Practical everyday BGP filtering with AS_PATH filters: Peer Locking
Disclaimer: ISPs and their ASNs used in this talk are examples for discussion purposes only. NTT does not admit or deny any relationships with these entities.
Part 1
Job Snijders - Peer locking - AfPIF 2016
Anybody know http://puck.nether.net/bgp/leakinfo.cgi ?
https://www.nanog.org/meetings/nanog41/presentations/mauch-lightning.pdf
What are we talking about?
Wikipedia-proclaimed “big boys”
7018, 174, 209, 3320, 3257, 286, 3356, 3549, 2914, 5511, 1239, 6453, 6762, 12956, 1299, 701, 2828, 6461
No more than two of these should show up in a given AS_PATH, following the “Transit-Free” paradigm.
https://en.wikipedia.org/wiki/Tier_1_network#List_of_tier_1_networks
Non-scientific graph (not meant to point fingers):
• ‘instigators’ are not alone (others accept too)
• collective responsibility to filter
• data focusses on BGP updates / unique prefixes
• many route leaks not visible due to max_prefix
Humans…
Peerlock-lite aka “big networks filter”
Assuming you’ll not sell transit to one of those big networks in the foreseeable future: reject any prefixes you receive from your customers which contain a $bignetwork ASN anywhere in the AS_PATH.
ip as-path access-list 99 permit _(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|5511|6453|6461|6762|7018|12956)_
route-map ebgp-customer-in deny 1
 match as-path 99
Approaches to prevent route leaks #1
• Networks should not announce received prefixes over peering to other peers
  – Fix: Tag routes with BGP communities on ingress, execute on egress (recent NANOG thread)
  – Note: Always set egress filters to REJECT prefixes without any/the proper communities (failsafe)
Approaches to prevent route leaks #2
• One must apply a “whitelist” of prefixes a customer may announce on every customer session
  – Fix: use bgpq3 or some other prefix filter generator
• Con:
  – Customer’s AS-SET might contain the entire internet
  – thus when leaking a full table, still allowing a lot to pass
• https://github.com/job/irrtree
• http://irrexplorer.nlnog.net/
Approaches to prevent route leaks #3
• Maximum prefix settings on peers + customers
  – Fix: if unsure: just do it
  – Note: automate the adjustment of max_prefix settings for your peers! Only email your peer when absolutely unsure what to configure.
• Con: does not help against small/partial route-leaks
PeerLock
The Human Network: Peerlocking in a nutshell
We know PCCW is not an upstream for AT&T, we know AT&T is not an upstream for PCCW, etc, etc, etc.
How do we know this? We emailed them.
Example: AS_PATH 2914_3491_7018 would be garbage!
Peerlock schematic goal
Given ASNs A, B, C, D, and E as our peers. Peer A subscribes to the peerlock idea (Protected ASN) and indicates that peer B is an ”Allowed Upstream”.
OK:     ^A_
OK:     ^B_A_
NOT OK: ^C_A_
NOT OK: ^D_A_
NOT OK: ^E_A_
Example cases:
• Prevent _7018_ routes from being accepted anywhere except on direct 7018 peering
• Allow only AS3356 as upstream for peer PCCW globally (we don’t, but we could)
Deploying & Managing Peerlock
• “peerlock” is applied on ALL eBGP sessions (both customer sessions and peering sessions)
• “peerlock” is entirely dynamic through NTT’s network management web interface
• “peerlock” allows for advanced regional exceptions/rules
• IT IS RECOMMENDABLE THAT BOTH PARTIES CONSENT TO PEERLOCK
Protected ASN   Allowed Upstream   In What Region   Ignore Constraints   Active
3491            None               Everywhere       False                True
7018            None               Everywhere       True                 True
65123           7018               US               False                True
4200000000      3491               Europe           False                True
4200000000      7018               US               False                True
UI/table mock-up: rules-based approach
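The rule semantics of the mock-up table expressed as a path check, as an added example in Python (not code from the talk or from the job/peerlock repository). It assumes the leftmost ASN of a received AS_PATH is the eBGP neighbour, collapses prepends so that a prepended direct path still counts as ^A_, leaves the Ignore Constraints column out, and the PeerlockRule class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class PeerlockRule:
    protected_asn: int
    allowed_upstream: Optional[int]  # None: routes may only arrive directly from the protected ASN
    region: str                      # "Everywhere" or a region name such as "US"
    active: bool = True


# Constructed rule set copied from the UI mock-up table (Ignore Constraints omitted).
RULES = [
    PeerlockRule(3491, None, "Everywhere"),
    PeerlockRule(7018, None, "Everywhere"),
    PeerlockRule(65123, 7018, "US"),
    PeerlockRule(4200000000, 3491, "Europe"),
    PeerlockRule(4200000000, 7018, "US"),
]


def allowed_upstreams(protected_asn, region, rules=RULES) -> Optional[Set[int]]:
    """Allowed upstream ASNs for a protected ASN in one region; None if no rule protects it there."""
    ups = None
    for r in rules:
        if r.active and r.protected_asn == protected_asn and r.region in ("Everywhere", region):
            if ups is None:
                ups = set()
            if r.allowed_upstream is not None:
                ups.add(r.allowed_upstream)
    return ups


def peerlock_accepts(as_path, region, rules=RULES) -> bool:
    """True if a received AS_PATH (leftmost ASN = eBGP neighbour) satisfies every peerlock rule."""
    # Collapse prepends: '7018 7018 7018' is still ^7018_ to the regex on the slide.
    path = [asn for i, asn in enumerate(as_path) if i == 0 or asn != as_path[i - 1]]
    for i, asn in enumerate(path):
        ups = allowed_upstreams(asn, region, rules)
        if ups is None or i == 0:
            continue  # not protected in this region, or received directly: ^A_
        if i == 1 and path[0] in ups:
            continue  # received via an allowed upstream: ^B_A_
        return False  # ^C_A_ or deeper: someone else is transiting the protected ASN
    return True
```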
Rule Constraints (unless overridden)
1. Both the Protected ASN and Allowed Upstream MUST be directly connected with eBGP sessions to the AS2914 backbone.
2. Only ASNs that connect with AS2914 in multiple regions are eligible to be used as an Allowed Upstream.
3. The Allowed Upstream field can only be set to ”None” in combination with in_what_region ”Everywhere” if the Protected ASN connects with AS2914 in multiple regions.
4. An Allowed Upstream can only be specified for a region if the Allowed Upstream connects with AS2914 within that region.
Open Source Proof of Concept configuration generator
To help calculate what the proper as-path-sets are, I’ve published some Python code. This is a variant of what we used to validate the production implementation.
https://github.com/job/peerlock
WARNING: code is of Hazy Engineering Quality. WIN THE PRIZE: I’ve hidden one bug in the script.
These are generated:
• per peer
• per region
Example workflow
1. Peering team engages with peer and seeks permission, proposes initial rule set
2. Engineering evaluates if the initial proposed peerlock rules will break the internet or not
3. Deploy the rule set in coordination with peer
4. Peers can contact your NOC for change requests, you commit to timely responses
5. Engineering approves/denies change requests to peer-lock rules
Example Technical Documentation for our eBGP peers
1. Contains configuration examples
2. Terminology
3. Disclaimer
4. Default operating mode
5. How to request changes / Who to contact
http://instituut.net/~job/peerlock_manual.pdf
Part 2
Dropping Bogon ASNs
Motivation:
• Occurrences of AS23456 are misconfigurations or software bugs.
• Private/Reserved ASNs have no place in the global routing table.
We should not reward misconfigurations by accepting these routes. The new paradigm: fail hard & fail fast.
NTT is not the only one: GTT, AT&T, KPN & DE-CIX have committed too for June/July 2016.
What Bogon ASNs to drop?
AS2914 will NOT accept route announcements from ANY eBGP neighbors which contain a “Bogon ASN” anywhere in the AS_PATH or its aggregate attribute.
Bogon ASNs are defined as:
• 0
• 23456
• 64496 – 131071
• 4200000000 – 4294967295
Based on: RFC 5398, RFC 6996, RFC 7300
This policy is effective starting July 2016. http://www.us.ntt.net/support/policy/routing.cfm#bogon
Config examples
http://as2914.net/bogon_asns/configuration_examples.txt
Currently have configs for BIRD, IOS XR, JunOS, IOS (yuck)
policy-options {
    as-path-group bogon-asns {
        as-path begin ".* 0 .*";
        as-path as_trans ".* 23456 .*";
        as-path reserved1 ".* [64496-131071] .*";
        as-path reserved2 ".* [4200000000-4294967295] .*";
    }
    policy-statement import_from_ebgp {
        term bogon-asns {
            from as-path-group bogon-asns;
            then reject;
        }
        term .....
    }
}
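An added example (not the talk's configuration and not NTT's code) that applies the two AS_PATH checks from this deck in Python: the bogon ASN ranges listed above on every eBGP session, then the peerlock-lite big-network check from Part 1 on customer sessions only. The AS_PATH parser, the function names, and the reading of “aggregate attribute” as the ASN carried in AGGREGATOR are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Bogon ASN ranges as listed on this slide (RFC 5398, RFC 6996, RFC 7300):
# AS0, AS_TRANS, the reserved/private/documentation 16-bit block, and the reserved 32-bit block.
BOGON_ASN_RANGES = [(0, 0), (23456, 23456), (64496, 131071), (4200000000, 4294967295)]

# The "big networks" list from the peerlock-lite slide in Part 1.
BIG_NETWORKS = {174, 209, 286, 701, 1239, 1299, 2828, 2914, 3257, 3320, 3356, 3549,
                5511, 6453, 6461, 6762, 7018, 12956}


def parse_as_path(text: str) -> List[int]:
    """Flatten a textual AS_PATH such as '3491 {64000 64001} 7018' into a list of ASNs.
    AS_SET members are included, since both filters apply to an ASN anywhere in the path."""
    return [int(tok) for tok in re.findall(r"\d+", text)]


def is_bogon_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in BOGON_ASN_RANGES)


def first_bogon(as_path: List[int], aggregator_asn: Optional[int] = None) -> Optional[int]:
    """First bogon ASN in the path, else the AGGREGATOR ASN if that one is bogon; None if clean."""
    for asn in as_path:
        if is_bogon_asn(asn):
            return asn
    if aggregator_asn is not None and is_bogon_asn(aggregator_asn):
        return aggregator_asn
    return None


def ingress_verdict(path_text: str, session_type: str,
                    aggregator_asn: Optional[int] = None) -> Tuple[str, str]:
    """Run the two filters in the order of the ingress chain: bogon ASNs on every eBGP
    session, then peerlock-lite on customer sessions only. Returns (verdict, reason)."""
    path = parse_as_path(path_text)
    bogon = first_bogon(path, aggregator_asn)
    if bogon is not None:
        return ("reject", "bogon ASN %d" % bogon)
    if session_type == "customer":
        big = [asn for asn in path if asn in BIG_NETWORKS]
        if big:
            return ("reject", "big network AS%d in customer AS_PATH" % big[0])
    return ("accept", "")
```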
Part 3
Putting it all together: Ingress
1. Dynamic maximum prefix settings
2. Reject Bogon prefixes (RFC 1918, etc)
3. Reject Bogon ASNs (AS0/AS23456 etc)
4. Reject IXP prefixes (some IXP subnets)
5. Reject leakage with the Peerlock filter
6. Match against IRR whitelist (only customers)
7. Mark as customer route (or as peer route)
8. Scrub internally significant BGP communities
9. Apply Features – (blackholing, traffic engineering, etc, only for customers)
Putting it all together: Egress
1. Reject Bogon prefixes
2. remove-private-AS
3. Reject “bad” routes
4. Accept peer routes (on customer session)
5. Accept customer routes (on every session)
6. Do prepending (if requested & applicable)
7. Scrub internal communities
8. Set next-hop-self
9. Normalize MED
Questions, anytime, anywhere