Practical everyday BGP filtering with AS_PATH filters: Peer Locking
Disclaimer: ISPs and their ASNs used in this talk are examples for discussion purpose only. NTT does not admit or deny any relationships with these entities.
Part 1
Job Snijders - Peerlocking - NANOG 67
Anybody know http://puck.nether.net/bgp/leakinfo.cgi ?
https://www.nanog.org/meetings/nanog41/presentations/mauch-lightning.pdf
What are we talking about?
Wikipedia proclaimed "big boys"
7018, 174, 209, 3320, 3257, 286, 3356, 3549, 2914, 5511, 1239, 6453, 6762, 12956, 1299, 701, 2828, 6461
No more than two of these should show up in a given AS_PATH, following the "Transit-Free" paradigm.
https://en.wikipedia.org/wiki/Tier_1_network#List_of_tier_1_networks
Non-scientific graph - not meant to point fingers - 'instigators' are not alone (others accept too) - collective responsibility to filter - data focusses on BGP updates / unique prefixes - many route leaks not visible due to max_prefix
Humans…
Peerlock-lite aka "big networks filter"
Assuming you'll not sell transit to one of those big networks in the foreseeable future: reject any prefixes you receive from your customers which contain a $bignetwork ASN anywhere in the AS_PATH.
ip as-path access-list 99 permit _(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|5511|6453|6461|6762|7018|12956)_
route-map ebgp-customer-in deny 1
 match as-path 99
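An added worked example (not from the talk or from NTT's tooling) that implements the two checks described above in Python: the peerlock-lite customer filter, which rejects any customer route carrying one of the big-network ASNs anywhere in its AS_PATH, and the "no more than two tier-1s" transit-free sanity check. The big-network set is the list from the slide; the AS_PATH strings fed to the functions are constructed samples, and the function names are the example's own.

```python
import re

# Constructed from the slide: the Wikipedia tier-1 ("big boys") ASN list.
BIG_NETWORKS = {7018, 174, 209, 3320, 3257, 286, 3356, 3549, 2914, 5511, 1239,
                6453, 6762, 12956, 1299, 701, 2828, 6461}

# The as-path access-list from the slide, rebuilt from the set as a single IOS regex.
BIG_NETWORK_ASPATH = "_(" + "|".join(str(a) for a in sorted(BIG_NETWORKS)) + ")_"


def ios_aspath_regex(pattern):
    """Translate an IOS as-path regex to Python: '_' matches the start, the end or a space."""
    return re.compile(pattern.replace("_", "(?:^| |$)"))


def parse_as_path(as_path):
    """Integers from a textual AS_PATH; AS_SET braces are flattened so their members count too."""
    return [int(tok) for tok in re.findall(r"\d+", as_path)]


def big_networks_in(as_path):
    """Distinct big-network ASNs in the path; prepends count once."""
    return BIG_NETWORKS & set(parse_as_path(as_path))


def customer_route_ok(as_path):
    """Peerlock-lite: on a customer session, reject any route whose AS_PATH contains a big network."""
    return not big_networks_in(as_path)


def looks_like_leak(as_path):
    """Transit-free sanity check usable on any session: a third tier-1 in one path means a leak."""
    return len(big_networks_in(as_path)) > 2


def matches_access_list(as_path):
    """The same peerlock-lite decision via the IOS regex, to confirm the two agree."""
    return bool(ios_aspath_regex(BIG_NETWORK_ASPATH).search(as_path))


if __name__ == "__main__":
    # Constructed sample paths (leftmost ASN is the neighbour).
    for path in ("3491 65123", "3491 7018 65123", "3356 7018 2914 3491", "3491 {7018 3491}"):
        print(f"{path!r:28} customer-ok={customer_route_ok(path)} leak={looks_like_leak(path)}")
```

The regex and the set-based check are two implementations of the same rule; the regex form is what you paste into a router, the set form is what you run over a route collector dump to see how much would have been dropped before committing to the filter.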
Approaches to prevent route leaks #1
• Networks should not announce received prefixes over peering to other peers
– Fix: Tag routes with BGP communities on ingress, execute on egress (recent NANOG thread)
– Note: Always set egress filters to REJECT prefixes without any/the proper communities (failsafe)
Approaches to prevent route leaks #2
• One must apply a "whitelist" of prefixes a customer may announce on every customer session
– Fix: use bgpq3 or some other prefix filter generator
• Con:
– Customer's AS-SET might contain the entire internet
– thus when leaking a full table still allowing a lot to pass
• https://github.com/job/irrtree
• http://irrexplorer.nlnog.net/
Approaches to prevent route leaks #3
• Maximum prefix settings on peers + customers
– Fix: if unsure: just do it
– Note: automate the adjustment of max_prefix settings for your peers! Only email your peer when absolutely unsure what to configure.
• Con: does not help against small/partial route-leaks
Peer Lock
The Human Network: Peer locking in a nutshell
We know PCCW is not an upstream for AT&T, we know AT&T is not an upstream for PCCW, etc, etc, etc.
How do we know this? We emailed them.
example: AS_PATH 2914_3491_7018 would be garbage!
Peerlock schematic goal
Given ASNs A, B, C, D, and E as our peers. Peer A subscribes to the peerlock idea (Protected ASN) and indicates that peer B is an "Allowed Upstream".
OK: ^A_
OK: ^B_A_
NOT OK: ^C_A_
NOT OK: ^D_A_
NOT OK: ^E_A_
Example cases:
• Prevent _7018_ routes from being accepted anywhere except on direct 7018 peering
• Allow only AS3356 as upstream for peer PCCW globally (we don't, but we could)
Deploying & Managing Peerlock
• "peerlock" is applied on ALL eBGP sessions (both customer sessions and peering sessions)
• "peerlock" is entirely dynamic through NTT's network management web interface
• "peerlock" allows for advanced regional exceptions/rules
• IT IS RECOMMENDABLE THAT BOTH PARTIES CONSENT TO PEERLOCK
Protected ASN   Allowed Upstream   In What Region   Ignore Constraints   Active
3491            None               Everywhere       False                True
7018            None               Everywhere       True                 True
65123           7018               US               False                True
4200000000      3491               Europe           False                True
4200000000      7018               US               False                True
UI/table mockup - rules based approach
Rule Constraints (unless overridden)
1. Both the Protected ASN and Allowed Upstream MUST be directly connected with eBGP sessions to the AS2914 backbone.
2. Only ASNs that connect with AS2914 in multiple regions are eligible to be used as an Allowed Upstream.
3. The Allowed Upstream field can only be set to "None" in combination with in_what_region "Everywhere", if the Protected ASN connects with AS2914 in multiple regions.
4. An Allowed Upstream can only be specified for a region if the Allowed Upstream connects with AS2914 within that region.
Open Source Proof of Concept configuration generator
To facilitate calculating what the proper as-path-sets are, I've published some python code. This is a variant of what we used to validate the production implementation.
https://github.com/job/peerlock
WARNING: code is of Hazy Engineering Quality. WIN THE PRIZE: I've hidden one bug in the script
These are generated • per peer • per region
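An added worked example in Python that is not the published job/peerlock script and not NTT's production code: it takes a rule table shaped like the UI mockup above, merges the rules that apply to one region, generates per-protected-ASN as-path regexes in the ^A_ / ^B_A_ / _A_ form of the schematic, and evaluates sample AS_PATHs both directly and through those regexes to show the two agree. The rule rows are the mockup's sample data, the sample paths are constructed, and the "Ignore Constraints" and "Active" columns are not modelled.

```python
import re

# Constructed rule table in the shape of the slide's UI mockup (sample data, not NTT's
# production ruleset): (protected ASN, allowed upstream or None, region).
RULES = [
    (3491, None, "Everywhere"),
    (7018, None, "Everywhere"),
    (65123, 7018, "US"),
    (4200000000, 3491, "Europe"),
    (4200000000, 7018, "US"),
]


def rules_for_region(rules, region):
    """Merge rules into {protected ASN: set of allowed upstreams} for one region.
    'Everywhere' rules apply in every region; an allowed upstream of None adds nothing,
    so a protected ASN with no upstreams is accepted only on a direct session."""
    merged = {}
    for protected, upstream, rule_region in rules:
        if rule_region in ("Everywhere", region):
            allowed = merged.setdefault(protected, set())
            if upstream is not None:
                allowed.add(upstream)
    return merged


def peerlock_regexes(protected, allowed):
    """IOS-style as-path regexes in evaluation order: permit direct (^A_), permit via each
    allowed upstream (^B_A_), then deny A anywhere else (_A_)."""
    permits = [f"^{protected}_"] + [f"^{u}_{protected}_" for u in sorted(allowed)]
    return permits, f"_{protected}_"


def ios_aspath_regex(pattern):
    """Translate an IOS as-path regex to Python: '_' matches the start, the end or a space."""
    return re.compile(pattern.replace("_", "(?:^| |$)"))


def path_allowed(as_path, protected, allowed):
    """The schematic: with A protected and B an allowed upstream, ^A_ and ^B_A_ pass;
    any other path containing A (^C_A_, ^D_A_, ...) is rejected. Leftmost ASN is the neighbour."""
    if protected not in as_path:
        return True
    if as_path[0] == protected:
        return True
    return len(as_path) > 1 and as_path[1] == protected and as_path[0] in allowed


def path_allowed_by_regex(as_path, protected, allowed):
    """Same decision taken through the generated regexes, the way a router would evaluate them."""
    text = " ".join(str(a) for a in as_path)
    permits, deny = peerlock_regexes(protected, allowed)
    if any(ios_aspath_regex(p).search(text) for p in permits):
        return True
    return not ios_aspath_regex(deny).search(text)


def evaluate(as_path, region, rules=RULES):
    """Apply every rule active in `region`; the first violated protected ASN rejects the route."""
    for protected, allowed in sorted(rules_for_region(rules, region).items()):
        if not path_allowed(as_path, protected, allowed):
            return ("reject", protected)
    return ("accept", None)


if __name__ == "__main__":
    for protected, allowed in sorted(rules_for_region(RULES, "US").items()):
        permits, deny = peerlock_regexes(protected, allowed)
        print(protected, "permit:", permits, "deny:", deny)
    # Constructed sample paths seen on a US session.
    for path in ([7018, 65123], [3491, 7018, 65123], [174, 65123], [7018, 4200000000]):
        print(path, evaluate(path, "US"), "in Europe:", evaluate(path, "Europe"))
```

The regional merge is where the constraints on the previous slide bite: a rule naming an upstream that has no session with you in that region would generate a permit that can never match, which is why the generator should refuse such rows rather than silently emit them.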
Example workflow
1. Peering team engages with peer and seeks permission, proposes initial ruleset
2. Engineering evaluates if the initial proposed peerlock rules will break the internet or not
3. Deploy the ruleset in coordination with peer
4. Peers can contact your NOC for change requests, you commit to timely responses
5. Engineering approves/denies change requests to peer-lock rules
Example Technical Documentation for our eBGP peers
1. Contains configuration examples
2. Terminology
3. Disclaimer
4. Default operating mode
5. How to request changes / Who to contact
http://instituut.net/~job/peerlock_manual.pdf
Part 2
Dropping Bogon ASNs
Motivation:
• Occurrences of AS23456 are misconfigurations or software bugs.
• Private/Reserved ASNs have no place in the global routing table
We should not reward misconfigurations by accepting these routes. The new paradigm: fail hard & fail fast.
NTT is not the only one: GTT, AT&T, KPN & DE-CIX have committed too for June/July 2016.
What Bogon ASNs to drop?
AS2914 will NOT accept route announcements from ANY eBGP neighbors which contain a "Bogon ASN" anywhere in the AS_PATH or its aggregator.
Bogon ASNs are defined as:
0
23456
64496 – 131071
4200000000 – 4294967295
Based on: RFC 5398, RFC 6996, RFC 7300
This policy is effective starting July 2016. http://www.us.ntt.net/support/policy/routing.cfm#bogon
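An added Python example, not from the talk or from NTT's policy tooling, that encodes the four bogon ASN ranges above and applies the stated rule to a route: a bogon ASN anywhere in the AS_PATH (AS_SET members included) or in the AGGREGATOR attribute rejects it. It also accepts asdot notation (X.Y) so a 32-bit ASN written either way is caught. The sample paths are constructed, and the function names are the example's own.

```python
import re

# Bogon ASN ranges from the policy (RFC 5398, RFC 6996, RFC 7300), as inclusive (low, high) pairs.
BOGON_ASN_RANGES = [
    (0, 0),                     # AS0
    (23456, 23456),             # AS_TRANS; must never survive into a real AS_PATH
    (64496, 131071),            # documentation, 16-bit private, 65535 and the reserved block above
    (4200000000, 4294967295),   # 32-bit private range and the reserved last ASN
]


def is_bogon_asn(asn):
    return any(low <= asn <= high for low, high in BOGON_ASN_RANGES)


def parse_as_path(as_path):
    """Integers from a textual AS_PATH; AS_SET braces are ignored so members are checked too,
    and asdot notation (e.g. 64086.59904) is converted to asplain."""
    asns = []
    for tok in re.findall(r"\d+(?:\.\d+)?", as_path):
        if "." in tok:
            high, low = tok.split(".")
            asns.append(int(high) * 65536 + int(low))
        else:
            asns.append(int(tok))
    return asns


def bogon_asns_in_route(as_path, aggregator=None):
    """The bogon ASNs that make the policy reject this route: any in the AS_PATH plus,
    when the route carries an AGGREGATOR attribute, its ASN."""
    found = [asn for asn in parse_as_path(as_path) if is_bogon_asn(asn)]
    if aggregator is not None and is_bogon_asn(aggregator):
        found.append(aggregator)
    return found


def accept_route(as_path, aggregator=None):
    return not bogon_asns_in_route(as_path, aggregator)


if __name__ == "__main__":
    # Constructed samples; 64086.59904 is 4200000000 in asdot form.
    for path, agg in (("2914 3491 7018", None), ("2914 23456 7018", None),
                      ("2914 {64512 3491}", None), ("2914 64086.59904", None),
                      ("2914 3491", 65535)):
        print(f"{path!r:22} aggregator={agg}: bogons={bogon_asns_in_route(path, agg)}")
```

Checking the AGGREGATOR attribute separately matters because a private ASN used to aggregate inside a customer network never appears in the AS_PATH, so a path-only filter would let that misconfiguration through.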
Config examples
http://as2914.net/bogon_asns/configuration_examples.txt
Currently have configs for BIRD, IOS XR, JunOS, IOS (yuck)
policy-options {
    as-path-group bogon-asns {
        as-path begin ".* 0 .*";
        as-path as_trans ".* 23456 .*";
        as-path reserved1 ".* [64496-131071] .*";
        as-path reserved2 ".* [4200000000-4294967295] .*";
    }
    policy-statement import_from_ebgp {
        term bogon-asns {
            from as-path-group bogon-asns;
            then reject;
        }
        term .....
    }
}
Part 3
Putting it all together: Ingress
1. Dynamic maximum prefix settings
2. Reject Bogon prefixes (RFC 1918, etc)
3. Reject Bogon ASNs (AS0/AS23456 etc)
4. Reject IXP prefixes (Some IXP subnets)
5. Reject leakage with the Peerlock filter
6. Match against IRR whitelist (only customers)
7. Mark as customer route (or as peer route)
8. Scrub internally significant BGP communities
9. Apply Features – (blackholing, traffic engineering, etc, only for customers)
Putting it all together: egress
1. Reject Bogon prefixes
2. remove-private-AS
3. Reject "bad" routes
4. Accept peer routes (on customer session)
5. Accept customer routes (on every session)
6. Do prepending (if requested & applicable)
7. Scrub internal communities
8. Set next-hop-self
9. Normalize MED
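An added Python model of the ingress and egress policy order on the two slides above, together with the tag-on-ingress, execute-on-egress community approach from Part 1; it is example code, not NTT's configuration. Routes are plain dictionaries, sessions are typed "customer" or "peer", and all prefixes, IXP subnets and community values are constructed placeholders. Max-prefix (ingress step 1) is a session-level limit rather than a per-route term, peerlock (step 5) is shown in the Part 1 example, and the customer features (step 9), the "bad routes" term and prepending are left out, so the block concentrates on ordering and on the fail-safe: a route with no marker community is never exported.

```python
import ipaddress

# All data below is constructed for the example, not NTT's policy.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3")]
IXP_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]   # placeholder IXP peering LAN
INTERNAL = "65000:"          # placeholder: prefix shared by internally significant communities
CUSTOMER = "65000:100"       # placeholder markers set on ingress, acted on at egress
PEER = "65000:200"


def is_bogon_asn(asn):
    return asn in (0, 23456) or 64496 <= asn <= 131071 or 4200000000 <= asn <= 4294967295


def is_private_asn(asn):
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def covered(prefix, nets):
    return any(prefix.subnet_of(n) for n in nets if n.version == prefix.version)


def ingress(route, session, irr_whitelist):
    """Ingress terms in slide order (steps 2, 3, 4, 6, then 8 and 7).
    Scrubbing runs before marking so a neighbour cannot pre-set our marker.
    Returns (action, modified route or None)."""
    prefix = ipaddress.ip_network(route["prefix"])
    if covered(prefix, BOGON_PREFIXES):                         # 2. bogon prefixes
        return ("reject:bogon-prefix", None)
    if any(is_bogon_asn(a) for a in route["as_path"]):          # 3. bogon ASNs
        return ("reject:bogon-asn", None)
    if covered(prefix, IXP_PREFIXES):                           # 4. IXP prefixes
        return ("reject:ixp-prefix", None)
    if session["type"] == "customer" and not covered(prefix, irr_whitelist):
        return ("reject:not-in-irr", None)                      # 6. IRR whitelist, customers only
    comms = {c for c in route["communities"] if not c.startswith(INTERNAL)}  # 8. scrub
    comms.add(CUSTOMER if session["type"] == "customer" else PEER)           # 7. mark
    return ("accept", dict(route, communities=comms))


def egress(route, session):
    """Egress terms in slide order. The marker decides export: customer routes go to every
    session, peer routes only to customers, and a route carrying no marker is rejected
    (the fail-safe from the communities approach). Internal communities are scrubbed last."""
    prefix = ipaddress.ip_network(route["prefix"])
    if covered(prefix, BOGON_PREFIXES):                         # 1. bogon prefixes
        return ("reject:bogon-prefix", None)
    as_path = [a for a in route["as_path"] if not is_private_asn(a)]   # 2. remove-private-AS
    comms = route["communities"]
    exportable = CUSTOMER in comms or (PEER in comms and session["type"] == "customer")
    if not exportable:                                          # 4, 5 and the fail-safe
        return ("reject:no-export-marker", None)
    out = dict(route, as_path=as_path,
               communities={c for c in comms if not c.startswith(INTERNAL)},  # 7. scrub
               next_hop="self", med=0)                          # 8. next-hop-self, 9. MED
    return ("accept", out)


if __name__ == "__main__":
    # Constructed sample: a customer route that arrives carrying one of our internal communities.
    whitelist = [ipaddress.ip_network("198.51.100.0/24")]
    route = {"prefix": "198.51.100.0/24", "as_path": [3491], "communities": {"65000:200", "2914:410"}}
    action, accepted = ingress(route, {"type": "customer"}, whitelist)
    print("ingress:", action, accepted)
    if accepted:
        print("egress to peer:", egress(accepted, {"type": "peer"}))
```

Because the marker is itself an internal community, the egress scrub in step 7 removes it after the export decision has been taken; scrubbing earlier would turn every route into a no-marker reject, which is the kind of ordering mistake the slide's numbering is there to prevent.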
Questions, anytime, anywhere