Advanced Routing Nick Feamster Georgia Tech

Page 1: Advanced Routing

Nick Feamster, Georgia Tech

Page 2: Tutorial Outline

• Topology
• BGP
• IS-IS
• Business relationships
• BGP/MPLS VPNs

Page 3: Internet Routing Overview

• Today: Intradomain (i.e., “intra-AS”) routing
• Monday: Interdomain routing

[Figure: Autonomous Systems (ASes), e.g., Georgia Tech, Comcast, Abilene, AT&T, Cogent]

Page 4: Today: Routing Inside an AS

• Intra-AS topology
  – Nodes and edges
  – Example: Abilene
• Intradomain routing protocols
  – Distance Vector
    • Split-horizon/Poison-reverse
    • Example: RIP
  – Link State
    • Example: OSPF, IS-IS

Page 5: Topology Design

• Where to place “nodes”?
  – Typically in dense population centers
    • Close to other providers (easier interconnection)
    • Close to other customers (cheaper backhaul)
  – Note: A “node” may in fact be a group of routers located in a single city, called a “Point-of-Presence” (PoP)
• Where to place “edges”?
  – Often constrained by the location of fiber

Page 6: Node Clusters: Point-of-Presence (PoP)

• A “cluster” of routers in a single physical location
• Inter-PoP links
  – Long distances
  – High bandwidth
• Intra-PoP links
  – Cables between racks or floors
  – Aggregated bandwidth

[Figure: a PoP]

Page 7: Example: Abilene Network Topology

[Figure: Abilene network topology]

Page 8: Another Example Backbone

[Figure: another example backbone]

Page 9: Problem: Routing

• Routing: the process by which nodes discover where to forward traffic so that it reaches a certain node
• Within an AS, there are two “styles”:
  – Distance vector: iterative, asynchronous, distributed
  – Link state: global information, centralized algorithm

Page 10: Forwarding vs. Routing

• Forwarding: data plane
  – Directing a data packet to an outgoing link
  – Individual router using a forwarding table
• Routing: control plane
  – Computing the paths the packets will follow
  – Routers talking amongst themselves
  – Individual router creating a forwarding table

Page 11: Distance-Vector Routing

• Routers send copies of their routing tables to neighbors
• Routers compute costs to destinations based on the shortest available path
• Based on the Bellman-Ford algorithm
  – dx(y) = minv{ c(x,v) + dv(y) }
  – The solution to this equation is x’s forwarding table

[Figure: three nodes with link costs c(x,y) = 1, c(y,z) = 2, c(x,z) = 5; each node initially holds only its own row]

       x   y   z
  x    0   1   5     (x’s table)
  y    1   0   2     (y’s table)
  z    5   2   0     (z’s table)

Page 12: Distance Vector Algorithm

Iterative, asynchronous: each local iteration is caused by:
• A local link cost change
• A distance vector update message from a neighbor

Distributed:
• Each node notifies its neighbors only when its DV changes
• Neighbors then notify their neighbors if necessary

Each node:
  wait for (change in local link cost or message from neighbor)
  recompute estimates
  if DV to any destination has changed, notify neighbors

Page 13: Good News Travels Quickly

• When costs decrease, the network converges quickly

[Figure: same topology as before (c(x,y) = 1, c(y,z) = 2, c(x,z) = 5); after convergence every node holds the same distances]

       x   y   z
  x    0   1   3
  y    1   0   2
  z    3   2   0

Page 14: Problem: Bad News Travels Slowly

[Figure: the link costs change to c(x,y) = 60 and c(x,z) = 50, with c(y,z) = 2 unchanged]

Before the change, y reached x directly (cost 1) and z reached x via y (cost 3). After the change the tables evolve as follows:

       x   y   z
  x    0  60  50
  y    5   0   2     (y now routes to x via z, using z’s old cost of 3)
  z    3   2   0

       x   y   z
  x    0  60  50
  y    5   0   2
  z    7   2   0     (z updates using y’s cost of 5, still via y)

Note also that there is a forwarding loop between y and z.

Page 15: This continues…

• Question: How long does this continue?
• Answer: Until z’s path cost to x via y is greater than 50.

[Figure: same topology and tables as on the previous slide]

Page 16: “Solution”: Poison Reverse

• If z routes through y to get to x, z advertises an infinite cost for x to y
• Does poison reverse always work?

[Figure: topology with c(x,y) = 1, c(y,z) = 2, c(x,z) = 5]

Converged tables:

       x   y   z
  x    0   1   3
  y    1   0   2
  z    3   2   0

Entries as advertised with poison reverse (X = infinite cost, because z reaches x via y and x reaches z via y):

       x   y   z
  x    0   1   X
  y    1   0   2
  z    X   2   0

Page 17: Does Poison Reverse Always Work?

[Figure: nodes x, y, z and w; link costs 1, 3, 50 and 60 between x, y and z, plus two cost-1 links to w. Poison reverse only breaks two-node loops, so a loop that runs through a third node such as w can still count to infinity.]
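The count-to-infinity behaviour of slides 14 and 15, and the effect of poison reverse from slide 16, reproduced in a small synchronous distance-vector simulator. This is an added example, not code from the tutorial; it uses the slides’ three-node topology and cost changes (c(x,y): 1 to 60, c(x,z): 5 to 50), and the round counts it reports assume all nodes update in lock-step.

```python
INF = 10 ** 9   # stands in for "infinite" cost

# Topologies from the slides (undirected link costs)
OLD = {("x", "y"): 1, ("y", "z"): 2, ("x", "z"): 5}    # slides 11 and 13
NEW = {("x", "y"): 60, ("y", "z"): 2, ("x", "z"): 50}  # slide 14: bad news


def cost(links, a, b):
    return links.get((a, b), links.get((b, a), INF))


def neighbors(links, n, nodes):
    return [m for m in nodes if m != n and cost(links, n, m) < INF]


def initial_tables(links, nodes):
    """Each node starts knowing only itself and its directly attached links."""
    tables = {}
    for n in nodes:
        tables[n] = {}
        for d in nodes:
            c = 0 if d == n else cost(links, n, d)
            tables[n][d] = (c, d if c < INF else None)   # (cost, next hop)
    return tables


def run_dv(links, tables, poison_reverse=False, max_rounds=500):
    """Synchronous Bellman-Ford rounds until no node's vector changes.
    tables[n][dest] = (cost, next_hop) and is updated in place.
    Returns the number of rounds used (the last round sees no change)."""
    nodes = sorted(tables)
    for rnd in range(1, max_rounds + 1):
        # 1. every node builds the vector it sends to each neighbour
        adverts = {}
        for n in nodes:
            for m in neighbors(links, n, nodes):
                vec = {}
                for d, (c, nh) in tables[n].items():
                    # poison reverse: if n reaches d *through* m, tell m it is unreachable
                    vec[d] = INF if (poison_reverse and nh == m) else c
                adverts[(n, m)] = vec
        # 2. every node recomputes d_n(dest) = min_v { c(n,v) + d_v(dest) }
        changed = False
        for n in nodes:
            new = {}
            for d in nodes:
                best = (0, n) if d == n else (INF, None)
                for v in neighbors(links, n, nodes):
                    via = cost(links, n, v) + adverts[(v, n)][d]
                    if via < best[0]:
                        best = (via, v)
                new[d] = best
            if new != tables[n]:
                changed = True
            tables[n] = new
        if not changed:
            return rnd
    return max_rounds


def bad_news(poison_reverse):
    """Converge on the old costs, then raise c(x,y) to 60 and c(x,z) to 50.
    Returns (rounds to reconverge, y's entry for x, z's entry for x)."""
    nodes = ["x", "y", "z"]
    tables = initial_tables(OLD, nodes)
    run_dv(OLD, tables, poison_reverse)
    rounds = run_dv(NEW, tables, poison_reverse)
    return rounds, tables["y"]["x"], tables["z"]["x"]


if __name__ == "__main__":
    for pr in (False, True):
        rounds, y_to_x, z_to_x = bad_news(pr)
        print(f"poison reverse={pr}: {rounds} rounds, y->x {y_to_x}, z->x {z_to_x}")
```

Without poison reverse y and z raise each other's cost to x by 2 per round until z's cost via y exceeds 50, exactly as slide 15 states; with poison reverse the same final tables are reached in four rounds.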

Page 18: Routing Information Protocol (RIP)

• Distance vector protocol
  – Nodes send distance vectors every 30 seconds
  – … or when an update causes a change in routing
• Link costs in RIP
  – All links have cost 1
  – Valid distances of 1 through 15
  – … with 16 representing infinity
  – A small “infinity” means a smaller “counting to infinity” problem

Page 19: Link-State Routing

• Keep track of the state of incident links
  – Whether the link is up or down
  – The cost on the link
• Broadcast the link state
  – Every router has a complete view of the graph
• Compute shortest paths with Dijkstra’s algorithm
• Examples:
  – Open Shortest Path First (OSPF)
  – Intermediate System to Intermediate System (IS-IS)

Page 20: Link-State Routing

• Idea: distribute a network map
• Each node performs a shortest path (SPF) computation between itself and all other nodes
• Initialization step
  – Set D(v) to the cost of each immediate neighbor v, else infinite
  – Flood the costs c(u,v) to the neighbors; N is the set of nodes whose shortest path is known
• Loop: pick the w not yet in N with the smallest D(w), add it to N, and for each neighbor v of w:
  – D(v) = min( c(w,v) + D(w), D(v) )

Page 21: Detecting Topology Changes

• Beaconing
  – Periodic “hello” messages in both directions
  – Detect a failure after a few missed “hellos”
• Performance trade-offs
  – Detection speed
  – Overhead on link bandwidth and CPU
  – Likelihood of false detection

[Figure: two routers exchanging “hello” messages]

Page 22: Broadcasting the Link State

• Flooding
  – A node sends its link-state information out all of its links
  – The next node sends it out all of its links except the one where the information arrived

[Figure: panels (a)–(d) show X’s link-state information flooding across nodes X, A, B, C and D]

Page 23: Broadcasting the Link State

• Reliable flooding
  – Ensure all nodes receive the latest link-state information
• Challenges
  – Packet loss
  – Out-of-order arrival
• Solutions
  – Acknowledgments and retransmissions
  – Sequence numbers
  – Time-to-live for each packet
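The two halves of link-state routing from slides 20 and 23 together: a link-state database that accepts an LSA only when its sequence number is newer than the stored copy (so out-of-order or replayed LSAs are dropped rather than re-flooded), followed by Dijkstra over the resulting graph to build the forwarding table. This is an added example, not the tutorial’s code; the five-node topology, costs and sequence numbers are constructed for it.

```python
import heapq

INF = float("inf")


class LinkStateDB:
    """Per-router link-state database: origin -> (sequence number, {neighbor: cost})."""

    def __init__(self):
        self.lsas = {}

    def receive(self, origin, seq, links):
        """Install an LSA if it is newer than what we hold.
        Returns True when the LSA is new and must be re-flooded on every other link,
        False for a duplicate or stale LSA (dropped, not re-flooded)."""
        stored = self.lsas.get(origin)
        if stored is not None and seq <= stored[0]:
            return False
        self.lsas[origin] = (seq, dict(links))
        return True

    def graph(self):
        """Directed graph built from the LSAs. A link u->v is used only if v's LSA
        also lists u (two-way check), so a link withdrawn by one end disappears."""
        g = {}
        for u, (_, links) in self.lsas.items():
            for v, c in links.items():
                if u in self.lsas.get(v, (0, {}))[1]:
                    g.setdefault(u, {})[v] = c
        return g


def spf(db, root):
    """Dijkstra from root. Returns {dest: (cost, first hop)}, i.e. the forwarding table."""
    g = db.graph()
    dist, first, done = {root: 0}, {root: None}, set()
    heap = [(0, root, None)]
    while heap:
        d, u, fh = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        first[u] = fh
        for v, c in g.get(u, {}).items():
            if d + c < dist.get(v, INF):
                dist[v] = d + c
                # the first hop of v is v itself when reached from root, else inherited
                heapq.heappush(heap, (d + c, v, v if u == root else fh))
    return {v: (dist[v], first[v]) for v in done if v != root}


def demo():
    """Flood the initial LSAs, then B re-originates with seq 2 after the B-C link fails."""
    db = LinkStateDB()
    # constructed topology: A-B 1, B-C 1, A-C 3, C-D 1, B-D 5
    db.receive("A", 1, {"B": 1, "C": 3})
    db.receive("B", 1, {"A": 1, "C": 1, "D": 5})
    db.receive("C", 1, {"A": 3, "B": 1, "D": 1})
    db.receive("D", 1, {"B": 5, "C": 1})
    before = spf(db, "A")
    stale = db.receive("B", 1, {"A": 1, "C": 1, "D": 5})   # duplicate: rejected
    fresh = db.receive("B", 2, {"A": 1, "D": 5})           # B-C failed: accepted
    after = spf(db, "A")
    return before, after, stale, fresh


if __name__ == "__main__":
    print(demo())
```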

Page 24: When to Initiate Flooding

• Topology change
  – Link or node failure
  – Link or node recovery
• Configuration change
  – Link cost change
• Periodically
  – Refresh the link-state information
  – Typically (say) every 30 minutes
  – Corrects for possible corruption of the data

Page 25: Scaling Link-State Routing

• Message overhead
  – Suppose a link fails. How many LSAs will be flooded to each router in the network?
    • The two routers at its ends each send an LSA to their A adjacent routers
    • Each of those A routers sends to its A adjacent routers
    • …
  – Suppose a router fails. How many LSAs will be generated?
    • Each of its A adjacent routers originates an LSA …

Page 26: Scaling Link-State Routing

• Two scaling problems
  – Message overhead: flooding link-state packets
  – Computation: running Dijkstra’s shortest-path algorithm
• Introducing hierarchy through “areas”

[Figure: areas attached to Area 0 through area border routers]

Page 27: Link-State vs. Distance-Vector

• Convergence
  – DV has count-to-infinity
  – DV often converges slowly (minutes)
  – DV has timing dependences
  – Link-state: an O(n²) algorithm that requires O(nE) messages
• Robustness
  – Route calculations are a bit more robust under link-state
  – DV algorithms can advertise incorrect least-cost paths
  – In DV, errors can propagate (nodes use each other’s tables)
• Bandwidth consumption for messages
  – Messages are flooded in link state

Page 28: Open Shortest Path First (OSPF)

• Key feature: hierarchy
• The network’s routers are divided into areas
• The backbone area is area 0
• Area 0 routers perform the SPF computation
  – All inter-area traffic travels through Area 0 routers (“border routers”)

[Figure: Area 0 with attached areas]

Page 29: Another Example: IS-IS

• Originally: ISO Connectionless Network Protocol
  – CLNP: ISO equivalent to IP for datagram delivery services
  – ISO 10589 or RFC 1142
• Later: Integrated or Dual IS-IS (RFC 1195)
  – IS-IS adapted for IP
  – Doesn’t use IP to carry routing messages
• OSPF is more widely used in enterprises, IS-IS in large service providers

Page 30: Hierarchical Routing in IS-IS

• Like OSPF, a 2-level routing hierarchy
  – Within an area: level-1
  – Between areas: level-2
  – Level 1-2 routers: level-2 routers may also participate in level-1 routing

[Figure: Area 49.001 and Area 49.0002, each running level-1 routing, joined by a level-2 backbone]

Page 31: ISIS on the Wire…

[Figure: IS-IS on the wire]

Page 32: IS-IS Configuration on Abilene (atlang)

  lo0 {
      unit 0 {
          ….
          family iso {
              address 49.0000.0000.0000.0014.00;
          }
          ….
      }
  }

  isis {
      level 2 wide-metrics-only;
      /* OC192 to WASHng */
      interface so-0/0/0.0 {
          level 2 metric 846;
          level 1 disable;
      }
  }

Only Level 2 IS-IS is used in Abilene. The ISO address is configured on the loopback interface.

Page 33: Interdomain Routing

• Today’s interdomain routing protocol: BGP
  – BGP route attributes
    • Usage
    • Problems
  – Business relationships

See http://nms.lcs.mit.edu/~feamster/papers/dissertation.pdf (Chapter 2.1-2.3) for good coverage of this topic.

Page 34: Internet Routing

• Large-scale: thousands of autonomous networks
• Self-interest: independent economic and performance objectives
• But they must cooperate for global connectivity

[Figure: “The Internet” as interconnected ASes, e.g., Georgia Tech, Comcast, Abilene, AT&T, Cogent]

Page 35: Internet Business Model (Simplified)

• Customer/Provider: one AS pays another for reachability to some set of destinations
• “Settlement-free” peering: bartering. Two ASes exchange routes with one another.

[Figure: from one AS’s viewpoint, a route via a provider is “pay to use”, via a customer is “get paid to use”, and via a peer is “free to use”; these preferences are implemented with local preference manipulation]

Page 36: Relationship #1: Customer-Provider

• Filtering
  – Routes from a customer: to everyone
  – Routes from a provider: only to customers

[Figure: advertisements from the customer go on to the providers (“to other destinations”); traffic from other destinations flows back to the customer]

Page 37: Relationship #2: Peering

• Filtering
  – Routes from a peer: only to customers
  – No routes from other peers or providers

[Figure: two peers advertise only their customers’ routes to each other; traffic flows between the two peers’ customers]
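The export rules of slides 36 and 37 as a single policy function, applied to a small routing table, plus a checker that flags advertisements violating the rule (a route learned from a peer or provider being passed to another peer or provider, the classic route leak). This is an added example, not the tutorial’s code; the private-use ASNs 64501–64503 and the 10.x prefixes are constructed.

```python
def may_export(learned_from, advertise_to):
    """Export rule of slides 36 and 37.
    learned_from: relationship of the AS the route came from ("customer", "peer",
    "provider") or "self" for the AS's own prefixes; advertise_to: relationship of
    the neighbor about to receive the route."""
    if learned_from in ("customer", "self"):
        return True                     # customer routes (and our own): to everyone
    return advertise_to == "customer"   # peer/provider routes: only to customers


def compute_exports(neighbors, rib):
    """neighbors: {asn: relationship}; rib: {prefix: asn_learned_from or None}.
    Returns {asn: sorted prefixes this AS should advertise to that neighbor}."""
    out = {n: [] for n in neighbors}
    for prefix, src in rib.items():
        src_rel = "self" if src is None else neighbors[src]
        for n, rel in neighbors.items():
            if n != src and may_export(src_rel, rel):
                out[n].append(prefix)
    return {n: sorted(p) for n, p in out.items()}


def find_leaks(neighbors, observed):
    """observed: {asn: [(prefix, asn_learned_from)]} actually being advertised,
    e.g. collected from a router's Adj-RIB-Out. Returns the advertisements that
    violate the rule, i.e. route leaks, as (prefix, learned_from, advertised_to)."""
    leaks = []
    for n, adverts in observed.items():
        for prefix, src in adverts:
            src_rel = "self" if src is None else neighbors[src]
            if not may_export(src_rel, neighbors[n]):
                leaks.append((prefix, src, n))
    return leaks


# constructed example: private-use ASNs and RFC 1918 prefixes
NEIGHBORS = {64501: "customer", 64502: "provider", 64503: "peer"}
RIB = {
    "10.1.0.0/16": 64501,   # learned from our customer
    "10.2.0.0/16": 64502,   # learned from our provider
    "10.3.0.0/16": 64503,   # learned from our peer
    "10.4.0.0/16": None,    # our own prefix
}

if __name__ == "__main__":
    print(compute_exports(NEIGHBORS, RIB))
    # a misconfigured router re-advertising the provider's route to the peer
    print(find_leaks(NEIGHBORS, {64503: [("10.2.0.0/16", 64502)]}))
```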

Page 38: The Business Game and Depeering

• Cooperative competition (brinksmanship)
• Much more desirable to have your peer’s customers
  – Much nicer to get paid for transit
• Peering “tiffs” are relatively common

  31 Jul 2005: Level 3 notifies Cogent of intent to disconnect.
  16 Aug 2005: Cogent begins a massive sales effort and mentions a 15 Sept. expected depeering date.
  31 Aug 2005: Level 3 notifies Cogent again of intent to disconnect (according to Level 3).
  5 Oct 2005 9:50 UTC: Level 3 disconnects Cogent. Mass hysteria ensues up to, and including, policymakers in Washington, D.C.
  7 Oct 2005: Level 3 reconnects Cogent.

During the “outage”, Level 3’s and Cogent’s singly homed customers could not reach each other (~4% of the Internet’s prefixes were isolated from each other).

Page 39: Depeering Continued

Resolution… but not before an attempt to steal customers!

  As of 5:30 am EDT, October 5th, Level(3) terminated peering with Cogent without cause (as permitted under its peering agreement with Cogent) even though both Cogent and Level(3) remained in full compliance with the previously existing interconnection agreement. Cogent has left the peering circuits open in the hope that Level(3) will change its mind and allow traffic to be exchanged between our networks. We are extending a special offering to single homed Level 3 customers.

  Cogent will offer any Level 3 customer, who is single homed to the Level 3 network on the date of this notice, one year of full Internet transit free of charge at the same bandwidth currently being supplied by Level 3. Cogent will provide this connectivity in over 1,000 locations throughout North America and Europe.

Page 40: Internet Routing Protocol: BGP

[Figure: Autonomous Systems (ASes) exchanging route advertisements over BGP sessions; traffic flows in the opposite direction to the advertisements]

  Destination       Next-hop        AS Path
  130.207.0.0/16    192.5.89.89     10578..2637
  130.207.0.0/16    66.250.252.44   174… 2637

Page 41: Two Flavors of BGP

• External BGP (eBGP): exchanging routes between ASes
• Internal BGP (iBGP): disseminating routes to external destinations among the routers within an AS

[Figure: eBGP sessions between ASes, iBGP sessions inside an AS]

Question: What’s the difference between an IGP and iBGP?

Page 42: Example BGP Routing Table

The full routing table:

  > show ip bgp
     Network          Next Hop            Metric LocPrf Weight Path
  *>i3.0.0.0          4.79.2.1                 0    110      0 3356 701 703 80 i
  *>i4.0.0.0          4.79.2.1                 0    110      0 3356 i
  *>i4.21.254.0/23    208.30.223.5            49    110      0 1239 1299 10355 10355 i
  * i4.23.84.0/22     208.30.223.5           112    110      0 1239 6461 20171 i

A specific entry. A longest-prefix lookup on 130.207.7.237 finds the covering prefix 130.207.0.0/16:

  > show ip bgp 130.207.7.237
  BGP routing table entry for 130.207.0.0/16
  Paths: (1 available, best #1, table Default-IP-Routing-Table)
    Not advertised to any peer
    10578 11537 10490 2637
      192.5.89.89 from 18.168.0.27 (66.250.252.45)
        Origin IGP, metric 0, localpref 150, valid, internal, best
        Community: 10578:700 11537:950
        Last update: Sat Jan 14 04:45:09 2006

Labelled on the slide: the prefix (130.207.0.0/16), the AS path (10578 11537 10490 2637) and the next-hop (192.5.89.89).

Page 43: Routing Attributes and Route Selection

BGP routes have the following attributes, on which the route selection process is based, in this order:

• Local preference: numerical value assigned by routing policy. Higher values are more preferred.
• AS path length: number of AS-level hops in the path. Shorter paths are more preferred.
• Multiple exit discriminator (“MED”): allows one AS to specify that one exit point is more preferred than another. Lower values are more preferred.
• eBGP over iBGP
• Shortest IGP path cost to the next hop: implements “hot potato” routing
• Router ID tiebreak: arbitrary tiebreak, since only a single “best” route can be selected

Page 44: Other BGP Attributes

• Next-hop: IP address to send packets to en route to the destination. (Question: How to ensure that the next-hop IP address is reachable?)
• Community value: semantically meaningless. Used for passing around “signals” and labelling routes. More in a bit.

[Figure: an iBGP session between 4.79.2.1 and 4.79.2.2; one route carries next-hop 4.79.2.1, the other next-hop 192.5.89.89]

Page 45: Local Preference

• Control over outbound traffic
• Not transitive across ASes
• A coarse hammer to implement route preference
• Useful for preferring routes from one AS over another (e.g., primary-backup semantics)

[Figure: two paths to a destination; the primary link is given the higher local pref, the backup the lower local pref]

Page 46: Communities and Local Preference

• The customer tells its provider, via a community, that a link is a backup
• Affords some control over inbound traffic
• More on multihoming and traffic engineering in Lecture 7

[Figure: primary and backup links to a destination; the route over the backup link is tagged with a “Backup” community]

Page 47: AS Path Length

• Among routes with the highest local preference, select the route with the shortest AS path length
• Shortest AS path != shortest path, for any interpretation of “shortest path”

[Figure: traffic to a destination follows the shortest AS path even though a path through more ASes has fewer router-level hops]

Page 48: AS Path Length Hack: Prepending

• Attempt to control inbound traffic
• Make the AS path length look artificially longer
• How well does this work in practice vs., e.g., hacks on longest-prefix match?

[Figure: AS 1 originates destination D and advertises AS path “1” to AS 2 but the prepended path “1 1” to AS 3; AS 4 receives “2 1” from AS 2 and “3 1 1” from AS 3, so it sends traffic via AS 2]

Page 49: Multiple Exit Discriminator (MED)

• Mechanism for an AS to control how traffic enters, given multiple possible entry points.

[Figure: an AS with entry points in San Francisco, New York and Los Angeles advertises MED: 10 and MED: 20 to a neighbor, which sends traffic for the destination through the lower-MED entry point]

Page 50: Hot-Potato Routing

• Prefer the route with the shorter IGP path cost to the next-hop
• Idea: traffic leaves the AS as quickly as possible

[Figure: an AS with exits in New York and Atlanta and an ingress in Washington, DC; the IGP costs to the two exits are 5 and 10, so traffic for the destination leaves via the cost-5 exit]

Common practice: set IGP weights in accordance with propagation delay (e.g., miles, etc.)

Page 51: Problems with Hot-Potato Routing

• Small changes in IGP weights can cause large traffic shifts

[Figure: an AS with exits in San Francisco and New York and an ingress in LA; IGP costs 5, 10 and 11 appear, and a change of a single unit in one weight can move all of the traffic to the other exit]

Question: cost of a sub-optimal exit vs. cost of large traffic shifts
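The selection steps of slide 43 as a sort key, applied to constructed routes that reproduce the situations of slides 45, 48, 50 and 51: prepending only matters once local preference ties, and for iBGP-learned routes with identical attributes a one-unit IGP change flips the exit. This is an added example, not the tutorial’s code; the router IDs, exit names and the AS 3356 path are sample values (3356 is taken from the table on slide 42).

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Route:
    next_hop: str
    as_path: List[int]
    local_pref: int = 100
    med: int = 0
    ebgp: bool = True          # learned over eBGP (True) or iBGP (False)
    igp_cost: int = 0          # IGP distance to next_hop
    router_id: str = "0.0.0.0"


def selection_key(r):
    """Sort key in the order of slide 43: higher local pref, shorter AS path,
    lower MED, eBGP before iBGP, lower IGP cost to the next hop, lowest router ID.
    Caveat: real routers compare MED only between routes from the same neighboring
    AS unless configured otherwise; this simplified key compares it across all."""
    rid = tuple(int(octet) for octet in r.router_id.split("."))
    return (-r.local_pref, len(r.as_path), r.med, 0 if r.ebgp else 1, r.igp_cost, rid)


def best_route(routes):
    return min(routes, key=selection_key)


def prepending_demo(as3_local_pref=100):
    """Slide 48: AS 4 hears '2 1' from AS 2 and the prepended '3 1 1' from AS 3.
    Returns the next hop AS 4 selects."""
    via_as2 = Route("AS2", [2, 1], router_id="192.0.2.2")
    via_as3 = Route("AS3", [3, 1, 1], local_pref=as3_local_pref, router_id="192.0.2.3")
    return best_route([via_as2, via_as3]).next_hop


def hot_potato_demo(cost_to_exit_a, cost_to_exit_b):
    """Slides 50/51: two iBGP-learned routes with identical attributes; the exit
    with the lower IGP cost wins, so a small IGP change can move all traffic."""
    exit_a = Route("exit-A", [3356], ebgp=False, igp_cost=cost_to_exit_a, router_id="10.0.0.1")
    exit_b = Route("exit-B", [3356], ebgp=False, igp_cost=cost_to_exit_b, router_id="10.0.0.2")
    return best_route([exit_a, exit_b]).next_hop


if __name__ == "__main__":
    print("prepending, equal local pref:", prepending_demo())
    print("prepending, AS 3 route preferred by policy:", prepending_demo(150))
    print("hot potato 5 vs 10:", hot_potato_demo(5, 10), "| 11 vs 10:", hot_potato_demo(11, 10))
```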

Page 52: MPLS Overview

• Main idea: virtual circuit
  – Packets are forwarded based only on a circuit identifier

[Figure: two sources sending to one destination; a router can forward traffic to the same destination on different interfaces/paths]

Page 53: Circuit Abstraction: Label Swapping

• Label-switched paths (LSPs): paths are “named” by the label at the path’s entry point
• At each hop, the label determines:
  – Outgoing interface
  – New label to attach
• Label distribution protocol: responsible for disseminating signalling information

[Figure: a packet for D arrives carrying label A; the router’s table (Tag, Out, New) has the entry A → interface 2, new label D, so the packet leaves on interface 2 carrying label D]

Page 54: Layer 3 Virtual Private Networks

• Private communications over a public network
• A set of sites that are allowed to communicate with each other
• Defined by a set of administrative policies
  – Determine both connectivity and QoS among sites
  – Established by VPN customers
  – One way to implement: BGP/MPLS VPN mechanisms (RFC 2547)

Page 55: Building Private Networks

• Separate physical network
  – Good security properties
  – Expensive!
• Secure VPNs
  – Encryption of the entire network stack between endpoints
• Layer 2 Tunneling Protocol (L2TP)
  – “PPP over IP”
  – No encryption
• Layer 3 VPNs
  – Privacy and interconnectivity (not confidentiality, integrity, etc.)

Page 56: Layer 2 vs. Layer 3 VPNs

• Layer 2 VPNs can carry traffic for many different protocols, whereas Layer 3 is “IP only”
• More complicated to provision a Layer 2 VPN
• Layer 3 VPNs: potentially more flexibility, fewer configuration headaches

Page 57: Layer 3 BGP/MPLS VPNs

• Isolation: multiple logical networks over a single, shared physical infrastructure
• Tunneling: keeping routes out of the core

[Figure: VPN A (Sites 1–3) and VPN B (Sites 1–3) attach through CE routers (CEA1, CEA2, CEA3, CE1B1, CE2B1, CEB2, CEB3) to provider edge routers PE1–PE3, which are interconnected through core routers P1–P3. The sites use overlapping address space: 10.1/16, 10.2/16, 10.3/16 in VPN A and 10.1/16, 10.2/16, 10.4/16 in VPN B. BGP is used to exchange routes, MPLS to forward traffic.]

Page 58: High-Level Overview of Operation

• IP packets arrive at a PE
• The destination IP address is looked up in the forwarding table
• The datagram is sent to the customer’s network using tunneling (i.e., an MPLS label-switched path)

Page 59: BGP/MPLS VPN Key Components

• Forwarding in the core: MPLS
• Distributing routes between PEs: BGP
• Isolation: keeping different VPNs from routing traffic over one another
  – Constrained distribution of routing information
  – Multiple “virtual” forwarding tables
• Unique addresses: the VPN-IPv4 address extension

Page 60: Layer 3 VPNs

[Figure, top: “Vanilla” Layer 3 VPNs: all customer routes are carried in the core (eBGP from the sites, iBGP across the core)]

[Figure, bottom: BGP/MPLS VPNs: BGP between the PEs; MPLS in the core, with LDP running hop by hop across PE, P, P and PE; Site 1 and Site 2 attach to the PEs]

Page 61: Problems Introduced by Layer 3 VPNs

• Overlapping address space in the forwarding table
  – Solution: virtual routing and forwarding table (“VRF”)
• Overlapping address space in BGP routes
  – Solution: “route distinguisher”, an 8-byte VPN-specific identifier prepended to each IP address
  – Typically, one route distinguisher per VPN
  – New VPN-IP address family
  – Routes carried with multi-protocol BGP
• Filtering out routes that do not belong at that site
  – Route target: basically a special BGP community value

Page 62: Virtual Routing and Forwarding

• Separate tables per customer at each router

[Figure: Customer 1 and Customer 2 both use 10.0.1.0/24; the PE keeps the prefix in two VRFs, as 10.0.1.0/24 with RD Green and 10.0.1.0/24 with RD Blue]

Page 63: Routing: Constraining Distribution

• Performed by the service provider using route filtering based on the BGP Extended Community attribute
  – The BGP community is attached by the ingress PE
  – Route filtering based on the BGP community is performed by the egress PE

[Figure: Site 1 hands 10.0.1.0/24 to its PE (A) via a static route, RIP, etc.; the PE advertises it in BGP as RD:10.0.1.0/24 with route target Green and next-hop A, and the PEs serving Site 2 and Site 3 receive it]

Page 64: BGP/MPLS VPN Routing in Cisco IOS

  ip vrf Customer_A
   rd 100:110
   route-target export 100:1000
   route-target import 100:1000
  !
  ip vrf Customer_B
   rd 100:120
   route-target export 100:2000
   route-target import 100:2000
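How the two VRFs configured above behave on the control plane, tying together the route distinguisher (slide 61), the overlapping 10.0.1.0/24 prefix (slide 62) and route-target based import filtering (slide 63). This is an added example, not the tutorial’s code or any router’s implementation; the RD and route-target values are those of the IOS snippet, while the PE loopback 192.0.2.1, the VPN labels and the foreign route with RT 100:3000 are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class VpnRoute:
    rd: str                        # route distinguisher, e.g. "100:110"
    prefix: str                    # the customer's IPv4 prefix
    route_targets: FrozenSet[str]  # extended communities attached on export
    next_hop: str                  # advertising PE's loopback (the BGP next-hop)
    label: int                     # VPN label allocated by the advertising PE (Label2 on slide 65)

    def nlri(self):
        """The VPN-IPv4 NLRI: RD + prefix, so equal customer prefixes stay distinct."""
        return f"{self.rd}:{self.prefix}"


# VRF definitions copied from the IOS snippet on slide 64
VRFS = {
    "Customer_A": {"rd": "100:110", "export": {"100:1000"}, "import": {"100:1000"}},
    "Customer_B": {"rd": "100:120", "export": {"100:2000"}, "import": {"100:2000"}},
}


def export_vrf(vrf_name, prefixes_and_labels, pe_loopback):
    """Ingress PE (slide 63): wrap each VRF route in its RD and attach the export RTs."""
    cfg = VRFS[vrf_name]
    return [VpnRoute(cfg["rd"], p, frozenset(cfg["export"]), pe_loopback, label)
            for p, label in prefixes_and_labels.items()]


def import_routes(vpn_routes):
    """Egress PE (slide 63): a route is installed in every VRF whose import RTs
    intersect the route's RTs; a route matching no VRF is not installed anywhere."""
    tables = {name: {} for name in VRFS}
    for r in vpn_routes:
        for name, cfg in VRFS.items():
            if r.route_targets & cfg["import"]:
                tables[name][r.prefix] = (r.next_hop, r.label)
    return tables


def demo():
    """Both customers use 10.0.1.0/24 (slide 62). Returns the distinct VPN-IPv4
    NLRIs seen in BGP and the per-VRF tables the receiving PE builds."""
    adverts = export_vrf("Customer_A", {"10.0.1.0/24": 16}, "192.0.2.1")
    adverts += export_vrf("Customer_B", {"10.0.1.0/24": 17, "10.0.2.0/24": 18}, "192.0.2.1")
    # constructed route whose RT no local VRF imports: it must land in neither table
    adverts.append(VpnRoute("100:130", "10.0.1.0/24", frozenset({"100:3000"}), "192.0.2.9", 99))
    nlris = sorted(r.nlri() for r in adverts)
    return nlris, import_routes(adverts)


if __name__ == "__main__":
    nlris, tables = demo()
    print("\n".join(nlris))
    print(tables)
```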

Page 65: Forwarding

• PE and P routers have BGP next-hop reachability through the backbone IGP
• Labels are distributed through LDP (hop-by-hop) corresponding to the BGP next-hops
• A two-label stack is used for packet forwarding
  – The top label indicates the next-hop (interior label)
  – The second-level label indicates the outgoing interface or VRF (exterior label)

[Figure: Layer 2 header | Label1 | Label2 | IP datagram. Label1 corresponds to the LSP of the BGP next-hop (PE); Label2 corresponds to the VRF/interface at the exit]

Page 66: Forwarding in BGP/MPLS VPNs

• Step 1: Packet arrives at the incoming interface
  – The site VRF determines the BGP next-hop and Label #2
  [Label2 | IP datagram]
• Step 2: BGP next-hop lookup, add the corresponding LSP label (also at the site VRF)
  [Label1 | Label2 | IP datagram]
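The data-plane side of slides 53, 65 and 66: a packet enters an ingress PE, is matched in one VRF only, gets the two-label stack, has its top label swapped at each P router, and is delivered into the VRF selected by the inner label at the egress PE. This is an added example, not the tutorial’s code; the router names, interfaces, labels and VRF contents are constructed, and the isolation point it demonstrates is that a destination absent from a customer’s VRF is unreachable even though the same address exists in the other VRF.

```python
import ipaddress

# Ingress PE1: per-VRF forwarding tables (slide 66, step 1): prefix -> (BGP next-hop, Label2)
PE1_VRF = {
    "Customer_A": {"10.0.1.0/24": ("PE2", 16), "10.0.0.0/16": ("PE3", 20)},
    "Customer_B": {"10.0.1.0/24": ("PE2", 17)},
}
# Ingress PE1: LDP-learned LSPs to each BGP next-hop (slide 66, step 2): next-hop -> (out iface, Label1)
PE1_LDP = {"PE2": ("to-P1", 1001), "PE3": ("to-P1", 2001)}
# P routers swap only the top label (slide 53): (router, in label) -> (out iface, out label)
SWAP = {
    ("P1", 1001): ("to-P2", 1002), ("P2", 1002): ("to-PE2", 1003),
    ("P1", 2001): ("to-PE3", 2002),
}
# Egress PEs: Label2 -> (VRF, CE-facing interface)
EGRESS = {"PE2": {16: ("Customer_A", "to-CEA2"), 17: ("Customer_B", "to-CEB2")},
          "PE3": {20: ("Customer_A", "to-CEA3")}}
LINKS = {"to-P1": "P1", "to-P2": "P2", "to-PE2": "PE2", "to-PE3": "PE3"}


def vrf_lookup(vrf, dst_ip):
    """Longest-prefix match inside one VRF only; other VRFs are never consulted."""
    addr = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(p).prefixlen, p) for p in PE1_VRF[vrf]
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    return PE1_VRF[vrf][max(hits)[1]]


def forward(vrf, dst_ip):
    """Carry one packet from PE1 across the core. Returns (egress VRF, CE interface,
    trail), where trail lists (router, outgoing interface, label stack) per hop, or
    None when the destination is not in the ingress VRF. Only the two PEs ever look
    past the top label; the P routers never see the IP header or Label2."""
    hit = vrf_lookup(vrf, dst_ip)
    if hit is None:
        return None
    next_hop, label2 = hit                        # step 1: site VRF
    iface, label1 = PE1_LDP[next_hop]             # step 2: LSP to the BGP next-hop
    stack = [label1, label2]                      # top of stack first
    trail = [("PE1", iface, list(stack))]
    router = LINKS[iface]
    while router in ("P1", "P2"):                 # transit: swap the top label only
        iface, stack[0] = SWAP[(router, stack[0])]
        trail.append((router, iface, list(stack)))
        router = LINKS[iface]
    stack.pop(0)                                  # egress PE pops Label1 ...
    vrf_out, ce_iface = EGRESS[router][stack[0]]  # ... and Label2 selects VRF/interface
    return vrf_out, ce_iface, trail


if __name__ == "__main__":
    for vrf, dst in [("Customer_A", "10.0.1.7"), ("Customer_B", "10.0.1.7"),
                     ("Customer_A", "10.0.5.1"), ("Customer_B", "10.0.5.1")]:
        print(vrf, dst, "->", forward(vrf, dst))
```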

Page 67: Scalability Problems

• Lots of customers leads to an explosion of routing tables
• How to ensure that no single router needs to carry state for all customers?

Page 68: Other Uses for MPLS/Tunneling

• Reducing state in the network core
  – Internal routers no longer need paths for every destination
• Traffic engineering
  – Can shift traffic based on virtual circuits, not just destination prefixes

Page 69: Open Research Questions

• Static configuration analysis for enforcing isolation and other security policies
  – Easier, in some sense, since security (reachability) policies are likely easier to encode