Route Server Policies @ IXPs Euro
Euro-IX 27, Berlin

Agenda
» Validation (at route servers)
» Modification (applied at route servers)
» Comparison (of existing implementations)

Validation: Next Hop
» Why
  » Forgery of BGP updates: a peer could set a NEXT_HOP that is not its own router and so attract other peers' traffic to it
» How
  » Compare the NEXT_HOP in the BGP update with the IP address of the peer's router (the endpoint of the BGP session with the RS)
» DE-CIX
  » Always on

Validation: IP Prefix Space (Bogons, Fullbogons)
» Why
  » Mitigate IP prefix hijacking
  » Prevent misconfiguration
» How
  » Bogon = deny all private (RFC 1918), reserved and default prefixes
  » Fullbogon = additionally deny all prefixes not yet assigned by the RIRs
  » Use the lists from Team Cymru for both
» DE-CIX
  » Bogon filtering always on

Validation: IP Prefix Length
» Why
  » Misconfiguration
  » Avoid too specific prefixes
  » Avoid potentially leaked internal default routes
» How
  » Enforce a minimum and a maximum prefix length for customers' BGP updates
» DE-CIX
  » IPv4: prefixes between /8 and /24 are allowed
  » IPv6: prefixes between /19 and /48 are allowed
  » More specifics are allowed for blackholing

Validation: Maximum Prefix Limit
» Why
  » Mitigation of route leaks
» How
  » Limit the maximum number of prefixes the RS accepts per peer
    » Catches large-scale leaks (full-table leak)
    » Catches small-scale leaks (partial customer misconfiguration)
» DE-CIX
  » Default maximum prefix count for all peers: 170000 (IPv4) and 12000 (IPv6)
  » Can be adapted by the customer via support

Validation: Enforce First AS
» Why
  » Prevent a peer from hiding its own AS
  » Prevent misdirection of traffic
» How
  » Check that the first segment of the AS_PATH is the AS of the peer
» DE-CIX
  » Not available

Validation: AS Path Length
» Why
  » Prevent misconfiguration
» How
  » Deny all routes whose AS_PATH exceeds a certain length (e.g. 64)
» DE-CIX
  » To be implemented

Validation: Private AS
» Why
  » Prevent misconfiguration
» How
  » Private AS numbers are a defined range (64512 to 65534; RFC 6996 additionally reserves 4200000000 to 4294967294 as the 4-byte private range)
  » BGP updates whose AS_PATH contains a private AS are discarded
» DE-CIX
  » Always on

Validation: AS Filter List
» Why
  » Prevent IP prefix hijacking due to route leaks
» How
  » Use a list of Tier-1 ASes to filter the AS_PATH at the RS
  » A Tier-1 is only allowed as the first AS in the AS_PATH (i.e. when the Tier-1 is the peer itself); a Tier-1 further down the path means the peer is leaking a route learned from its transit
» DE-CIX
  » To be implemented

Validation: Origin-AS and IP Prefix from IRR
» Why
  » Mitigate IP prefix hijacking
  » Prevent misconfiguration
» How
  » Only accept Origin-ASes that are registered in the peer's AS-SET
  » Only accept prefixes that are registered at an IRR for that AS-SET / AS
  » Can be implemented in two ways
    » one of the two checks has to pass
    » each of the two checks has to pass
» DE-CIX
  » Always on; both checks must pass, and the Origin-AS and the prefix's route object have to match each other

Validation: IP Prefix from RPKI
» Why
  » Prevent IP prefix hijacking
  » Validate whether an Origin-AS is allowed to announce a certain prefix
» How
  » Complement the usual IRR prefix validation with a check of the ROAs for each Origin-AS
» DE-CIX
  » Not yet available

Modification: Manual Policy Control
» Why
  » Enable peers to disable advertising to defined peers
» How
  » The customer enters their peering policy (e.g. a peering matrix)
  » The route server is configured accordingly
» DE-CIX
  » To be implemented

Modification: Policy Control by BGP Community
» Why
  » Enable peers to control how the RS advertises their routes at the IXP
» How
  » Peers tag their routes with specific BGP communities
  » The route server configuration processes these communities
» DE-CIX
  » Do not announce a route to a certain peer: 0:peer-as
  » Announce a route to a certain peer: 6695:peer-as
  » Do not announce a route to any peer: 0:6695
  » Announce to all peers: 6695:6695
  » Support for 32-bit ASNs is available through extended BGP communities, e.g. (rt|ro) 0:peer-as

Modification: Policy Control by IRR RPSL
» Why
  » Enable inbound policies in addition to the outbound-only policies possible with BGP communities
  » Support 4-byte ASNs
» How
  » Use the import/import-via and export/export-via RPSL attributes in an IRR
» DE-CIX
  » Not available yet

Modification: AS Path Prepending
» Why
  » Influence routing decisions
» How
  » The route server adds the customer's or the IXP's AS to the AS_PATH
» DE-CIX
  » A customer can configure to have the DE-CIX AS in the AS_PATH
  » Customer AS prepending is not supported

Modification: Multipath
» Why
  » The route server should forward more than one route for a prefix if available
  » The receiving side can choose between multiple paths
» How
  » No trivial solution
    » Extension of the BGP protocol
    » Multiple BGP sessions
    » Multiple route servers
    » Usage of BGP ADD_PATH
» DE-CIX
  » Not available yet

Comparison

| Group | Feature | AMS-IX (Falcon) | DE-CIX | LINX | Netnod | MSK-IX | IXP-Manager (Basic Template) |
|---|---|---|---|---|---|---|---|
| Validation: Basics | Next Hop | ✔ | ✔ | - | - | ✔ | ✔ |
| Validation: IP Prefix | Prefix length | - | ✔ | - | - | ✔ | ✔ |
| | Prefix space (bogons) | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| | Max prefix | per AS | per Peer | - | per AS | per Peer | per AS |
| | IRR | ✔ | ✔ | - | - | ✔ | ✔ |
| | RPKI | ✔ | - | - | - | - | - |
| Validation: AS-Path | Length | ✔ | - | - | - | - | - |
| | Enforce first AS | ✔ | - | - | - | ✔ | ✔ |
| | No private AS | - | ✔ | - | - | ✔ | |
| | AS filter list | - | - | - | - | ✔ | - |
| Modification: Policy Control | Manually | - | - | - | - | - | - |
| | BGP communities | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| | IRR RPSL | - | - | - | - | ✔ | - |
| Modification: AS-Path Prepending | Customer AS prepending | - | - | - | - | ✔ (multiple) | - |
| | IXP AS prepending | ✔ (multiple) | ✔ (single) | - | - | - | - |
| Modification: Multipath | Multipath | - | - | - | - | - | - |

DE-CIX Management GmbH
Lindleystr. 12
60314 Frankfurt
Germany
Phone +49 69 1730 902 0
[email protected]
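The validation slides above (next hop, bogons, prefix length, maximum prefix, first AS, AS path length, private AS, Tier-1 filter list, IRR and RPKI) describe one inbound filter chain. The following is an added example that runs that chain over constructed BGP updates; it is not DE-CIX's route server configuration or any other IXP's code. The peer, its IRR data, the ROA table, the trimmed bogon list and the Tier-1 subset are all constructed for the example, the DE-CIX length limits and the "both IRR checks must match" rule are taken from the slides, and the RFC 7999 BLACKHOLE community is assumed to be what marks a blackhole route.

```python
"""Inbound validation of a BGP update at an IXP route server, in the order of
the checks on the slides.  Example code, not DE-CIX's configuration."""
import ipaddress
from dataclasses import dataclass, field

MAX_AS_PATH_LEN = 64
BLACKHOLE = "65535:666"        # RFC 7999 BLACKHOLE community (assumed blackhole marker)
PRIVATE_ASN = [(64512, 65534), (4200000000, 4294967294)]   # RFC 6996 private ranges
TIER1 = {174, 1299, 2914, 3356}                            # illustrative Tier-1 subset
# Trimmed bogon list (constructed); the real Team Cymru list also contains the
# RFC 5737 documentation prefixes that serve as sample customer prefixes here.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4", "::/8", "fc00::/7", "fe80::/10")]
# Constructed ROA table: (prefix, maxLength, origin ASN)
ROAS = [(ipaddress.ip_network("203.0.113.0/24"), 24, 64496),
        (ipaddress.ip_network("198.51.100.0/24"), 24, 64498)]


@dataclass
class Peer:
    asn: int
    router_ip: str        # address of the peer's router on the peering LAN
    irr_origins: set      # origin ASNs expanded from the peer's AS-SET
    irr_routes: dict      # IRR route/route6 objects: prefix -> origin ASN
    max_prefix: int = 170000


@dataclass
class Update:
    prefix: str
    as_path: list
    next_hop: str
    communities: list = field(default_factory=list)


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN)


def covered_by(net, container):
    return net.version == container.version and net.subnet_of(container)


def irr_ok(net, origin, peer):
    """Both IRR checks must pass and agree: origin in the AS-SET, and a covering
    route object registered with exactly that origin (the DE-CIX rule)."""
    if origin not in peer.irr_origins:
        return False
    return any(covered_by(net, ipaddress.ip_network(p)) and asn == origin
               for p, asn in peer.irr_routes.items())


def rpki_state(net, origin):
    covering = [r for r in ROAS if covered_by(net, r[0])]
    if not covering:
        return "unknown"
    ok = any(asn == origin and net.prefixlen <= maxlen for _, maxlen, asn in covering)
    return "valid" if ok else "invalid"


def validate(u, peer, accepted_so_far=0):
    """Return 'accept' or the name of the first check that rejects the update."""
    net = ipaddress.ip_network(u.prefix)
    if u.next_hop != peer.router_ip:                 # next-hop forgery
        return "next-hop"
    if any(covered_by(net, b) for b in BOGONS):      # bogon space
        return "bogon"
    lo, hi = (8, 24) if net.version == 4 else (19, 48)
    host_blackhole = BLACKHOLE in u.communities and net.prefixlen == net.max_prefixlen
    if not (lo <= net.prefixlen <= hi or host_blackhole):
        return "prefix-length"
    if accepted_so_far >= peer.max_prefix:           # production RSs usually drop the session instead
        return "max-prefix"
    if u.as_path[0] != peer.asn:                     # enforce first AS
        return "first-as"
    if len(u.as_path) > MAX_AS_PATH_LEN:
        return "as-path-length"
    if any(is_private_asn(a) for a in u.as_path):
        return "private-as"
    if any(a in TIER1 for a in u.as_path[1:]):       # Tier-1 only allowed as the peer itself
        return "tier1-in-path"
    origin = u.as_path[-1]
    if not irr_ok(net, origin, peer):
        return "irr"
    if rpki_state(net, origin) == "invalid":         # 'unknown' is still accepted
        return "rpki-invalid"
    return "accept"


# Constructed peer (documentation ASN/addresses) and one sample update per check
PEER = Peer(asn=64496, router_ip="192.0.2.10", irr_origins={64496, 64497},
            irr_routes={"203.0.113.0/24": 64496, "198.51.100.0/24": 64496,
                        "2001:db8::/32": 64496}, max_prefix=3)
SAMPLES = {
    "good":          Update("203.0.113.0/24", [64496], "192.0.2.10"),
    "forged-nh":     Update("203.0.113.0/24", [64496], "192.0.2.99"),
    "bogon":         Update("10.0.0.0/8", [64496], "192.0.2.10"),
    "too-specific":  Update("203.0.113.0/25", [64496], "192.0.2.10"),
    "too-short-v6":  Update("2001::/16", [64496], "192.0.2.10"),
    "blackhole":     Update("2001:db8::1/128", [64496], "192.0.2.10", [BLACKHOLE]),
    "hidden-as":     Update("203.0.113.0/24", [64497, 64496], "192.0.2.10"),
    "long-path":     Update("203.0.113.0/24", [64496] + [64497] * 64, "192.0.2.10"),
    "private-as":    Update("203.0.113.0/24", [64496, 65001], "192.0.2.10"),
    "transit-leak":  Update("203.0.113.0/24", [64496, 3356, 64497], "192.0.2.10"),
    "irr-mismatch":  Update("203.0.113.0/24", [64496, 64497], "192.0.2.10"),
    "rpki-invalid":  Update("198.51.100.0/24", [64496], "192.0.2.10"),
}


def run_samples(peer=PEER):
    return {name: validate(u, peer) for name, u in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} -> {verdict}")
    print("max-prefix     ->", validate(SAMPLES["good"], PEER, accepted_so_far=3))
```

The "irr-mismatch" case is the one the DE-CIX slide is about: AS64497 is in the peer's AS-SET and the prefix has a route object, but the route object's origin is AS64496, so the two IRR checks pass individually yet do not match each other and the route is dropped. The "rpki-invalid" case passes the IRR check and is only caught by the ROA, which is why the RPKI slide calls it a complement to IRR rather than a replacement.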
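The "Policy Control by BGP Community" slide lists the four DE-CIX control communities (0:peer-as, 6695:peer-as, 0:6695, 6695:6695) and the extended-community form for 32-bit peer ASNs. The following is an added example of the export decision a route server makes from those tags; it is not DE-CIX's route server code. The peer set is constructed, and the precedence (a peer-specific community overrides the catch-all, an explicit "do not announce" wins over "announce" for the same peer, no control community means announce to everyone) is the usual interpretation and is assumed here, not quoted from the slide.

```python
"""Outbound policy control by BGP community at a route server, following the
community scheme on the slide (RS ASN 6695).  Example code, not DE-CIX's own."""
RS_AS = 6695


def parse_community(text):
    """'0:64496' -> (0, 64496); 'rt:0:4200000001' or 'ro:0:4200000001' -> (0, 4200000001).
    A standard community carries two 16-bit halves, so a 32-bit peer ASN only fits
    into the extended (rt/ro) form."""
    parts = text.split(":")
    if len(parts) == 3 and parts[0] in ("rt", "ro"):
        return int(parts[1]), int(parts[2])
    if len(parts) == 2:
        a, b = int(parts[0]), int(parts[1])
        if a > 65535 or b > 65535:
            raise ValueError(f"{text}: use the rt:/ro: extended form for 32-bit ASNs")
        return a, b
    raise ValueError(f"unparseable community {text!r}")


def announce_to(communities, peer_as, rs_as=RS_AS):
    """Peer-specific tags beat the catch-all tags; for the same peer an explicit
    deny beats an explicit allow (assumed precedence).  No control community at
    all means the route is announced to everybody."""
    tags = {parse_community(c) for c in communities}
    if (0, peer_as) in tags:          # 0:peer-as      do not announce to this peer
        return False
    if (rs_as, peer_as) in tags:      # 6695:peer-as   announce to this peer
        return True
    if (0, rs_as) in tags:            # 0:6695         do not announce to anyone else
        return False
    return True                       # 6695:6695 or no tag: announce to all


def export_targets(communities, peers, rs_as=RS_AS):
    """Set of peer ASNs the route server announces the route to."""
    return {p for p in peers if announce_to(communities, p, rs_as)}


# Constructed set of peers behind the route server, including one 32-bit ASN
PEERS = {64496, 64497, 64498, 4200000001}

CASES = {
    "default":        [],
    "deny-one":       ["0:64497"],
    "allow-only-one": ["0:6695", "6695:64498"],
    "allow-all":      ["6695:6695"],
    "deny-32bit":     ["rt:0:4200000001"],
    "allow-only-32":  ["0:6695", "ro:6695:4200000001"],
    "deny-all":       ["0:6695"],
}


def run_cases():
    return {name: export_targets(tags, PEERS) for name, tags in CASES.items()}


if __name__ == "__main__":
    for name, targets in run_cases().items():
        print(f"{name:15} -> {sorted(targets)}")
```

The two-tag cases ("allow-only-one", "allow-only-32") are the selective-peering idiom: deny to all with 0:6695, then re-enable individual peers with 6695:peer-as. Note that parse_community refuses "0:4200000001" outright, because a 16-bit community field cannot encode the ASN; silently truncating it would match the wrong peer.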