Peering and Transit Tutorials: Practical Every Day BGP Filtering

PracticaleverydayBGPfilteringwithAS_PATHfilters:PeerLocking

[email protected]

Disclaimer:ISPsandtheirASNsusedinthistalkareexamplesfordiscussionpurposeonly.NTTdoesnotadmitordenyanyrelationshipswiththeseentities.

Part1

JobSnijders- Peerlocking- AfPIF2016

Anybodyknowhttp://puck.nether.net/bgp/leakinfo.cgi ?

https://www.nanog.org/meetings/nanog41/presentations/mauch-lightning.pdf


Whatarewetalkingabout?


Wikipediaproclaimed“bigboys”

7018,174,209,3320,3257,286,3356,3549,2914,5511,1239,6453,6762,12956,1299,701,2828,6461

NomorethentwooftheseshouldshowupinagivenAS_PATH,followingthe“Transit-Free”paradigm.

https://en.wikipedia.org/wiki/Tier_1_network#List_of_tier_1_networks


Non-scientificgraph- notmeanttopointfingers- ‘instigators’arenotalone(othersaccepttoo)- collectiveresponsibility tofilter- datafocussesonBGPupdates/uniqueprefixes- manyrouteleaksnotvisibleduetomax_prefix


Humans…


Peerlock-liteaka“bignetworks filter”

Assumingyou’llnotselltransittooneofthosebignetworksintheforeseeablefuture:rejectanyprefixesyoureceivefromyourcustomerswhichcontaina$bignetwork ASNanywhereintheAS_PATH.

ip as-path access-list 99 permit \_(174|209|286|701|1239|1299 \

|2828|2914|3257|3320|3356 \|3549|5511|6453|6461|6762 \|7018|12956)_

route-map ebgp-customer-in deny 1match as-path 99


Approachestopreventrouteleaks#1

• Networksshouldnotannouncereceivedprefixesoverpeeringtootherpeers– Fix:TagrouteswithBGPcommunitiesoningress,

executeonegress(recentNANOGthread)– Note:AlwayssetegressfilterstoREJECTprefixes

withoutany/thepropercommunities(failsafe)



• Onemustapplya“whitelist”ofprefixesacustomermayannounceoneverycustomersession– Fix:usebgpq3orsomeotherprefixfiltergenerator

• Con:– Customer’sAS-SETmightcontaintheentireinternet– thuswhenleakingafulltablestillallowingalottopass• https://github.com/job/irrtree• http://irrexplorer.nlnog.net/



• Maximumprefixsettingsonpeers+customers– Fix:ifunsure:justdoit– Note:automatetheadjustmentofmax_prefixsettingsforyourpeers!Onlyemailyourpeerwhenabsolutelyunsurewhattoconfigure.

• Con:doesnothelpagainstsmall/partialroute-leaks


PeerLock


TheHumanNetwork:Peerlockinginanutshell

WeknowPCCWisnotanupstreamforAT&T,weknowAT&TisnotanupstreamforPCCW,etc,etcetc.

Howdoweknowthis?Weemailedthem.

example:AS_PATH2914_3491_7018wouldbegarbage!


Peerlock schematicgoal

GivenASNsA,B,C,D,andEasourpeers.PeerAsubscribestothepeerlockidea(Protected ASN)andindicatesthatpeerBisan”Allowed Upstream”

OK: ^A_OK: ^B_A_NOTOK:^C_A_NOTOK:^D_A_NOTOK:^E_A_


Examplecases:

• Prevent_7018_routesfrombeingacceptedanywhereexceptondirect7018peering

• AllowonlyAS3356asupstreamforpeerPCCWglobally(wedon’t,butwecould)


Deploying&ManagingPeerlock

• “peerlock”isappliedonALLeBGP sessions(bothcustomersessionsandpeeringsessions)

• “peerlock”isentirelydynamicthroughNTT’snetworkmanagementwebinterface

• “peerlock”allowsforadvanced regionalexceptions/rules

• ITISRECOMMENDABLETHATBOTHPARTIESCONSENTTOPEERLOCK


ProtectedASN AllowedUpstream

InWhatRegion IgnoreConstraints

Active

3491 None Everywhere False True

7018 None Everywhere True True

65123 7018 US False True

4200000000 3491 Europe False True

4200000000 7018 US False True

UI/tableMockupRulesbasedapproach


RuleConstraints(unlessoverridden)1. BoththeProtected ASN andAllowed Upstream

MUSTbedirectlyconnectedwitheBGP sessionstotheAS2914backbone.

2. OnlyASNsthatconnectwithAS2914inmultipleregionsareeligibletobeusedasanAllowed Upstream.

3. TheAllowed Upstream fieldcanonlybesetto”None"incombinationwithin_what_region ”Everywhere”, iftheProtected ASN connectswithAS2914inmultipleregions.

4. AnAllowed Upstream canonlybespecifiedforaregioniftheAllowed Upstream connectswithAS2914withinthatregion.


OpenSourceProofofConceptconfigurationgenerator

Tofacilitateincalculatingwhattheproperas-path-setsare– I’vepublishedsomepythoncode.Thisisavariantwhatweusedtovalidatetheproductionimplementation.

https://github.com/job/peerlock

WARNING:codeisofHazyEngineeringQualityWINTHEPRIZE:I’vehiddenonebuginthescript


Thesearegenerated• perpeer• perregion


Exampleworkflow

1. Peeringteamengageswithpeerandseekspermission,proposesinitialruleset

2. Engineeringevaluatesiftheinitialproposedpeerlockruleswillbreaktheinternetornot

3. Deploytherulesetincoordinationwithpeer4. PeerscancontactyourNOCforchange

requests,youcommittotimelyresponses5. Engineeringapproves/denieschange

requeststopeer-lockrules


ExampleTechnicalDocumentationforoureBGP peers

1. Containsconfigurationexamples2. Terminology3. Disclaimer4. Defaultoperatingmode5. Howtorequestchanges/Whotocontact

http://instituut.net/~job/peerlock_manual.pdf


Part2


DroppingBogon ASNsMotivation:• OccurrencesofAS23456aremisconfigurationsorsoftwarebugs.

• Private/ReservedASNshavenoplaceintheglobalroutingtable

Weshouldnotrewardmisconfigurationsbyacceptingtheseroutes.Thenewparadigm:failhard&failfast.

NTTisnottheonlyone:GTT,AT&T,KPN&DE-CIXhavecommittedtooforJune/July2016.


WhatBogon ASNstodrop?AS2914willNOTacceptrouteannouncementsfromANYeBGPneighborswhichcontaina“Bogon ASN”anywhere intheAS_PATHoritsaggregateat.

Bogon ASNsaredefinedas:

02345664496– 1310714200000000– 4294967295

Basedon:RFC5398,RFC6996,RFC7300

ThispolicyiseffectivestartingJuly2016.http://www.us.ntt.net/support/policy/routing.cfm#bogon


Config examples

http://as2914.net/bogon_asns/configuration_examples.txt

Currentlyhaveconfigs forBIRD,IOSXR,JunOS,IOS(yuck)

policy-options {as-path-group bogon-asns {

as-path begin ".* 0 .*";as-path as_trans ".* 23456 .*";as-path reserved1 ".* [64496-131071] .*";as-path reserved2 ".* [4200000000-4294967295] .*";

}policy-statement import_from_ebgp {

term bogon-asns {from as-path-group bogon-asns;then reject;

}term .....

}}


Part3


Puttingitalltogether:Ingress

1. Dynamicmaximumprefixsettings2. RejectBogon prefixes (RFC1918,etc)3. RejectBogon ASNs (AS0/AS23456etc)4. RejectIXPprefixes (SomeIXPsubnets)5. RejectleakagewiththePeerlock filter6. MatchagainstIRRwhitelist (onlycustomers)7. Markascustomerroute (oraspeerroute)8. ScrubinternallysignificantBGPcommunities9. ApplyFeatures– (blackholing,trafficengineering,etc,onlyforcustomers)


Puttingitalltogether:egress

1. RejectBogon prefixes2. remove-private-AS3. Reject“bad”routes4. Acceptpeerroutes(oncustomersession)5. Acceptcustomerroutes (oneverysession)6. Doprepending(ifrequested&applicable)7. Scrubinternalcommunities8. Setnext-hop-self9. NormalizeMed


Questions,anytime,anywhere

[email protected]

Disclaimer:ISPsandtheirASNsusedinthistalkareexamplesfordiscussionpurposeonly.NTTdoesnotadmitordenyanyrelationshipswiththeseentities.


Internet

Peering and Transit Tutorials: Practical Every Day BGP Filtering