BGP Multiple Origin AS (MOAS) Conflict Analysis
Xiaoliang Zhao, NCSU
S. Felix Wu, UC Davis
Allison Mankin, Dan Massey, USC/ISI
Dan Pei, Lan Wang, Lixia Zhang, UCLA
NANOG-23, October 23, 2001

Definition of MOAS
• BGP routes include a prefix and AS path
• Example: 131.179.0.0/16, Path: 4513, 11422, 11422, 52
• Origin AS: the last AS in the path
• In the above example: AS 52 originated the path advertisement for prefix 131.179/16
• Multiple Origin AS (MOAS): the same prefix announced by more than one origin AS
NANOG 23 - Oakland
Example MOAS Conflicts
[Diagram: the 128.9/16 nets are reachable through both AS 4 and AS 226, one of them holding a static or IGP-learned route to 128.9/16. AS 4 announces 128.9.0.0/16 Path: 4 and AS 226 announces 128.9.0.0/16 Path: 226; transit ASes X and Z pass these on as 128.9.0.0/16 Path: X, 4 and 128.9.0.0/16 Path: Z, 226, and AS Y receives both: MOAS conflict!]
• Valid MOAS case: 128.9/16 reachable either way
• Invalid MOAS case: 128.9/16 reachable one way but not the other

Talk Outline
• Measurement data shows that MOAS exists
• Some MOAS cases caused by faults
• Some MOAS cases due to operational need
• Important to distinguish the two
• Proposed solutions

Measurement Data Collection
• Data collected from the Oregon Route Views
• Peers with >50 routers from >40 different ASes
• Our analysis uses data from 11/08/97 to 07/18/01 (1279 days total)
• More than 38000 MOAS conflicts observed during this time period
At a given moment,
• The Route Views server observed 1364 MOAS conflicts
• The views from 3 individual ISPs showed 30, 12 and 228 MOAS conflicts
MOAS Conflicts Do Exist
[Plots of the number of MOAS conflicts over time; annotations: Max: 10226 (9177 from a single AS); Max: 11842 (11357 from a single AS)]

Histogram of MOAS Conflict Lifetime
[Histogram; y-axis: # of MOAS conflicts; x-axis: total # of days a prefix experienced MOAS conflict]

Distribution of MOAS Conflicts over Prefix Lengths
[Plot; y-axis: ratio of # MOAS entries over total routing entries for the same prefix length]
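The definition slide and the measurement slides above describe the analysis in prose and plots only. The following is an added example, not code from the talk or the FNIISC project, that implements the same analysis on a constructed route snapshot: routes are parsed from the slide's "prefix Path: a, b, c" layout, the origin AS is taken as the last AS in the path (so prepending does not create a false conflict), and the three quantities the measurement slides report are computed: MOAS-conflicting prefixes, how many of them a single origin AS accounts for, the per-prefix conflict lifetime in days, and the MOAS ratio per prefix length. AS numbers 65001 and 65002 are placeholders for the unnamed transit ASes X and Z; the route lines are constructed sample data.

```python
# Added example (not from the NANOG-23 slides): find Multiple Origin AS (MOAS)
# conflicts in a snapshot of BGP routes, using the talk's definition of the
# origin AS as the last AS in the path. All route data below is constructed.
from collections import defaultdict


def parse_route_line(line):
    """'131.179.0.0/16 Path: 4513, 11422, 11422, 52' -> (prefix, [4513, ...])."""
    prefix, sep, path_text = line.partition("Path:")
    if not sep:
        raise ValueError(f"no AS path in route line: {line!r}")
    path = [int(tok) for tok in path_text.replace(",", " ").split()]
    if not path:
        raise ValueError(f"empty AS path in route line: {line!r}")
    return prefix.strip(), path


def origin_as(path):
    """The origin AS is the last AS in the path. Prepending (11422, 11422 in
    the slide's example) repeats an AS but does not change the origin."""
    return path[-1]


def origins_by_prefix(routes):
    """Collect the set of origin ASes seen for each prefix."""
    origins = defaultdict(set)
    for prefix, path in routes:
        origins[prefix].add(origin_as(path))
    return dict(origins)


def find_moas_conflicts(routes):
    """Prefixes announced by more than one origin AS -> sorted origin lists."""
    return {p: sorted(o) for p, o in origins_by_prefix(routes).items() if len(o) > 1}


def conflicts_per_origin(routes):
    """Number of MOAS-conflicting prefixes each origin AS is involved in. A
    single AS accounting for most of a spike is the fault pattern the talk
    reports (e.g. 11357 of 12593 prefixes from one AS)."""
    counts = defaultdict(int)
    for origins in find_moas_conflicts(routes).values():
        for asn in origins:
            counts[asn] += 1
    return dict(counts)


def moas_lifetime_days(daily_snapshots):
    """Days each prefix spent in MOAS conflict, given one snapshot per day
    (the quantity on the x-axis of the talk's lifetime histogram)."""
    days = defaultdict(int)
    for routes in daily_snapshots:
        for prefix in find_moas_conflicts(routes):
            days[prefix] += 1
    return dict(days)


def moas_ratio_by_prefix_length(routes):
    """Fraction of distinct prefixes of each length that are in MOAS conflict
    (the talk's per-prefix-length plot, counted over distinct prefixes)."""
    total = defaultdict(int)
    conflicting = defaultdict(int)
    conflicts = find_moas_conflicts(routes)
    for prefix in origins_by_prefix(routes):
        plen = int(prefix.rsplit("/", 1)[1])
        total[plen] += 1
        if prefix in conflicts:
            conflicting[plen] += 1
    return {plen: conflicting[plen] / total[plen] for plen in total}


# Constructed sample snapshot. 131.179/16 (origin 52), 128.9/16 (origins 4 and
# 226) and 18/8 (origins 58 and 59) reuse the talk's numbers; 65001 and 65002
# stand in for the unnamed transit ASes X and Z on the slide.
SAMPLE_SNAPSHOT = [parse_route_line(line) for line in [
    "131.179.0.0/16 Path: 4513, 11422, 11422, 52",
    "131.179.0.0/16 Path: 65001, 52",
    "128.9.0.0/16 Path: 65001, 4",
    "128.9.0.0/16 Path: 65002, 226",
    "18.0.0.0/8 Path: 58",
    "18.0.0.0/8 Path: 65002, 59",
]]

if __name__ == "__main__":
    print("MOAS conflicts:", find_moas_conflicts(SAMPLE_SNAPSHOT))
    print("per origin AS:", conflicts_per_origin(SAMPLE_SNAPSHOT))
    print("ratio by prefix length:", moas_ratio_by_prefix_length(SAMPLE_SNAPSHOT))
```

On the sample snapshot, 131.179/16 is announced over two paths but has a single origin (AS 52), so it is not a conflict; 128.9/16 and 18/8 are. Feeding one snapshot per day to moas_lifetime_days gives the histogram input, and conflicts_per_origin is the check that separates a single misbehaving AS from many independent multi-homing cases.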
Valid Causes of MOAS Conflicts
[Diagram, two cases]
• Multi-homing without BGP: the 128.9/16 nets are multi-homed to AS 4 and AS 226 without running BGP (static route or IGP route), so AS 4 originates 128.9/16 Path: 4 (seen as 128.9/16 Path: 11422, 4 via AS 11422) and AS 226 originates 128.9/16 Path: 226
• Private AS number substitution: AS 64512 announces 131.179/16 Path: 64512 to its providers AS X and AS Y, which substitute their own AS for the private one and announce 131.179/16 Path: X and 131.179/16 Path: Y

Invalid Causes of MOAS Conflicts
• Operational faults led to large spikes of MOAS conflicts
  • 04/07/1998: one AS originated 12593 prefixes, out of which 11357 were MOAS conflicts
  • 04/10/2001: another AS originated 9180 prefixes, out of which 9177 were MOAS conflicts
• Falsely originated routes
  • Errors
  • Intentional traffic hijacking

Handling MOAS Conflicts
• RFC 1930 recommends each prefix be originated from a single AS
• Today's routing practice leads to MOAS in normal operations
• We must tell valid MOAS cases from invalid ones
• Proposal 1: using BGP community attribute
• Proposal 2: DNS-based solution

BGP-Based Solution
• Define a new community attribute
  • Listing all the ASes allowed to originate a prefix
• Attach this MOAS community attribute to BGP route announcements
• Enable BGP routers to detect faults and attacks
  • At least in most cases, we hope!

Comm. Attribute Implementation Example
[Diagram: AS58, AS59 and AS52 attached to 18.0.0.0/8; announcements seen:
18/8, PATH<58>, MOAS{58,59}
18/8, PATH<59>, MOAS{58,59}
18/8, PATH<4>, MOAS{4,58,59}
18/8, PATH<52>, MOAS{52, 58}]
Example configuration:
router bgp 59
 neighbor 1.2.3.4 remote-as 52
 neighbor 1.2.3.4 send-community
 neighbor 1.2.3.4 route-map setcommunity out
route-map setcommunity
 match ip address 18.0.0.0/8
 set community 59:MOAS 58:MOAS additive

Implementation Considerations
• Quickly and incrementally deployable
  • Generating the MOAS community attribute: configuration changes only
• Detecting un-validated MOAS or a MOAS-CA conflict:
  • Short term: observable from monitoring platforms
  • Longer term: adding into BGP update processing
• But community attributes may be dropped by a transit AS due to local configurations or policies
  • Time to fix the handling of community attributes?
Another Proposal: DNS-based Solution
[Diagram: MOAS detected for 18/8, query the enhanced DNS service to verify]
Query 18.bgp.in-addr.arpa: origin AS?
Response 18.bgp.in-addr.arpa AS 58 8 AS 59 8
Example configuration (zone file for 18.bgp.in-addr.arpa):
$ORIGIN 18.bgp.in-addr.arpa.
...
AS 58 8
AS 59 8
...
• Put the MOAS list in a new DNS Resource Record
• ftp://psg.com/pub/dnsind/draft-bates-bgp4-nlri-orig-verif-00.txt by Bates, Li, Rekhter, Bush, 1998

Issues to Consider for the DNS Solution
• Provides a general prefix to origin AS mapping database
• Complementary to the community-attribute approach
  • Check with DNS when the community tag indicates a potential problem
• DNSSEC, once available, authenticates the MOAS list
• But requires changes to DNS and BGP
• DNS may be vulnerable without DNSSEC
  • When would DNSSEC be ready?
• Routing system querying naming system: circular dependency?
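The two proposals above (the MOAS community attribute on the BGP-based slides, and the 18.bgp.in-addr.arpa lookup on the DNS-based slides) are presented in the talk as complementary: check the community list first and consult DNS when it is missing or disagrees. The following is an added example, not code from the talk, the FNIISC project or the Bates draft, that implements that decision in a self-contained verifier. Communities are modelled as "ASN:MOAS" strings exactly as written in the slide's route-map (a real community would carry a numeric value in place of the MOAS word); the zone layout with "AS <asn> <prefixlen>" records under $ORIGIN, the reverse-octet naming for prefixes other than /8, and the classification labels are assumptions for this example. The zone text is constructed from the numbers on the slide, and AS 65000 is a placeholder for an origin that neither source lists.

```python
# Added example (not from the NANOG-23 slides): verify an announcement's origin
# AS against the proposed MOAS community list, falling back to a DNS-style
# prefix-to-origin database when the community is absent or disagrees.
import ipaddress

MOAS_TAG = "MOAS"  # assumed tag spelling, mirroring "59:MOAS" on the slide


def parse_moas_communities(communities):
    """Set of ASes listed in 'ASN:MOAS' communities, or None when no MOAS
    community is present at all (it may have been dropped by a transit AS),
    which the caller must treat differently from an empty list."""
    allowed = set()
    seen = False
    for community in communities:
        asn, sep, tag = community.partition(":")
        if sep and tag == MOAS_TAG and asn.isdigit():
            allowed.add(int(asn))
            seen = True
    return allowed if seen else None


def reverse_name(prefix):
    """Lookup name for a prefix, e.g. 18.0.0.0/8 -> '18.bgp.in-addr.arpa'.
    Assumption: octet-aligned prefixes, octets reversed as in in-addr.arpa."""
    net = ipaddress.ip_network(prefix, strict=True)
    octets = str(net.network_address).split(".")
    n = (net.prefixlen + 7) // 8
    return ".".join(reversed(octets[:n])) + ".bgp.in-addr.arpa"


def parse_zone(zone_text):
    """Parse 'AS <asn> <prefixlen>' records into {owner: {(asn, plen), ...}}.
    Records are assumed to be relative to the current $ORIGIN (owner '@' or
    omitted); ';' starts a comment."""
    origin = None
    records = {}
    for raw in zone_text.splitlines():
        tokens = raw.split(";")[0].split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".")
            continue
        if tokens[0] == "@":
            tokens = tokens[1:]
        if len(tokens) == 3 and tokens[0] == "AS":
            records.setdefault(origin, set()).add((int(tokens[1]), int(tokens[2])))
    return records


def dns_origins(prefix, records):
    """Origin ASes the database lists for exactly this prefix length, or None
    when the name has no records at all."""
    name = reverse_name(prefix)
    if name not in records:
        return None
    plen = ipaddress.ip_network(prefix).prefixlen
    return {asn for asn, length in records[name] if length == plen}


def verify_origin(prefix, origin, communities, records):
    """Classify an announcement following the slides' design: accept it on the
    attached MOAS list, ask the DNS-style database when the list is absent or
    does not contain the origin, and never treat an unverifiable one as valid."""
    allowed = parse_moas_communities(communities)
    if allowed is not None and origin in allowed:
        return "valid-community"
    listed = dns_origins(prefix, records)
    if listed is None:
        # No DNS data: a stripped community is merely unverified, but a MOAS
        # list that omits its own origin is a MOAS-CA conflict.
        return "unverified" if allowed is None else "invalid"
    return "valid-dns" if origin in listed else "invalid"


# Constructed zone, built from the 18.bgp.in-addr.arpa example on the slide.
SAMPLE_ZONE = """\
$ORIGIN 18.bgp.in-addr.arpa.
@ AS 58 8   ; AS 58 may originate 18/8
@ AS 59 8   ; AS 59 may originate 18/8
"""

if __name__ == "__main__":
    db = parse_zone(SAMPLE_ZONE)
    print(verify_origin("18.0.0.0/8", 59, ["59:MOAS", "58:MOAS"], db))
    print(verify_origin("18.0.0.0/8", 58, [], db))      # community stripped
    print(verify_origin("18.0.0.0/8", 65000, [], db))   # origin not listed
```

The community list is attached by whoever originates the route, so on its own it is a consistency check rather than authentication; that is why the slide pairs it with a DNS list that DNSSEC can sign. The "unverified" outcome is the case the summary warns about: with neither a community nor DNS data, a monitoring platform should report the MOAS rather than silently accept it.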
Summary
• MOAS conflicts exist today
• Some due to operational need; some due to faults
• Blind acceptance of MOAS could be dangerous
  • An open door for traffic hijacking
• We plan to finalize the solution and bring it to the IETF
Send all questions to fniisc@isi.edu
For more info about the FNIISC project: http://fniisc.nge.isi.edu