BGP Tutorial. John S. Graham

Transcription

1 BGP Tutorial John S. Graham

2 What s In Store? Routing Architectures BGP Basics Path Selection (many examples) BGP State Machine Multiprotocol Extensions Multicast Routing Covered Layer-III VPN Omitted

3 Cisco Architecture IP Routing Table /16 Metric: Next-Hop: /12 Metric: Next-Hop: /8 Metric: Next-Hop: BGP EIGRP Static OSPF RIP Export Import

4 Juniper Architecture BGP IS-IS OSPF /12 Metric 1: Metric 2: Next Hop: Area: AS-Path: Community: Level: Static Export Import RIP

5 BGP Schematic (IPv4 Unicast) /16 inet.0 < > BGP Table <> Routing Table < > < /12 BGP Path Selection Routing Policy

6 The Autonomous System Collection of routers under one administrative control Single internal routing protocol Identified using an AS Number AS100 AS200

7 AS Numbers An ASN is a 16-bit number 1 through are assigned by RIRs through are for private use and should never appear on the Internet Numbers 0 and are reserved AS used to represent 4-byte ASN to routers unable to handle the new standard All major routing platforms now support 32-bit ASN: Interesting contrasts between European and USbased R&E networks

8 Test 4-Byte ASN Operated by Force10 Networks Advertises /24 Accessible via Internet2 CPS Check the AS-Path on your network! 4-Byte ASN can be expressed as: AS-Plane = AS-Dot = Thanks to Brent R. Sweeny for advice

9 ISP Routing Components Interior Gateway Protocol (IGP) Internal BGP (ibgp) Routes customer prefixes around internal infrastructure Is NOT congruent with physical connectivity External BGP (ebgp) Prefix interchange with customers Most routing policy located here

10 Routing Components Depicted Circuit A.4 Router A A.0 A.1 IS-IS Adjacency ibgp Peering ebgp Peering D.4 Router D D.0 B.0 B.1 Router B D.3 B.2 C.3 Router C C.0 C.2 Router E E.0

11 Attribute Classes Well-Known Optional Mandatory Discretionary Transitive Non-Transitive AS_PATH LOCAL_PREF COMMUNITY MED NEXT_HOP ATOMIC_ AGGREGATE AGGREGATOR CLUSTER_LIST ORIGIN ORIGINATOR_ID MP_REACH_NLRI MP_UNREACH_NLRI

12 The AS_PATH Attribute / / / AS100 detects its own AS in the path from AS500 and ignores the prefix / /

13 Which is the Better Path?

14 The NEXT_HOP Attribute B.2 C.2 C.3 D.3 B.1 A.1 Router SELF = NO NEXT_HOP SELF = YES A B A.1 A.1 C A.1 B.0 D C.3 C.3

15 The LOCAL_PREF Attribute Graphic used with kind permission of Philip Smith, Cisco Systems

16 Multi-Exit Discriminator Graphic used with kind permission of Philip Smith, Cisco Systems

17 MED: Metric Confusion MED is non-transitive and optional Some implementations send learned MED to ibgp peers by default and others do not Some implementations send MEDs to ebgp peers by default while others do not Default metric varies by vendor No explicit metric implies or No explicit metric implies zero

18 ebgp vs ibgp 1. Uses AS_PATH for loop avoidance 2. NEXT_HOP is modified 3. Peers must be directly connected 4. MED is reset 5. LOCAL_PREF is never advertised 1. Chinese whispers prohibited 2. NEXT_HOP is unchanged 3. Peers not necessarily directly connected 4. MED is propagated 5. LOCAL_PREF always advertised

19 Internal Peering Topologies Daisy Chain (Wrong) Full Mesh (Allowed) Route Reflector (Allowed)

20 How Are Prefixes Passed Around? On any given router only the best path for a prefix is passed to other peers Best path learned via ebgp Advertised to all other ebgp peers Advertised to ibgp peers Best path learned via ibgp Advertised onto ebgp peers Not advertised to other ibgp peers

21 The Golden Rule Never redistribute routes from the IGP into BGP Never redistribute routes from BGP into the IGP

22 Best Route Selection Longest prefix always wins regardless of routing protocol Source of routing information Connected > Static > ebgp > {IGP} > ibgp BGP ignores received prefixes if There is no route to the NEXT_HOP The AS_PATH contains the local AS number Not synchronized (Cisco IOS only)

23 BGP Path Vector Algorithm 1. {Highest WEIGHT} 2. Highest LOCAL_PREF is Preferred 3. Shortest AS_PATH 4. Lowest ORIGIN Code 5. Lowest MED 6. Prefer prefix received from ebgp peer over ibgp peer 7. Path with lowest metric to NEXT_HOP (aka Metric2) 8. Lowest ROUTER_ID 9. Shortest CLUSTER_LIST 10. Lowest neighbor IP address

24 Interior Gateway Protocol (IGP) Can be OSPF or IS-IS Prefer IS-IS Doesn t require IP or ANY Layer-III (e.g. CLNS) protocol to work Routes IPv6 with no more effort than IPv4 Routes ISP infrastructure addresses: Router /32 loopback Point-to-point backbone /30 or /31 subnets (Customer assigned link networks) (IXP assigned address for public peerings) Other infrastructure addresses such as management networks Simple and invariant configuration compared with an enterprise network Adjacencies follow physical backbone connectivity Non-backbone interfaces run IGP passively Metric Based on route miles Can be adjusted for traffic engineering purposes Complex sub-divisions (areas, levels) unnecessary Principal job of IGP is determining least-cost path between any two routers

25 Static ibgp; Dynamic IGP Within Internet2: 1. Next Hop for customer prefixes in RIB provided by ibgp and does not change if backbone circuit fails. 2. Entry in FIB provided by IS-IS and depends on backbone connectivity.

26 Route Reflection KANS CHIC ATLA HOUS LOSA NEWY SALT SEAT WASH

27 Route Reflection Rules Prefix received from a client Reflect to all client peers apart from the sender Reflect to all non-client peers Prefix received from a non-client peer Reflect to all client peers

28 Loop Prevention for RR ibgp speaker receives a prefix with the ORIGINATOR_ID attribute equal to its own ROUTER_ID Route reflector receives a prefix with the CLUSTER_LIST attribute containing its own CLUSTER_ID

29 Progress of Route Reflection 1. External Prefix advertised to both RR 2. Prefix reflected to all client peers 3. Prefix passed between RR but ignored due to CLUSTER_LIST attribute

30 ibgp Tracks the IGP Metric WASH ATLA HOUS KANS SALT SEAT LOSA / /16 BUFF CHIC NEWY NEWY 1000 LOSA SEAT SALT KANS HOUS ATLA WASH

31 NREN and Internet2 Metric = 2932 Metric = 2019

32 Possible Layer-II Connectivity Internet2 and NREN routers directly connected Connection through a VLAN on a single peering switch Connection via VLAN that traverses multiple Layer-II and optical devices

33 Internet2 Connection at NGIX-W GE OC192 VLAN GE 10GE OC192 10GE VLAN 166 OC192

34 Prefer the 10G-Connected Path Internet2 router in Seattle Associate a high LOCAL_PREF with prefixes received on external peering with NREN Internet2 router in Salt Lake City Receives NREN prefixes over ibgp peering with Seattle with high LOCAL_PREF Now prefers ibgp to SEAT over ebgp via NGIX-W

35 Boomerang Prefixes CHIC NEWY GLBX GPN KANS /16 RRMA RRMA

36 Boomerang Prefixes 2/2 Loop is prevented by AS_PATH attribute Suppressing boomerang prefixes: Advertise the prefix to the echoing peer Attach NO_EXPORT community to transiting peer Request echoing peer to filter their outbound (sub-optimal)

37 Redundant Connections Multiple Peerings with Internet2 Set the MED on prefixes sent to I2 Use communities to change the LOCAL_PREF on I2 Allow both peerings with I2 to float Advertise prefixes both directly to I2 and through another RON

38 Use of MED: Internet2 & ESNet /16 [0] /16 [1001] /16 [1000] /16 [278] 905

39 ESNet Send MEDs /16 [1] /16 [1000] /16 [0] /16 [905] 905

40 Bidirectional MED Causing Asymmetric Routing Fermi UPenn UPenn Fermi

41 What If I2 Doesn t Send MEDs? ESNet use their IGP Metric Traffic remains on ESNet backbone only until it reaches a router with an I2 peering. ESNet use LOCAL_PREF on One Peering A single (congested?) egress from ESNet for all traffic to Internet2-connected destinations Different I2 Prefixes Receive High LOCAL_PREF at Different Locations Same effect as MEDs, but implementation far more manual and complex

42 Introducing Prefixes Into BGP 1. Use network statement 1. With auto-summary disabled 2. With auto-summary configured 2. Configure aggregate routing 3. Use route maps to redistribute 1. Prefixes learned from an IGP 2. Static routes

43 1.1 The network Statement (Cisco) router bgp 87 no auto-summary network ! ip route Null There is no mask following the prefix in the network statement as we are advertising a classful network 2. The static route serves two important purposes: 1. The prefix will not be advertised by BGP unless there is an exact match in the IP routing table 2. Traffic sent to non-existent IP addresses in the range will be silently dropped. This avoids wasting b/w sending ICMP Unreachables and is a valuable defense against scanners and DDoS attacks.

44 1.2 Using auto-summary router bgp 87 auto-summary network (Cisco) 1. The prefix will be advertised by BGP providing there is at least one contained prefix in the IP routing table 2. This IGP-learned prefix can be any length; it does not have to match the classful network that BGP is being asked to advertise 3. Use this command: show ip route longer-prefixes to check whether there is an IGP-learned route. If there are none, then BGP will not advertise the /16 parent

45 3.2 Redistribute Static (Juniper) policy-options { policy-statement ORIGINATE { term Seed { from { protocol static; route-filter /16 exact; } then accept; } } } routing-options { static { route /16 discard; } }

46 Aggregation Scenario Internet2 or NLR 10/8 Regional Network / / /16 Universities

47 Prefix Leaking Problem router bgp 400 network neighbor remote-as 100 neighbor remote-as 200 neighbor remote-as 300 neighbor remote-as 500! ip route Null0 200 Router D

48 (Faking) Aggregation Use the NO_EXPORT Community Not the best choice as the problem and its solution reside in different domains Filter outbound prefixes to NLR/Internet2 A straightforward robust solution Deploy route aggregation Downstream problems could cause routing flaps on peering with Internet2

49 Configuring Aggregation (Cisco) router bgp 400 neighbor remote-as 100 neighbor remote-as 200 neighbor remote-as 300 neighbor remote-as 500 aggregate-address summary-only Router D

50 Configuring Aggregation (JunOS) routing-options { aggregate { route /8 discard passive community 65535:65281; } } policy-options policy-statement ORIGINATE { term AGGREGATE_to_BGP { from protocol aggregate; then accept; } } protocols bgp group ISP { export ORIGINATE; peer-as 400; neighbor { } }

51 Global NOC Recommendation Use a network statement to originate ARIN allocations to Internet2 Configure a supporting static route Disable the auto-summary capability Filter more specific contained prefixes using an outbound route-map applied to the peering with Internet2 or NLR

52 Steering Inbound Traffic (1/2) [ I] [ I] /16 [ I] /16 [ I]

53 Steering Inbound Traffic (2/2) LOCAL_PREF = 100 LOCAL_PREF = / / /16

54 Global Routing Flap Analysis 1/3 show route aspath-regex ".* * " table commodity.inet.0 commodity.inet.0: destinations, routes ( active, 0 holddown, 5 hidden) + = Active Route, - = Last Active, * = Both /21 *[BGP/170] 05:29:58, localpref 200, from AS path: I > to via ge-0/1/0.1, label-switched-path LL640Lo0.0- >CTC640lo0.0 to via xe-2/0/0.111, label-switched-path LL640Lo0.0- >CTC640lo0.0 [BGP/170] 16:42:14, MED 208, localpref 200 AS path: I > to via so-1/0/

55 Global Routing Flap Analysis 2/ *[47868] 1299

56 Global Routing Flap Analysis 3/3 Graphics used with kind permission of Renesys and Earl Zmijewski

57 Functions Served by Communities 1. Assign prefixes to pre-defined groups (local significance only) 2. Control how prefix is advertised by peer 3. Control your peer s LOCAL_PREF for the specific prefix 4. Signal peer to prepend multiple AS numbers to AS_PATH 5. Blackhole all traffic to specific prefix

58 Expressing A Community JunOS & Cisco New Format 11537:260 Cisco Old Format A community is just a 32-bit number 2. By convention, the most-significant 16 bits represent an AS number 3. To convert from new to old formats 1. Multiply the high 16-bits by Add the low 16-bits to the result

59 BGP Communities on Internet2 Classify prefixes Directly connected participants Sponsored SEGP Adjust Internet2 LOCAL_PREF Request Internet2 to black-hole a prefix (Prevent ISP from advertising prefix to specified upstream peers)

60 Well-Known Communities NO-EXPORT 65535:65281 Do not advertise to any ebgp peer NO-ADVERTISE 65535:65282 Do not advertise to any peer NO-EXPORT- SUBCONFED 65535:65283 Do not advertise beyond local AS (confederations only) NO-PEER 65535:65284 Do not advertise to bi-lateral peer

61 Using Communities (1/5) / / / : : / / /16

62 NO-EXPORT Community / /24 +NO-EXPORT / / /24 +NO-EXPORT

63 Security Diversion Routing Table Interface Inbound Packet A C L Null 0 Routers are optimized for packet forwarding; not packet filtering Routing to Null saves valuable CPU cycles

64 Customer-Triggered Blackhole Inbound Prefix Static Route 11537:911 No 11537:911 Yes Prefix > /24 Prefix > /24 Yes Discard No Forward Redistribute Into BGP ISP Customer

65 Customer-Triggered Blackhole (ISP interface Null0 no ip unreachables Perspective; Cisco IOS) ip policy-list BLACKHOLE permit match ip address prefix-list 24_TO_32 match community 10! ip community-list 10 permit !! ip prefix-list 24_TO_32 seq 5 permit /0 ge 24!! route-map CUSTOMER_IN permit 10 match policy-list BLACKHOLE set community no-export set interface Null0

66 Customer-Triggered Blackhole (Customer Perspective; JunOS) routing-options { static { route /32 { discard; community 11537:911; } } } policy-options { policy-statement ORIGINATE { term BLACKHOLE { from { protocol static; route-filter /0 prefix-length-range /24-/32; community BLACKHOLE; } then accept; } term { } } }

67 Customer-Side Policy: IOS vs JunOS Juniper Blackhole prefix statically routed to Discard Attach a community tag to the static route Cisco IOS Blackhole prefix statically routed to Null0 Add the new prefix to the blackhole prefix list Existing route-map Redistributes blackhole prefix list into BGP Attaches the correct community

68 Recommended Routing Policy Should be implemented Reject any prefix with a private AS in the AS_PATH Reject bogon prefixes (following slide) Consider implementing Assign higher LOCAL_PREF to Internet2 or NLR prefixes than to commodity. Max prefixes limit on some peers

69 LOCAL_PREF Gotcha LOCAL_PREF = / /17 Indiana Gigapop /26

70 Bogon Prefixes Prefix Reason RFC /0 Default / /12 Private / /8 Loopback /8 Link Local /24 IANA Reserved /32 6 to 4 relay /15 Network device benchmarking /4 Multicast group addresses /4 Class E addresses

71 BGP Messages Type Description References 1 Open RFC Update RFC Notification RFC Keepalive RFC Route-Refresh RFC 2918

72 The BGP Update Message Unfeasible Routes Length Withdrawn Routes Length Prefix P BGP Header Total Path Attributes Length Type Data Path Attributes Length M Value NLRI Length Prefix N N >= M

73 BGP State Machine Established Open-Sent Open-Confirm Connect Active Idle

74 BGP Convergence Scenarios Both BGP processes immediately transition from Established to Active The router connected via the unaffected circuit blackholes traffic for up to 90 seconds

75 Anatomy of Brief Outage 1. Link between ESNet and MANLAN Goes Down 2. ESNet router sends NOTIFICATION which is not received 3. Peering on Internet2 remains Established even though ESNet side is Down 4. Link between ESNet and MANLAN is restored before KEEPALIVE timer expires on Internet2 5. ESNet router negotiates new TCP virtual circuit with Internet2 router 6. The peering on Internet2 resets

76 Source-Specific Multicast (S,G) Join (S,G) Join S G IGMPv3 Join G R

77 Multicast Routing Unicast traffic AS400 <> AS200 Multicast traffic AS400 <> AS200 Unicast and Multicast IPv4 Prefixes Unicast IPv4 Prefixes

78