Examination IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491


Date: October 22nd 2007, 9:00-13:00

SOLUTIONS

1. BGP messages (4p)

Name the four message types in BGP. Briefly describe each message: What is its role in BGP, what mechanism does it implement?

OPEN: Initiate connection, exchange capabilities. Optional parameters are used for capability negotiation.

UPDATE: Update information about routes. The message is partitioned into withdrawn routes, path attributes and network layer reachability information (NLRI). The path attributes apply to the NLRI defined.

KEEPALIVE: Check liveness. The message is sent periodically to ensure that peers are reachable. TCP keepalives cannot be used since they (if enabled) are sent using longer intervals.

NOTIFICATION: Signal errors. The message contains error codes and sub-codes that are defined for the BGP protocol.

BGP messages are transferred reliably, so in BGP one can assume that all messages are transferred to the other peer correctly.

2. Transport (5p)

BGP peering is based on TCP (Transmission Control Protocol). Suppose an implementation of BGP would use UDP instead of TCP. (UDP is the User Datagram Protocol and is a simple datagram transport protocol using IP.) What would be the consequences? What mechanisms would have to be added to BGP?

TCP is a reliable protocol. The consequence of using an unreliable transport protocol would be that BGP could no longer trust the transport layer to transfer the BGP data reliably. Packets could be lost, re-ordered or duplicated without BGP knowing it. The consequences of this would be very serious, since route announcements or withdrawals could be dropped and lead to black-holing and illegal announcements. Note that UDP has the same checksum mechanism as TCP (but optional), so bit errors in the payload would be detected in the same way as in TCP.

Second, TCP has session control. It has mechanisms for opening, maintaining and closing sessions. This is not part of BGP (apart from the OPEN/NOTIFICATION messages) and would have to be added.

Third, TCP has flow control, so as not to overrun the receiver buffers. This has to be added in BGP by using some feedback mechanism from the receiver. Further, without TCP, BGP would not adjust its sending rate to congestion in the network. Congestion detection may be optional, since it is not completely clear that it is always a benefit to have congestion control in this scenario: it means that BGP would perform slower when there is more data traffic in the network. This could in fact mean that you could slow down BGP by overloading the network with other TCP flows.

TCP also has an optional mechanism for authentication using an MD5 checksum mechanism.

Therefore, BGP would have to introduce new mechanisms in the protocol itself, for example by using message sequence numbers and ACKs, a sliding window protocol for flow control, loss and reordering detection, and optionally some congestion detection mechanism.

3. Attributes (5p)

Name and describe five BGP path attributes. You should cover what the purpose is for each attribute and give a clarifying example of its use. The AS_PATH and NEXTHOP attributes should be included in the five attributes.

Examples of attributes apart from AS_PATH and NEXTHOP are ORIGIN, MULTI_EXIT_DISC, LOCAL_PREF, ATOMIC_AGGREGATE, and COMMUNITY. There are also several other attributes, defined outside the base RFC, that may be described. A brief description of each and an example is necessary for full points. (See book or lecture slides.)

4. Decision process (6p)

The BGP decision process is the process of selecting one single route out of several routes received from different peers (and even other protocols through route redistribution). There are several variants of the decision process used by different vendors, and even in different RFCs. However, the basic mechanism is the same. Describe the basic decision process in BGP.

The decision process as described in the lecture notes is as follows (other variants may be accepted as well):

1. If next hop inaccessible, ignore route (this can actually be argued to be outside the decision process, being an a priori condition)
2. Prefer highest local pref value
3. Prefer shortest AS_PATH
4. Prefer lowest origin type
5. Prefer lowest metric value (if from same AS)
6. Prefer routes from EBGP over IBGP
7. Prefer routes with lower IGP metric
8. Prefer routes from peer with lowest router id
9. Prefer routes from peer with lowest peer id

5. Transit traffic (6p)

There are several ways of handling transit traffic through an autonomous system using IP routing. One way is to use an IGP (Interior routing protocol). Describe how you use an IGP for your transit traffic between EBGP border routers, and what drawbacks this has (in comparison with IBGP).

If you use an IGP for transit traffic, you inject the external routes from EBGP into the IGP at the border routers. Using this technique it is assumed that the border routers (BRs) speak full mesh IBGP between each other. That is, the BRs speak IBGP with each other, but not with the internal routers. If the BRs do not speak IBGP between each other, a mechanism to translate path attributes from BGP->IGP->BGP is needed, and this is much more difficult. For example, the AS_PATH needs to be conveyed correctly via the IGP to avoid BGP loops.

The BGP routes injected into the IGP will be treated as external routes (in OSPF or ISIS) and need to be imported with appropriate metrics, for example by translating the AS_PATH length to OSPF metrics. When routes injected on one border router reach another border router, that border router knows that it is safe to announce the prefix further, that is, synchronization between BGP and the IGP has been made.

Drawbacks of this approach are: (1) A large number of external routes will lead to a high memory consumption in the IGP. IGPs typically need much more memory for storing and transferring routes than BGP. The IGP mechanism to compute shortest paths is often more CPU consuming as well (Dijkstra, etc.), which leads to a slow convergence of the IGP. (2) The synchronization between the IGP and BGP needs to be made.

Note however, that even though the IGP is not used for transit traffic, it is still needed for next-hop reachability in a full-mesh IBGP transit network.
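The decision process from question 4, as an added example that is not part of the original exam solutions: the nine steps are applied in order to the two routes R5 holds for 192.168.1.0/24 in question 6, with and without R1's extra prepend. The `Route` fields, their default values, and the rule that MED is compared only when all remaining candidates share the same neighbouring AS are assumptions of this example.

```python
from dataclasses import dataclass

ORIGIN_IGP, ORIGIN_EGP, ORIGIN_INCOMPLETE = 0, 1, 2


@dataclass(frozen=True)
class Route:
    peer: str                      # label of the peer the route was learned from
    as_path: tuple                 # e.g. ("AS1", "AS1")
    next_hop_reachable: bool = True
    local_pref: int = 100          # assumed default
    origin: int = ORIGIN_IGP
    med: int = 0
    ebgp: bool = False
    igp_metric: int = 0
    router_id: int = 0
    peer_id: int = 0


def always(cands):
    return True


def same_neighbour_as(cands):
    # Assumption: MED is only compared if every candidate came from the same AS.
    return len({r.as_path[:1] for r in cands}) == 1


# (name, key where lower is better, precondition) for steps 2-9 of the solution.
STEPS = [
    ("LOCAL_PREF", lambda r: -r.local_pref, always),
    ("AS_PATH length", lambda r: len(r.as_path), always),
    ("ORIGIN", lambda r: r.origin, always),
    ("MED", lambda r: r.med, same_neighbour_as),
    ("EBGP over IBGP", lambda r: 0 if r.ebgp else 1, always),
    ("IGP metric", lambda r: r.igp_metric, always),
    ("router id", lambda r: r.router_id, always),
    ("peer id", lambda r: r.peer_id, always),
]


def best_path(routes):
    """Return (winning route, name of the step that last eliminated a route)."""
    cands = [r for r in routes if r.next_hop_reachable]       # step 1
    if not cands:
        return None, "no usable route"
    decided = "next hop reachability" if len(cands) < len(routes) else "only candidate"
    for name, key, applies in STEPS:
        if len(cands) == 1:
            break
        if not applies(cands):
            continue
        best = min(key(r) for r in cands)
        kept = [r for r in cands if key(r) == best]
        if len(kept) < len(cands):
            decided = name
        cands = kept
    return cands[0], decided


def r5_routes(prepend):
    """R5's two routes to 192.168.1.0/24 (metric and id values are constructed)."""
    via_r1 = Route("R1", ("AS1",) * (2 if prepend else 1), ebgp=True,
                   router_id=1, peer_id=1)
    via_r4 = Route("R4", ("AS1",), ebgp=False, igp_metric=10,
                   router_id=4, peer_id=4)
    return [via_r1, via_r4]
```

Without the prepend the two AS_PATHs tie and step 6 keeps R5's own EBGP route from R1, so R5's traffic would leave over R1-R5 instead of R3-R4.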

6. IBGP (10p)

[Figure: network topology showing AS1, AS2 and AS3 with routers R1-R8 and the network 192.168.1.0/24]

Study the network above that contains AS1, AS2 and AS3. BGP runs between each AS on all links (using physical one-hop peering) and also within each AS as full mesh IBGP (using virtual loopback peering). Each AS also runs an IGP. AS1 contains the network 192.168.1.0/24.

1. Which BGP peerings are present in the network above? Draw or write as text. (1p)

EBGP peerings: R3-R4, R1-R5, R7-R8.
IBGP peerings: R1-R2, R2-R3, R1-R3, R4-R5, R4-R6, R4-R7, R5-R6, R5-R7, R6-R7.

2. Assume you configure AS1 and AS2 using BGP. Design the networks so that the traffic to 192.168.1.0/24 uses R3-R4 as primary connection, and R1-R5 as secondary. Describe a policy on how this may be achieved using BGP path attributes. (4p)

Several techniques can be used, including MED, AS_PATH prepending, and communities, and these can also be combined with the NO_EXPORT community. In all those scenarios it is the policies in R1 and R3 that are modified so that R4-R3 is preferred. For example, R1 can make extra prepends of AS1 to the AS_PATH as the route is announced externally and spread within AS2. The key point is to make the traffic flow internally in AS2 to R4. Note that in the solution, traffic from R5 must also be sent via R3-R4 as first option. Use of LOCAL_PREF is typically more complex since you need to make a policy in R4/R5 as well. LOCAL_PREF in AS1 is not meaningful for this question.

3. For the prefix 192.168.1.0/24 in AS2, write down proposed values of the AS_PATH and NEXTHOP attributes as they are announced by each router in the AS (i.e. R4, R5, R6 and R7). Write down also the values of any extra attributes that you may have used in your design in the previous exercise (2). Motivate your answer. You may have to add more information in order to complete this exercise (such as interface addresses). (5p)

This solution uses AS-path prepending (R1 prepends AS1 an extra time when announcing to R5). Assume IP1, IP3 and IP7 are the IP addresses on the external physical interfaces of R1, R3 and R7, respectively. Other solutions are possible.

R4 announces 192.168.1.0/24 to R5, R6 and R7 using AS_PATH: AS1 and NEXTHOP: IP3.

R5 may initially announce 192.168.1.0/24 to R4, R6 and R7 using AS_PATH: AS1 AS1 and NEXTHOP: IP1. However, as soon as R5 receives the route from R4, it will consider that better (shorter AS_PATH) and, since it is an IBGP route, not re-announce it internally. That is, R5 will not announce the prefix internally. However, R5 will now announce this prefix to R1 externally.

R6 does not announce 192.168.1.0/24, since it has received this prefix from IBGP and it is not allowed to re-announce such a route via IBGP.

R7 announces 192.168.1.0/24 to R8 using EBGP as follows: AS_PATH: AS2 AS1 and NEXTHOP: IP7.

If MEDs or some other BGP attributes were used in the solution, then the values of these attributes would have to be included.

7. Route reflection (5p)

What is route reflection, and why is it used? Which new attributes are introduced to provide route reflection and how are they used?

Route reflection is a way to modify BGP's split-horizon rule so that a BGP node may be able to redistribute a route it has received from an IBGP neighbour. With the original IBGP full mesh requirement, all IBGP peers need to establish peering with every other IBGP peer, which leads to a high number of peerings, which leads to large RIBs (one Adj-RIB-In/Adj-RIB-Out for every peering), which in turn leads to high memory consumption and more processing to select routes.

Route reflection establishes a hierarchy within an internal network. This hierarchy is defined in terms of clusters consisting of clients.
This leads to two new rules for redistribution: (1) If a route is received from a non-client peer (not within the cluster), reflect the route to all client peers; (2) If the route was received from a client, reflect it to all other clients and all non-client peers.

The two new attributes are CLUSTER_LIST (list of CLUSTER_IDs of all RRs a route has passed through) and ORIGINATOR_ID (the original IBGP entry point; it can be a client for locally originated routes), which essentially are there to avoid loops within the internal network.

8. Communities (6p)

Communities can be used as a general method to define the routing policy for an operator. Suppose a specific ISP has a set of transit operators, a set of customers and a set of external peers with which it exchanges customer (non-transit) traffic. Describe how the ISP can use communities to avoid being transit providers for such external peers. Describe using concrete examples.

9. VPNs (7p)

A VPN (Virtual Private Network) comes in many variants. In this course we have studied provider-based VPNs, and we have labbed both L2VPNs (actually the correct term is VPWS for Virtual Private Wire Service) and L3VPNs. Compare L2VPN and L3VPN. What are the advantages and disadvantages of each, in relation to the other? The answer should cover scaling, configuration, complexity, at both the client and the provider.

The important thing about the answer to this question is that the reasoning is coherent and correct. There may be several valid views and answers. The following is a very extensive proposal for an answer.

L3VPN and L2VPN (VPWS) are both based on MPLS and BGP. In the lab we have also used RSVP as signaling protocol.

In L2VPN the provider has to set up pseudo-wires between its sites, a configuration detail that is more difficult to maintain compared to the dynamic mechanism (the CE-to-PE routing) in L3VPN. From a customer perspective one can argue that L2VPN is easier to configure than L3VPN, since L2VPN is simply a point-to-point link, whereas for L3VPN the CE-to-PE routing needs to be established and configured, typically by redistributing routes and maybe aggregating prefixes. However, you typically need to add VLANs for every new L2VPN, which is a configuration complexity at the customer.

In terms of scaling with respect to routes/memory, L2VPN typically scales better than L3VPN since no customer information (e.g. routes) is imported into the provider's network. In L2VPN one has to set up pseudo-wires and this may be a tedious task if full mesh is used between a large set of sites, but there is really no scaling consideration. L3VPN on the other hand may quickly lead to very large tables, especially if the provider has many customers, and if these customers have large routing tables, such as full-feed BGP.

From a traffic scaling perspective, L3VPN is better, since L2VPN inherits the problem with the broadcast domains from LANs. That is, ARP requests and other broadcast traffic may flood the links. Additionally, loops may occur and one may have to run STP, which leads to sub-optimal forwarding. If routers are used as endpoints of the pseudo-wires, however, those issues are not a problem.

Finally, scaling with respect to connections is typically not an issue, since the state at each router is small. There are really no scaling limitations from the customer's perspective in either solution.

L3VPN is currently more popular in the marketplace. From a security perspective the solutions are equivalent.

10. L3VPN (6p)

1. In L3VPN, what is the purpose of the route distinguisher? (1p)

The route distinguisher (RD) is used to make the customer IP prefixes unique within the provider's network. The provider prepends the RD to the IP prefix and distributes it via MP-BGP internally.

2. In L3VPN, what is the purpose of route targets? (1p)

Route targets (RTs) are used to define a VPN. By tagging routes with RTs (a route target is an extended BGP community attribute) and writing route target import rules, an operator may define how customer prefixes are exported and imported to a specific customer site (between BGP and a VRF).

3. How can route targets be used to create a full-mesh VPN? Give an example. (2p)

One easy way is to make symmetric route targets for export and import so that the same (equal) RT is exported by all VRFs into BGP. For example, suppose a customer has three sites. Every site writes an export rule that tags all IP prefixes from that site with the same RT (e.g. 65001:3). The provider also writes an import rule at every site that imports all routes with that (same) RT (e.g. 65001:3).

4. How can route targets be used to create a hub-and-spoke VPN? Give an example. (2p)

In a hub-and-spoke VPN, all customer routes are announced via a central site (the hub). Reasons may be security, external routing, etc. In a hub-and-spoke VPN, the PEs at all customer sites (except the central one) may tag their routes with a specific RT (such as 65001:1) when exporting the routes from the VRF to BGP. In the central hub, an import rule is defined that imports this RT (e.g. 65001:1). Further, after processing at the hub, the routes are re-announced, but now tagged with a new RT (e.g. 65001:2). All other sites use this RT in an import rule. In this way, all routes are first announced from the spokes, collected centrally and then re-announced to the spokes again.
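The route distinguisher and route target rules from question 10, as an added example that is not part of the original exam solutions: a small model of VRF export and import that reproduces the full-mesh (65001:3) and hub-and-spoke (65001:1 / 65001:2) designs and can be used to check that an import rule does not pull in another customer's routes. The RD values, the prefixes, the second customer with RT 65002:3, the hub exporting its own prefix with 65001:2, and the `Vrf`/`distribute` names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vrf:
    site: str
    rd: str                    # route distinguisher (constructed values)
    export_rts: frozenset      # RTs attached when exporting from the VRF to BGP
    import_rts: frozenset      # RTs accepted when importing from BGP into the VRF
    prefixes: tuple            # prefixes learned from the attached customer site
    reannounce: bool = False   # hub behaviour: re-export imported routes


def distribute(vrfs):
    """Return (per-site imported routes {prefix: announcing site}, MP-BGP table)."""
    # The MP-BGP table is keyed by (RD, prefix), so equal customer prefixes
    # with different RDs stay distinct inside the provider network.
    table = {}
    for v in vrfs:
        for p in v.prefixes:
            table[(v.rd, p)] = (v.export_rts, v.site)
    ribs = {v.site: {} for v in vrfs}

    def import_round():
        for v in vrfs:
            for (_rd, p), (rts, site) in table.items():
                if site != v.site and rts & v.import_rts and p not in v.prefixes:
                    ribs[v.site].setdefault(p, site)

    import_round()
    for v in vrfs:
        if v.reannounce:       # the hub re-tags what it collected from the spokes
            for p in ribs[v.site]:
                table[(v.rd, p)] = (v.export_rts, v.site)
    import_round()
    return ribs, table


def full_mesh():
    same = frozenset({"65001:3"})
    other = frozenset({"65002:3"})   # constructed RT of a second customer
    return distribute([
        Vrf("A", "65001:101", same, same, ("10.1.0.0/24",)),
        Vrf("B", "65001:102", same, same, ("10.2.0.0/24",)),
        Vrf("C", "65001:103", same, same, ("10.3.0.0/24",)),
        Vrf("X", "65002:201", other, other, ("10.1.0.0/24",)),  # overlaps with A
        Vrf("Y", "65002:202", other, other, ("10.9.0.0/24",)),
    ])


def hub_and_spoke():
    to_hub, from_hub = frozenset({"65001:1"}), frozenset({"65001:2"})
    return distribute([
        Vrf("hub", "65001:100", from_hub, to_hub, ("10.0.0.0/24",), reannounce=True),
        Vrf("A", "65001:101", to_hub, from_hub, ("10.1.0.0/24",)),
        Vrf("B", "65001:102", to_hub, from_hub, ("10.2.0.0/24",)),
    ])
```

In the hub-and-spoke result every spoke reaches the other spoke's prefix via the hub only, and in the full-mesh result site Y sees 10.1.0.0/24 from X while site B sees the same prefix from A.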