CIS 185 CCNP ROUTE Ch. 6 Border Gateway Protocol Solution for ISP Connectivity – Part 1 Rick Graziani Cabrillo College graziani@cabrillo.edu Last Updated: Fall 2010
Materials • Book: • Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide: Foundation learning for the ROUTE 642-902 Exam • By Diane Teare • Book • ISBN-10: 1-58705-882-0 • ISBN-13: 978-1-58705-882-0 • eBook • ISBN-10: 0-13-255033-4 • ISBN-13: 978-0-13-255033-8
Terms • What is an IGP (Interior Gateway Protocol)? • A routing protocol used to exchange routing information within an autonomous system. • RIP, IGRP, EIGRP, OSPF, IS-IS • What is an EGP (Exterior Gateway Protocol)? • A routing protocol used to exchange routing information between autonomous systems. • BGP (Border Gateway Protocol) is an Interdomain Routing Protocol (IDRP), which is also known as an EGP. • BGP is a path vector routing protocol. • What is an Autonomous System? • (From RFC 1771) “A set of routers under a single technical administration, using an IGP and common metrics to route packets within the AS, and using an EGP to route packets to other AS’s.”
BGP version 4 (BGP-4) (latest version of BGP) • It is defined in Request for Comments (RFC) 4271, A Border Gateway Protocol 4 (BGP-4), which obsoletes RFC 1771. • As noted in this RFC, the classic definition of an AS is “A set of routers under a single technical administration, using an Interior Gateway Protocol (IGP) and common metrics to determine how to route packets within the AS, and using an inter-AS routing protocol to determine how to route packets to other [autonomous systems].” • The multiprotocol extensions to BGP-4 (MP-BGP, RFC 4760, sometimes called BGP4+) add IPv6 and other address families.
BGP Use Between Autonomous Systems • Main goal is to provide an interdomain routing system that guarantees the loop-free exchange of routing information between ASes. • BGP is a successor to the Exterior Gateway Protocol (EGP). (Note the dual use of the EGP acronym: the generic class of protocol and the specific, obsolete protocol.) • BGP-4 is a classless routing protocol, so it supports: • VLSM • CIDR • There are more than 300,000 CIDR blocks in the Internet routing table (as of 2010) • Without CIDR, full Internet routing tables would contain more than 2,000,000 entries.
Comparison with Other Scalable Routing Protocols • BGP does not use link speed (bandwidth) to pick the best path. • BGP is a policy-based routing protocol that allows an AS to control traffic flow using multiple BGP attributes. • Routers exchange network reachability information, called path vectors, made up of path attributes • These include a list of the full path of BGP AS numbers (the AS_PATH) that a router should take to reach a destination network.
When to use BGP and when not to use BGP Use BGP when the effects of BGP are well understood and one of the following conditions exist: • The AS allows packets to transit through it to reach another AS (transit AS). • The AS has multiple connections to other AS’s. • The flow of traffic entering or exiting the AS must be manipulated. • This is policy based routing and based on attributes.
When to use BGP and when not to use BGP Do not use BGP if you have one or more of the following conditions: • A single connection to the Internet or another AS • No concern for routing policy or routing selection • A lack of memory or processing power on your routers to handle constant BGP updates • A limited understanding of route filtering and BGP path selection process • Low bandwidth between AS’s
Who needs BGP? • Not as many internetworks as you may think. • “You should implement BGP only when a sound engineering reason compels you to do so, such as when the IGPs do not provide the tools necessary to implement the required routing policies or when the size of the routing table cannot be controlled with summarization.” • “The majority of the cases calling for BGP involve Internet connectivity – either between a subscriber and an ISP or (more likely) between ISPs.” • “Yet even when interconnecting autonomous systems, BGP might be unnecessary.” Jeff Doyle, Routing TCP/IP Vol. II
Overview of autonomous systems • AS - A group of routers that share similar routing policies and operate within a single administrative domain. • An AS can be a: • Collection of routers running a single IGP (Single company) • Collection of routers running different protocols all belonging to one organization (ISP) • In either case, the outside world views the entire Autonomous System as a single entity.
Overview of autonomous systems AS Numbers • Assigned by an Internet registry or a service provider. • 16-bit AS numbers range from 0 to 65,535. • 0 - Reserved • 1 through 64,495 - Assignable for public use • 64,496 through 64,511 - Reserved for use in documentation (RFC 5398) • 64,512 through 65,534 - Private use • This is similar to RFC 1918 IP addresses. • 65,535 - Reserved • Because of the finite number of available AS numbers, an organization must present justification of its need before it will be assigned an AS number.
Today, the Internet number registries (IANA and the Regional Internet Registries) enforce a policy whereby organizations that connect to a single provider and share the provider's routing policies use an AS number from the private pool, 64,512 to 65,534.
RFC 4893, BGP Support for Four-octet AS Number Space, defines 32-bit AS numbers in anticipation of the depletion of the 16-bit AS number space (it has since been replaced by RFC 6793). A BGP speaker without the 4-octet AS capability sees the reserved 16-bit value 23456 (AS_TRANS) in place of each 32-bit ASN in the AS_PATH. • http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_C11_516823.html • http://www.potaroo.net/tools/asn16/ • http://www.iana.org/assignments/as-numbers/as-numbers.xml
Using BGP • BGP dynamically exchanges routing information • BGP reacts to topology changes including those changes beyond a customer-to-ISP link failure.
Connection Redundancy • The ISP connection can also be made redundant. • A customer can be connected to a single ISP or to multiple ISPs.
Single-homed autonomous systems • Single-homed system AS • One Link per ISP, One ISP • Only one exit point to outside networks. • Often referred to as stub networks or stubs. • Usually use a default route to handle all traffic destined for non-local networks. • BGP is not normally needed in this situation
Single-homed autonomous systems IGP Option • IGP: Both the provider and the customer use an IGP to share information regarding the customer's networks. • Customer: • Sends public network address • Receives default route
Single-homed autonomous systems BGP Option • In a single-homed autonomous system the customer's routing policies are an extension of the policies of the provider. • Internet number registries are unlikely to assign a public AS number. • Use an AS number from the private pool of AS numbers, 64,512 to 65,534. • The provider strips these private numbers from the AS_PATH (on Cisco IOS, neighbor ip-address remove-private-as) when advertising the customer's routes toward the core of the Internet. (later)
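The AS-number ranges on the preceding slides, the 4-octet (32-bit) numbers and the private-AS stripping a provider performs are easy to get wrong at a peering boundary. The following is an added example, not part of the course material and not Cisco IOS code: a small Python module that classifies an ASN against the IANA ranges, converts between RFC 5396 asdot and asplain notation, shows what a 2-octet-only peer sees in an AS_PATH containing 32-bit ASNs, and mimics the classic IOS remove-private-as rule. The mixed-path behaviour (private ASNs are left alone when a public ASN is also present) is the classic IOS behaviour; newer releases add an "all" keyword that strips unconditionally.

```python
"""AS number classification, asdot/asplain conversion (RFC 5396) and the
private-AS stripping a provider applies before re-advertising a customer's
routes.

Added example for these slides; it is not from the course material or from
Cisco IOS. Range boundaries follow the IANA AS Numbers registry: 0 and 65535
reserved, 64496-64511 reserved for documentation (RFC 5398), 64512-65534
private (16-bit), 4200000000-4294967294 private (32-bit, RFC 6996) and 23456
reserved as AS_TRANS (RFC 4893/6793).
"""
from typing import List

AS_TRANS = 23456          # placeholder a 2-octet-only peer sees for a 32-bit ASN
MAX_16 = 65535
MAX_32 = 4_294_967_295


def classify_asn(asn: int) -> str:
    """Return the IANA category of an AS number."""
    if not 0 <= asn <= MAX_32:
        raise ValueError(f"{asn} is outside the 32-bit AS number space")
    if asn in (0, MAX_16, MAX_32):
        return "reserved"
    if asn == AS_TRANS:
        return "as-trans"
    if 64496 <= asn <= 64511:
        return "documentation"
    if 64512 <= asn <= 65534:
        return "private-16bit"
    if 4_200_000_000 <= asn <= 4_294_967_294:
        return "private-32bit"
    return "public-16bit" if asn <= MAX_16 else "public-32bit"


def is_private(asn: int) -> bool:
    """True for the RFC 6996 private ranges (16-bit and 32-bit)."""
    return classify_asn(asn) in ("private-16bit", "private-32bit")


def asdot_to_asplain(text: str) -> int:
    """Parse '1.10' (asdot) or '65546' (asplain) into an integer ASN."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= MAX_16 and 0 <= low <= MAX_16):
            raise ValueError(f"bad asdot value {text!r}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= MAX_32:
        raise ValueError(f"bad asplain value {text!r}")
    return asn


def asplain_to_asdot(asn: int) -> str:
    """Render an ASN in asdot notation: plain below 65536, <high>.<low> above."""
    return str(asn) if asn <= MAX_16 else f"{asn >> 16}.{asn & 0xFFFF}"


def as_path_for_2octet_peer(as_path: List[int]) -> List[int]:
    """What a peer without the 4-octet AS capability sees: every 32-bit ASN is
    replaced by AS_TRANS (the real numbers travel in the AS4_PATH attribute)."""
    return [AS_TRANS if asn > MAX_16 else asn for asn in as_path]


def remove_private_as(as_path: List[int]) -> List[int]:
    """Classic IOS 'neighbor ... remove-private-as' rule: private ASNs are
    stripped only when the whole path is private; a path that mixes private
    and public ASNs is treated as a configuration error and left unchanged."""
    if as_path and all(is_private(asn) for asn in as_path):
        return []
    return list(as_path)
```

In practice the customer's prefixes arrive at the provider's edge with an AS_PATH such as [65500]; after remove_private_as the provider prepends its own public ASN and the Internet never sees 65500, which is why two unrelated customers can reuse the same private number without a loop-detection clash.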
Dual-homed AS • Two or more links per ISP, one ISP • Same options as single-homed • Additional advantages: • Primary and backup link functionality • Load balancing
Single multi-homed AS (multi-homed) • One link per ISP, two or more ISPs • Typically recommended to run BGP • Options: (more later on these) • ISP1 and ISP2: Full Internet routes • ISP1: Full Internet routes; ISP2: Partial updates (selected) • ISP1: Default route; ISP2: Partial updates (selected)
Source: http://bgp.potaroo.net/ (figure dated 10/31/2010) • Caution when receiving full Internet routes: • Over 300,000 summarized routes (over 2,000,000 unsummarized) • As a rule of thumb, 100,000 routes require about 70 MB of RAM for the BGP table
Dual multi-homed AS • Two or more links per ISP, two or more ISPs • Similar options as single multi-homed • Same benefits as single multi-homed but with enhanced resiliency.
Using BGP in an Enterprise Network • External BGP (EBGP) - When BGP is running between routers in different autonomous systems. • Internal BGP (IBGP) - When BGP is running between routers in the same AS. • Understanding how BGP works is important to avoid creating problems for your AS as a result of running BGP.
Transit AS • Multihomed system • More than one exit point to outside networks. • May be a: • Transit AS • Non-transit AS • Transit traffic - Traffic that has both source and destination outside the AS. • Transit AS - allows transit traffic • Non-transit AS - does not allow transit traffic. • Advertises only its own routes to both providers • Does not advertise routes it learned from one provider to the other. • Therefore, ISP1 will not use AS 24 (the customer AS in the figure) to reach destinations that belong to ISP2, and vice versa.
AS 65500 is learning routes from both ISP-A and ISP-B via EBGP • Also running IBGP on all of its routers. (later) • Learns about routes and chooses the best way to each one based on the configuration of the routers in the AS and the BGP routes passed from the ISPs. • If one of the connections to the ISPs goes down, traffic will be sent through the other ISP.
Transit AS • AS 65500 wants to have a redundant Internet connection, but does not want to act as a transit AS between ISP-A and ISP-B. • AS 65500 learns from ISP-A a route to 172.18.0.0/16. • If that route is: • Propagated through AS 65500 using IBGP • And mistakenly announced to ISP-B • Then ISP-B might decide that the best way to get to 172.18.0.0/16 is through AS 65500, instead of through the Internet. • AS 65500 would then be acting as a transit AS (an ISP), carrying ISP-B's traffic across its own links. • A very undesirable situation. • Careful BGP configuration (outbound filtering toward each ISP) is required to avoid this situation.
Multihoming options (figure: each ISP sends either a default route, a default route plus its own routes, or all Internet routes) • If an organization has determined that it will perform multihoming with BGP, three common ways to do this are as follows: • Each ISP passes only a default route to the AS • The default route is passed to the internal routers. • Each ISP passes only a default route and provider-owned specific routes to the AS • These routes can be passed to internal routers, or all internal routers in the transit path can run BGP and pass these routes between them. • Each ISP passes all routes to the AS • All internal routers in the transit path run BGP and pass these routes between them.
Multihoming with Default Routes from All Providers (figure: AS 65500 networks; each ISP sends 0.0.0.0/0) • First multihoming option is to receive only a default route from each ISP. • Both edge routers learn a default route from their attached ISP • Propagate it into the routing domain via an IGP • Requires the least resources • AS 65500 propagates its “owned” routes to both ISPs • If a router within the AS learns about multiple default routes, the local IGP installs the best default route into the routing table. • This allows AS 65500 to add new customers (new networks) without relying on the upstream provider. • Otherwise the ISP would have to create the network and add a static route pointing to AS 65500
Multihoming with Default Routes and Partial Table from All Providers (figure: AS 65500 networks; ISP A sends its own prefixes plus 0.0.0.0/0, ISP B sends its own prefixes plus 0.0.0.0/0) • Both ISPs pass default routes plus select specific routes to the AS. • The internal routers of the customer can receive these routes via: • Redistribution into the IGP • IBGP transit path (later) • The internal routers route packets: • ISP A networks via ISP A • ISP B networks via ISP B • Everything else via the default route at the nearest edge router (possible suboptimal routing)
Multihoming with Full Routes from All Providers (figure: AS 65500 networks; each ISP sends all Internet routes) • All ISPs pass all routes to the AS • IBGP is run on at least all the routers in the transit path in this AS. • Requires a lot of resources within the AS because it must process all the external routes. • The internal routers of the customer can receive these routes via: • Redistribution into the IGP (ex: OSPF): Not recommended! • IBGP transit path (later): We’ll say this is the case. • The ISP that a specific router within AS 65500 uses to reach the external networks is determined by IBGP. • The routers in AS 65500 can be configured to influence the path to certain networks. • For example, Router A and Router B can influence the outbound traffic from AS 65500. (Later - Attributes)
BGP Path Vector Characteristics (figure: networks in AS 64700 are 192.168.24.0, 192.168.25.0 and 172.20.0.0; the path advertised to reach them is 64520 64600 64700) • IGP routing protocols use metrics to determine the best path: • OSPF cost (derived from bandwidth), EIGRP composite metric (bandwidth and delay, optionally reliability and load), RIP hop count • BGP routers exchange network reachability information, called path vectors, made up of path attributes • The path vector information includes a list of the full path of BGP AS numbers (the AS_PATH, one entry per AS traversed) necessary to reach a destination network. • Other attributes include: • The IP address of the next-hop router used to reach the network (the NEXT_HOP attribute) • How the network was introduced into BGP (the ORIGIN attribute) • And more… later!
AS Path information is used to construct a graph of loop-free ASes and to identify routing policies (later) • AS 64512: AS Path to 192.168.24.0 = 64520 > 64600 > 64700 • The BGP AS Path is guaranteed to be loop free. • A BGP router does not accept a routing update whose AS Path already includes its own AS number.
Loop Free Path • AS_PATH • List of AS numbers associated with a BGP route • One of several path attributes associated with each route. • Path attributes will be discussed in much more detail later. • We will discuss how BGP chooses the best path later. • All else being equal, the shortest inter-AS path is simply the one with the fewest AS numbers in its AS_PATH. • In this example, AS7 will choose the shortest path (4, 2, 1). • We will see later what happens with equal-length paths.
Loop Free Path Routing Loop Avoidance • Route loops can be easily detected when a router receives an update containing its local AS number in the AS_PATH. • When this occurs, the router will not accept the update, thereby avoiding a potential routing loop.
Possible paths for AS 64512 to reach networks in AS 64700, through AS 64520: • 64520 64600 64700 • 64520 64600 64540 64550 64700 • 64520 64540 64600 64700 • 64520 64540 64550 64700 • AS 64512 does NOT see all these possibilities. • AS 64520 advertises to AS 64512 only its best path: • 64520 64600 64700 (assuming no other policies supersede AS Path) • AS 64512 could also get a best path from AS 64530 • AS 64512 would then decide which path is best (via 64530 or via 64520) based on its own AS policies.
Multihomed nontransit autonomous systems (figure: each ISP tells the customer AS “Here are the networks you can reach through me”; one adds “I will try to make it so that you prefer me”; the customer AS: “We have a choice on which way to send our traffic.”) • Incoming route advertisements influence your outgoing traffic, and outgoing advertisements influence your incoming traffic.
Multihomed nontransit autonomous systems (figure: the customer AS tells one ISP “These are the networks you can reach through me. I will include ISP1 networks but include my AS number multiple times so you may prefer another route” (AS path prepending), and tells the other ISP “These are the networks you can reach through me, but I will not include ISP2 networks”) • Incoming route advertisements influence your outgoing traffic, and outgoing advertisements influence your incoming traffic.
BGP Hazards – Inadvertent Transit Domain • We inadvertently advertise routes learned from ISP2 to ISP1. • ISP1 customers will see our network as the best path to ISP2 customers. • We have become a transit domain for packets from ISP1 to ISP2. • More later…
BGP Hazards – Doyle, Routing TCP/IP BGP Peering • Creating a BGP “peering” relationship involves an interesting combination of trust and mistrust. • You must trust the network administrator on that end to know what they are doing. • At the same time, if you are smart, you will take every practical measure to protect yourself in the event that a mistake is made on the other end. • “Paranoia is your friend.”
BGP Hazards – Doyle, Routing TCP/IP • Your ISP will show little patience with you if you make mistakes in your BGP configuration. • Suppose, for example, that through some misconfiguration you advertise 207.46.0.0/16 to your ISP. • On the receiving side, the ISP does not filter out this incorrect route, allowing it to be advertised to the rest of the Internet. • This particular CIDR block belongs to Microsoft, and you have just claimed to have a route to that destination. • A significant portion of the Internet community could decide that the best path to Microsoft is through your domain. • You will receive a flood of unwanted packets across your Internet connection and, more importantly, you will have black-holed traffic that should have gone to Microsoft. • They will be neither amused nor understanding.
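The path-vector behaviour from the earlier slides (AS_PATH prepending as a route is re-advertised, rejection of any update already carrying the local ASN, shortest-AS_PATH selection) and the two hazards above (becoming an inadvertent transit domain, and announcing a prefix you do not own) can all be exercised in one small simulation. The following is an added example, not code from the course material and not Cisco IOS configuration. AS 100 and AS 200 stand in for ISP1 and ISP2, 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation prefixes chosen here, and 207.46.0.0/16 is the block from the Doyle example. Best-path selection is reduced to shortest AS_PATH; real BGP consults weight, local preference and the rest of the decision process first.

```python
"""Toy BGP path-vector simulator: AS_PATH propagation, loop rejection,
shortest-AS_PATH selection and outbound (export) policy.

Added example for the path-vector, loop-avoidance and BGP-hazard slides;
it is not from the course material or from Cisco IOS. AS 100 / AS 200 and the
prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation
values chosen here; 207.46.0.0/16 is the block from the Doyle example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

AsPath = Tuple[int, ...]


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: AsPath   # leftmost ASN is the peer we learned it from; () = originated here


ExportPolicy = Callable[["BgpSpeaker", Route], bool]


def export_everything(speaker: "BgpSpeaker", route: Route) -> bool:
    """Transit AS behaviour: re-advertise every best path."""
    return True


def export_locally_originated(speaker: "BgpSpeaker", route: Route) -> bool:
    """Equivalent of an AS-path filter matching ^$ : only routes we originate."""
    return route.as_path == ()


def export_owned_prefixes(speaker: "BgpSpeaker", route: Route) -> bool:
    """Non-transit policy a practitioner should deploy: our own routes AND the
    prefix is on the list we are authorised to announce (a prefix-list)."""
    return route.as_path == () and route.prefix in speaker.owned_prefixes


@dataclass
class BgpSpeaker:
    asn: int
    owned_prefixes: Set[str]
    export_policy: ExportPolicy
    loc_rib: Dict[str, Route] = field(default_factory=dict)
    rejected: List[Route] = field(default_factory=list)

    def originate(self, prefix: str) -> None:
        self.loc_rib[prefix] = Route(prefix, ())

    def receive(self, route: Route) -> bool:
        """Install a route if it passes loop detection and beats the current best."""
        if self.asn in route.as_path:          # our ASN already in AS_PATH: loop
            self.rejected.append(route)
            return False
        current = self.loc_rib.get(route.prefix)
        if current is None or len(route.as_path) < len(current.as_path):
            self.loc_rib[route.prefix] = route  # shorter AS_PATH wins; ties keep current
            return True
        return False

    def advertise_to(self, peer: "BgpSpeaker") -> List[Route]:
        """Apply export policy, prepend our ASN, hand the routes to the peer."""
        sent = []
        for route in list(self.loc_rib.values()):
            if self.export_policy(self, route):
                out = Route(route.prefix, (self.asn,) + route.as_path)
                peer.receive(out)
                sent.append(out)
        return sent


def run_scenario(customer_policy: ExportPolicy) -> Dict[str, object]:
    """Customer AS 65500 multihomed to ISP1 (AS 100) and ISP2 (AS 200). The
    customer also mistakenly originates 207.46.0.0/16, which it does not own."""
    isp1 = BgpSpeaker(100, {"203.0.113.0/24"}, export_everything)
    isp2 = BgpSpeaker(200, {"198.51.100.0/24"}, export_everything)
    cust = BgpSpeaker(65500, {"192.0.2.0/24"}, customer_policy)
    isp1.originate("203.0.113.0/24")
    isp2.originate("198.51.100.0/24")
    cust.originate("192.0.2.0/24")
    cust.originate("207.46.0.0/16")      # the misconfiguration from the slide above
    isp1.advertise_to(cust)              # customer learns ISP1's prefix
    isp2.advertise_to(cust)              # ... and ISP2's
    cust.advertise_to(isp1)              # what leaves the customer depends on policy
    cust.advertise_to(isp2)
    isp1.advertise_to(cust)              # ISP1 re-advertises; customer's own prefix comes back
    return {
        "isp1_sees": {p: r.as_path for p, r in isp1.loc_rib.items()},
        "isp2_sees": {p: r.as_path for p, r in isp2.loc_rib.items()},
        "isp1_rejected": [r.as_path for r in isp1.rejected],
        "customer_rejected": [r.as_path for r in cust.rejected],
    }


if __name__ == "__main__":
    for policy in (export_everything, export_locally_originated, export_owned_prefixes):
        print(policy.__name__, "-> ISP1 sees", run_scenario(policy)["isp1_sees"])
```

With export_everything, ISP1 learns 198.51.100.0/24 with AS_PATH (65500, 200): the customer has become a transit domain. With the ^$-style filter alone the transit leak stops, but the bogus 207.46.0.0/16 still escapes because it is locally originated; only the combination of AS-path filter and prefix-list (export_owned_prefixes) lets just 192.0.2.0/24 out. In every run the customer rejects its own prefix when ISP1 hands it back with (100, 65500), which is the loop detection the earlier slides describe.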
YouTube Hijacking: A RIPE NCC RIS case study • This presentation is taken from the RIPE NCC web site. • For more detailed information, please consult: • http://www.ripe.net/news/study-youtube-hijacking.html • The following presentation is an accurate representation of what took place, but using a simplified topology. • On Sunday, 24 February 2008, Pakistan Telecom (AS17557) started an unauthorised announcement of the prefix 208.65.153.0/24. • One of Pakistan Telecom's upstream providers, PCCW Global (AS3491), forwarded this announcement to the rest of the Internet, which resulted in the hijacking of YouTube traffic on a global scale.
Before, during and after Sunday, 24 February 2008 • DNS servers resolve www.youtube.com to: • 208.65.153.251 • 208.65.153.253 • 208.65.153.238
Before, during and after Sunday, 24 February 2008 • YouTube summarizes (CIDR) its /24 networks as a single /22, 208.65.152.0/22:
208.65.152.0/24  11010000.01000001.10011000.00000000
208.65.153.0/24  11010000.01000001.10011001.00000000
208.65.154.0/24  11010000.01000001.10011010.00000000
--------------------------------------------------
208.65.152.0/22  11010000.01000001.10011000.00000000 (first 22 bits common; the /22 also covers 208.65.155.0/24)
Before, during and after Sunday, 24 February 2008: • AS36561 (YouTube) announces 208.65.152.0/22. • Note that AS36561 also announces other prefixes, but they are not involved in the event.
Before, during and after Sunday, 24 February 2008 (figure: the AS-path length, 1 to 4 hops, from each ISP to the 208.65.152.0/22 announcement) • Unless other policies are used, routers will choose the shortest AS path. • This is a simplification of BGP, assuming shortest AS path is the deciding factor.
Before, during and after Sunday, 24 February 2008 (figure: inside Pakistan Telecom, a static route for 208.65.153.0/24 to Null0, e.g. ip route 208.65.153.0 255.255.255.0 null0) • Pakistan Telecom wants to block traffic within its own AS from going to www.youtube.com. • Note: details of how they did this were not known at the time this presentation was created. • Most likely they created a route within their own AS that sent any traffic to 208.65.153.0/24 (the addresses DNS returns for www.youtube.com) to a non-existent network, in effect denying their own customers access to www.youtube.com. • Their mistake was that they propagated this route to PCCW Global. • A Null0 static route by itself never leaves the router; it reaches an upstream only if it is redistributed (or entered with a network statement) into BGP and not removed by an outbound prefix filter on the EBGP session.
Sunday, 24 February 2008, 18:47 (UTC) (figure: 208.65.153.0/24 now appears alongside 208.65.152.0/22, each with its own AS-path hop counts) • AS17557 (Pakistan Telecom) starts announcing the more specific route of 208.65.153.0/24. • AS3491 (PCCW Global) propagates the announcement. • Routers around the world receive the announcement, and YouTube traffic is redirected to Pakistan.
Why do the ISP routers forward traffic to Pakistan Telecom? (figure: a packet with destination IP 208.65.153.251 arriving at a router that holds both 208.65.152.0/22 and 208.65.153.0/24) • When a router receives packets for 208.65.153.251, which path will it choose? • Routers learn about both 208.65.153.0/24 and 208.65.152.0/22 and install both routes in their routing tables. • For a packet to 208.65.153.251 the router chooses the longest prefix match (the more specific route): 208.65.153.0/24 • 24 bits is a longer (better) match than 22 bits, regardless of how long the AS path to the /24 is; BGP path selection only decides between candidates for the same prefix.
Sunday, 24 February 2008, 20:07 (UTC) (figure: 208.65.153.0/24 is now announced by both AS36561 and AS17557) • AS36561 (YouTube) starts announcing the same, more specific prefix of 208.65.153.0/24. • With two identical prefixes in the routing system, BGP policy rules, such as preferring the shortest AS path, determine which route is chosen. • This means that AS17557 (Pakistan Telecom) continues to attract some of YouTube's traffic.
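The three stages above (the /22 alone, the hijacking /24, then YouTube's competing /24) come down to two different decisions: longest-prefix match in the forwarding table, and AS-path comparison only among candidates for the same prefix. The following is an added example, not from the RIPE NCC study or the course material, that replays the timeline from two constructed vantage points and includes the inbound customer prefix filter that AS3491 could have applied. The prefixes, ASNs and times are those in the slides; the AS_PATHs are assumptions (AS 64496 is an RFC 5398 documentation ASN standing in for an unnamed intermediate provider), and the "allowed" list for AS17557 is a placeholder (203.0.113.0/24), not its real allocation.

```python
"""Longest-prefix-match forwarding through the YouTube /24 hijack timeline,
plus the customer prefix filter that would have stopped it at the upstream.

Added example for the YouTube slides; it is not from the RIPE NCC study.
Prefixes, ASNs and times are those in the slides. The AS_PATHs are
constructed: AS 64496 is an RFC 5398 documentation ASN standing in for an
unnamed intermediate provider, and the "allowed" prefix list for AS17557 is
a placeholder (203.0.113.0/24), not its real allocation.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

AsPath = Tuple[int, ...]
Rib = Dict[str, List[AsPath]]   # prefix -> candidate AS_PATHs, origin AS last


def best_path(paths: List[AsPath]) -> AsPath:
    """Shortest AS_PATH wins; min() keeps the earlier candidate on a tie."""
    return min(paths, key=len)


def lookup(rib: Rib, dest: str) -> Optional[Tuple[str, AsPath]]:
    """Longest-prefix match first; only then does BGP path selection matter."""
    addr = ip_address(dest)
    covering = [p for p in rib if addr in ip_network(p)]
    if not covering:
        return None
    longest = max(covering, key=lambda p: ip_network(p).prefixlen)
    return longest, best_path(rib[longest])


def origin_as(rib: Rib, dest: str) -> Optional[int]:
    """Which AS actually receives packets for `dest` (None if unroutable)."""
    hit = lookup(rib, dest)
    return None if hit is None else hit[1][-1]


def observer_rib(near_youtube: bool, stage: str) -> Rib:
    """Constructed view of the global table at each stage ("before", "18:47",
    "20:07") from an observer topologically near YouTube or near PCCW."""
    to_youtube: AsPath = (36561,) if near_youtube else (64496, 36561)
    to_pktelecom: AsPath = (64496, 3491, 17557) if near_youtube else (3491, 17557)
    rib: Rib = {"208.65.152.0/22": [to_youtube]}
    if stage in ("18:47", "20:07"):
        rib["208.65.153.0/24"] = [to_pktelecom]       # hijack: a more specific route
    if stage == "20:07":
        rib["208.65.153.0/24"].append(to_youtube)     # YouTube answers with its own /24
    return rib


def customer_prefix_filter(allowed: List[str], announced: List[str]) -> List[str]:
    """What AS3491 should have applied inbound from AS17557: accept only
    prefixes that fall inside the customer's registered allocations."""
    allowed_nets = [ip_network(a) for a in allowed]
    return [p for p in announced
            if any(ip_network(p).subnet_of(n) for n in allowed_nets)]


if __name__ == "__main__":
    for stage in ("before", "18:47", "20:07"):
        near = origin_as(observer_rib(True, stage), "208.65.153.251")
        far = origin_as(observer_rib(False, stage), "208.65.153.251")
        print(f"{stage:>6}: near-YouTube observer -> AS{near}, near-PCCW observer -> AS{far}")
```

At 18:47 both observers hand packets for 208.65.153.251 to AS17557 even though the near-YouTube observer has a one-hop path to the /22: the /24 wins on prefix length before AS_PATH is ever compared. At 20:07 the near observer switches back to AS36561 because it now has a shorter path for the /24 itself, while the observer close to PCCW sees two equal-length /24 paths and keeps the hijack, which is the "continues to attract some traffic" outcome on the slide. The filter returns an empty list for 208.65.153.0/24 because it is outside anything AS17557 is allowed to announce.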