1 / 17

BGP Multiple Origin AS (MOAS) Conflict Analysis

BGP Multiple Origin AS (MOAS) Conflict Analysis. Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia Zhang , UCLA NANOG-23, October 23, 2001. Definition of MOAS. BGP routes include a prefix and AS path

hashim
Download Presentation

BGP Multiple Origin AS (MOAS) Conflict Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia Zhang, UCLA NANOG-23, October 23, 2001

  2. Definition of MOAS • BGP routes include a prefix and AS path • Example: 131.179.0.0/16, Path: 4513, 11422, 11422, 52 • Origin AS: the last AS in the path • In the above example: AS 52 originated the path advertisement for prefix 131.179/16 • Multiple Origin AS (MOAS): the same prefix announced by more than one origin AS NANOG 23 - Oakland

  3. Example MOAS Conflicts Static or IGP learned route to 128.9/16 128.9.0.0/16 Path: 4 128.9.0.0/16 Path: 226 128.9.0.0/16 Path: Z, 226 128.9.0.0/16 Path: X, 4 128.9.0.0/16 nets AS 4 AS 226 MOAS conflict ! AS X AS Z AS Y Valid MOAS case: 128.9/16 reachable either way Invalid MOAS case: 128.9/16 reachable one way but not the other NANOG 23 - Oakland

  4. Talk Outline • Measurement data shows that MOAS exists • Some MOAS cases caused by faults • Some MOAS cases due to operational need • Important to distinguish the two • proposed solutions NANOG 23 - Oakland

  5. Measurement Data Collection • Data collected from the Oregon Route Views • Peers with >50 routers from >40 different ASes. • Our analysis uses data [11/08/9707/18/01] (1279 days total) • More than 38000 MOAS conflicts observed during this time period At a given moment, • The Route Views server observed 1364 MOAS conflicts • The views from 3 individual ISPs showed 30, 12 and 228 MOAS conflicts NANOG 23 - Oakland

  6. MOAS Conflicts Do Exist Max: 10226 (9177 from a single AS) Max: 11842 (11357 from a single AS) NANOG 23 - Oakland

  7. Histogram of MOAS Conflict Lifetime # of MOAS conflicts Total # of days a prefix experienced MOAS conflict NANOG 23 - Oakland

  8. Distribution of MOAS Conflicts over Prefix Lengths ratio of # MOAS entries over total routing entries for the same prefix length NANOG 23 - Oakland

  9. Valid Causes of MOAS Conflicts Multi-homing without BGP Private AS number Substitution 128.9/16 Path: 226 128.9/16 Path: 11422,4 131.179/16 Path: X 131.179/16 Path:Y AS 226 AS Y AS X AS 11422 131.179/16 Path: 64512 Static route or IGP route 128.9/16 Path: 4 AS 64512 AS 4 128.9/16 131.179/16 NANOG 23 - Oakland

  10. Invalid Causes of MOAS Conflicts • Operational faults led to large spikes of MOAS conflicts • 04/07/1998: one AS originated 12593 prefixes, out of which 11357 were MOAS conflicts • 04/10/2001: another AS originated 9180 prefixes, out of which 9177 were MOAS conflicts • Falsely originated routes • Errors • Intentional traffic hijacking NANOG 23 - Oakland

  11. Handling MOAS Conflicts • RFC 1930 recommends each prefix be originated from a single AS • Today’s routing practice leads to MOAS in normal operations • We must tell valid MOAS cases from invalid ones • Proposal 1: using BGP community attribute • Proposal 2: DNS-based solution NANOG 23 - Oakland

  12. BGP-Based Solution • Define a new community attribute • Listing all the ASes allowed to originate a prefix • Attach this MOAS community-attribute to BGP route announcement • Enable BGP routers to detect faults and attacks • At least in most cases, we hope! NANOG 23 - Oakland

  13. Comm. Attribute Implementation Example 18/8, PATH<58>, MOAS{58,59} 18/8, PATH<59>, MOAS{58,59} 18/8, PATH<4>, MOAS{4,58,59} 18/8, PATH<52>, MOAS{52, 58} AS58 18.0.0.0/8 AS52 AS59 Example configuration: router bgp 59 neighbor 1.2.3.4 remote-as 52 neighbor 1.2.3.4 send-community neighbor 1.2.3.4 route-map setcommunity out route-map setcommunity match ip address 18.0.0.0/8 set community 59:MOAS 58:MOAS additive NANOG 23 - Oakland

  14. Implementation Considerations • Quickly and incrementally deployable • Generating MOAS community attribute: configuration changes only • Detecting un-validated MOAS or a MOAS-CA conflict: • Short term: observable from monitoring platforms • Longer term: adding into BGP update processing • But community attributes may be dropped by a transit AS due to local configurations or policies • time to fix the handling of community attributes? NANOG 23 - Oakland

  15. Another Proposal: DNS-based Solution MOAS detected for 18/8, query DNS to verify Query 18.bgp.in-addr.arpa: origin AS? Response 18.bgp.in-addr.arpa AS 58 8 AS 59 8 Example configuration (zone file for 18.bgp.in-addr.arpa): $ORIGIN 18.bpg.in-addr.arpa. ... AS 58 8 AS 59 8 ... • Put the MOAS list in a new DNS Resource Record ftp://psg.com/pub/dnsind/draft-bates-bgp4-nlri-orig-verif-00.txt by Bates, Li, Rekhter, Bush, 1998 Enhanced DNS service NANOG 23 - Oakland

  16. Issues to Consider for the DNS Solution • Provides a general prefix to origin AS mapping database • Complementary to Community-attribute Approach • Check with DNS when community tag indicates a potential problem • DNSSEC, once available, authenticates the MOAS list • But requires changes to DNS and BGP • DNS may be vulnerable without DNSSEC • When would DNSSEC be ready? • Routing system querying naming system: circular dependency? NANOG 23 - Oakland

  17. Summary • MOAS conflicts exist today • Some due to operational need; some due to faults • Blind acceptance of MOAS could be dangerous • An open door for traffic hijacking • We plan to finalize the solution and bring to IETF Send all questions to fniisc@isi.edu For more info about FNIISC project: http://fniisc.nge.isi.edu NANOG 23 - Oakland

More Related