
An Analysis of BGP Multiple Origin AS (MOAS) Conflicts

An Analysis of BGP Multiple Origin AS (MOAS) Conflicts. Xiaoliang Zhao, NCSU; S. Felix Wu, UC Davis; Allison Mankin, Dan Massey, USC/ISI; Dan Pei, Lan Wang, Lixia Zhang, UCLA. IMW2001, November 1, 2001. Outline. Introduction of BGP Multiple Origin AS (MOAS) conflicts analysis


Presentation Transcript


  1. An Analysis of BGP Multiple Origin AS (MOAS) Conflicts
     Xiaoliang Zhao, NCSU
     S. Felix Wu, UC Davis
     Allison Mankin, Dan Massey, USC/ISI
     Dan Pei, Lan Wang, Lixia Zhang, UCLA
     IMW2001, November 1, 2001

  2. Outline
     • Introduction of BGP
     • Multiple Origin AS (MOAS) conflicts analysis
     • Summary and recent work
     IMW2001 - San Francisco

  3. Border Gateway Protocol 4 (BGP-4)
     • To exchange inter-domain routing information
     • Defined in RFC 1771, deployed since 1995 to support CIDR
     • Path Vector Routing Protocol
       ◦ Includes the path information to the destination
       ◦ Loop detection
       ◦ Eliminates the count-to-infinity problem, but still converges slowly [Labovitz97]
     • More flexibility for local policy design

  4. BGP operational environment
     • Autonomous System (AS): a set of routers under a single technical administration
       ◦ e.g., AS4: ISI, AS3561: Cable & Wireless, etc.
     • Each AS, the originator, advertises its own networks to its neighboring ASs; the neighboring ASs then propagate those advertisements to the rest of the Internet
       ◦ “I tell you, you tell your friends, and so on”
     • A BGP route lists a prefix (destination) and the path of ASs to reach that prefix
       ◦ e.g., R=(p, <AS1, AS2, AS3>), where AS3 is the origin AS for the prefix p and AS2 provides the transit service for p.

  5. BGP route updates and MOAS conflicts
     [Figure: network diagram of AS 4, AS 226, AS X, AS Y and AS Z around the 128.9.0.0/16 nets. Announcements shown: 128.9.0.0/16 Path: 4; 128.9.0.0/16 Path: 226; 128.9.0.0/16 Path: X, 4; 128.9.0.0/16 Path: Z, 226. Callout: MOAS conflict!]

  6. Motivation
     • It is recommended [RFC 1930] that each prefix should be originated by a single AS, with a few possible exceptions
     • However, the recommendation is not followed in practice
     • We want to answer the question: “What are the reasons for MOAS conflicts and what are the impacts?”
     • Data talks...

  7. Measurement Data Collection
     • Data collected from the Oregon Route Views
       ◦ Peers with >50 routers from >40 different ASes.
     • Our analysis uses data [11/08/97 - 07/18/01] (1279 days total)
     • At a randomly selected moment,
       ◦ The Route Views server observed 1364 MOAS conflicts
       ◦ The views from 3 individual ISPs showed 30, 12 and 228 MOAS conflicts
     • More than 38000 MOAS conflicts observed during this time period.

  8. Example MOAS Data

     Conflict#  prefix        start date  end date  days  origin ASs
     7          12.0.0.0/8    01/28/98    02/01/98     5  7018+1757
                              02/03/98    04/14/98    68  7018+1757
                              04/16/98    04/26/98    11  7018+1757
                              05/12/98    05/12/98     1  7018+1290
     total lifetime for conflict #7 = 85 days
     ...
     234        128.9.0.0/16  09/25/98    10/09/98    15  226+4
                              12/01/98    02/04/99    63  226+4
                              02/06/99    04/26/99    78  226+4
                              04/28/99    08/04/99    94  226+4
                              08/07/99    09/01/00   352  226+4
                              09/03/00    11/13/00    68  226+4
                              11/15/00    11/21/00     7  226+4
                              11/23/00    11/30/00     8  226+4
                              12/02/00    12/12/00    11  226+4
                              12/14/00    12/26/00    13  226+4
                              12/28/00    07/15/01   190  226+4
                              07/17/01    -            2  226+4
     total lifetime for conflict #234 = 901 days

     (total 38225 MOAS conflicts)

  9. MOAS Conflicts Do Exist
     [Figure. Annotations: Max: 10226 (9177 from a single AS); Max: 11842 (11357 from a single AS)]

  10. Histogram of MOAS Conflict Lifetime
      [Figure: histogram. Axes: # of MOAS conflicts; total # of days a prefix experienced MOAS conflict]

  11. Distribution of MOAS Conflicts over Prefix Lengths
      [Figure. Axis: ratio of # MOAS entries over total routing entries for the same prefix length]

  12. Classification of MOAS conflicts
      • Given a MOAS conflict for prefix p and two associated AS paths: asp1 = (x_1, x_2, …, x_n) and asp2 = (y_1, y_2, …, y_m)
      • Classified into three categories:
        ◦ OriginTranAS: x_n = y_j (j < m)
        ◦ SplitView: x_i = y_j (i < n, j < m)
        ◦ DistinctPaths: x_i ≠ y_j (1 ≤ i ≤ n, 1 ≤ j ≤ m)
      [Slide callout: PSI.net event]

  13. Valid Causes of MOAS Conflicts (1)
      • AS sets
        ◦ typically only 12 prefixes out of 100K prefixes end with AS sets, and these AS sets were consistent with others
      • Anycast addresses
      • Exchange point addresses
        ◦ E.g.: 198.32.136.0/24 was originated by ASes 2914, 3561, 4006, 6079, 6453, 6461 and 7018.
        ◦ Few instances: 30 out of 38225 are identified as EP addresses
        ◦ Lifetime: 1226 days out of 1279 days for 198.32.138.0/24

  14. Valid Causes of MOAS Conflicts (2)
      [Figure, two panels.
       Multi-homing without BGP: 128.9/16 sits in AS 4 and reaches AS 226 over a static route or IGP route. Announcements shown: 128.9/16 Path: 4; 128.9/16 Path: 11422,4; 128.9/16 Path: 226.
       Private AS number Substitution: 131.179/16 sits in AS 64512. Announcements shown: 131.179/16 Path: 64512; 131.179/16 Path: X; 131.179/16 Path: Y.]

  15. Invalid Causes of MOAS Conflicts
      • Operational faults led to large spikes of MOAS conflicts
        ◦ 04/07/1998: one AS originated 12593 prefixes, out of which 11357 were MOAS conflicts
        ◦ 04/10/2001: another AS originated 9180 prefixes, out of which 9177 were MOAS conflicts
      • There are many smaller scale examples of falsely originated routes
        ◦ Errors
        ◦ Intentional traffic hijacking

  16. Summary
      • MOAS conflicts exist today
        ◦ Some due to operational need; some due to faults
      • Blind acceptance of MOAS could be dangerous
        ◦ An open door for traffic hijacking
      • A solution for determining MOAS validity is under development
      For more info about the FNIISC project: http://fniisc.nge.isi.edu

  17. Recent Work: MOAS Solutions
      • Proposal 1: using BGP community attribute
      • Proposal 2: DNS-based solution
      • Solutions presented to NANOG 23

  18. BGP-Based Solution
      • Define a new community attribute
        ◦ Listing all the ASes allowed to originate a prefix
      • Attach this MOAS community-attribute to BGP route announcement
      • Enable BGP routers to detect faults and attacks
        ◦ At least in most cases, we hope!

  19. Comm. Attribute Implementation Example
      [Figure: AS58, AS59 and AS52 around prefix 18.0.0.0/8. Announcements shown:
       18/8, PATH<58>, MOAS{58,59}
       18/8, PATH<59>, MOAS{58,59}
       18/8, PATH<4>, MOAS{4,58,59}
       18/8, PATH<52>, MOAS{52, 58}]
      Example configuration:

          router bgp 59
           neighbor 1.2.3.4 remote-as 52
           neighbor 1.2.3.4 send-community
           neighbor 1.2.3.4 route-map setcommunity out
          route-map setcommunity
           match ip address 18.0.0.0/8
           set community 59:MOAS 58:MOAS additive

  20. Another Proposal: DNS-based Solution
      • Put the MOAS list in a new DNS Resource Record
        ftp://psg.com/pub/dnsind/draft-bates-bgp4-nlri-orig-verif-00.txt by Bates, Li, Rekhter, Bush, 1998
      [Figure: MOAS detected for 18/8, query DNS to verify. Query to the enhanced DNS service: 18.bgp.in-addr.arpa, origin AS? Response: 18.bgp.in-addr.arpa AS 58 8, AS 59 8]
      Example configuration (zone file for 18.bgp.in-addr.arpa):

          $ORIGIN 18.bgp.in-addr.arpa.
          ...
          AS 58 8
          AS 59 8
          ...
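The detection and classification described on slides 5 and 12, as an added example that is not part of the presentation or the authors' tooling: it groups routes by prefix, reports prefixes with more than one origin AS, and assigns each pair of paths one of the three classes. The routing table is constructed for illustration, and applying the slide's x_n = y_j test in both directions is an assumption.

```python
from collections import defaultdict
from itertools import combinations

def classify(asp1, asp2):
    """Classify two AS paths for one prefix; the origin AS is the last element."""
    o1, o2 = asp1[-1], asp2[-1]
    if o1 == o2:
        return None  # same origin, so this pair is not a MOAS conflict
    # Transit ASes: everything on the path except the origin. Using sets also
    # absorbs AS-path prepending such as <64496, 4, 4>.
    t1, t2 = set(asp1) - {o1}, set(asp2) - {o2}
    if o1 in t2 or o2 in t1:  # assumption: the x_n = y_j test applied both ways
        return "OriginTranAS"
    if t1 & t2:
        return "SplitView"
    return "DistinctPaths"

def find_moas(routes):
    """Group (prefix, as_path) routes; report prefixes with more than one origin."""
    by_prefix = defaultdict(set)
    for prefix, path in routes:
        by_prefix[prefix].add(tuple(path))
    conflicts = {}
    for prefix, paths in by_prefix.items():
        origins = sorted({p[-1] for p in paths})
        if len(origins) > 1:
            classes = {classify(a, b) for a, b in combinations(sorted(paths), 2)}
            conflicts[prefix] = {"origins": origins,
                                 "classes": sorted(classes - {None})}
    return conflicts

# Constructed sample table. Origin pairs 4/226 and 7018/1757 are from the slides;
# every path and all 644xx/645xx AS numbers are made up for illustration.
ROUTES = [
    ("128.9.0.0/16", [64496, 4, 4]),          # prepended origin
    ("128.9.0.0/16", [64497, 226]),
    ("12.0.0.0/8", [64496, 7018]),
    ("12.0.0.0/8", [64497, 7018, 1757]),
    ("192.0.2.0/24", [64496, 64500, 64501]),
    ("192.0.2.0/24", [64497, 64500, 64502]),
    ("198.51.100.0/24", [64496, 64510]),      # two paths, one origin: no conflict
    ("198.51.100.0/24", [64497, 64510]),
]

if __name__ == "__main__":
    for prefix, info in find_moas(ROUTES).items():
        print(prefix, info)
```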
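The MOAS-list check from slides 18 and 19, as an added example that is not the authors' implementation: it parses announcements in the slide's own notation, flags a prefix whose announcements carry differing MOAS lists, and, when given a verified origin set such as the DNS answer on slide 20, names the origins that disagree with it. The `trusted` parameter and the rule that a route without a list stands for its origin alone are assumptions of this sketch; no DNS query is made.

```python
import re
from collections import defaultdict

# Slide notation: "<prefix>, PATH<as ...>, MOAS{as, ...}" (the MOAS part may be absent).
ANN = re.compile(r"(\S+),\s*PATH<([\d\s,]+)>(?:,\s*MOAS\{([\d\s,]*)\})?")

def _asns(text):
    return [int(a) for a in re.findall(r"\d+", text)]

def parse(line):
    m = ANN.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unparseable announcement: {line!r}")
    path = _asns(m.group(2))
    # Assumption: a route with no MOAS list is read as "only my origin may announce".
    moas = frozenset(_asns(m.group(3) or "")) or frozenset({path[-1]})
    return m.group(1), path, moas

def check(lines, trusted=None):
    """Compare the MOAS lists heard per prefix. 'trusted' optionally maps a prefix
    to a verified origin set (hypothetical stand-in for the slide 20 DNS answer)."""
    heard = defaultdict(list)
    for line in lines:
        prefix, path, moas = parse(line)
        heard[prefix].append((path[-1], moas))
    report = {}
    for prefix, anns in heard.items():
        ref = (trusted or {}).get(prefix)
        suspects = set()
        for origin, moas in anns:
            if origin not in moas:                 # origin missing from its own list
                suspects.add(origin)
            elif ref is not None and moas != ref:  # disagrees with the verified set
                suspects.add(origin)
        report[prefix] = {"consistent": len({m for _, m in anns}) == 1,
                          "suspect_origins": sorted(suspects)}
    return report

# The four announcements shown on slide 19, in the slide's own notation.
SLIDE19 = [
    "18/8, PATH<58>, MOAS{58,59}",
    "18/8, PATH<59>, MOAS{58,59}",
    "18/8, PATH<4>, MOAS{4,58,59}",
    "18/8, PATH<52>, MOAS{52, 58}",
]

if __name__ == "__main__":
    print(check(SLIDE19))
    print(check(SLIDE19, trusted={"18/8": frozenset({58, 59})}))
```

Without a verified set the check can only say that the lists disagree; it cannot tell which announcement is the false one, since every list here names its own origin.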
