowed Upstream fieldcanonlybesetto”None"incombinationwithin_what_region ”Everywhere”, iftheProtected ASN connectswithAS2914inmultipleregions.

4. AnAllowed Upstream canonlybespecifiedforaregioniftheAllowed Upstream connectswithAS2914withinthatregion.

OpenSourceProofofConceptconfigurationgenerator

Tofacilitateincalculatingwhattheproperas-path-setsare– I’vepublishedsomepythoncode.Thisisavariantwhatweusedtovalidatetheproductionimplementation.

https://github.com/job/peerlock

WARNING:codeisofHazyEngineeringQualityWINTHEPRIZE:I’vehiddenonebuginthescript

Thesearegenerated• perpeer• perregion

Exampleworkflow

1. Peeringteamengageswithpeerandseekspermission,proposesinitialruleset

2. Engineeringevaluatesiftheinitialproposedpeerlockruleswillbreaktheinternetornot

3. Deploytherulesetincoordinationwithpeer4. PeerscancontactyourNOCforchange

requests,youcommittotimelyresponses5. Engineeringapproves/denieschange

requeststopeer-lockrulesJobSnijders- Peerlocking- NANOG67

ExampleTechnicalDocumentationforoureBGP peers

1. Containsconfigurationexamples2. Terminology3. Disclaimer4. Defaultoperatingmode5. Howtorequestchanges/Whotocontact

http://instituut.net/~job/peerlock_manual.pdf

DroppingBogon ASNsMotivation:• OccurrencesofAS23456aremisconfigurationsorsoftwarebugs.

• Private/ReservedASNshavenoplaceintheglobalroutingtable

Weshouldnotrewardmisconfigurationsbyacceptingtheseroutes.Thenewparadigm:failhard&failfast.

NTTisnottheonlyone:GTT,AT&T,KPN&DE-CIXhavecommittedtooforJune/July2016.

WhatBogon ASNstodrop?AS2914willNOTacceptrouteannouncementsfromANYeBGPneighborswhichcontaina“Bogon ASN”anywhere intheAS_PATHoritsaggregateat.

Bogon ASNsaredefinedas:

02345664496– 1310714200000000– 4294967295

Basedon:RFC5398,RFC6996,RFC7300

ThispolicyiseffectivestartingJuly2016.http://www.us.ntt.net/support/policy/routing.cfm#bogon

Config examples

http://as2914.net/bogon_asns/configuration_examples.txt

Currentlyhaveconfigs forBIRD,IOSXR,JunOS,IOS(yuck)

policy-options {as-path-group bogon-asns {

as-path begin ".* 0 .*";as-path as_trans ".* 23456 .*";as-path reserved1 ".* [64496-131071] .*";as-path reserved2 ".* [4200000000-4294967295] .*";

}policy-statement import_from_ebgp {

term bogon-asns {from as-path-group bogon-asns;then reject;

}term .....

Puttingitalltogether:Ingress

1. Dynamicmaximumprefixsettings2. RejectBogon prefixes (RFC1918,etc)3. RejectBogon ASNs (AS0/AS23456etc)4. RejectIXPprefixes (SomeIXPsubnets)5. RejectleakagewiththePeerlock filter6. MatchagainstIRRwhitelist (onlycustomers)7. Markascustomerroute (oraspeerroute)8. ScrubinternallysignificantBGPcommunities9. ApplyFeatures– (blackholing,trafficengineering,etc,onlyforcustomers)

Puttingitalltogether:egress

1. RejectBogon prefixes2. remove-private-AS3. Reject“bad”routes4. Acceptpeerroutes(oncustomersession)5. Acceptcustomerroutes (oneverysession)6. Doprepending(ifrequested&applicable)7. Scrubinternalcommunities8. Setnext-hop-self9. NormalizeMed

Questions,anytime,anywhere

job@ntt.net

Disclaimer:ISPsandtheirASNsusedinthistalkareexamplesfordiscussionpurposeonly.NTTdoesnotadmitordenyanyrelationshipswiththeseentities.

Practical everyday BGP filtering with AS PATH …...Practical everyday BGP filtering with AS_PATH...

Documents

Cisco - BGP Case Studiespld.cs.luc.edu/courses/net2/spr02/bgp-toc.pdfBGP4 Case Studies Section 1 Contents Introduction eBGP and iBGP Enabling BGP Routing Forming BGP Neighbors BGP

Routing Protocol - BGP - intERLab Routing/BGP... · Why BGP Suitable to large network Policy based routing Path for IN/OUT traffic Filtering

Implementing BGP - Cisco · Implementing BGP BorderGatewayProtocol(BGP)isanExteriorGatewayProtocol(EGP)thatallowsyoutocreateloop-free interdomainroutingbetweenautonomoussystems

Implementing BGP - cisco.com · Implementing BGP BorderGatewayProtocol(BGP)isanExteriorGatewayProtocol(EGP)thatallowsyoutocreateloop-free interdomainroutingbetweenautonomoussystems

BGP filtering - Zagreb 2013

Peering and Transit Tutorials: Practical Every Day BGP Filtering

Inter-Domain Routing Security ~BGP Route Hijacking~€¦ · BGP BGP peer UPDATE IRR Configure file-Prefix-Origin ASN-AS-Path:: Monitoring BGP update –Having BGP peer with multiple

BGP Filtering—Myths Legends and Reality€¦ · • Alcatel 7750 SR • Juniper (RE-4.0) Oct 23, 2005 BGP filtering: Myths Legends and Reality Page 21 Testing Results - Cisco •

Filtering using AS Path Filters 21 - Amazon S3 · • BGP fundamentals –Injecting networks, iBGP, eBGP, Route Reflectors, Confederations, Peer Groups • Policy Based BGP –Attributes

BGP Best Current Practicesftp.ines.ro/doc/isp-workshops/BGP Presentations/5-bgp-bcp.pdf · Cisco IOS Good Practices ! BGP in Cisco IOS is permissive by default ! Configuring BGP peering

Securing the Border Gateway Protocol€¦ · · 2005-01-03Outline [BGP Overview [BGP Security [S-BGP Architecture [Deployment Issues for S-BGP [Alternative Approaches to BGP Security

A - Transitbgp4all.com/ftp/isp-workshops/BGP Presentations/10-Transit.pdf · Peering – private interconnect between two ASNs, usually for no fee ! ... The importance of filtering

BGP/2004.5.1 November 2004 © O. Bonaventure, 2004 · Organization of the global Internet BGP basics BGP in large networks Interdomain traffic engineering with BGP BGP-based Virtual

BGP Techniques for Internet Service Providers - MENOG · BGP Techniques for Internet Service Providers BGP Basics Scaling BGP Using Communities Deploying BGP in an ISP network.

How to use Route Maps and Other Filters to Filter and ... · PDF fileUse Route Maps and Other Filters to Filter and Alter BGP and OSPF Routes | Page 3 Introduction BGP: Route Map Filtering

BGP Prefix Filtering - Noction · PDF filePage 5 of 13 BGP Prefix Filtering If your network is connected to one or more internet exchang - es, you’ll also want to reject the prefixes

Introduction to BGP - SourceForgedslrouter.sourceforge.net/stuff/cisco/bgp-0.pdf · BGP neighbour status Router1>sh ip bgp sum BGP router identifier 100.1.15.224, local AS number

BGP V1.1. When is BGP Applicable Basic BGP Peer Configuration Troubleshooting BGP Connections BGP Operation and Path Attributes Route Import/Export Selected

BGP Filtering with RouterOS - mum.mikrotik.com · BGP Filtering with RouterOS European MUM –2013 - Zagreb / Croatia Wardner Maia External Connectivity Strategies for Multi- Homed

BGP Filtering With RouterOS 2013 MUM-Zagreb-Cr Maia