RPSL: Police’ing’ the Net. Anwar M. Haneef, Electrical and Computer Engineering, University of Massachusetts, Amherst. RFC-2622: Not the most fun thing to read on a Friday night.
RPSL: Police’ing’ the Net Anwar M. Haneef Electrical and Computer Engineering University of Massachusetts, Amherst
Aim of my talk • Not to make you expert network managers • I want all of you to go back home, knowing that you have learnt the BASICS of a new language • Prepare you all for the next talk on the practical applications of RPSL
Agenda • What is Routing Policy ? • Why define Routing Policy ? • BGP Configuration • IRR Configuration • RPSL – Introduction • RPSL – Objects • What’s next
What is Routing Policy ? • Public description of the relationships between external BGP peers • Can describe internal BGP peer relationships
Routing Policy (Unfortunately, Chun gets to do all the really COOL stuff…) • Who are the peers • What routes are originated by a peer, imported from each peer, exported to each peer, and preferred when multiple routes exist • What to do if no route exists
Routing Policy Example • AS1 originates route “d” • AS1 exports “d” to AS2, AS2 imports • AS2 exports “d” to AS3, AS3 imports • AS3 exports “d” to AS5, AS5 imports
Routing Policy Example • AS5 also imports “d” from AS4 • Which route does it prefer?
Why define a Routing Policy ? • Documentation • Allows automatic generation of router configurations • Provides routing security: can the peer originate the route? can the peer act as transit for the route? • Provides a debugging aid: compare policy versus reality (No one ever does anything for documentation, but it’s good to have it)
BGP Configuration • Too many routers • Too detailed, large & tedious • Consistency • Heavy consequences of mistakes ?!?!?!
Agenda • What is Routing Policy ? • Why define Routing Policy ? • BGP Configuration • The Internet Routing Registry • RPSL – Introduction • RPSL – Objects • What’s next
IRR – What is it ? • Database of • IP networks, • DNS domains, • DNS domain Contact Persons and • IP routing policies • Data from the IRR may be used by anyone worldwide to help debug, configure, and engineer Internet routing and addressing. • Currently, the IRR provides the only mechanism for validating the contents of a BGP session or mapping an AS number to a list of networks.
Internet Routing Registry • APNIC, ALTDB, BELLCA, TELSTRA etc. • Policy and contact information
Internet Routing Registry
route:   128.9.0.0/16
descr:   ISI-NET
origin:  AS226
notify:  Prue@isi.edu
mnt-by:  LN-MAINT-MCI
changed: Prue@isi.edu 990420
source:  CW
Internet Routing Registry
person:  Walt Prue
address: USC/Information Sciences Institute
         4676 Admiralty Way Suite 1000
         Marina del Rey, California USA
phone:   +1 310 822 1511 x89191
fax-no:  +1 310 823 6714
e-mail:  Prue@isi.edu
nic-hdl: WP8
notify:  Prue@isi.edu
mnt-by:  LN-MAINT-MCI
changed: Prue@isi.edu 20000222
source:  CW
BGP Configuration from IRR: IRR, RPSL, RtConfig • RPSL: Abstract, high level, per-AS policies • IRR: Benefit from others’ data & delegation • RtConfig: Details/tedious aspects automated
Meet Mr. RPSL – An Introduction • RPSL allows a network operator to specify routing policies at various levels in the Internet hierarchy; for example at the Autonomous System (AS) level • At the same time, policies can be specified in sufficient detail in RPSL that low level router configurations can be generated from them • RPSL is extensible; new routing protocols and new protocol features can be introduced at any time
Meet Mr. RPSL – An Introduction • Object oriented language • RPSL is based on RIPE-181, a language used to register routing policies and configurations in the IRR • Operational use of RIPE-181 has shown that it is sometimes difficult (or impossible) to express a routing policy which is used in practice • RPSL has been developed to address these shortcomings and to provide a language which can be further extended as the need arises • RPSL obsoletes RIPE-181
Meet Mr. RPSL – An Introduction • RPSL was designed so that a view of the global routing policy can be contained in a single cooperatively maintained distributed database, to improve the integrity of the Internet’s routing • RPSL is not designed to be a router configuration language • RPSL is designed so that router configurations can be generated from the description of the policy for one autonomous system (aut-num class), combined with the description of a router (inet-rtr class), mainly providing router ID, autonomous system number of the router, interfaces and peers of the router, and combined with global database mappings from AS sets to ASes (as-set class), and from origin ASes and route sets to route prefixes (route and route-set classes) • The accurate population of the RPSL database can help contribute toward such goals as router configurations that protect against accidental (or malicious) distribution of inaccurate routing information, verification of the Internet’s routing, and aggregation boundaries beyond a single AS
RPSL: Getting to know it • RPSL constructs are expressed in one or more database "objects" which are registered in one of the registries • Each database object contains some routing policy information and some necessary administrative data • When objects are registered in the IRR, they become available for others to query using a whois service • Uses RIPE database style (whois) objects
RPSL: Object Representation (attribute name, attribute value; a ‘#’ starts a comment; indented lines continue the previous value)
person:  Randy Bush
address: RGnet NOC
         5147 Crystal Springs Drive NE
         10361 NE Sasquatch
         Bainbridge Island, WE 98110
         USA
phone:   +1 206 780 0431 # day time
fax-no:  +1 206 780 0653
e-mail:  randy@psg.com
nic-hdl: RB366
remarks: This object is automatically converted from RIPE181
mnt-by:  RGNET-MAINT-MCI
changed: randy@psg.com 19970614
source:  MCI
Common Attributes for all classes • descr: Short free text description of the object • remarks: Free text comment attribute • tech-c: Technical contact nic handles • admin-c: Administrative contact nic handles • notify: Emails to send notification of changes • mnt-by: Maintainer authorized to do changes • changed: <email> <date> • source: Registry
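The object representation described above (attribute: value lines, ‘#’ comments, continuation lines, repeatable attributes) worked through in a small parser. This is an added example, not code from the talk; the sample object is constructed from the person object on the slides.

```python
import re

# Constructed sample modelled on the person object from the slides; it uses
# all three syntax features: "name: value", '#' comments, continuation lines.
SAMPLE = """\
person:  Randy Bush
address: RGnet NOC
         5147 Crystal Springs Drive NE
         Bainbridge Island, WE 98110
+        USA
phone:   +1 206 780 0431 # day time
fax-no:  +1 206 780 0653
e-mail:  randy@psg.com
nic-hdl: RB366
mnt-by:  RGNET-MAINT-MCI
changed: randy@psg.com 19970614
source:  MCI
"""
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*):\s*(.*)$")

def strip_comment(line):
    # A '#' starts a comment that runs to the end of the line.
    return line.split("#", 1)[0].rstrip()

def parse_rpsl(text):
    """Parse one RPSL object into an ordered list of (name, value) pairs.
    A list, not a dict, because attributes may repeat (several tech-c lines);
    names are case-insensitive and are lower-cased. The object's class is
    the name of its first attribute."""
    attrs = []
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue  # blank or comment-only line
        if raw[0] in " \t+":  # continuation of the previous attribute's value
            if not attrs:
                raise ValueError("continuation line before any attribute")
            name, value = attrs[-1]
            attrs[-1] = (name, (value + " " + line.lstrip(" \t+")).strip())
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError("malformed attribute line: %r" % raw)
        attrs.append((m.group(1).lower(), m.group(2).strip()))
    return attrs

def get(attrs, name):
    """All values of one attribute, in registration order."""
    return [v for n, v in attrs if n == name.lower()]

PARSED = parse_rpsl(SAMPLE)
```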
RPSL Classes • Person, Role, Maintainer • Route • Set classes: as-set, route-set • Autonomous System
RPSL Classes • Person, Role, Maintainer • Person and Role objects are for contact information • Maintainer objects are for authentication • Route • Set classes: as-set, route-set • Autonomous System
Person Class • In the person object shown above, person, address, phone, fax-no, e-mail and nic-hdl are the person class attributes; remarks, mnt-by, changed and source are the common attributes, with mnt-by and changed being the maintenance ones
Role Class
role:    RIPE NCC Operations
address: Singel 258
         1016 AB Amsterdam
         The Netherlands
phone:   +31 20 535 4444
fax-no:  +31 20 545 4445
e-mail:  ops@ripe.net
admin-c: CO19-RIPE
tech-c:  RW488-RIPE
tech-c:  JLSD1-RIPE
nic-hdl: OPS4-RIPE
notify:  ops@ripe.net
changed: roderik@ripe.net 19970926
source:  RIPE
The nic-hdl attributes of the person and role classes share the same name space.
Maintainer Class (it defines access control for other objects in the database)
mntner:  MAINT-RGNET
descr:   RGnet RADB maintainer
admin-c: RB366
tech-c:  RB366
upd-to:  rw@rg.net
mnt-nfy: randy@psg.com
auth:    PGPKEY-23F5CE3
mnt-by:  MAINT-RGNET
changed: randy@psg.com 19970804
source:  RADB
Auth Attribute
auth: PGPKEY-23F5CE3
auth: CRYPT-PW lz1A7/JnfkTI
auth: MAIL-FROM cengiz@isi.edu
auth: MAIL-FROM .*@canet.ca
auth: NONE
RPSL Classes • Person, Role, Maintainer • Route • Specifies origin AS for a route • Can indicate membership of a route set • Set classes: as-set, route-set • Autonomous System
Route Class
route:   156.36.0.0/16
origin:  AS2914
descr:   my routes
mnt-by:  MAINT-RGNET
tech-c:  RB366
changed: randy@psg.com 19960829
source:  RADB
Policy information: route 156.36.0.0/16 is originated by AS2914
Inter-AS Routing (Hmm… looks familiar, doesn’t it?) • AS1 originates route “d” • AS1 exports “d” to AS2, AS2 imports • AS2 exports “d” to AS3, AS3 imports • AS3 exports “d” to AS5, AS5 imports
Some Notations • AS Numbers: AS2914 • Address Prefixes: 156.36.0.0/16 • Route-set Names: RS-VERIO • AS-set Names: AS-VERIO
Rules for Words • Words can have - or _ in the middle: RGNET-MAINT-MCI • Can have digits: RGNET-MAINT-MCI_1 • Case insensitive: rgnet-MaInT-MCI
RPSL Classes • Person, Role, Maintainer • Route • Set classes: Route-set • Collects routes together with similar properties • Autonomous System
Route-Set
route-set: rs-foo
members:   128.9.0.0/16, 128.9.0.0/24, 128.8.0.0/16
descr:     some address prefixes
mnt-by:    MAINT-RGNET
tech-c:    RB366
changed:   randy@psg.com 19960829
source:    RADB

route-set: rs-bar
members:   128.7.0.0/16, rs-foo
Route Set
route-set: RS-BCMI2
descr:     routes via BCM to be announced to I2
members:   128.249.0.0/16, 192.31.88.0/24, 192.147.26.0/24
admin-c:   JCY
tech-c:    SM346
mnt-by:    MAINT-AS302
changed:   smace@intt.org 20000213
source:    demo
Indirect Members
route-set:   RS-ANS-IGP_ONLY
descr:       ANS IGP aggregates
mbrs-by-ref: ANY

route:       207.25.17.0/24
origin:      AS1675
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-ANS

route:       192.157.69.0/24
origin:      AS1675
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-ANS
Restricted Indirect Members
route-set:   RS-ANS-IGP_ONLY
descr:       ANS IGP aggregates
mbrs-by-ref: MNT-ANS, MNT-CENGIZ

route:       207.25.17.0/24
origin:      AS1675
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-ANS

route:       192.157.69.0/24
origin:      AS1675
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-ANS
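The membership rules from the route-set slides (direct members, a set nested in another set as rs-foo is in rs-bar, and indirect members admitted through member-of only when the route’s maintainer is allowed by mbrs-by-ref) worked as a resolver. This is an added example, not code from the talk; the objects are pre-parsed dicts, and rs-open, AS64512, 10.0.0.0/8 and MNT-OTHER are constructed to show the restricted case being enforced.

```python
# Constructed registry snapshot modelled on the route-set and route objects
# on the slides, already parsed into dicts (lists for repeatable attributes);
# rs-open, AS64512, 10.0.0.0/8 and MNT-OTHER are made up for the example.
ROUTE_SETS = {
    "rs-foo": {"members": ["128.9.0.0/16", "128.9.0.0/24", "128.8.0.0/16"]},
    "rs-bar": {"members": ["128.7.0.0/16", "rs-foo"]},
    "rs-ans-igp_only": {"mbrs-by-ref": ["MNT-ANS", "MNT-CENGIZ"]},
    "rs-open": {"mbrs-by-ref": ["ANY"]},
}
ROUTES = [
    {"route": "207.25.17.0/24", "origin": "AS1675",
     "member-of": ["RS-ANS-IGP_ONLY", "RS-OPEN"], "mnt-by": ["MNT-ANS"]},
    {"route": "192.157.69.0/24", "origin": "AS1675",
     "member-of": ["RS-ANS-IGP_ONLY"], "mnt-by": ["MNT-ANS"]},
    # A maintainer not listed in mbrs-by-ref: its member-of claim must be
    # ignored, or anyone could add prefixes to filters generated from the set.
    {"route": "10.0.0.0/8", "origin": "AS64512",
     "member-of": ["RS-ANS-IGP_ONLY", "RS-OPEN"], "mnt-by": ["MNT-OTHER"]},
]

def indirect_members(set_name, route_sets, routes):
    """Prefixes of route objects naming the set in member-of AND whose mnt-by
    is allowed by the set's mbrs-by-ref (ANY accepts every maintainer)."""
    set_name = set_name.lower()  # RPSL words are case-insensitive
    allowed = {m.lower() for m in route_sets[set_name].get("mbrs-by-ref", [])}
    if not allowed:
        return set()  # no mbrs-by-ref attribute: no indirect members at all
    out = set()
    for r in routes:
        if set_name not in {s.lower() for s in r.get("member-of", [])}:
            continue
        mnts = {m.lower() for m in r.get("mnt-by", [])}
        if "any" in allowed or allowed & mnts:
            out.add(r["route"])
    return out

def resolve(set_name, route_sets, routes, _seen=None):
    """Expand a route-set into prefixes: direct members, nested route-sets
    (recursively) and allowed indirect members; _seen breaks set cycles."""
    set_name = set_name.lower()
    _seen = set() if _seen is None else _seen
    if set_name in _seen:
        return set()
    _seen.add(set_name)
    prefixes = set()
    for m in route_sets[set_name].get("members", []):
        if m.lower().startswith("rs-"):  # member that is itself a route-set
            prefixes |= resolve(m, route_sets, routes, _seen)
        else:
            prefixes.add(m)
    return prefixes | indirect_members(set_name, route_sets, routes)
```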