IK2205 Inter-domain Routing

Author: Hilda Gilbert
IK2205 Inter-domain Routing, Recitation 1
Voravit Tanyingyong, [email protected]

Outline
• Recitation: basic concepts recap
• Assignments
  – Assignment 1
  – Assignment 2
  – Assignment 3

Course panel members
• End of January 2012 – early February 2012
• Email to [email protected]

Basic concepts recap

IK2205, Fall 2008

Border Gateway Protocol (BGP)
[Figure: two domains, each running its own IGP internally, connected to each other by BGP]
• Inter-autonomous-system routing protocol
• Path vector protocol
• Exchanges reachability information with other BGP systems
• The reachability information is used to construct a graph of AS connectivity, from which routing loops can be pruned

Fundamental operation
[Figure: two BGP speakers, each the other's neighbor/peer, establishing a BGP session over TCP port 179]
• A BGP session is a TCP connection (port 179) between two BGP speakers, called neighbors or peers
• Message types exchanged on the session: OPEN, UPDATE, KEEPALIVE, NOTIFICATION
• A BGP session is an ordinary TCP connection, so TCP alone authenticates neither the peer nor what it announces; in practice the session is protected with the TCP MD5 signature option (RFC 2385) or TCP-AO (RFC 5925), and the input policy engine (see the routing process model below) filters what the peer is allowed to announce

IBGP vs EBGP
[Figure: routers RTA, RTB, RTC, RTD, RTE and RTF spread over AS1, AS2 and AS3. IBGP sessions run between the BGP speakers inside an AS (locations 1, 2 and 3); EBGP sessions run between ASes. One EBGP session is an EBGP multihop session: physically it crosses a router that does not run BGP, logically it is a direct session between the two speakers.]

BGP Routing Process—A Model
© 2001 Cisco Press

1. Pool of routes received from peers
2. Input policy engine for filtering and attribute manipulation
3. Decision process to select the best routes
4. Pool of routes used by the router
5. Output policy engine for filtering and attribute manipulation
6. Pool of routes that the router advertises

BGP Decision Process Summary
1. If the NEXT_HOP is inaccessible, ignore the route
2. Prefer the route with the largest weight (weight is a Cisco-proprietary parameter, local to the router)
3. Prefer the largest LOCAL_PREF value
4. Prefer the shortest AS_PATH
5. Prefer the lowest origin type (IGP < EGP < INCOMPLETE)
6. Prefer the lowest MED value (only compared between routes received from the same neighboring AS)
7. Prefer EBGP paths over IBGP paths
8. Prefer the shortest internal (IGP) path to the BGP NEXT_HOP
9. Prefer the route from the lowest BGP ROUTER_ID
   • Today, when both paths are external, the route that was received first (the oldest path) is preferred before the ROUTER_ID tie-break; the book is outdated on this point

BGP path attributes
• Type code 1: ORIGIN (RFC 4271)
• Type code 2: AS_PATH (RFC 4271)
• Type code 3: NEXT_HOP (RFC 4271)
• Type code 4: MULTI_EXIT_DISC (RFC 4271)
• Type code 5: LOCAL_PREF (RFC 4271)
• Type code 6: ATOMIC_AGGREGATE (RFC 4271)
• Type code 7: AGGREGATOR (RFC 4271)
• Type code 8: COMMUNITY (RFC 1997)

BGP path attributes
• Describe the characteristics of a prefix

    Category                               BGP implementation
    Well-known mandatory (transitive)      Must be recognized; must be included in every UPDATE message
    Well-known discretionary (transitive)  Must be recognized; may or may not be present in an UPDATE message
    Optional transitive                    Not required to be recognized; if the BGP speaker does not support it, it must still be passed along, with the Partial bit set
    Optional non-transitive                Not required to be recognized; if unrecognized it must be quietly ignored and not passed along to other BGP peers
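The following is an added example, not code from the recitation: a parser for the path attribute field of an UPDATE that applies the four rules of the table above, including the case RFC 4271 adds for an unrecognized attribute whose flags claim it is well-known (a NOTIFICATION, not silent acceptance). The UPDATE fragment is constructed for the example, two-octet AS numbers are assumed, and the unknown type codes 200 and 201 are made up. Every length field is checked before it is used, which is the part of attribute handling that implementations most often get wrong.

```python
"""Parse BGP UPDATE path attributes and apply the category rules.

Added example, not code from the recitation. SAMPLE_ATTRIBUTES is a
constructed attribute field (not a capture); 2-octet ASNs are assumed.
"""
from __future__ import annotations

# Attribute flag bits (RFC 4271, section 4.3)
OPTIONAL, TRANSITIVE, PARTIAL, EXTENDED_LENGTH = 0x80, 0x40, 0x20, 0x10

# Type codes from the slide and the category each belongs to
WELL_KNOWN = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE"}
OPTIONAL_KNOWN = {4: "MULTI_EXIT_DISC", 7: "AGGREGATOR", 8: "COMMUNITY"}
MANDATORY = {1, 2, 3}


def parse_path_attributes(data: bytes) -> list[tuple[int, int, bytes]]:
    """Split the attribute field into (flags, type code, value) triples.

    Every length is checked against the buffer before it is used, so a
    truncated or lying length field raises ValueError instead of reading
    past the end: a malformed UPDATE must end in a NOTIFICATION, not a crash.
    """
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        flags, code = data[i], data[i + 1]
        i += 2
        hdr = 2 if flags & EXTENDED_LENGTH else 1
        if i + hdr > len(data):
            raise ValueError("truncated attribute length")
        length = int.from_bytes(data[i:i + hdr], "big")
        i += hdr
        if i + length > len(data):
            raise ValueError(f"attribute type {code}: length {length} exceeds remaining data")
        attrs.append((flags, code, data[i:i + length]))
        i += length
    return attrs


def disposition(flags: int, code: int) -> str:
    """What a speaker does with one attribute, per the category table."""
    if code in WELL_KNOWN:
        if flags & OPTIONAL or not flags & TRANSITIVE:
            return "error: well-known attribute with wrong flags"
        return "use"
    if code in OPTIONAL_KNOWN:
        return "use"
    if not flags & OPTIONAL:
        return "error: unrecognized well-known attribute"  # NOTIFICATION, RFC 4271 6.3
    if flags & TRANSITIVE:
        return "propagate with Partial bit set"
    return "ignore"


def decode(code: int, value: bytes):
    """Decode the values of the attributes the slide lists; others stay raw."""
    if code == 1:
        return {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}[value[0]]
    if code == 2:  # AS_PATH: segments of <type, length, value>
        segs, i = [], 0
        while i < len(value):
            seg_type, n = value[i], value[i + 1]
            asns = [int.from_bytes(value[i + 2 + 2 * k:i + 4 + 2 * k], "big") for k in range(n)]
            segs.append(("AS_SEQUENCE" if seg_type == 2 else "AS_SET", asns))
            i += 2 + 2 * n
        return segs
    if code == 3:
        return ".".join(str(b) for b in value)
    if code in (4, 5):
        return int.from_bytes(value, "big")
    if code == 8:  # COMMUNITY: four-octet values written as ASN:value
        return [f"{int.from_bytes(value[k:k + 2], 'big')}:{int.from_bytes(value[k + 2:k + 4], 'big')}"
                for k in range(0, len(value), 4)]
    return value


def process_update(data: bytes) -> dict:
    """Per-attribute decisions, the bytes to forward, and missing mandatory attributes."""
    result = {"attributes": {}, "to_propagate": [], "missing_mandatory": []}
    seen = set()
    for flags, code, value in parse_path_attributes(data):
        seen.add(code)
        action = disposition(flags, code)
        result["attributes"][code] = (action, decode(code, value))
        if action.startswith("propagate"):
            # Re-encode with Partial set: downstream peers learn we did not understand it
            result["to_propagate"].append(bytes([flags | PARTIAL, code, len(value)]) + value)
    result["missing_mandatory"] = sorted(MANDATORY - seen)
    return result


# Constructed attribute field of one UPDATE (not a capture)
SAMPLE_ATTRIBUTES = bytes.fromhex(
    "40 01 01 00"           # ORIGIN = IGP
    "40 02 04 02 01 00 02"  # AS_PATH: one AS_SEQUENCE segment holding AS 2
    "40 03 04 0a 00 00 02"  # NEXT_HOP 10.0.0.2
    "80 04 04 00 00 00 32"  # MULTI_EXIT_DISC 50 (optional non-transitive)
    "40 05 04 00 00 00 c8"  # LOCAL_PREF 200
    "c0 08 04 00 01 00 c8"  # COMMUNITY 1:200 (optional transitive)
    "c0 c8 02 de ad"        # made-up type 200, optional transitive
    "80 c9 01 ff"           # made-up type 201, optional non-transitive
)

if __name__ == "__main__":
    for code, (action, value) in process_update(SAMPLE_ATTRIBUTES)["attributes"].items():
        print(code, action, value)
```

Running it shows type 200 being re-encoded with the Partial bit for onward propagation while type 201 is dropped; cutting one byte off the end of SAMPLE_ATTRIBUTES makes the parser raise instead of reading past the buffer.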

BGP filtering
• Allows you to control which BGP updates are sent and received
• Different ways to filter BGP updates:
  – Route filtering
  – Path filtering
  – BGP community filtering

BGP update vs data traffic
[Figure: an AS with two external links, one in Stockholm and one in Lund, exchanging traffic with NetA, NetB and NetC]
• Outbound decision: which way do I send my traffic (outbound) to reach NetA?
• Inbound decision: I want to receive traffic (inbound) for NetB via the Stockholm link and for NetC via the Lund link
• Outbound traffic is steered directly, by which routes the AS accepts and prefers (e.g. with LOCAL_PREF); inbound traffic can only be steered indirectly, by what the AS advertises on each link and with which attributes (e.g. MED, AS_PATH prepending), because the choice is made by the other ASes
Source: Internet Routing Architectures, 2nd edition, Cisco Press

Redundancy, Symmetry, Load balancing • Redundancy – have multiple paths for the traffic

• Symmetry – Traffic leaves from and returns to the same point

• Load balancing – Capability to divide traffic optimally over multiple links

Controlling routing inside the AS • Interaction of Non-BGP routers with BGP routers • BGP policies conflicting with internal defaults

Controlling a large-scale AS
• Route reflectors – the best path is propagated inside an AS based on the following rules:
  – If the route is received from a non-client peer, reflect it to client peers only
  – If the route is received from a client peer, reflect it to all non-client peers and to client peers
  – If the route is received from an EBGP peer, reflect it to all client and non-client peers (normal BGP behavior)

• Confederations
  – Divide an AS into multiple sub-ASes
  – Each sub-AS has its own ASN, so EBGP runs between the sub-ASes
  – Inside each sub-AS all rules of IBGP apply

Designing Stable Internets
• Route instabilities
• BGP stability features
  – Controlling route and cache invalidation
  – BGP route refresh
  – Route dampening

Assignments (1-3)


Assignment 1 – Question 1
AS1 is going to have a peering session with its neighbor, and the AS1 border router has the following BGP configuration for the networks that should be injected into BGP:

    router bgp 1
     no synchronization
     network 172.16.2.0 mask 255.255.255.0
     network 172.16.4.0 mask 255.255.255.0
     network 172.16.6.0 mask 255.255.255.0
     redistribute ospf 1 match external 1 external 2
     redistribute static metric 10
     no auto-summary

Here is an extract from the routing table of the AS1 border router:

    172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
    C    172.16.8.1/32 is directly connected, Loopback0
    S    172.16.7.0/24 [1/0] via 172.16.6.2
    C    172.16.6.0/24 is directly connected, Ethernet1
    O    172.16.5.0/24 [110/20] via 172.16.1.2, 00:22:40, Ethernet0
    C    172.16.3.0/24 is directly connected, Serial0
    S    172.16.2.0/24 [1/0] via 172.16.3.2
    C    172.16.1.0/24 is directly connected, Ethernet0

Which networks will AS1 advertise to the peer, and with which ORIGIN type?

Assignment 1 – Question 1 (answer)

    Network         Origin
    172.16.2.0/24   i    network statement; the static route in the routing table matches it
    172.16.5.0/24   ?    redistributed from OSPF
    172.16.6.0/24   i    network statement; directly connected
    172.16.7.0/24   ?    redistributed static route, advertised with MED 10 because of "metric 10"

172.16.4.0/24 has a network statement but no matching entry in the routing table, so it is not advertised: a network statement only injects a prefix the router can actually route. 172.16.1.0/24, 172.16.3.0/24 and 172.16.8.1/32 are connected routes with neither a network statement nor a redistribute clause covering them, so they are not advertised either.

Caveat on 172.16.5.0/24: the routing table marks it as an OSPF intra-area route (O), while "redistribute ospf 1 match external 1 external 2" matches only OSPF external routes. On a real IOS router the intra-area route would be redistributed only if the match clause also listed "internal"; the answer key above follows the recitation's reading that it is redistributed.

Assignment 1 – Question 2
[Figure not reproduced: company A is dual-homed to two ISPs, AS1 over link 1 and AS2 over link 2; AS4 peers with both AS1 and AS2, and AS5 peers with AS2, as the paths in the answer show]

AS_PATH prepending influences how a path is chosen. Given the scenario in the figure, company A prepends its AS_PATH with different values according to the table below. Assuming that only the AS_PATH attribute is considered in the path selection process, identify the shortest path from each ISP to company A in each case. (List all the best paths in case there is more than one.)

Assignment 1 – Question 2 (answer)
Paths are written as the AS_PATH seen at each AS with its own ASN in front, e.g. "1 4 2 A" is AS1 reaching A through AS4 and AS2. Where two paths have the same length both are best paths.

    Case                  AS1                          AS2                          AS4                               AS5
    No prepend            1 A                          2 A                          4 1 A and 4 2 A (equal length;    5 2 A
                                                                                    the slide shows 4 2 A)
    1 prepend on link 1   1 A A                        2 A                          4 2 A                             5 2 A
    2 prepends on link 1  1 A A A or 1 4 2 A (tie)     2 A                          4 2 A                             5 2 A
    3 prepends on link 1  1 4 2 A                      2 A                          4 2 A                             5 2 A
    1 prepend on link 2   1 A                          2 A A                        4 1 A                             not listed on the slide
    2 prepends on link 2  1 A                          2 A A A or 2 4 1 A (tie)     4 1 A                             not listed on the slide
    3 prepends on link 2  1 A                          2 4 1 A                      4 1 A                             not listed on the slide

Prepending on a link only changes the choice of ASes for which the prepended path and the alternative path are close in length: with three prepends on link 1, AS1 itself prefers the four-hop path through AS4 and AS2 over its direct link to A.

Assignment 1 – Question 3
[Figure not reproduced]
• RTA, RTB, RTC and RTD each inject their own 192.168.x.0/24 network into BGP.
• RTE injects 192.168.4.0/24 into OSPF.
• RTD redistributes the routes learned from OSPF into BGP.
• Assume that there is no route filtering on any of the routers.
• Write down all prefixes and the NEXT_HOP of the BGP routes that RTC and RTD learn.

Assignment 1 – Question 3 (answer)

RTC learns:
    Network          Next hop
    192.168.0.0/24   10.0.0.1
    192.168.1.0/24   10.0.1.1
    192.168.3.0/24   10.0.2.2
    192.168.4.0/24   10.0.2.3

RTD learns:
    Network          Next hop
    192.168.2.0/24   10.0.2.1
    192.168.4.0/24   10.0.2.3

Note the NEXT_HOP of 192.168.4.0/24: it is 10.0.2.3, not RTD's own address 10.0.2.2 (the address RTC sees for RTD's 192.168.3.0/24). When RTD redistributes the OSPF route into BGP, the BGP NEXT_HOP becomes the OSPF next hop on the shared 10.0.2.0/24 segment, i.e. RTE, and RTC receives it unchanged. This is the multiaccess-medium (third-party next hop) case described under Assignment 2, Question 3.

Assignment 1 – Question 4
Describe the BGP path attributes (the definitions follow RFC 4271 and RFC 1997):
• ORIGIN is a well-known mandatory attribute that defines the origin of the path information. The data octet can be IGP (0), EGP (1) or INCOMPLETE (2).
• AS_PATH is a well-known mandatory attribute that is composed of a sequence of AS path segments. Each AS path segment is represented by a triple <path segment type, path segment length, path segment value>.
• NEXT_HOP is a well-known mandatory attribute that defines the IP address of the border router that should be used as the next hop to the destinations listed in the Network Layer Reachability Information field of the UPDATE message.
• MULTI_EXIT_DISC (MED) is an optional non-transitive attribute that is a four-octet non-negative integer. The value of this attribute may be used by a BGP speaker's decision process to discriminate among multiple exit points to a neighboring autonomous system.
• LOCAL_PREF is a well-known discretionary attribute that is a four-octet non-negative integer. It is used by a BGP speaker to inform other BGP speakers in its own autonomous system of the originating speaker's degree of preference for an advertised route.
• ATOMIC_AGGREGATE is a well-known discretionary attribute of length 0. It is used by a BGP speaker to inform other BGP speakers that the local system selected a less-specific route without selecting a more-specific route that is included in it.
• AGGREGATOR is an optional transitive attribute of length 6. The attribute contains the last AS number that formed the aggregate route (encoded as two octets), followed by the IP address of the BGP speaker that formed the aggregate route (encoded as four octets). (With four-octet AS numbers, RFC 6793, the AS number takes four octets and the attribute is 8 octets long.)
• COMMUNITY is an optional transitive attribute of variable length. The attribute consists of a set of four-octet values, each of which specifies a community. All routes with this attribute belong to the communities listed in the attribute.

Assignment 2 – Question 1
Arrange the following checking rules in the order in which they are evaluated in the BGP decision process.

Answer
1. Check for the path whose NEXT_HOP is accessible
2. Check for the path with the highest LOCAL_PREF
3. Check for the path with the shortest AS_PATH
4. Check for the path with the lowest origin type
5. Check for the path with the lowest multi-exit discriminator (MED)
6. Prefer eBGP over iBGP paths
7. Prefer the path with the lowest IGP metric to the BGP next hop
8. When both paths are external, prefer the path that was received first
9. Prefer the route that comes from the BGP router with the lowest router ID

Assignment 2 – Question 2
[Figure not reproduced]
• Given the scenario in the figure, you are helping the network administrator of AS5 to configure a basic BGP policy that accepts only the aggregated prefixes from the other ASes (i.e. only /16 prefixes).
• Your task is to use the different types of BGP filtering, namely route filtering, path filtering and community filtering, to achieve the desired policy.
• 1: Using BGP route filtering, identify the correct rules for the given configuration on RTE and RTF, as follows:

Assignment 2 – Question 2 (cont’d)

Route filtering

RTE:
    router bgp 5
     neighbor 10.0.3.1 remote-as 3
     neighbor 10.0.3.1 prefix-list 1 in
    !
    ip prefix-list 1 seq 10 permit 172.16.0.0/16
    ip prefix-list 1 seq 20 permit 172.17.0.0/16
    ip prefix-list 1 seq 30 permit 172.18.0.0/16

RTF:
    router bgp 5
     neighbor 10.0.4.1 remote-as 4
     neighbor 10.0.4.1 distribute-list 1 in
    !
    access-list 1 deny 172.19.1.0 0.0.0.255
    access-list 1 permit 172.16.0.0 0.0.255.255
    access-list 1 permit 172.17.0.0 0.0.255.255
    access-list 1 permit 172.18.0.0 0.0.255.255

Caveat: a standard access list used in a distribute-list matches only the network address of a prefix, never its length, so "access-list 1 permit 172.16.0.0 0.0.255.255" also admits any more-specific route such as 172.16.1.0/24; the explicit deny for 172.19.1.0/24 is needed for exactly that reason, and covers only that one route. A prefix-list, as on RTE, matches the prefix length as well (an entry without ge/le matches that exact length only) and is the right tool for an "only /16" policy; an extended access list that also matches the mask is the alternative with distribute-list.

Path filtering

BGP path filtering cannot be used to achieve the desired goal in this case, because it cannot selectively filter a subset of prefixes that have the same origin and traverse exactly the same path.

Community filtering (the community values come from the figure)

RTE:
    router bgp 5
     neighbor 10.0.3.1 remote-as 3
     neighbor 10.0.3.1 route-map comm1 in
    !
    route-map comm1 permit 10
     match community 1
    !
    ip community-list 1 permit 11
    ip community-list 1 permit 12
    ip community-list 1 permit 31

RTF:
    router bgp 5
     neighbor 10.0.4.1 remote-as 4
     neighbor 10.0.4.1 route-map comm2 in
    !
    route-map comm2 permit 10
     match community 2
    !
    ip community-list 2 permit 21
    ip community-list 2 permit 22
    ip community-list 2 permit 41

Assignment 2 – Question 3
Explain the NEXT_HOP concept in BGP.

Answer
The NEXT_HOP in BGP takes one of four forms:
• For EBGP sessions, the next hop is the IP address of the neighbor that announced the route.
• For IBGP sessions, for routes originated inside the AS, the next hop is the IP address of the neighbor that announced the route.
• For routes injected into the AS via EBGP, the next hop learned from EBGP is carried unaltered into IBGP: the next hop is the IP address of the EBGP neighbor from which the route was learned (unless the border router rewrites it to its own address with next-hop-self).
• When the route is advertised on a multiaccess medium (such as Ethernet, Frame Relay and so on), the next hop is usually the IP address of the interface, on that medium, of the router that originated the route (a third-party next hop), even if that router is not the BGP speaker that advertised it.

Assignment 2 – Question 4
Many Internet service providers set a policy to filter out bogon prefixes. Explain what "a bogon prefix" means. Where can you find the currently allocated and reserved address blocks? Where can you find a list of bogon prefixes?

Answer
A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including VPNs or other tunnels) should never have a source address in a bogon range; such addresses are commonly found as the source addresses of DDoS attacks. Bogons are defined as Martians (private and reserved addresses, defined by RFC 1918 and RFC 3330, the latter since replaced by RFC 6890) and netblocks that have not been allocated to a regional Internet registry (RIR) by the Internet Assigned Numbers Authority (IANA).

IANA maintains an IPv4 summary page listing allocated and reserved netblocks (see http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml). The Team Cymru website (http://www.team-cymru.org/Services/Bogons/) includes additional links and resources for those who wish to filter bogon prefixes in their networks.

It is important to realize that the bogon list is NOT static: IP ranges are regularly added to and, more importantly, removed from it. If you filter bogons, make sure you have a plan for keeping the list up to date, or within a short time you will be filtering legitimate traffic and creating work for network administrators everywhere.

Assignment 2 – Question 4 (cont’d)
Examples of bogon prefixes:
• Private addresses (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
• 198.18.0.0/15: allocated for benchmark tests of network interconnect devices (see RFC 3330)
• 240.0.0.0/4: reserved (the former class E space)
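The following is an added example, not code from the recitation. It evaluates an IOS-style prefix-list and a standard access list the way a router does, and uses them for two things from this assignment: the "only /16" policy of Question 2 (RTE's prefix-list next to RTF's access-list, to show why the access-list lets a /24 through) and a bogon deny-list built from the prefixes named in Question 4. The bogon list is deliberately short: a deployment must take the current list from the sources named above and refresh it, since it changes.

```python
"""Prefix-list and standard-ACL route filtering, as a router evaluates them.

Added example, not part of the recitation. Policies mirror Assignment 2,
Questions 2 and 4; the sample routes fed to them are constructed.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PrefixEntry:
    """One 'ip prefix-list NAME seq N permit|deny P/len [ge G] [le L]' line."""
    permit: bool
    prefix: str
    ge: int | None = None
    le: int | None = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        net = ipaddress.ip_network(self.prefix)
        if route.network_address not in net:      # address bits differ within the prefix
            return False
        lo = self.ge if self.ge is not None else net.prefixlen
        hi = self.le if self.le is not None else (net.prefixlen if self.ge is None else 32)
        return lo <= route.prefixlen <= hi         # without ge/le: exact length only


def prefix_list_permits(entries: list[PrefixEntry], route: str) -> bool:
    """First matching entry decides; a route that matches nothing is denied."""
    net = ipaddress.ip_network(route)
    for e in entries:
        if e.matches(net):
            return e.permit
    return False


@dataclass(frozen=True)
class AclEntry:
    """One standard 'access-list N permit|deny ADDR WILDCARD' line."""
    permit: bool
    address: str
    wildcard: str

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # A standard ACL in a distribute-list sees only the network address;
        # the prefix length is never compared.
        addr = int(ipaddress.ip_address(self.address))
        wild = int(ipaddress.ip_address(self.wildcard))
        return (int(route.network_address) & ~wild) == (addr & ~wild)


def acl_permits(entries: list[AclEntry], route: str) -> bool:
    net = ipaddress.ip_network(route)
    for e in entries:
        if e.matches(net):
            return e.permit
    return False


# RTE's prefix-list from Question 2: exact /16s only
RTE_PREFIX_LIST = [PrefixEntry(True, p) for p in ("172.16.0.0/16", "172.17.0.0/16", "172.18.0.0/16")]

# RTF's access-list 1 from Question 2
RTF_ACL = [
    AclEntry(False, "172.19.1.0", "0.0.0.255"),
    AclEntry(True, "172.16.0.0", "0.0.255.255"),
    AclEntry(True, "172.17.0.0", "0.0.255.255"),
    AclEntry(True, "172.18.0.0", "0.0.255.255"),
]

# Bogon deny-list from Question 4's examples, then permit everything else.
# 'le 32' makes each deny cover every more-specific of the block too.
BOGON_FILTER = [
    PrefixEntry(False, "10.0.0.0/8", le=32),
    PrefixEntry(False, "172.16.0.0/12", le=32),
    PrefixEntry(False, "192.168.0.0/16", le=32),
    PrefixEntry(False, "198.18.0.0/15", le=32),
    PrefixEntry(False, "240.0.0.0/4", le=32),
    PrefixEntry(True, "0.0.0.0/0", le=32),
]


def compare(route: str) -> tuple[bool, bool]:
    """(accepted by RTE's prefix-list, accepted by RTF's access-list) for one route."""
    return prefix_list_permits(RTE_PREFIX_LIST, route), acl_permits(RTF_ACL, route)


if __name__ == "__main__":
    for r in ("172.16.0.0/16", "172.16.1.0/24", "172.19.1.0/24"):
        print(r, compare(r))
    for r in ("192.168.4.0/24", "198.19.0.0/16", "8.8.8.0/24"):
        print(r, "accepted" if prefix_list_permits(BOGON_FILTER, r) else "bogon, dropped")
```

compare("172.16.1.0/24") returns (False, True): the prefix-list rejects the /24, the access list on RTF accepts it, which is the gap the caveat under Question 2 describes.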

Assignment 3 – Question 1
[Figure not reproduced: AS1 and AS2 are connected by two links, 10.0.0.0/30 and 10.0.0.4/30]
You must help AS2 to set up a BGP policy, by manipulating BGP attributes, so that the traffic to/from AS1 leaves/arrives over link 10.0.0.0/30 during normal operation. Link 10.0.0.4/30 will only be used when link 10.0.0.0/30 is broken. Assume that currently neither AS1 nor AS2 has any policy configured on its routers.

Attributes once the policy is in place:

    Link                    MED   AS_PATH   LOCAL_PREF
    PRIMARY (10.0.0.0/30)   50    2         200
    BACKUP (10.0.0.4/30)    100   2 2       100

MED and AS_PATH are what AS1 sees on AS2's advertisements and steer traffic into AS2 (inbound); LOCAL_PREF is what AS2 sets on the routes it receives from AS1 and steers traffic out of AS2 (outbound).

Assignment 3 – Question 1 (cont’d)
Either of the following achieves the policy:
• Set a higher LOCAL_PREF on all routing updates received over link 10.0.0.0/30 than on those received over link 10.0.0.4/30, and set a lower MED on all routing updates advertised over link 10.0.0.0/30 than on those advertised over link 10.0.0.4/30.
• Set a higher LOCAL_PREF on all routing updates received over link 10.0.0.0/30 than on those received over link 10.0.0.4/30, and prepend the AS_PATH on all routing updates advertised over link 10.0.0.4/30.

Caveat: MED only works if AS1 compares it (step 6 of the decision process, which it reaches only when the two paths tie on everything before it) and does not overwrite it on ingress; AS_PATH prepending is evaluated earlier (step 4) and is harder for the neighbor to disregard. Both can be overridden by AS1's own LOCAL_PREF policy, since inbound steering is always a request, not a guarantee.
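The following is an added example, not code from the recitation: the decision process from the recap (the same order as the answer to Assignment 2, Question 1, with Cisco's weight added) run on the two links of this question, from both ends. Router IDs, the arrival order of the paths and the IGP metrics are made-up values so that every step has something to compare; the MED, AS_PATH and LOCAL_PREF values are the ones in the table above. Besides the two policy variants it also shows what happens before any policy is configured: AS1 then picks whichever of the two identical advertisements it happened to receive first.

```python
"""The BGP decision process, run on the two links of Assignment 3, Question 1.

Added example, not code from the recitation. Router IDs, received_order and
IGP metrics are made-up values; MED, AS_PATH and LOCAL_PREF follow the table.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Path:
    name: str
    next_hop_reachable: bool = True
    weight: int = 0                  # Cisco-local, highest wins
    local_pref: int = 100            # highest wins
    as_path: tuple[int, ...] = ()    # shortest wins; as_path[0] is the neighbor AS
    origin: int = 0                  # 0 IGP < 1 EGP < 2 INCOMPLETE, lowest wins
    med: int = 0                     # lowest wins, only among paths from one neighbor AS
    ebgp: bool = True                # eBGP preferred over iBGP
    igp_metric: int = 0              # lowest metric to the NEXT_HOP wins
    received_order: int = 0          # lower = received earlier; eBGP tie-break in current IOS
    router_id: str = "0.0.0.0"       # lowest wins


def best_path(paths: list[Path]) -> tuple[Path, str]:
    """Return (winning path, name of the step that decided)."""
    cands = [p for p in paths if p.next_hop_reachable]     # step 1
    if not cands:
        raise ValueError("no path with a reachable NEXT_HOP")
    if len(cands) == 1:
        return cands[0], "next_hop"

    def narrow(key, lowest):
        nonlocal cands
        top = (min if lowest else max)(key(p) for p in cands)
        cands = [p for p in cands if key(p) == top]
        return len(cands) == 1

    # (step, attribute, lowest-wins?, guard that must hold for the step to apply)
    steps = [
        ("weight", lambda p: p.weight, False, None),
        ("local_pref", lambda p: p.local_pref, False, None),
        ("as_path", lambda p: len(p.as_path), True, None),
        ("origin", lambda p: p.origin, True, None),
        # MED is comparable only when every remaining path comes from the same neighbor AS
        ("med", lambda p: p.med, True, lambda: len({p.as_path[:1] for p in cands}) == 1),
        ("ebgp", lambda p: p.ebgp, False, None),
        ("igp_metric", lambda p: p.igp_metric, True, None),
        ("oldest", lambda p: p.received_order, True, lambda: all(p.ebgp for p in cands)),
        ("router_id", lambda p: tuple(int(x) for x in p.router_id.split(".")), True, None),
    ]
    for step, key, lowest, guard in steps:
        if guard is not None and not guard():
            continue
        if narrow(key, lowest):
            return cands[0], step
    return cands[0], "router_id"      # identical router IDs: first remaining path


def as1_view(prepend_backup: bool) -> tuple[str, str]:
    """AS1 choosing between AS2's two advertisements (steering traffic into AS2)."""
    primary = Path("primary 10.0.0.0/30", as_path=(2,), med=50, router_id="10.0.0.2", received_order=2)
    backup = Path("backup 10.0.0.4/30", as_path=(2, 2) if prepend_backup else (2,),
                  med=100, router_id="10.0.0.6", received_order=1)
    win, step = best_path([backup, primary])
    return win.name, step


def as1_view_without_policy() -> tuple[str, str]:
    """The same two links before AS2 configures anything: the older path wins, by accident."""
    primary = Path("primary 10.0.0.0/30", as_path=(2,), router_id="10.0.0.2", received_order=2)
    backup = Path("backup 10.0.0.4/30", as_path=(2,), router_id="10.0.0.6", received_order=1)
    win, step = best_path([backup, primary])
    return win.name, step


def as2_view() -> tuple[str, str]:
    """AS2 choosing between AS1's two advertisements (steering its own outbound traffic)."""
    primary = Path("primary 10.0.0.0/30", local_pref=200, as_path=(1,), router_id="10.0.0.1")
    backup = Path("backup 10.0.0.4/30", local_pref=100, as_path=(1,), router_id="10.0.0.5")
    win, step = best_path([backup, primary])
    return win.name, step


if __name__ == "__main__":
    print("AS1, MED only:      ", as1_view(False))
    print("AS1, prepend:       ", as1_view(True))
    print("AS1, no policy:     ", as1_view_without_policy())
    print("AS2, LOCAL_PREF:    ", as2_view())
```

The MED guard is what makes step 6 different from the others: two paths from different neighbor ASes skip it entirely, so a MED that looks decisive on paper may never be consulted.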

Assignment 3 – Question 2
[Figure not reproduced: ISP1 (AS1) and ISP2 (AS2) peer with each other; Customer1 (AS3) connects to ISP1, Customer2 (AS4) connects to ISP2, and a private link joins the two customers, as the answer below implies]

Customer1 is a customer of ISP1 while Customer2 is a customer of ISP2. Customer1 and Customer2 have a bilateral agreement under which the private link between them is used only as a backup, in case either customer's primary link to the Internet fails. The ISPs must not use their customers as transit to reach the other ISP's customer during normal operation, i.e. ISP1 should reach Customer2 via ISP2 and ISP2 should reach Customer1 via ISP1. Assume that currently there is no policy configured in any AS. Each AS accepts routing updates only with a community attribute; other BGP attribute manipulation is ignored. Each AS sets the local preference of a received route according to the community value attached to it, using community values in the way defined in RFC 1998 (ASN is the number of the AS receiving the route):

    Community   Local preference
    None        100
    ASN:200     200
    ASN:300     300

You must help the four ASes to configure their policies to achieve the desired traffic behavior.

Assignment 3 – Question 2 (cont’d)
Answer:
• AS1 sets community 3:300 on all routes advertised to AS3, and community 2:200 on all routes advertised to AS2.
• AS2 sets community 4:300 on all routes advertised to AS4, and community 1:200 on all routes advertised to AS1.
• AS3 sets community 1:300 on its own originated routes when advertising to AS1, and no community on transit routes (routes not originated locally, i.e. AS4's routes) advertised to AS1.
• AS4 sets community 2:300 on its own originated routes when advertising to AS2, and no community on transit routes (AS3's routes) advertised to AS2.
• When AS3 advertises routes to AS4 and vice versa, over the private link, neither sets a community.

Result: each customer prefers its ISP (local preference 300) over the private link (100) for every destination; each ISP prefers its own customer's directly advertised route (300) over the same route heard from the other ISP (200); and each ISP prefers the other ISP (200) over its customer's transit route (100). If a customer's primary link fails, the only remaining route is the one over the private link, so the backup takes over without any reconfiguration.

Assignment 3 – Question 3
[Figure not reproduced]
Given the figure, AS1 has four routers: RTA, RTB, RTC and RTD. They run an IGP and can communicate properly internally. AS1 wants to be connected to the outside world and has recently acquired two links to external networks. One link will be used as the primary link to send and receive traffic to/from the external network during normal operation. The other link will be used as a backup link, used only when the primary link fails. AS1 receives a default route on both links. To achieve the desired policy, AS1's network administrator has configured BGP policy to set LOCAL_PREF = 300 on the default route received via the primary link and LOCAL_PREF = 200 on the default route received via the backup link. In addition, the network administrator has configured both RTA and RTB to inject the default route into the IGP.

After applying the policy, the network administrator noticed that there is a loop between RTD and RTB.

Assignment 3 – Question 3 (cont’d)
Choose the solution(s) that can be used to solve this problem while maintaining the desired policy (regarding primary/backup links) from the following alternatives:

Answer
• Fix the IGP metric so that traffic follows one path, towards RTA, out of the AS (by injecting the default with a very low IGP metric at RTA and a much higher one at RTB).
• Make sure that only the default route on the primary link is injected into the IGP, and that the default route from the backup link is injected only once the primary link has failed.

The loop comes from the two routing protocols disagreeing: RTB injects a default into the IGP from its backup link, so an internal router such as RTD forwards default traffic to RTB, but RTB's own BGP best path (LOCAL_PREF 300) points at RTA and its IGP path to RTA leads back through RTD. Both fixes remove the disagreement, either by making the IGP agree with BGP on the exit or by not advertising the backup exit into the IGP while the primary is up.

Assignment 3 – Question 4
Explain the terms closest-exit routing (hot potato routing) and best-exit routing (cold potato routing) in the context of BGP. What do you need to do with the MED learned via EBGP in order to achieve each of them?

Answer
• Closest-exit or hot-potato routing is when you try to route the traffic out of your network (AS) as quickly as possible, i.e. via the nearest exit point according to the IGP metric.
• Best-exit or cold-potato routing is when you hold on to the traffic as long as possible to ensure that it goes over certain paths within the AS before you send it out, e.g. via the exit the neighboring AS prefers.
• Hot-potato routing is achieved by not passing the EBGP-learned MED into IBGP, or by not accepting the EBGP-learned MED at all (ignoring it), so that the lowest IGP metric to the NEXT_HOP (step 8 of the decision process) decides between the exits.
• Cold-potato routing is achieved by passing the EBGP-learned MED into IBGP, so that the neighbor's MED (step 6) decides the exit before the IGP metric is considered.
• Most service providers use hot-potato routing for transit traffic.
• An explanation of MED and potatoes can be found in RFC 4277.