Page 1

Route filtering using IRRs
APAN Net Eng Singapore - 19 July 2006
Bruce.Morgan@aarnet.edu.au

Page 2

© 2006, AARNet Pty Ltd

AARNet3 National Network

• STM-64c (10Gbps) backbone
• Dual PoPs with divergent paths in major cities
• Dual and divergent STM-1s to NT & Tasmania
• DWDM network
  – Providing backbone
  – Providing multiple GigE to regional areas
• Provides commodity and R&E traffic to customers

Page 3

AARNet3 Network

Page 4

AARNet3 International Network

• Multiple trans-Pacific circuits
  – 2 x STM-64c for research and education
  – 4 x STM-4c (4 x 622Mbps) for commodity (LA & PA)
  – 2 x STM-1 (155 Mbps) to Seattle
• Connections to Europe and Asia
  – 2 x 2 x STM-1 to Singapore
  – STM-4 to Frankfurt

Page 5

AARNet3 International Connectivity

Page 6

Commodity Provision

• International commodity from
  – Palo Alto
  – Los Angeles
  – Seattle
  – Frankfurt
• Domestic commodity in
  – Sydney
  – Melbourne
  – Adelaide
  – Canberra
  – Brisbane
  – Perth
  – etc.

Page 7

AARNet PoPs, our footprint…

• 17 Domestic
  – Sydney (3)
  – Melbourne (2)
  – Brisbane (2)
  – Adelaide (2)
  – Perth (3)
  – Canberra (2)
  – Hobart (1)
  – Darwin (1)
  – Alice Springs (1)
• 7 International
  – Seattle
  – Palo Alto
  – Los Angeles
  – Hawai’i
  – Suva
  – Singapore
  – Frankfurt

Page 8

The AARNet3 environment

• Currently over 100 routers deployed
• A mix of Juniper and Cisco routers
  – Juniper M320s at the core
  – Cisco routers at the customer edge
  – Link speeds varying from STM-64c to STM-4s and STM-1s for long haul
  – 10GbE intra-PoP and GbE connections from PoPs, but still some managed services and legacy ATM

Page 9

The BGP environment

• 17 commodity transit connections
• Over 200 peers, both commodity and R&E
• Most peerings are bilateral, a few (3) are multilateral
• Some 20 peerings with external international R&E networks
• Over 200 iBGP peerings
• Over 250 IPv4 prefixes advertised and growing…
• IPv6 enabled
• IPv4/IPv6 multicast enabled

Page 10

How do we manage this complexity?

• Very hard to manage on an ad-hoc basis with such diversity
  – Easy to make big mistakes with manual configurations
• Needs an overall policy that manages router BGP configurations
• Needs cross-vendor router support
• AARNet uses IRRs and RPSL to manage this

Page 11

BGP trust and security

• In BGP, security is an afterthought
  – BGP was originally designed to route between trusted networks; that assumption no longer holds on today’s Internet
  – TCP MD5 session authentication (RFC 2385) is gaining acceptance but is still not widely deployed; it authenticates the TCP session between two neighbours, it says nothing about whether the routes a neighbour sends are legitimate
  – Filtering is an add-on and is often very loosely deployed
  – This has the potential to cause disruption

Page 12

BGP Misconfigurations

• Estimated that 1% of the routing table prefixes are misconfigured each day*
  – This churn increases the load on routers by 10% in bursts
  – Routing is surprisingly resilient, with only 4% of these misconfigurations affecting connectivity/reachability of sites
  – But when it hits it can be severe, especially when there is little protection in place - the AS7007 incident

* Mahajan, Wetherall, Anderson - Understanding BGP Misconfiguration, SIGCOMM 2002
  http://www.cs.washington.edu/homes/ratul/bgp/bgp-misconfigs.pdf

Page 13

Route Hijacking

• A prefix is announced that does not belong to the originating AS
• Can be done by misconfiguration
• Can be done maliciously
  – Spammers
  – DoS attacks
• Short-Lived Prefix Hijacking on the Internet - Peter Boothe, James Hiebert, Randy Bush
  – http://www.nanog.org/mtg-0602/pdf/boothe.pdf
  – “We can identify between 26 and 95 hijacking instances in Route-Views data for December 2005”
  – “Many more misconfigs and false alarms than purposeful hijackings - 750+”

Page 14

How trusting are we with BGP?

• Do we really trust others’ announcements?
• Would we deploy blackhole community tags with them to protect the network from DoS attacks?
  – Only if the tag is honoured solely for prefixes covered by that neighbour’s registered routes; otherwise a neighbour can blackhole traffic for address space that is not theirs
• We need to increase the trust level by developing public policy and consistent actions
• To trust we need to be trustworthy

Page 15

How we went about it

• Need to identify which IRR to use
  – AARNet uses RADB
  – Others run their own for control
• Need to decide what degree of filtering is desired
  – Prefix filters
  – AS path filters
  – Both!
• Register a maintainer object at the chosen IRR
  – Usually a “manual” process, and could be multi-stage if PGP key authentication is required

Page 16

What is RPSL?

• Object-oriented language
• Structured whois objects
• Refinement of RIPE-181 (and its predecessors) based on operational experience
• Describes things interesting to routing policy
  – Prefixes
  – AS numbers
  – Relationships between BGP peers
  – Management responsibility

Page 17

Maintainer Object

mntner:      MAINT-ASAARNET
descr:       Maintainers for AARNet and AARNet member objects
admin-c:     CS3692
tech-c:      GT342-AU
upd-to:      [email protected]
mnt-nfy:     [email protected]
auth:        PGPKEY-FAD8C612
auth:        PGPKEY-23B7F8EF
remarks:     Australian Academic and Research Network http://www.aarnet.edu.au/
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20040113
source:      RADB

Maintainer objects are used for authentication: the auth: attributes decide who may create or change the objects the maintainer protects.
Multiple authentication methods: NONE, MAIL-FROM, CRYPT-PW, PGPKEY
  – NONE and MAIL-FROM give no real protection; the From: address of an update e-mail is trivially forged
  – CRYPT-PW is a weak crypt(3) hash, and the cleartext password travels in the update e-mail itself
  – PGPKEY signs the whole update and is the only one of these worth using for objects that drive filters

Page 18

Route Object

• Uses CIDR length format
• Specifies the origin AS for a route
• Can indicate membership of a route set (member-of:)

route:       134.7.0.0/16
descr:       Curtin University of Technology
origin:      AS7575
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20050818
source:      RADB

Page 19

Route Set Object

route-set:   AS7575:RS-UNSW
descr:       University of New South Wales
members:     129.94.0.0/16, 149.171.0.0/16, 203.10.48.0/24, 203.20.160.0/24, 203.20.160.0/19
remarks:     List of routes accepted from AS7570
admin-c:     MP151
tech-c:      ANOC-AP
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20050427
source:      RADB

• Collects routes together with similar properties

Page 20

AS Set Object (1)

• Collects together Autonomous Systems with shared properties
• Can be used in policy in place of an AS

as-set:      AS7575:AS-EDGE
descr:       AARNet3 customers AS set
members:     AS1851, AS4822, AS6262, AS7575, AS7645, AS9383, AS10148, AS17498, AS23654, AS23719, AS23859, AS24101, AS24313, AS24390, AS24431, AS24433, AS24434, AS24436, AS24437, AS24490, AS37978, AS38083
remarks:     List of customers on AARNet3 using public AS numbers
remarks:     http://www.aarnet.edu.au
admin-c:     MP151
tech-c:      ANOC-AP
mnt-by:      MAINT-ASAARNET
changed:     [email protected] 20060713
source:      RADB

Page 21

AS Set Object (2)

as-set: AS7575:AS-CUSTOMER

descr: AARNet3 customers AS set

members: AS7575:AS-EDGE, AS7575:AS-RNO

remarks: List of customers on AARNet3 using public AS numbers

remarks: http://www.aarnet.edu.au

admin-c: MP151

tech-c: ANOC-AP

mnt-by: MAINT-ASAARNET

changed: [email protected] 20060715

source: RADB

• RPSL has hierarchical names
• Our customer base is in AS7575:AS-CUSTOMER

Page 22

Whois queries

• whois -h whois.ra.net AS7575:AS-CUSTOMER
  – members: AS7575:AS-EDGE, AS7575:AS-RNO
• whois -h whois.ra.net AS7575:AS-EDGE
  – members: AS1851, AS4822, AS6262, AS7575, AS7645, AS10148, AS17498, AS23654, AS23719, AS24101, AS24390, AS24431, AS24433, AS24434, AS24436, AS24437
• whois -h whois.ra.net \!gAS1851 (the !g query returns the prefixes of the route objects whose origin is that AS; the backslash stops the shell expanding the “!”)
  – 192.43.227.0/24 129.127.0.0/16 192.43.229.0/24 203.9.156.0/24 129.127.0.0/16 192.43.228.0/24 192.43.229.0/24 203.9.156.0/24
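The queries above are the steps RtConfig performs before it can emit a filter: expand the as-set recursively, then collect the route objects of every resulting origin AS. Here is an added example of that work, not code from the slides or from IRRToolSet. The registry text is constructed: it reuses the as-set and route objects shown on the slides but gives AS7575:AS-RNO a made-up member (AS64496), makes AS7575:AS-EDGE list its own parent set to create a cycle, and references a set nobody registered (AS-NOTREGISTERED), so the expansion has to cope with both failure modes. In practice the text comes from `whois -h whois.radb.net`.

```python
"""Expand an RPSL as-set and collect the route objects of its members.

Added example (not AARNet or IRRToolSet code).  RPSL below is constructed
from slide objects plus three labelled additions: a made-up AS-RNO member,
a deliberate cycle (AS-EDGE lists its parent) and an unregistered set.
"""
import re
from ipaddress import ip_network

RPSL = """\
as-set:     AS7575:AS-CUSTOMER
members:    AS7575:AS-EDGE, AS7575:AS-RNO
source:     RADB

as-set:     AS7575:AS-EDGE
descr:      constructed: also lists its parent set, a cycle
members:    AS1851, AS7575,
            AS7575:AS-CUSTOMER
source:     RADB

as-set:     AS7575:AS-RNO
descr:      constructed: one ASN plus a set nobody registered
members:    AS64496, AS-NOTREGISTERED
source:     RADB

route:      134.7.0.0/16
origin:     AS7575
source:     RADB

route:      129.127.0.0/16
descr:      constructed
origin:     AS1851
source:     RADB

route:      192.0.2.0/24
descr:      constructed (documentation prefix)
origin:     AS64496
source:     RADB
"""

ASN = re.compile(r"^AS\d+$")


def parse_rpsl(text):
    """Split whois output into objects (attribute -> list of values).
    Objects are blank-line separated; a line starting with whitespace or '+'
    continues the previous attribute (multi-line members: lists)."""
    objects, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
            current, last = {}, None
        elif line[0] in " \t+" and last is not None:
            current[last][-1] += " " + line.lstrip(" \t+")
        else:
            key, _, value = line.partition(":")
            key = key.strip().lower()
            current.setdefault(key, []).append(value.strip())
            last = key
    if current:
        objects.append(current)
    return objects


def build_index(objects):
    """as-set name -> member tokens; origin ASN -> registered prefixes."""
    as_sets, routes = {}, {}
    for obj in objects:
        if "as-set" in obj:
            members = []
            for line in obj.get("members", []):
                members += [m.strip().upper() for m in line.split(",") if m.strip()]
            as_sets[obj["as-set"][0].upper()] = members
        elif "route" in obj:
            origin = obj["origin"][0].upper()
            routes.setdefault(origin, set()).add(ip_network(obj["route"][0]))
    return as_sets, routes


def expand_as_set(name, as_sets, seen=None):
    """Return (asns, missing_sets).  'seen' stops cycles; a member set with
    no object is reported rather than silently treated as empty, because an
    empty expansion turns into a filter that drops a customer."""
    seen = set() if seen is None else seen
    name = name.upper()
    if name in seen:
        return set(), set()
    seen.add(name)
    if name not in as_sets:
        return set(), {name}
    asns, missing = set(), set()
    for member in as_sets[name]:
        if ASN.match(member):
            asns.add(member)
        else:
            sub_asns, sub_missing = expand_as_set(member, as_sets, seen)
            asns |= sub_asns
            missing |= sub_missing
    return asns, missing


def resolve(name, rpsl_text):
    """ASNs in the set, their registered prefixes (what '!g' returns per
    ASN), and any member sets that do not exist in the registry."""
    as_sets, routes = build_index(parse_rpsl(rpsl_text))
    asns, missing = expand_as_set(name, as_sets)
    prefixes = set()
    for asn in asns:
        prefixes |= routes.get(asn, set())
    ordered = sorted(prefixes, key=lambda p: (p.version, int(p.network_address), p.prefixlen))
    return {"asns": sorted(asns, key=lambda a: int(a[2:])),
            "prefixes": [str(p) for p in ordered],
            "missing_sets": sorted(missing)}
```

`resolve("AS7575:AS-CUSTOMER", RPSL)` yields the three ASNs, their three prefixes and `AS-NOTREGISTERED` in `missing_sets`; a generator that does not surface that last item produces a filter that silently excludes whoever was meant to be in the missing set.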

Page 23

AS Route Sets

bhm$ whois -h whois.ra.net AS7575:AS-RESEARCH
as-set:      AS7575:AS-RESEARCH
descr:       AARNet3 peer R&E network AS set
members:     AS47, AS73, AS293, AS668, AS2153, AS6360, AS6509, AS7539, AS7610, AS11537, AS20965, AS23796, AS32361, AS38018
remarks:     R&E networks peering with AARNet3

• If the ASes we peer with used an IRR to specify their route sets, then we could create prefix filters against our peers
• Peers can create prefix filters from our existing policy, except for transit peerings (see above!)
• And it is all publicly documented

Page 24

Autonomous System Object

• Routing Policy Description object
• Most important components are
  – import
  – export
• These define the incoming and outgoing routing announcement relationships
• Instant documentation!
• whois -h whois.ra.net AS7575

Page 25

Use of RPSL

• Use RtConfig v4 (part of RAToolSet, now IRRToolSet, from ISC) to generate filters based on information stored in our routing registry
  – Avoids filter errors (typos)
  – Filters are consistent with documented policy (the policy needs to be correct, though: the generator reproduces a registry mistake just as faithfully as a correct entry)
  – Currently we use RAToolSet v4.7.1
  – Need to script our own tools for Juniper

Page 26

Using RPSL to configure routers

• Need to define “policy” for filtering
  – Inbound from customers & peers
  – Outbound to customers & peers
• Need to be aware of shortcomings in the router configuration and/or the configuration generator
  – Command line length (on Cisco this is 512 bytes)
  – Complexity of rules

Page 27

AARNet’s filtering philosophy

• Inbound
  – Filter customers by prefix and AS path
  – Filter peers by prefix filter
  – Filter providers for prefixes longer than a /24
  – Don’t accept martians or bogons from anyone
• Outbound
  – Filter by BGP community, which indicates the class of the prefix (customer, peer, etc.)

Page 28

Overall Prefix and Path Filtering

• Filter all customer prefixes on ingress
• Filter all your advertisements on egress
• Filter all bogons and martians
• Filter/remove all private AS space

Page 29

RtConfig & IRRToolSet

• Version 4.0 supports RPSL
• Generates Cisco configurations
• Contributed support for Bay’s BCC, Juniper’s Junos and Gated/RSd
• Creates route and AS path filters
• Can also create ingress/egress filters

Page 30

AS7575 policy

• whois -h whois.ra.net AS7575
• An extract:

import: {
    from AS-ANY
        action pref=5; community.append(7575:1001,7575:2017,7575:8002);
        accept ANY AND NOT { 0.0.0.0/0^25-32 } AND NOT AS7575 AND NOT fltr-martian;
    refine {
        from AS20965 at 202.158.192.17
            action community.append(7575:6002);
            accept AS-GEANTNRN OR AS-EUMED;

• 0.0.0.0/0^25-32 matches every prefix of length 25 to 32 (the “nothing longer than a /24” rule), NOT AS7575 drops routes we originate ourselves, and fltr-martian is a filter-set object holding the martian list; the refine block then narrows what is accepted from each specific neighbour

Page 31

Peer route set

sao:~/rpsl bhm$ whois -h whois.ra.net AS-GEANTNRN
as-set:      AS-GEANTNRN
descr:       The GEANT IP Service
members:     AS20965
members:     AS-ACONET, AS-BELNET, AS-CERNEXT, AS-DFNTOWINISP
members:     AS-GARRTOGEANT, AS5408:AS-TO-GEANT, AS-JANETEURO
members:     AS-HBONETEN, AS-RCCN, AS-RENATER, AS-RESTENA
members:     AS-SWITCH, AS-SURFNET, AS-PLNET, AS1955
members:     AS-REDIRIS, AS2107, AS2611, AS2852, AS-HEANET
members:     AS-MACHBA, AS2108, AS-UNREN, AS3268, AS-ISTF
members:     AS-LATNET-Geant, AS3221, AS-LITNET, AS-RBNET
members:     AS-SANET2, AS-ROEDUNET, AS12046, AS-ULAKNET
members:     AS3208, AS-NORDUNET
tech-c:      DANT-RIPE
admin-c:     RS-RIPE
mnt-by:      DANTE-MNT

Page 32

AS20965 Object

import: from AS7575 action pref=100; community.append(20965:7575); med=0; accept <AS7575:AS-CUSTOMER>

• Our peer can safely receive our routes and discard any erroneous prefixes that we advertise
  – <AS7575:AS-CUSTOMER> is an AS-path filter: it accepts routes whose path contains a member of our customer set. Since AS7575 is itself a member of AS7575:AS-EDGE, every path we send matches it; the prefix filter generated from the set’s route objects (following slides) is what actually drops a default or hijacked route
• But without this information the peer can only accept whatever we advertise
  – We could erroneously advertise default!
  – We could originate hijacked routes and they would be accepted
  – We could inject commodity routes into an R&E network and disrupt traffic
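The three failure modes listed here, together with the ingress rules on the “AARNet’s filtering philosophy” and “Overall Prefix and Path Filtering” slides, are what an import policy has to catch. The following is an added example, not AARNet router policy, that applies those rules to a single received announcement: reject default, reject anything longer than /24, reject martians, reject private ASNs in the path, then, for a customer, require the origin to be in the registered as-set and the prefix to be inside a registered route with the “upto /24” allowance RtConfig emits; for a peer, prefix only; for a provider, the generic checks only. The session data is constructed from slide objects (route 134.7.0.0/16 origin AS7575, customer AS1851, peer prefix 62.148.160.0/19); the AS paths, the second route 129.127.0.0/16 and the martian list are sample values, and an operational martian/bogon list must come from a maintained source rather than be hard-coded.

```python
"""Ingress checks for one received BGP announcement.

Added example, not AARNet configuration.  Sessions and paths below are
constructed from objects on the slides; MARTIANS is a fixed sample list.
"""
from ipaddress import ip_network

MARTIANS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed sessions: what the IRR says about each neighbour.
CUSTOMER = {"kind": "customer", "as_set": {7575, 1851},
            "routes": [ip_network("134.7.0.0/16"), ip_network("129.127.0.0/16")]}
PEER = {"kind": "peer", "routes": [ip_network("62.148.160.0/19")]}
PROVIDER = {"kind": "provider"}


def is_private_asn(asn):
    """RFC 6996 private ranges, 16- and 32-bit."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def covered(prefix, routes, max_len=24):
    """'route-filter R upto /24' semantics: inside a registered route and no
    longer than /24."""
    return prefix.prefixlen <= max_len and any(
        r.version == prefix.version and prefix.subnet_of(r) for r in routes)


def evaluate(prefix, as_path, session):
    """Return 'accept' or 'reject: <reason>' for a prefix received with the
    given AS path (leftmost = neighbour, rightmost = origin)."""
    prefix = ip_network(prefix)
    if not as_path:
        return "reject: empty AS path"
    if prefix.prefixlen == 0:
        return "reject: default route"          # "We could erroneously advertise default!"
    if prefix.prefixlen > 24:
        return "reject: longer than /24"
    if any(m.version == prefix.version and prefix.subnet_of(m) for m in MARTIANS):
        return "reject: martian/bogon"
    if any(is_private_asn(a) for a in as_path):
        return "reject: private ASN in path"
    origin = as_path[-1]
    # Customers: prefix AND AS path.  Peers: prefix only.  Providers: only the checks above.
    if session["kind"] == "customer" and origin not in session["as_set"]:
        return "reject: origin AS%d not in as-set" % origin
    if session["kind"] in ("customer", "peer") and not covered(prefix, session["routes"]):
        return "reject: no registered route covers %s" % prefix
    return "accept"
```

The two checks that matter most for the slide’s scenario are the last two: a hijacked prefix originated behind a customer fails the prefix check even when the origin ASN is legitimate, and a commodity route leaked towards a peer fails because no registered route covers it.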

Page 33

Juniper router RPSL config

policy-statement rs-as20965 {
replace:
    term prefixes {
        from {
@RtConfig printPrefixRanges "\t\troute-filter %p/%l upto /24;\n" filter AS-GEANTNRN OR AS-EUMED OR AS2018
        }
        then accept;
    }
}

Page 34

Extract

policy-statement as20965-ipv4-import {
    term as20965 {
        from policy rs-as20965;
        then {
            local-preference 95;
            community add research;
            community add router-tag;
            community add european;
            next policy;
        }
    }
    term reject {
        then reject;
    }
}

Page 35

Prefix policy (generated output of the rs-as20965 template)

policy-statement rs-as20965 {
    term prefixes {
        from {
            route-filter 62.148.160.0/19 upto /24;
            route-filter 66.164.200.0/21 upto /24;
            route-filter 66.164.208.0/21 upto /24;
            route-filter 80.69.160.0/20 upto /24;
            route-filter 80.247.192.0/19 upto /24;
            route-filter 82.112.32.0/19 upto /24;
            route-filter 84.243.192.0/18 upto /24;
            route-filter 84.244.128.0/18 upto /24;
            ………
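The generated lines above are a straight rendering of the registered routes, one `route-filter P/L upto /24` per route. Here is an added example of that rendering step, not RtConfig or AARNet code, in Python for Junos and for an IOS prefix-list (the output form the `-cisco_use_prefix_lists` option on a later slide selects). It adds the two things raw registry data needs before it becomes a filter: more-specifics already covered by a shorter registered route are dropped (AS7575:RS-UNSW lists 203.20.160.0/24 inside 203.20.160.0/19), which keeps the filter small and the router’s line limits respected; and a registered route longer than /24 is reported instead of emitted, because `upto /24` is meaningless for it and the ingress policy rejects it anyway. ROUTES is constructed from the route-set and the generated policy on the slides plus one made-up /25 (192.0.2.128/25) to exercise that case.

```python
"""Render registered routes as Junos route-filter terms or an IOS prefix-list.

Added example, not RtConfig or AARNet code.  ROUTES is constructed from the
slides plus one made-up /25 to exercise the too-long case.
"""
from ipaddress import ip_network

ROUTES = ["129.94.0.0/16", "149.171.0.0/16", "203.10.48.0/24",
          "203.20.160.0/24", "203.20.160.0/19",   # the /24 sits inside the /19
          "62.148.160.0/19", "192.0.2.128/25"]    # constructed /25: longer than policy admits


def minimise(prefixes):
    """Drop any prefix already covered by a shorter one in the list; shorter
    prefixes are processed first so a supernet always wins."""
    nets = sorted({ip_network(p) for p in prefixes},
                  key=lambda n: (n.version, n.prefixlen, int(n.network_address)))
    kept = []
    for n in nets:
        if not any(k.version == n.version and n.subnet_of(k) for k in kept):
            kept.append(n)
    return sorted(kept, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def split_by_length(prefixes, max_len):
    """(usable, too_long): a route longer than max_len cannot carry 'upto
    /max_len' and is rejected on ingress anyway, so report it, don't emit it."""
    usable, too_long = [], []
    for n in minimise(prefixes):
        (too_long if n.prefixlen > max_len else usable).append(n)
    return usable, [str(n) for n in too_long]


def junos_policy(name, prefixes, max_len=24):
    """Junos policy-statement in the shape of the rs-as20965 template."""
    usable, too_long = split_by_length(prefixes, max_len)
    lines = ["policy-statement %s {" % name, "    term prefixes {", "        from {"]
    for n in usable:
        if n.prefixlen == max_len:
            lines.append("            route-filter %s exact;" % n)
        else:
            lines.append("            route-filter %s upto /%d;" % (n, max_len))
    lines += ["        }", "        then accept;", "    }", "}"]
    return "\n".join(lines), too_long


def ios_prefix_list(name, prefixes, max_len=24):
    """IOS prefix-list with the same semantics; the final deny makes the
    implicit one visible when the list is reviewed."""
    usable, too_long = split_by_length(prefixes, max_len)
    lines = []
    for n in usable:
        if n.prefixlen == max_len:
            lines.append("ip prefix-list %s permit %s" % (name, n))
        else:
            lines.append("ip prefix-list %s permit %s le %d" % (name, n, max_len))
    lines.append("ip prefix-list %s deny 0.0.0.0/0 le 32" % name)
    return "\n".join(lines), too_long
```

Anything returned in `too_long` deserves a look at the registry rather than a wider filter: a /25 route object usually means a customer registered a deaggregate that nobody will accept.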

Page 36

BGP policy complexity

• 7575:1 Export external to AARNet with "no-export"
• 7575:2 No export beyond AARNet
• 7575:3 Prepend AS7575 once
• 7575:4 Prepend AS7575 twice
• 7575:5 Prepend AS7575 thrice
• 7575:6 Blackhole traffic
• 7575:7 Regional only
• 7575:70 AARNet local preference 70
• 7575:80 AARNet local preference 80
• 7575:90 AARNet local preference 90
• …and much more…
  – whois -h whois.ra.net AS7575 | grep remarks

Page 37

Using RtConfig

• RtConfig -cisco_use_prefix_lists < cpe-curtin-er1.rtconfig
• Redirect output to a file
• Upload by tftp to the router (tftp is unauthenticated and in the clear, so do this only over the management network, and check the prefix lists the router loaded against the generated file)
• Done!

Page 38

What about S-BGP and soBGP?

• At the moment it’s all about trust
• There are implementations of BGP policy that make us somewhat trustworthy and are currently being deployed
• It isn’t perfect
• But it is a start…

Page 39

References

• RPSL - RFC 2622
  – http://www.faqs.org/rfcs/rfc2622.html
• Using RPSL in Practice - RFC 2650
  – http://www.faqs.org/rfcs/rfc2650.html
• IRRToolSet
  – ftp://ftp.isc.org.net/isc/IRRToolSet/
• RPSL Training Page
  – http://www.isi.edu/ra/rps/training
• RADB
  – http://www.radb.net/

Page 40

Thank you!

Any Questions?