Peering and Transit Tutorials: Practical Every Day BGP Filtering

PracticaleverydayBGPfilteringwithAS_PATHfilters:PeerLocking

job@ntt.net

Disclaimer:ISPsandtheirASNsusedinthistalkareexamplesfordiscussionpurposeonly.NTTdoesnotadmitordenyanyrelationshipswiththeseentities.

JobSnijders- Peerlocking- AfPIF2016

Anybodyknowhttp://puck.nether.net/bgp/leakinfo.cgi ?

https://www.nanog.org/meetings/nanog41/presentations/mauch-lightning.pdf

Whatarewetalkingabout?

Wikipediaproclaimed“bigboys”

7018,174,209,3320,3257,286,3356,3549,2914,5511,1239,6453,6762,12956,1299,701,2828,6461

NomorethentwooftheseshouldshowupinagivenAS_PATH,followingthe“Transit-Free”paradigm.

https://en.wikipedia.org/wiki/Tier_1_network#List_of_tier_1_networks

Non-scientificgraph- notmeanttopointfingers- ‘instigators’arenotalone(othersaccepttoo)- collectiveresponsibility tofilter- datafocussesonBGPupdates/uniqueprefixes- manyrouteleaksnotvisibleduetomax_prefix

Humans…

Peerlock-liteaka“bignetworks filter”

Assumingyou’llnotselltransittooneofthosebignetworksintheforeseeablefuture:rejectanyprefixesyoureceivefromyourcustomerswhichcontaina$bignetwork ASNanywhereintheAS_PATH.

ip as-path access-list 99 permit \_(174|209|286|701|1239|1299 \

|2828|2914|3257|3320|3356 \|3549|5511|6453|6461|6762 \|7018|12956)_

route-map ebgp-customer-in deny 1match as-path 99

Approachestopreventrouteleaks#1

• Networksshouldnotannouncereceivedprefixesoverpeeringtootherpeers– Fix:TagrouteswithBGPcommunitiesoningress,

executeonegress(recentNANOGthread)– Note:AlwayssetegressfilterstoREJECTprefixes

withoutany/thepropercommunities(failsafe)

• Onemustapplya“whitelist”ofprefixesacustomermayannounceoneverycustomersession– Fix:usebgpq3orsomeotherprefixfiltergenerator

• Con:– Customer’sAS-SETmightcontaintheentireinternet– thuswhenleakingafulltablestillallowingalottopass• https://github.com/job/irrtree• http://irrexplorer.nlnog.net/

• Maximumprefixsettingsonpeers+customers– Fix:ifunsure:justdoit– Note:automatetheadjustmentofmax_prefixsettingsforyourpeers!Onlyemailyourpeerwhenabsolutelyunsurewhattoconfigure.

• Con:doesnothelpagainstsmall/partialroute-leaks

PeerLock

TheHumanNetwork:Peerlockinginanutshell

WeknowPCCWisnotanupstreamforAT&T,weknowAT&TisnotanupstreamforPCCW,etc,etcetc.

Howdoweknowthis?Weemailedthem.

example:AS_PATH2914_3491_7018wouldbegarbage!

Peerlock schematicgoal

GivenASNsA,B,C,D,andEasourpeers.PeerAsubscribestothepeerlockidea(Protected ASN)andindicatesthatpeerBisan”Allowed Upstream”

OK: ^A_OK: ^B_A_NOTOK:^C_A_NOTOK:^D_A_NOTOK:^E_A_

Examplecases:

• Prevent_7018_routesfrombeingacceptedanywhereexceptondirect7018peering

• AllowonlyAS3356asupstreamforpeerPCCWglobally(wedon’t,butwecould)

Deploying&ManagingPeerlock

• “peerlock”isappliedonALLeBGP sessions(bothcustomersessionsandpeeringsessions)

• “peerlock”isentirelydynamicthroughNTT’snetworkmanagementwebinterface

• “peerlock”allowsforadvanced regionalexceptions/rules

• ITISRECOMMENDABLETHATBOTHPARTIESCONSENTTOPEERLOCK

ProtectedASN AllowedUpstream

InWhatRegion IgnoreConstraints

Active

3491 None Everywhere False True

7018 None Everywhere True True

65123 7018 US False True

4200000000 3491 Europe False True

4200000000 7018 US False True

UI/tableMockupRulesbasedapproach

RuleConstraints(unlessoverridden)1. BoththeProtected ASN andAllowed Upstream

MUSTbedirectlyconnectedwitheBGP sessionstotheAS2914backbone.

2. OnlyASNsthatconnectwithAS2914inmultipleregionsareeligibletobeusedasanAllowed Upstream.

3. TheAllowed Upstream fieldcanonlybesetto”None"incombinationwithin_what_region ”Everywhere”, iftheProtected ASN connectswithAS2914inmultipleregions.

4. AnAllowed Upstream canonlybespecifiedforaregioniftheAllowed Upstream connectswithAS2914withinthatregion.

OpenSourceProofofConceptconfigurationgenerator

Tofacilitateincalculatingwhattheproperas-path-setsare– I’vepublishedsomepythoncode.Thisisavariantwhatweusedtovalidatetheproductionimplementation.

https://github.com/job/peerlock

WARNING:codeisofHazyEngineeringQualityWINTHEPRIZE:I’vehiddenonebuginthescript

Thesearegenerated• perpeer• perregion

Exampleworkflow

1. Peeringteamengageswithpeerandseekspermission,proposesinitialruleset

2. Engineeringevaluatesiftheinitialproposedpeerlockruleswillbreaktheinternetornot

3. Deploytherulesetincoordinationwithpeer4. PeerscancontactyourNOCforchange

requests,youcommittotimelyresponses5. Engineeringapproves/denieschange

requeststopeer-lockrules

ExampleTechnicalDocumentationforoureBGP peers

1. Containsconfigurationexamples2. Terminology3. Disclaimer4. Defaultoperatingmode5. Howtorequestchanges/Whotocontact

http://instituut.net/~job/peerlock_manual.pdf

DroppingBogon ASNsMotivation:• OccurrencesofAS23456aremisconfigurationsorsoftwarebugs.

• Private/ReservedASNshavenoplaceintheglobalroutingtable

Weshouldnotrewardmisconfigurationsbyacceptingtheseroutes.Thenewparadigm:failhard&failfast.

NTTisnottheonlyone:GTT,AT&T,KPN&DE-CIXhavecommittedtooforJune/July2016.

WhatBogon ASNstodrop?AS2914willNOTacceptrouteannouncementsfromANYeBGPneighborswhichcontaina“Bogon ASN”anywhere intheAS_PATHoritsaggregateat.

Bogon ASNsaredefinedas:

02345664496– 1310714200000000– 4294967295

Basedon:RFC5398,RFC6996,RFC7300

ThispolicyiseffectivestartingJuly2016.http://www.us.ntt.net/support/policy/routing.cfm#bogon

Config examples

http://as2914.net/bogon_asns/configuration_examples.txt

Currentlyhaveconfigs forBIRD,IOSXR,JunOS,IOS(yuck)

policy-options {as-path-group bogon-asns {

as-path begin ".* 0 .*";as-path as_trans ".* 23456 .*";as-path reserved1 ".* [64496-131071] .*";as-path reserved2 ".* [4200000000-4294967295] .*";

}policy-statement import_from_ebgp {

term bogon-asns {from as-path-group bogon-asns;then reject;

}term .....

Puttingitalltogether:Ingress

1. Dynamicmaximumprefixsettings2. RejectBogon prefixes (RFC1918,etc)3. RejectBogon ASNs (AS0/AS23456etc)4. RejectIXPprefixes (SomeIXPsubnets)5. RejectleakagewiththePeerlock filter6. MatchagainstIRRwhitelist (onlycustomers)7. Markascustomerroute (oraspeerroute)8. ScrubinternallysignificantBGPcommunities9. ApplyFeatures– (blackholing,trafficengineering,etc,onlyforcustomers)

Puttingitalltogether:egress

1. RejectBogon prefixes2. remove-private-AS3. Reject“bad”routes4. Acceptpeerroutes(oncustomersession)5. Acceptcustomerroutes (oneverysession)6. Doprepending(ifrequested&applicable)7. Scrubinternalcommunities8. Setnext-hop-self9. NormalizeMed

Questions,anytime,anywhere

job@ntt.net

Disclaimer:ISPsandtheirASNsusedinthistalkareexamplesfordiscussionpurposeonly.NTTdoesnotadmitordenyanyrelationshipswiththeseentities.

Peering and Transit Tutorials: Practical Every Day BGP Filtering

Internet

Transcript of Peering and Transit Tutorials: Practical Every Day BGP Filtering

SDN-IP Peering using BGP

Inter-domain routing and BGP part II Olof Hagsand KTH/CSC · • Neighbor negotiation of IBGP and EBGP are the same – IBGP peering: within an AS – EBGP peering: between AS:s •

BGP Peering Strategy & Data - 2017. · PDF file28/02/2017 BGP Traffic Engineering, Andy Davidson 3 Complexity Life starts out very simply, “send traffic to peers if possible, then

BGP Route Filtering

PEERING: Virtualizing BGP at the Edge for Researchebk2141/papers/peering-conext19.pdf · 2020. 1. 27. · PEERING: Virtualizing BGP at the Edge for Research CoNEXT ’19, December

BGP Filtering Best Practices - Noction

Overlays and The Evolution of BGP Peering. Agenda BGP Issues – Overlay Networks – VPNs – ToR BGP…

1 Tutorial 5 Safe “Peering Backup” Routing With BGP Based on: jrex/papers/sigmetrics00.ps.

Deploying 32-bit ASNs - iNESftp.ines.ro/doc/isp-workshops/BGP Presentations/2-4byte-asns.pdf · configuration of 32-bit ASNs " BGP peering is configured as normal using the 32-bit

Deploying BGP Large Communities - Peering Forumpeeringforum.com/pastEvents/gpf12.0/greg_hankins_gpf-12.0... · 26.04.2017 · Deploying BGP Large Communities Greg Hankins greg.hankins@nokia.com

Day One: Deploying BGP Routing Security - Juniper Networks · 2020-04-07 · BGP, peering, routing security, and Internet routing. He also participates in IETF and is a board member

BGP Best Current Practices · 2017. 7. 26. · Cisco IOS Good Practices ! BGP in Cisco IOS is permissive by default ! Configuring BGP peering without using filters means: " All best

INOG:B - MARCH 7 2017 BGP Large Communities Attribute ...• IXPs facilitate multi-lateral BGP peering sessions • one network can peer with all the other networks at an exchange

Practical everyday BGP filtering with AS PATH …...Practical everyday BGP filtering with AS_PATH filters: Peer Locking job@ntt.net Disclaimer: ISPs and their ASNs used in this talk

Tracking network evolution process with netTransformer & Bulgarian Internet BGP Peering evolution from 2001 till now

Detecting Peering Infrastructure Outages in the Wild...Detecting peering infrastructure outages in the wild 54 159 outages in 5 years of BGP data 76% of the outages not reported in

BGP and peering at ABQG - University of New Mexico

BGP Filtering—Myths Legends and Reality€¦ · • Alcatel 7750 SR • Juniper (RE-4.0) Oct 23, 2005 BGP filtering: Myths Legends and Reality Page 21 Testing Results - Cisco •

BGP filtering - Zagreb 2013

BGP Best Current Practices - wiki.apnictraining.net · Cisco IOS Good Practices p BGP in Cisco IOS is permissive by default p Configuring BGP peering without using filters means: