BGP Multiple Origin AS (MOAS) Conflict Analysis
Xiaoliang Zhao, NCSU
S. Felix Wu, UC Davis
Allison Mankin, Dan Massey, USC/ISI
Dan Pei, Lan Wang, Lixia Zhang, UCLA
NANOG-23, October 23, 2001
NANOG 23 - Oakland, 10/23/2001
Definition of MOAS
BGP routes include a prefix and AS path
– Example: 131.179.0.0/16, Path: 4513, 11422, 11422, 52
Origin AS: the last AS in the path
– In the above example: AS 52 originated the path advertisement for prefix 131.179/16
Multiple Origin AS (MOAS): the same prefix announced by more than one origin AS
Example MOAS Conflicts
[Figure: AS 226 originates "128.9.0.0/16, Path: 226". AS 4, which has a static or IGP-learned route to 128.9/16, also originates "128.9.0.0/16, Path: 4". AS X re-advertises the AS 4 route as "128.9.0.0/16, Path: X, 4" and AS Z re-advertises the AS 226 route as "128.9.0.0/16, Path: Z, 226"; wherever both are received (AS Y in the figure), the prefix has two origin ASes: a MOAS conflict!]
Valid MOAS case: 128.9/16 reachable either way
Invalid MOAS case: 128.9/16 reachable one way but not the other
Talk Outline
Measurement data shows that MOAS exists
Some MOAS cases caused by faults
Some MOAS cases due to operational need
Important to distinguish the two
– proposed solutions
Measurement Data Collection
Data collected from the Oregon Route Views
– Peers with >50 routers from >40 different ASes.
– Our analysis uses data from 11/08/97 to 07/18/01 (1279 days total)
More than 38000 MOAS conflicts observed during this time period
At a given moment,
– The Route Views server observed 1364 MOAS conflicts
– The views from 3 individual ISPs showed 30, 12 and 228 MOAS conflicts
MOAS Conflicts Do Exist
year   median # of MOAS conflicts   increase rate   # BGP table entries   increase rate
1998   683                         -               52000                 -
1999   810.5                       18.7%           60000                 15.40%
2000   951                         17.3%           80000                 33.30%
2001   1294                        34.8%           109000                36%
Max: 11842 (11357 from a single AS)
Max: 10226 (9177 from a single AS)
Histogram of MOAS Conflict Lifetime
[Figure: histogram; x-axis: total # of days a prefix experienced MOAS conflict; y-axis: # of MOAS conflicts]
Distribution of MOAS Conflicts over Prefix Lengths
[Figure: bar chart; x-axis: prefix length 1 to 31; y-axis: ratio of # MOAS entries over total routing entries for the same prefix length, range 0 to 0.045]
Valid Causes of MOAS Conflicts
Multi-homing without BGP
[Figure: AS 226 originates "128.9/16, Path: 226"; AS 4 holds a static route or IGP route to 128.9/16 and originates "128.9/16, Path: 4", which AS 11422 propagates as "128.9/16, Path: 11422, 4".]
Private AS number substitution
[Figure: private AS 64512 announces "131.179/16, Path: 64512" to both of its providers, AS X and AS Y; each substitutes its own AS number, so the prefix appears as "131.179/16, Path: X" and "131.179/16, Path: Y".]
Invalid Causes of MOAS Conflicts
Operational faults led to large spikes of MOAS conflicts
– 04/07/1998: one AS originated 12593 prefixes, out of which 11357 were MOAS conflicts
– 04/10/2001: another AS originated 9180 prefixes, out of which 9177 were MOAS conflicts
Falsely originated routes
– Errors
– Intentional traffic hijacking
Handling MOAS Conflicts
RFC 1930 recommends each prefix be originated from a single AS
Today’s routing practice leads to MOAS in normal operations
We must tell valid MOAS cases from invalid ones
– Proposal 1: using BGP community attribute
– Proposal 2: DNS-based solution
BGP-Based Solution
Define a new community attribute
– Listing all the ASes allowed to originate a prefix
Attach this MOAS community-attribute to BGP route announcement
Enable BGP routers to detect faults and attacks
– At least in most cases, we hope!
Comm. Attribute Implementation Example
Example configuration:
router bgp 59
 neighbor 1.2.3.4 remote-as 52
 neighbor 1.2.3.4 send-community
 neighbor 1.2.3.4 route-map setcommunity out
route-map setcommunity
 match ip address 18.0.0.0/8
 set community 59:MOAS 58:MOAS additive
[Figure: AS58 and AS59 both originate 18.0.0.0/8. Announcements seen: "18/8, PATH<58>, MOAS{58,59}" from AS58; "18/8, PATH<59>, MOAS{58,59}" from AS59; "18/8, PATH<52>, MOAS{52, 58}" from AS52; and "18/8, PATH<4>, MOAS{4,58,59}".]
Implementation Considerations
Quickly and incrementally deployable
– Generating MOAS community attribute: configuration changes only
– Detecting un-validated MOAS or a MOAS-CA conflict:
  • Short term: observable from monitoring platforms
  • Longer term: adding into BGP update processing
But community attributes may be dropped by a transit AS due to local configurations or policies
– time to fix the handling of community attributes?
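The monitoring-platform check described in the measurement and community-attribute slides, as an added example (not code from the talk or the FNIISC project): it finds MOAS prefixes in a Route Views style table and then checks each origin AS against the MOAS lists carried in the routes. The `<AS>:MOAS` community encoding and the sample routes are constructed assumptions that mirror the slides' notation.

```python
from collections import defaultdict

# Constructed sample in the slides' notation: (prefix, AS path, communities).
# Assumption: the MOAS community is encoded as "<AS>:MOAS" as on the config slide.
SAMPLE_ROUTES = [
    ("128.9.0.0/16", [226], []),
    ("128.9.0.0/16", [11422, 4], []),
    ("18.0.0.0/8", [59], ["58:MOAS", "59:MOAS"]),
    ("18.0.0.0/8", [58], ["58:MOAS", "59:MOAS"]),
    ("18.0.0.0/8", [52], ["52:MOAS", "58:MOAS"]),
    ("131.179.0.0/16", [4513, 11422, 11422, 52], []),
]

def origin_as(path):
    """Origin AS is the last AS in the path; prepending does not change it."""
    return path[-1]

def find_moas(routes):
    """Return {prefix: set of origin ASes} for prefixes with more than one origin."""
    origins = defaultdict(set)
    for prefix, path, _ in routes:
        origins[prefix].add(origin_as(path))
    return {p: o for p, o in origins.items() if len(o) > 1}

def moas_community_set(communities):
    """ASes listed in <AS>:MOAS communities, or None when the tag is absent."""
    asns = {int(c.split(":")[0]) for c in communities if c.endswith(":MOAS")}
    return asns or None

def classify_moas(routes):
    """Split each MOAS prefix's origins into validated ones (listed in every
    route's MOAS set) and suspect ones (missing from some route's list, or the
    tag is absent: an un-validated MOAS or a MOAS-CA conflict)."""
    report = {}
    for prefix, origins in find_moas(routes).items():
        lists = [moas_community_set(c) for p, _, c in routes if p == prefix]
        validated = {o for o in origins
                     if all(l is not None and o in l for l in lists)}
        report[prefix] = {"validated": validated, "suspect": origins - validated}
    return report

if __name__ == "__main__":
    for prefix, verdict in classify_moas(SAMPLE_ROUTES).items():
        print(prefix, verdict)
```

In the sample, AS 58 is the only origin of 18/8 that every route's MOAS list agrees on; AS 52's list {52, 58} and AS 59's list {58, 59} contradict each other, and 128.9/16 carries no tag at all.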
Another Proposal: DNS-based Solution
Put the MOAS list in a new DNS Resource Record
– ftp://psg.com/pub/dnsind/draft-bates-bgp4-nlri-orig-verif-00.txt by Bates, Li, Rekhter, Bush, 1998
Example configuration (zone file for 18.bgp.in-addr.arpa):
$ORIGIN 18.bgp.in-addr.arpa.
...
AS 58 8 AS 59 8
...
[Figure: a BGP router detects MOAS for 18/8 and queries an enhanced DNS service to verify. Query: "18.bgp.in-addr.arpa: origin AS?"; Response: "18.bgp.in-addr.arpa AS 58 8 AS 59 8".]
Issues to Consider for the DNS Solution
Provides a general prefix to origin AS mapping database
Complementary to Community-attribute Approach
– Check with DNS when community tag indicates a potential problem
– DNSSEC, once available, authenticates the MOAS list
But requires changes to DNS and BGP
DNS may be vulnerable without DNSSEC
– When would DNSSEC be ready?
Routing system querying naming system: circular dependency?
Summary
MOAS conflicts exist today
– Some due to operational need; some due to faults
Blind acceptance of MOAS could be dangerous
– An open door for traffic hijacking
We plan to finalize the solution and bring it to IETF
Send all questions to [email protected]
For more info about FNIISC project: http://fniisc.nge.isi.edu