slides - network systems lab @ sfu

Practical and Configuration issues of BGP and Policy routing

Cameron Harvey
Simon Fraser University
BGP Overview

What is BGP?

- BGP is described as “The glue that holds the internet together”
- eBGP routers advertise reachable routes to their neighbours
- We have already learned that they do not necessarily advertise all their routes. There is a policy set by administrators that dictates which routes to advertise
BGP attributes

- When making a BGP advertisement, there are a number of attributes which may be specified.
- These attributes allow administrators to affect the BGP routing policies
BGP attributes (2)

Value  Code                       Reference
-----  -------------------------  ---------
1      ORIGIN                     [RFC1771]
2      AS_PATH                    [RFC1771]
3      NEXT_HOP                   [RFC1771]
4      MULTI_EXIT_DISC            [RFC1771]
5      LOCAL_PREF                 [RFC1771]
6      ATOMIC_AGGREGATE           [RFC1771]
7      AGGREGATOR                 [RFC1771]
8      COMMUNITY                  [RFC1997]
9      ORIGINATOR_ID              [RFC2796]
10     CLUSTER_LIST               [RFC2796]
11     DPA                        [Chen]
12     ADVERTISER                 [RFC1863]
13     RCID_PATH / CLUSTER_ID     [RFC1863]
14     MP_REACH_NLRI              [RFC2283]
15     MP_UNREACH_NLRI            [RFC2283]
16     EXTENDED COMMUNITIES       [Rosen]
...
255    reserved for development
BGP Decision Algorithm

1. Highest Local Preference
2. Lowest AS Path Length
3. Lowest Origin Type (0 iBGP, 1 eBGP, 2 Incomplete)
4. Smaller MED - Multi-Exit Discriminator (iff next hops equal)
5. Lowest IGP Cost (OSPF, RIP, etc.)
6. Lowest Next Hop
7. Lowest BGP Identifier
8. Vendor-dependent Tie Break
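The decision steps above, as an added Python example that is not part of the original slides: it applies steps 1 to 7 to a constructed set of candidate routes for one prefix, where the shortest route carries a low local preference and another route has been lengthened by AS prepending. The example assumes MED is compared only among routes from the same neighbouring AS (the condition the slide abbreviates as "next hops equal"); all ASNs and addresses are made up.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    """One candidate path for a prefix (constructed sample fields, not a real RIB)."""
    next_hop: str
    as_path: tuple          # neighbouring AS first, originating AS last
    local_pref: int = 100
    origin: int = 0         # 0, 1, 2 as numbered on the slide
    med: int = 0
    igp_cost: int = 0       # IGP distance to next_hop
    router_id: str = "0.0.0.0"

def _keep_min(routes, key):
    """Keep only the routes that tie for the lowest key value."""
    best = min(key(r) for r in routes)
    return [r for r in routes if key(r) == best]

def _ip(addr):
    return int(ipaddress.ip_address(addr))

def best_route(routes):
    """Apply decision steps 1-7 in order; the survivors of each step go to the next."""
    cands = list(routes)
    cands = _keep_min(cands, lambda r: -r.local_pref)       # 1. highest LOCAL_PREF
    cands = _keep_min(cands, lambda r: len(r.as_path))      # 2. shortest AS_PATH (prepends count)
    cands = _keep_min(cands, lambda r: r.origin)            # 3. lowest ORIGIN type
    groups = {}                                             # 4. lowest MED, compared only among
    for r in cands:                                         #    routes from the same neighbouring AS
        groups.setdefault(r.as_path[0], []).append(r)
    cands = [r for g in groups.values() for r in _keep_min(g, lambda r: r.med)]
    cands = _keep_min(cands, lambda r: r.igp_cost)          # 5. lowest IGP cost to the next hop
    cands = _keep_min(cands, lambda r: _ip(r.next_hop))     # 6. lowest next hop address
    cands = _keep_min(cands, lambda r: _ip(r.router_id))    # 7. lowest BGP identifier
    return cands[0]

# Constructed candidates for one prefix, learned from three neighbouring ASes.
CANDIDATES = [
    Route("192.0.2.1", (65001, 65010), local_pref=70),                # via provider: shortest, low pref
    Route("192.0.2.2", (65002, 65002, 65002, 65010), local_pref=90),  # via customer: 2 prepends
    Route("192.0.2.3", (65003, 65010), local_pref=90, med=50),        # via customer 65003, MED 50
    Route("192.0.2.4", (65003, 65010), local_pref=90, med=10),        # same neighbour, MED 10
]

if __name__ == "__main__":
    print(best_route(CANDIDATES))   # the MED 10 route via 192.0.2.4
```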
Local Preference

- This is used in iBGP
- Setting the local preference to a higher value will give this route preference.
- Used with multiple exit points from an AS
- The highest Local Preference will be the default exit point, even if this route has more hops.
- In the case of router failure, the next highest Local Preference exit is chosen
Lowest AS Path Length

- BGP will choose the path with the fewest AS hops
- An AS may inflate the length of the AS path to make the route look less attractive to other ASes. It does so by adding its own AS number to the AS path one or more times. This process is called AS prepending.
Lowest Origin Type

- This attribute is not used consistently among ASes.
- This attribute is frequently ignored so that it does not interfere with the MED attribute
MED - Multi-Exit Discriminator

MED is typically used by two ASes with a peering agreement. The values of the MED are part of the agreement. An AS will advertise its preferred gateway router with a lower MED. MED can be used to help balance the incoming traffic load.
Business Relations

- With ISPs, it is the business relationships that are most important in determining BGP policies
- Two ISPs may agree to route each other's traffic. They may do so without compensation, perhaps because roughly equal amounts of traffic flow between their networks. This is called a peering relationship.
Business Relations (2)

- Local preference can be manipulated to avoid traffic congestion or to save money by routing through ISPs with whom there is a peering relationship
- Set the Local Preference value in the range:
  - 90-99 for customers
  - 80-89 for peers
  - 70-79 for providers
Business Relations (3)

Import Policy

- A BGP router can filter the routes received from each of its peers
  - Helps control router table size
  - Helps with security
Export Policy

- A BGP router can:
  - Filter the routes advertised to its peers
  - Advertise transit routes to peers with whom it has a contract to provide such service
  - Selectively report reachability information: report a destination to some neighbours and not others
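An added Python example, not from the original slides, tying the import and export policies to the business relationships of the previous slides: on import, routes are tagged with a LOCAL_PREF taken from the slide's customer/peer/provider ranges, and routes whose AS_PATH does not start with the sending AS are dropped; on export, the assumed rule is the standard one (routes learned from a customer go to everyone, routes learned from a peer or provider go only to customers). The neighbour table, ASNs and prefixes are constructed.

```python
# Relationship of each neighbouring AS to our AS (constructed sample, not real ASNs).
NEIGHBOURS = {65001: "provider", 65002: "peer", 65003: "customer", 65004: "customer"}

# LOCAL_PREF per relationship, the lowest value of each range given on the slide.
LOCAL_PREF = {"customer": 90, "peer": 80, "provider": 70}

def import_policy(neighbour_as, prefix, as_path):
    """Import filter: drop routes from unknown neighbours or whose AS_PATH does not
    start with the sender; otherwise tag the route with LOCAL_PREF by relationship."""
    rel = NEIGHBOURS.get(neighbour_as)
    if rel is None or not as_path or as_path[0] != neighbour_as:
        return None
    return {"prefix": prefix, "as_path": tuple(as_path), "from": rel,
            "local_pref": LOCAL_PREF[rel]}

def export_policy(route, to_as):
    """Export filter (assumed standard rule): a route learned from a customer is
    advertised to everyone, because we are paid to provide transit for that customer;
    a route learned from a peer or provider is advertised only to customers, so we
    never carry transit traffic between peers or providers for free."""
    if to_as == route["as_path"][0]:          # never hand a route back to its sender
        return False
    if route["from"] == "customer":
        return True
    return NEIGHBOURS[to_as] == "customer"

def advertisements(received):
    """Run every received (neighbour_as, prefix, as_path) through both policies and
    return {neighbour_as: sorted prefixes we advertise to that neighbour}."""
    accepted = [r for r in (import_policy(*x) for x in received) if r is not None]
    out = {n: [] for n in NEIGHBOURS}
    for route in accepted:
        for n in NEIGHBOURS:
            if export_policy(route, n):
                out[n].append(route["prefix"])
    return {n: sorted(p) for n, p in out.items()}

# Constructed announcements: a customer route, a provider transit route, a bad path.
RECEIVED = [
    (65003, "10.1.0.0/16", [65003]),            # customer originates its own prefix
    (65001, "10.2.0.0/16", [65001, 65100]),     # provider gives us a transit route
    (65002, "10.3.0.0/16", [65009, 65002]),     # path does not start with sender: dropped
]

if __name__ == "__main__":
    for neighbour, prefixes in advertisements(RECEIVED).items():
        print(neighbour, NEIGHBOURS[neighbour], prefixes)
```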
Router Table Size

- BGP tables have been growing exponentially
  - Tables can have more than 300,000 entries
- Measures have been implemented to mitigate table growth
  - Prefix Aggregation
  - Filtering long prefixes
Security

- BGP was built on trust and provides no security guarantees
  - BGP does not validate an AS’s authority to announce reachability information.
  - BGP does not ensure the authenticity of the path attributes announced by an AS
- In 1997 a small company inadvertently advertised optimal connectivity to all Internet destinations
  - This claim was not validated in any way
  - Most Internet traffic got routed to this destination
  - Crippled the internet for ~2 hours
Security (2)

- An AS can advertise a prefix or a longer prefix belonging to another AS
- Some internet traffic for this IP will now get re-routed to this AS, which can then do any of the following:
  - Do nothing - Black-hole attack
  - Impersonate - Obtain sensitive information
    - Passwords
    - Credit card numbers
  - Forward to original destination - Interception attack
Security (3)

Solutions ???

- Currently
  - Protection of the BGP TCP connection
  - Filtering of BGP announcements
    - Minimally effective unless all ASes filter aggressively.
    - Because this is labour intensive, most ASes do not bother
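An added Python example, not from the original slides, of the announcement filtering described above, run over constructed announcements that mirror the cases on the previous slide (a more-specific prefix, the same prefix from a different origin, and our own address space announced back to us). The prefixes, ASNs and the table of expected origin ASes are all made up for the example.

```python
import ipaddress

# Constructed sample data: the space our AS originates, and the origin AS we expect
# for a few prefixes of other networks.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_ORIGIN = {ipaddress.ip_network("198.51.100.0/24"): 65010}
MAX_PREFIX_LEN = 24   # drop anything more specific than a /24 (the "long prefix" filter)

def check_announcement(prefix, as_path):
    """Return "accept", or a string starting with "reject:" that names the reason."""
    net = ipaddress.ip_network(prefix, strict=False)
    origin_as = as_path[-1]
    if net.prefixlen > MAX_PREFIX_LEN:
        return "reject: prefix longer than /%d" % MAX_PREFIX_LEN
    for ours in OUR_PREFIXES:
        if net.version == ours.version and net.subnet_of(ours):
            return "reject: our own address space announced by a neighbour"
    for known, expected in EXPECTED_ORIGIN.items():
        if net.version == known.version and net.subnet_of(known) and origin_as != expected:
            return "reject: origin AS %d, expected AS %d" % (origin_as, expected)
    return "accept"

def filter_announcements(announcements):
    """Apply the filter to a list of (prefix, as_path) and return (prefix, verdict) pairs."""
    return [(prefix, check_announcement(prefix, path)) for prefix, path in announcements]

# Constructed announcements, each with its neighbouring AS first and origin AS last.
ANNOUNCEMENTS = [
    ("198.51.100.0/24", [65002, 65010]),     # legitimate origin: accepted
    ("198.51.100.0/25", [65002, 65666]),     # more-specific hijack: caught by the length filter
    ("198.51.100.0/24", [65002, 65666]),     # same prefix, wrong origin: caught by origin table
    ("203.0.113.0/24", [65001, 65666]),      # our own space coming from outside
    ("192.0.2.0/24", [65001, 65020]),        # nothing known about it: accepted
]

if __name__ == "__main__":
    for prefix, verdict in filter_announcements(ANNOUNCEMENTS):
        print(prefix, verdict)
```

The last case shows the limit the slide points out: with no table entry, a bogus announcement passes, so the filter is only as good as the origin data behind it.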
Future Research

- S-BGP (secure BGP)
- soBGP (secure origin BGP)
- IRV system (Interdomain Route Validation)