BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.


1 BGP Multiple Origin AS (MOAS) Conflict Analysis
Xiaoliang Zhao, NCSU
S. Felix Wu, UC Davis
Allison Mankin, Dan Massey, USC/ISI
Dan Pei, Lan Wang, Lixia Zhang, UCLA
NANOG-23, October 23, 2001

2 Definition of MOAS
NANOG 23 - Oakland, 10/23/2001
• BGP routes include a prefix and AS path
  – Example: 131.179.0.0/16, Path: 4513, 11422, 11422, 52
• Origin AS: the last AS in the path
  – In the above example: AS 52 originated the path advertisement for prefix 131.179/16
• Multiple Origin AS (MOAS): the same prefix announced by more than one origin AS

3 Example MOAS Conflicts
[Figure: network diagram with AS 4, AS 226, AS X, AS Y and AS Z. Labels: "128.9.0.0/16 nets"; "Static or IGP learned route to 128.9/16"; announcements "128.9.0.0/16 Path: 226", "128.9.0.0/16 Path: 4", "128.9.0.0/16 Path: X, 4", "128.9.0.0/16 Path: Z, 226"; "MOAS conflict!"]
Valid MOAS case: 128.9/16 reachable either way
Invalid MOAS case: 128.9/16 reachable one way but not the other

4 Talk Outline
• Measurement data shows that MOAS exists
• Some MOAS cases caused by faults
• Some MOAS cases due to operational need
• Important to distinguish the two
  – proposed solutions

5 Measurement Data Collection
• Data collected from the Oregon Route Views
  – Peers with >50 routers from >40 different ASes.
  – Our analysis uses data [11/08/97 to 07/18/01] (1279 days total)
• More than 38000 MOAS conflicts observed during this time period
At a given moment,
  – The Route Views server observed 1364 MOAS conflicts
  – The views from 3 individual ISPs showed 30, 12 and 228 MOAS conflicts

6 MOAS Conflicts Do Exist
[Figure: plot with two annotated peaks: "Max: 11842 (11357 from a single AS)" and "Max: 10226 (9177 from a single AS)"]

7 Histogram of MOAS Conflict Lifetime
[Figure: histogram. Axes: "Total # of days a prefix experienced MOAS conflict" and "# of MOAS conflicts"]

8 Distribution of MOAS Conflicts over Prefix Lengths
[Figure: plot. Axis: "ratio of # MOAS entries over total routing entries for the same prefix length"]

9 Valid Causes of MOAS Conflicts
[Figure, panel "Multi-homing without BGP": AS 4, AS 11422 and AS 226 with "Static route or IGP route"; announcements "128.9/16 Path: 4", "128.9/16 Path: 11422,4", "128.9/16 Path: 226"]
[Figure, panel "Private AS number Substitution": AS 64512, AS X and AS Y; announcements "131.179/16 Path: 64512", "131.179/16 Path: X", "131.179/16 Path: Y"]

10 Invalid Causes of MOAS Conflicts
• Operational faults led to large spikes of MOAS conflicts
  – 04/07/1998: one AS originated 12593 prefixes, out of which 11357 were MOAS conflicts
  – 04/10/2001: another AS originated 9180 prefixes, out of which 9177 were MOAS conflicts
• Falsely originated routes
  – Errors
  – Intentional traffic hijacking

11 Handling MOAS Conflicts
• RFC 1930 recommends each prefix be originated from a single AS
• Today’s routing practice leads to MOAS in normal operations
• We must tell valid MOAS cases from invalid ones
  – Proposal 1: using BGP community attribute
  – Proposal 2: DNS-based solution

12 BGP-Based Solution
• Define a new community attribute
  – Listing all the ASes allowed to originate a prefix
• Attach this MOAS community-attribute to BGP route announcement
• Enable BGP routers to detect faults and attacks
  – At least in most cases, we hope!

13 Comm. Attribute Implementation Example
Example configuration:

    router bgp 59
     neighbor 1.2.3.4 remote-as 52
     neighbor 1.2.3.4 send-community
     neighbor 1.2.3.4 route-map setcommunity out
    route-map setcommunity
     match ip address 18.0.0.0/8
     set community 59:MOAS 58:MOAS additive

[Figure: AS58, AS59 and AS52 around prefix 18.0.0.0/8, with announcements labelled "18/8, PATH, MOAS{4,58,59}", "18/8, PATH, MOAS{58,59}" and "18/8, PATH, MOAS{52, 58}"]

14 Implementation Considerations
• Quickly and incrementally deployable
  – Generating MOAS community attribute: configuration changes only
  – Detecting un-validated MOAS or a MOAS-CA conflict:
      Short term: observable from monitoring platforms
      Longer term: adding into BGP update processing
• But community attributes may be dropped by a transit AS due to local configurations or policies
  – time to fix the handling of community attributes?
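The monitoring-platform check described on slides 2 and 12-14, as an added example that is not code from the presentation: it derives the origin AS from each path, groups routes by prefix, and classifies each prefix by comparing the observed origins with the MOAS lists carried on the announcements. The function names, the verdict labels, AS 64500 and the pairing of paths with MOAS lists in the sample table are assumptions made for illustration.

```python
from collections import defaultdict

def origin_as(as_path):
    """The origin AS is the last AS in the path; prepending does not change it."""
    return as_path[-1]

def analyze(routes):
    """routes: iterable of (prefix, as_path, moas_list_or_None).
    Returns {prefix: verdict} as seen from one monitoring point."""
    origins = defaultdict(set)   # prefix -> origin ASes observed
    lists = defaultdict(set)     # prefix -> distinct MOAS lists observed (None = no list)
    for prefix, path, moas in routes:
        origins[prefix].add(origin_as(path))
        lists[prefix].add(None if moas is None else frozenset(moas))
    verdicts = {}
    for prefix, seen in origins.items():
        present = lists[prefix] - {None}
        if len(present) > 1:
            verdicts[prefix] = "moas-list-conflict"   # announcements carry different lists
        elif present and not seen <= next(iter(present)):
            verdicts[prefix] = "origin-not-listed"    # an origin is outside the list
        elif len(seen) == 1:
            verdicts[prefix] = "single-origin"
        elif None in lists[prefix]:
            verdicts[prefix] = "moas-unvalidated"     # list absent or stripped in transit
        else:
            verdicts[prefix] = "moas-consistent"
    return verdicts

# Constructed sample table. Prefixes and AS numbers 4, 52, 58, 59, 226, 4513 and
# 11422 appear on the slides; AS 64500 and the path/list pairings are assumptions.
SAMPLE = [
    ("131.179.0.0/16", [4513, 11422, 11422, 52], None),
    ("128.9.0.0/16", [226], None),
    ("128.9.0.0/16", [11422, 4], None),
    ("18.0.0.0/8", [64500, 58], {58, 59}),
    ("18.0.0.0/8", [64500, 59], {58, 59}),
    ("18.0.0.0/8", [52], {52, 58}),
]

if __name__ == "__main__":
    for prefix, verdict in analyze(SAMPLE).items():
        print(f"{prefix:18} {verdict}")
```

A list stripped by a transit AS is indistinguishable here from a list that was never attached, which is why both fall under "moas-unvalidated" rather than being treated as a fault.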

15 Another Proposal: DNS-based Solution
• Put the MOAS list in a new DNS Resource Record
  ftp://psg.com/pub/dnsind/draft-bates-bgp4-nlri-orig-verif-00.txt by Bates, Li, Rekhter, Bush, 1998
Example configuration (zone file for 18.bgp.in-addr.arpa):

    $ORIGIN 18.bgp.in-addr.arpa.
    ...
    AS 58 8
    AS 59 8
    ...

[Figure: a router that has detected a MOAS conflict queries an enhanced DNS service. Labels: "MOAS detected for 18/8, query DNS to verify"; "Query 18.bgp.in-addr.arpa: origin AS?"; "Response 18.bgp.in-addr.arpa AS 58 8 AS 59 8"; "Enhanced DNS service"]

16 Issues to Consider for the DNS Solution
• Provides a general prefix to origin AS mapping database
• Complementary to Community-attribute Approach
  – Check with DNS when community tag indicates a potential problem
  – DNSSEC, once available, authenticates the MOAS list
• But requires changes to DNS and BGP
• DNS may be vulnerable without DNSSEC
  – When would DNSSEC be ready?
• Routing system querying naming system: circular dependency?

17 Summary
• MOAS conflicts exist today
  – Some due to operational need; some due to faults
• Blind acceptance of MOAS could be dangerous
  – An open door for traffic hijacking
• We plan to finalize the solution and bring to IETF
Send all questions to fniisc@isi.edu
For more info about FNIISC project: http://fniisc.nge.isi.edu

