
Route filtering using IRRs APAN Net Eng Singapore - 19 July 2006


1. Route filtering using IRRs
APAN Net Eng, Singapore - 19 July 2006
Bruce.Morgan@aarnet.edu.au

2. AARNet3 National Network
© 2006, AARNet Pty Ltd
STM-64c (10 Gbps) backbone
Dual PoPs with divergent paths in major cities
Dual and divergent STM-1s to NT & Tasmania
DWDM network
– Providing backbone
– Providing multiple GigE to regional areas
Provides commodity and R&E traffic to customers

3. AARNet3 Network

4. AARNet3 International Network
Multiple trans-Pacific circuits
– 2 x STM-64c for research and education
– 4 x STM-4c (4 x 622 Mbps) for commodity (LA & PA)
– 2 x STM-1 (155 Mbps) to Seattle
Connections to Europe and Asia
– 2 x 2 x STM-1 to Singapore
– STM-4 to Frankfurt

5. AARNet3 International Connectivity

6. Commodity Provision
International commodity from
– Palo Alto
– Los Angeles
– Seattle
– Frankfurt
Domestic commodity in
– Sydney
– Melbourne
– Adelaide
– Canberra
– Brisbane
– Perth
– etc.

7. AARNet PoPs: our footprint
17 Domestic
– Sydney (3)
– Melbourne (2)
– Brisbane (2)
– Adelaide (2)
– Perth (3)
– Canberra (2)
– Hobart (1)
– Darwin (1)
– Alice Springs (1)
7 International
– Seattle
– Palo Alto
– Los Angeles
– Hawai'i
– Suva
– Singapore
– Frankfurt

8. The AARNet3 environment
Currently over 100 routers deployed
A mix of Juniper and Cisco routers
– Juniper M320s at the core
– Cisco routers at the customer edge
– Link speeds varying from STM-64c to STM-4s and STM-1s for long haul
– 10GbE intra-PoP and GbE connections from PoPs, but still some managed services and legacy ATM

9. The BGP environment
17 commodity transit connections
Over 200 peers, both commodity and R&E
Most peerings are bilateral; a few (3) are multilateral
Some 20 peerings with external international R&E networks
Over 200 iBGP peerings
Over 250 IPv4 prefixes advertised, and growing...
IPv6 enabled
IPv4/IPv6 multicast enabled

10. How do we manage this complexity?
Very hard to manage on an ad-hoc basis with such diversity
– Easy to make big mistakes with manual configurations
Needs an overall policy that manages router BGP configurations
Needs cross-vendor router support
AARNet uses IRRs and RPSL to manage this

11. BGP trust and security
In BGP, security is an afterthought
– BGP was originally designed to address routing between trusted networks; that element of trust does not hold on the Internet today
– MD5 session authentication is gaining more acceptance, but is still not fully deployed
– Filtering is an add-on and is often very loosely deployed
– This has the potential to cause disruption

12. BGP Misconfigurations
Estimated that 1% of the routing table prefixes are misconfigured each day*
– This churn increases the load on routers by 10% in bursts
– Routing is surprisingly resilient, with only 4% of these misconfigurations affecting connectivity/reachability of sites
– But when it hits it can be severe, especially when there is little protection in place: the AS7007 incident
* Mahajan, Wetherall, Anderson, "Understanding BGP Misconfiguration", SIGCOMM 2002, http://www.cs.washington.edu/homes/ratul/bgp/bgp-misconfigs.pdf

13. Route Hijacking
A prefix is announced that does not belong to the originating AS
Can be done by misconfiguration
Can be done maliciously
– Spammers
– DoS attacks
"Short-Lived Prefix Hijacking on the Internet", Peter Boothe, James Hiebert, Randy Bush, http://www.nanog.org/mtg-0602/pdf/boothe.pdf
"We can identify between 26 and 95 hijacking instances in Route-Views data for December 2005. Many more misconfigs and false alarms than purposeful hijackings - 750+"

14. How trusting are we with BGP?
Do we really trust others' announcements?
Would we deploy black-hole community tags with them to protect the network from DoS attacks?
We need to increase the trust level by developing public policy and consistent actions.
To trust, we need to be trustworthy.

15. How we went about it
Need to identify which IRR to use
– AARNet uses RADB
– Others run their own for control
Need to decide what degree of filtering is desired
– Prefix filters
– AS path filters
– Both!
Register a maintainer object at the chosen IRR
– Usually a "manual" process, and could be multi-stage if PGP key authentication is required

16. What is RPSL?
Object-oriented language
Structured whois objects
Refinement of RIPE-181 (and its predecessors) based on operational experience
Describes things interesting to routing policy
– Prefixes
– AS numbers
– Relationships between BGP peers
– Management responsibility

17. Maintainer Object
  mntner:   MAINT-ASAARNET
  descr:    Maintainers for AARNet and AARNet member objects
  admin-c:  CS3692
  tech-c:   GT342-AU
  upd-to:   irrcontact@aarnet.edu.au
  mnt-nfy:  irrcontact@aarnet.edu.au
  auth:     PGPKEY-FAD8C612
  auth:     PGPKEY-23B7F8EF
  remarks:  Australian Academic and Research Network http://www.aarnet.edu.au/
  mnt-by:   MAINT-ASAARNET
  changed:  nobody@aarnet.edu.au 20040113
  source:   RADB
Maintainer objects are used for authentication
Multiple authentication methods: NONE, MAIL-FROM, CRYPT-PW, PGPKEY

18. Route Object
Uses CIDR length format
Specifies the origin AS for a route
Can indicate membership of a route set
  route:    134.7.0.0/16
  descr:    Curtin University of Technology
  origin:   AS7575
  mnt-by:   MAINT-ASAARNET
  changed:  nobody@aarnet.edu.au 20050818
  source:   RADB

19. Route Set Object
  route-set: AS7575:RS-UNSW
  descr:     University of New South Wales
  members:   129.94.0.0/16, 149.171.0.0/16, 203.10.48.0/24, 203.20.160.0/24, 203.20.160.0/19
  remarks:   List of routes accepted from AS7570
  admin-c:   MP151
  tech-c:    ANOC-AP
  mnt-by:    MAINT-ASAARNET
  changed:   nobody@aarnet.edu.au 20050427
  source:    RADB
Collects routes together with similar properties

20. AS Set Object (1)
Collects together Autonomous Systems with shared properties
Can be used in policy in place of an AS
  as-set:   AS7575:AS-EDGE
  descr:    AARNet3 customers AS set
  members:  AS1851, AS4822, AS6262, AS7575, AS7645, AS9383, AS10148, AS17498, AS23654, AS23719, AS23859, AS24101, AS24313, AS24390, AS24431, AS24433, AS24434, AS24436, AS24437, AS24490, AS37978, AS38083
  remarks:  List of customers on AARNet3 using public AS numbers
  remarks:  http://www.aarnet.edu.au
  admin-c:  MP151
  tech-c:   ANOC-AP
  mnt-by:   MAINT-ASAARNET
  changed:  nobody@aarnet.edu.au 20060713
  source:   RADB

21. AS Set Object (2)
  as-set:   AS7575:AS-CUSTOMER
  descr:    AARNet3 customers AS set
  members:  AS7575:AS-EDGE, AS7575:AS-RNO
  remarks:  List of customers on AARNet3 using public AS numbers
  remarks:  http://www.aarnet.edu.au
  admin-c:  MP151
  tech-c:   ANOC-AP
  mnt-by:   MAINT-ASAARNET
  changed:  nobody@aarnet.edu.au 20060715
  source:   RADB
RPSL has hierarchical names
Our customer base is in AS7575:AS-CUSTOMER

22. Whois queries
whois -h whois.ra.net AS7575:AS-CUSTOMER
– members: AS7575:AS-EDGE, AS7575:AS-RNO
whois -h whois.ra.net AS7575:AS-EDGE
– members: AS1851, AS4822, AS6262, AS7575, AS7645, AS10148, AS17498, AS23654, AS23719, AS24101, AS24390, AS24431, AS24433, AS24434, AS24436, AS24437
whois -h whois.ra.net \!gAS1851
– 192.43.227.0/24 129.127.0.0/16 192.43.229.0/24 203.9.156.0/24 129.127.0.0/16 192.43.228.0/24 192.43.229.0/24 203.9.156.0/24

23. AS Route Sets
bhm$ whois -h whois.ra.net AS7575:AS-RESEARCH
  as-set:   AS7575:AS-RESEARCH
  descr:    AARNet3 peer R&E network AS set
  members:  AS47, AS73, AS293, AS668, AS2153, AS6360, AS6509, AS7539, AS7610, AS11537, AS20965, AS23796, AS32361, AS38018
  remarks:  R&E networks peering with AARNet3
If the ASes we peer with used an IRR to specify their route sets, then we could create prefix filters against our peers.
Peers can create prefix filters from our existing policy, except for transit peerings (see above!).
And it's all publicly documented.
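Slides 17 to 23 show the raw objects and the whois queries a filter generator has to chase: an as-set whose members are other (hierarchical) as-sets, and route objects keyed by origin AS. The Python below is an added example, not code from the presentation or from AARNet, of how a tool like RtConfig turns that chain into a prefix list: parse the attribute:value form (including RFC 2622 continuation lines and repeated members: attributes), expand the as-set recursively, and collect the route objects of every AS found. The whois text is constructed for the example; names follow the AARNet objects on the slides, but memberships are cut down, 203.0.113.0/24 (a documentation prefix) stands in for a real route, and a loop between AS7575:AS-EDGE and AS7575:AS-CUSTOMER is included deliberately to show why the expansion needs a cycle guard.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of IRR objects in the whois text form shown on the
# slides. Memberships are reduced, one loop is added on purpose
# (AS-EDGE lists AS-CUSTOMER, which lists AS-EDGE) and 203.0.113.0/24 is
# a documentation prefix standing in for a real customer route.
SAMPLE_WHOIS = """\
as-set:     AS7575:AS-CUSTOMER
descr:      AARNet3 customers AS set
members:    AS7575:AS-EDGE, AS7575:AS-RNO
remarks:    List of customers on AARNet3
+           using public AS numbers
mnt-by:     MAINT-ASAARNET
source:     RADB

as-set:     AS7575:AS-EDGE
members:    AS1851, AS7575
members:    AS7575:AS-CUSTOMER
source:     RADB

as-set:     AS7575:AS-RNO
members:    AS4822
source:     RADB

route:      134.7.0.0/16
descr:      Curtin University of Technology
origin:     AS7575
source:     RADB

route:      192.43.227.0/24
origin:     AS1851
source:     RADB

route:      129.127.0.0/16
origin:     AS1851
source:     RADB

route:      203.0.113.0/24
origin:     AS4822
source:     RADB
"""

RpslObject = Dict[str, List[str]]


def parse_rpsl(text: str) -> List[RpslObject]:
    """Split whois output into blank-line separated objects. Each object maps
    attribute name -> list of values, because attributes such as "members:"
    may repeat. A line starting with a space, tab or '+' continues the
    previous attribute's value (RFC 2622 section 2)."""
    objects: List[RpslObject] = []
    current: RpslObject = {}
    last_key = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
            current, last_key = {}, ""
            continue
        if line[0] in " \t+" and last_key:
            current[last_key][-1] += " " + line[1:].strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip().lower()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def index_objects(objects: List[RpslObject]) -> Tuple[Dict[str, List[str]],
                                                      Dict[str, Set[ipaddress.IPv4Network]]]:
    """Build lookup tables: as-set name -> member list, origin AS -> routes."""
    as_sets: Dict[str, List[str]] = {}
    routes: Dict[str, Set[ipaddress.IPv4Network]] = {}
    for obj in objects:
        if "as-set" in obj:
            members = [m.strip().upper() for line in obj.get("members", [])
                       for m in line.split(",") if m.strip()]
            as_sets[obj["as-set"][0].upper()] = members
        elif "route" in obj:
            origin = obj["origin"][0].upper()
            routes.setdefault(origin, set()).add(ipaddress.ip_network(obj["route"][0]))
    return as_sets, routes


def expand_as_set(name: str, as_sets: Dict[str, List[str]],
                  seen: Optional[Set[str]] = None) -> Set[str]:
    """Resolve an as-set to the plain AS numbers it contains. `seen` records
    the sets already entered, so a set that lists itself (directly or through
    another set) is expanded once and then ignored instead of recursing
    forever. An unregistered member set contributes nothing; a production
    tool should report such gaps rather than silently drop them."""
    name = name.upper()
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns: Set[str] = set()
    for member in as_sets.get(name, []):
        if member.startswith("AS") and member[2:].isdigit():
            asns.add(member)
        else:  # another as-set (hierarchical or plain): recurse into it
            asns |= expand_as_set(member, as_sets, seen)
    return asns


def prefixes_for_as_set(name: str, as_sets: Dict[str, List[str]],
                        routes: Dict[str, Set[ipaddress.IPv4Network]]) -> List[ipaddress.IPv4Network]:
    """The prefixes a filter built from `name` would allow: the union of the
    route objects whose origin is any AS in the expanded set."""
    found: Set[ipaddress.IPv4Network] = set()
    for asn in expand_as_set(name, as_sets):
        found |= routes.get(asn, set())
    return sorted(found, key=lambda n: (int(n.network_address), n.prefixlen))


if __name__ == "__main__":
    sets, route_table = index_objects(parse_rpsl(SAMPLE_WHOIS))
    print(sorted(expand_as_set("AS7575:AS-CUSTOMER", sets)))
    for net in prefixes_for_as_set("AS7575:AS-CUSTOMER", sets, route_table):
        print(net)
```

The guard in expand_as_set is the part worth copying: as-sets in the public IRRs do reference each other in loops, and a generator without it hangs on the first one it meets.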

24. Autonomous System Object
Routing Policy Description object
Most important components are
– import
– export
These define the incoming and outgoing routing announcement relationships
Instant documentation!
whois -h whois.ra.net AS7575

25. Use of RPSL
Use RtConfig v4 (part of RAToolSet from ISC) to generate filters based on information stored in our routing registry
– Avoids filter errors (typos)
– Filters are consistent with documented policy (need to get the policy correct, though)
– Currently we use RAToolSet v4.7.1
– Need to script our own tools for Juniper

26. Using RPSL to configure routers
Need to define "policy" for filtering
– Inbound from customers & peers
– Outbound to customers & peers
Need to be aware of shortcomings in the router configuration and/or the configuration generator
– Command line length (on Cisco this is 512 bytes)
– Complexity of rules

27. AARNet's filtering philosophy
Inbound
– Filter customers by prefix and AS path
– Filter peers by prefix filter
– Filter providers for prefixes longer than a /24
– Don't accept martians or bogons from anyone
Outbound
– Filter by BGP community, which indicates the class of the prefix (customer, peer, etc.)

28. Overall Prefix and Path Filtering
Filter all customer prefixes on ingress
Filter all your advertisements on egress
Filter all bogons and martians
Filter/remove all private AS space

29. RtConfig & IRRToolSet
Version 4.0 supports RPSL
Generates Cisco configurations
Contributed support for Bay's BCC, Juniper's JUNOS and GateD/RSd
Creates route and AS path filters
Can also create ingress/egress filters

30. AS7575 policy
whois -h whois.ra.net AS7575
An extract:
  import: { from AS-ANY action pref=5; community.append(7575:1001,7575:2017,7575:8002);
            accept ANY AND NOT { 0.0.0.0/0^25-32 } AND NOT AS7575 AND NOT fltr-martian;
            refine {
              from AS20965 at 202.158.192.17 action community.append(7575:6002);
              accept AS-GEANTNRN OR AS-EUMED;

31. Peer route set
sao:~/rpsl bhm$ whois -h whois.ra.net AS-GEANTNRN
  as-set:   AS-GEANTNRN
  descr:    The GEANT IP Service
  members:  AS20965
  members:  AS-ACONET, AS-BELNET, AS-CERNEXT, AS-DFNTOWINISP
  members:  AS-GARRTOGEANT, AS5408:AS-TO-GEANT, AS-JANETEURO
  members:  AS-HBONETEN, AS-RCCN, AS-RENATER, AS-RESTENA
  members:  AS-SWITCH, AS-SURFNET, AS-PLNET, AS1955
  members:  AS-REDIRIS, AS2107, AS2611, AS2852, AS-HEANET
  members:  AS-MACHBA, AS2108, AS-UNREN, AS3268, AS-ISTF
  members:  AS-LATNET-Geant, AS3221, AS-LITNET, AS-RBNET
  members:  AS-SANET2, AS-ROEDUNET, AS12046, AS-ULAKNET
  members:  AS3208, AS-NORDUNET
  tech-c:   DANT-RIPE
  admin-c:  RS-RIPE
  mnt-by:   DANTE-MNT

32. AS20965 Object
  import: from AS7575 action pref=100; community.append(20965:7575); med=0; accept
Our peer can safely receive our routes and discard any erroneous prefixes that we advertise.
But without this information we can only accept the routes advertised by the peer:
– We could erroneously advertise default!
– We could originate hijacked routes and they would be accepted.
– We could inject commodity routes into an R&E network and disrupt traffic.
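Slides 27, 28, 30 and 32 together describe the inbound checks AARNet applies to everyone (nothing longer than a /24, no martians, no routes carrying our own AS, no private AS space) and the failure modes an unfiltered peer is exposed to (an accidental default, a hijacked origin). The Python below is an added example, not code from the presentation or from AARNet, that applies those checks to a batch of announcements the way the `accept ANY AND NOT { 0.0.0.0/0^25-32 } AND NOT AS7575 AND NOT fltr-martian` term on slide 30 does. Everything in it is assumed for illustration: MARTIANS is a constructed stand-in for the fltr-martian set in the IRR, the announcements are constructed, and the neighbour AS numbers other than AS20965 and AS7575 are taken from the documentation and private ranges rather than from real networks.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

OWN_AS = 7575         # the NOT AS7575 term in the slide's import policy
MAX_PREFIX_LEN = 24   # the NOT { 0.0.0.0/0^25-32 } term

# Constructed stand-in for the fltr-martian filter-set the policy refers to.
# The real set lives in the IRR; this list covers only well-known
# unroutable or reserved IPv4 blocks.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3",
)]


@dataclass
class Announcement:
    prefix: str
    as_path: List[int]   # neighbour first, origin AS last


def evaluate_import(ann: Announcement, own_as: int = OWN_AS,
                    max_len: int = MAX_PREFIX_LEN) -> Tuple[bool, str]:
    """Return (accepted, reason) for one announcement under the inbound rules
    from the slides: no default route, nothing more specific than /max_len,
    no martians, nothing originated by our own AS (RPSL's "NOT AS7575"
    matches on origin) and no private/reserved AS numbers anywhere in the
    path (slide 28: filter/remove all private AS space)."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    if net.prefixlen == 0:          # 0.0.0.0/0 is not inside 0.0.0.0/8, so check it explicitly
        return False, "default route"
    if net.prefixlen > max_len:
        return False, f"more specific than /{max_len}"
    if any(m.version == net.version and net.subnet_of(m) for m in MARTIANS):
        return False, "martian prefix"
    if ann.as_path and ann.as_path[-1] == own_as:
        return False, f"originated by own AS{own_as}"
    private = [a for a in ann.as_path if 64512 <= a <= 65535]
    if private:
        return False, f"private AS in path: {private}"
    return True, "accepted"


def filter_announcements(anns: List[Announcement]) -> Tuple[List[Announcement], List[Tuple[str, str]]]:
    """Split a batch into accepted announcements and (prefix, reason) rejections,
    the summary a log line or an alert on a peer session would be built from."""
    accepted: List[Announcement] = []
    rejected: List[Tuple[str, str]] = []
    for ann in anns:
        ok, reason = evaluate_import(ann)
        if ok:
            accepted.append(ann)
        else:
            rejected.append((ann.prefix, reason))
    return accepted, rejected


# Constructed update batch as it might arrive from the AS20965 session on
# slide 30. AS64496 is from the documentation range; AS65001 is private.
SAMPLE_UPDATES = [
    Announcement("129.94.0.0/16", [20965, 64496]),     # a registered UNSW route (slide 19)
    Announcement("129.94.1.0/25", [20965, 64496]),     # too specific
    Announcement("10.1.0.0/16", [20965, 64496]),       # RFC 1918 martian
    Announcement("0.0.0.0/0", [20965]),                # the accidental default from slide 32
    Announcement("192.43.227.0/24", [20965, 7575]),    # our own customer route coming back
    Announcement("198.51.100.0/24", [20965, 65001]),   # private AS leaked into the path
]

if __name__ == "__main__":
    good, bad = filter_announcements(SAMPLE_UPDATES)
    print("accepted:", [a.prefix for a in good])
    for prefix, reason in bad:
        print(f"rejected {prefix}: {reason}")
```

The order of the checks matters only for the reason reported; every rejected announcement would fail regardless. The origin check is the one that catches the slide 32 scenario of our own routes being reflected back through a peer, which plain AS-path loop detection on the router would also catch, but only after the update has been accepted into Adj-RIB-In.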

33. Juniper router RPSL config
  policy-statement rs-as20965 {
  replace:
      term prefixes {
          from {
  @RtConfig printPrefixRanges "\t\troute-filter %p/%l upto /24;\n" filter AS-GEANTNRN OR AS-EUMED OR AS2018
          }
          then accept;
      }
  }

34. Extract
  policy-statement as20965-ipv4-import {
      term as20965 {
          from policy rs-as20965;
          then {
              local-preference 95;
              community add research;
              community add router-tag;
              community add european;
              next policy;
          }
      }
      term reject {
          then reject;
      }
  }

35. Prefix policy
  policy-statement rs-as20495 {
      term prefixes {
          from {
              route-filter 62.148.160.0/19 upto /24;
              route-filter 66.164.200.0/21 upto /24;
              route-filter 66.164.208.0/21 upto /24;
              route-filter 80.69.160.0/20 upto /24;
              route-filter 80.247.192.0/19 upto /24;
              route-filter 82.112.32.0/19 upto /24;
              route-filter 84.243.192.0/18 upto /24;
              route-filter 84.244.128.0/18 upto /24;
              ………

36. BGP policy complexity
7575:1    Export external to AARNet with "no-export"
7575:2    No export beyond AARNet
7575:3    Prepend AS7575 once
7575:4    Prepend AS7575 twice
7575:5    Prepend AS7575 thrice
7575:6    Blackhole traffic
7575:7    Regional only
7575:70   AARNet local preference 70
7575:80   AARNet local preference 80
7575:90   AARNet local preference 90
...and much more...
– whois -h whois.ra.net AS7575 | grep remarks

37. Using RtConfig
RtConfig -cisco_use_prefix_lists < cpe-curtin-er1.rtconfig
Redirect output to a file
Upload by tftp to the router
Done!
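Slides 33 to 35 show the RtConfig template for JUNOS (printPrefixRanges with "route-filter %p/%l upto /24") and the route-filter list it expands to, and slide 37 runs the same generator in Cisco prefix-list mode. The Python below is an added example, not RtConfig's code nor AARNet's scripts, of the last step of that pipeline: take an already expanded prefix list and write it out as a JUNOS policy-statement and as an IOS prefix-list. It also handles two things the raw registry data forces a generator to decide: a registered prefix that is already covered by a shorter one with the same upto bound (the route-set on slide 19 lists both 203.20.160.0/19 and 203.20.160.0/24) is dropped as redundant, and a prefix longer than the bound is set aside rather than emitted, matching the "nothing longer than a /24" rule on slide 27. The input list is constructed from the slide 19 route-set plus one /25 on a documentation prefix; the policy and prefix-list names are assumed.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network


def collapse_covered(prefixes: List[str], max_len: int = 24) -> Tuple[List[Net], List[Net]]:
    """Normalise a registered prefix list before turning it into entries that
    each mean "this prefix or anything inside it up to /max_len". Returns
    (kept, too_long): `kept` has duplicates and entries already covered by a
    shorter kept entry removed; `too_long` holds entries longer than max_len,
    which the inbound policy would reject anyway and which a "upto /24"
    filter cannot even express."""
    nets = sorted({ipaddress.ip_network(p) for p in prefixes},
                  key=lambda n: (int(n.network_address), n.prefixlen))
    kept: List[Net] = []
    too_long: List[Net] = []
    for net in nets:   # sorted so any covering supernet is seen before its subnets
        if net.prefixlen > max_len:
            too_long.append(net)
        elif not any(net.subnet_of(k) for k in kept):
            kept.append(net)
    return kept, too_long


def junos_policy(name: str, prefixes: List[str], max_len: int = 24) -> str:
    """Emit the policy-statement shape from slides 33 to 35."""
    kept, _ = collapse_covered(prefixes, max_len)
    body = [f"            route-filter {n} upto /{max_len};" for n in kept]
    return "\n".join([
        f"policy-statement {name} {{",
        "    term prefixes {",
        "        from {",
        *body,
        "        }",
        "        then accept;",
        "    }",
        "    term reject {",
        "        then reject;",
        "    }",
        "}",
    ])


def cisco_prefix_list(name: str, prefixes: List[str], max_len: int = 24) -> str:
    """Emit an IOS prefix-list with an explicit trailing deny, the form a
    -cisco_use_prefix_lists run produces."""
    kept, _ = collapse_covered(prefixes, max_len)
    lines = [f"no ip prefix-list {name}"]
    for i, n in enumerate(kept, start=1):
        # IOS requires the "le" value to be strictly greater than the prefix
        # length, so an entry already at max_len is written as an exact match.
        suffix = f" le {max_len}" if n.prefixlen < max_len else ""
        lines.append(f"ip prefix-list {name} seq {i * 5} permit {n}{suffix}")
    lines.append(f"ip prefix-list {name} seq {(len(kept) + 1) * 5} deny 0.0.0.0/0 le 32")
    return "\n".join(lines)


# Constructed input: the AS7575:RS-UNSW members from slide 19 plus a /25 on a
# documentation prefix to exercise the too-long path.
SAMPLE_ROUTE_SET = [
    "129.94.0.0/16", "149.171.0.0/16", "203.10.48.0/24",
    "203.20.160.0/24", "203.20.160.0/19", "203.0.113.0/25",
]

if __name__ == "__main__":
    kept, too_long = collapse_covered(SAMPLE_ROUTE_SET)
    print("skipped (longer than /24):", [str(n) for n in too_long])
    print(junos_policy("rs-as20965", SAMPLE_ROUTE_SET))
    print(cisco_prefix_list("as20965-in", SAMPLE_ROUTE_SET))
```

Reporting the set-aside prefixes, rather than silently dropping them, is what lets the operator notice that a customer has registered something the policy will never accept, which is usually a registry error worth chasing before the customer opens a ticket.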

38. What about S-BGP and soBGP?
At the moment it's all about trust
There are implementations of BGP policy that make us somewhat trustworthy, and they are currently being deployed
It isn't perfect
But it is a start...

39. References
RPSL - RFC 2622
– http://www.faqs.org/rfcs/rfc2622.html
Using RPSL in Practice - RFC 2650
– http://www.faqs.org/rfcs/rfc2650.html
IRRToolSet
– ftp://ftp.isc.org.net/isc/IRRToolSet/
RPSL Training Page
– http://www.isi.edu/ra/rps/training
RADB
– http://www.radb.net/

40. Thank you! Any questions?

