BGP Workshop Arturo Servin | Carlos Martínez
Acknowledgements Special thanks to Philip Smith (APNIC) and Alvaro Retana (Cisco Systems), whose material has provided invaluable input for the creation of this presentation.
HOW THE INTERNET WORKS
IP addresses: where do they come from? Regional Internet Registries (RIRs) distribute IPv4, IPv6 and Autonomous System Numbers. Sometimes the distribution is done through National Internet Registries (NIRs). [Diagram: Standards, Central Registry, Distribution (RIRs / NIRs), Allocations and Assignments, End user]
Regional Internet Registries
Autonomous System Numbers Collection of networks with the same routing policy Single routing protocol Possibly multiple IGPs Usually under single ownership, trust and administrative control Identified by a unique 32-bit integer (ASN)
ASNs [Diagram: several autonomous systems, each identified by its ASN, e.g. ASN 65537]
More about ASNs Historically 2 bytes – 1 to But they were about to run out, and ASNs are now 4 bytes (RFC 4893) –
Special ASNs – 0 and reserved – , documentation (RFC 5398) – Private use – Representation of 4-byte ASNs in a 2-byte world
IGP vs EGP IGP – Interior Gateway Protocol – Exchanges routes within an Autonomous System – Carries information about internal prefixes – OSPF, IS-IS, EIGRP, etc. EGP – Exterior Gateway Protocol – Exchanges routes between Autonomous Systems – BGP is the standard EGP today – Connects with outside networks
IGP vs EGP (more) IGP – Interior Gateway Protocol – Sub-second convergence – Generally automatic discovery – You generally trust your IGP routers – Routes go to all IGP routers EGP – Exterior Gateway Protocol – Decoupled from the IGP – Specifically configured
Internet Routing BGP selects routes according to a decision algorithm and the values of some route “attributes” AS_PATH is the list of autonomous systems that an UPDATE has passed through
Internet Routing [Diagram] ASN 6057 announces /16 The prefix /16 is propagated with BGP to the Internet ASN 8158 receives /16 Attributes: /16 AS_PATH ASN1 ASN3 ASN6057
Transit and Peering Transit – Traffic and prefixes originating from one AS are carried across an intermediate AS to reach their destination AS – Usually for a fee Peering – Private interconnect between two ASNs – Usually for no fee
Transit and Peering [Diagram: several ASNs; a peering relationship between two of them and a transit relationship through another]
Peering in an Internet Exchange Point (IXP) Internet Exchange Point – Common interconnect location where several ASNs exchange routing information and traffic [Diagram: several ASNs, e.g. ASN 65539, connected at the IXP]
INTRO TO BGP
Border Gateway Protocol A Routing Protocol used to exchange routing information between different networks Exterior gateway protocol Described in RFC4271 – RFC4276 gives an implementation report on BGP – RFC4277 describes operational experiences using BGP Works on TCP port 179 Path Vector Protocol
More about BGP Learns multiple paths via internal and external BGP speakers – Initial exchange of the entire table, then incremental updates – Picks THE best path and installs it in the IP forwarding table – Policies are applied by influencing the best-path selection Keepalive messages exchanged Many options for policy enforcement Classless Inter-Domain Routing (CIDR) Widely used for the Internet backbone
Neighbors BGP speakers are – Internal (iBGP) if they are in the same ASN – External (eBGP) if they are in different ASNs [Diagram: two ASNs with an eBGP session between them and iBGP sessions inside each]
Where to use BGP: Stub Network ASN 65536, Transit Provider ASN 65538, Customer Only one exit for the customer: no real need to add BGP
Multihomed Network [Diagram: customer ASN connected to transit providers and peering at an IXP] Different situations are possible: Multiple links to the same ISP Secondary link for backup only Load sharing between primary and secondary Selectively using different ISPs Peering at an IXP
BGP State-Machine BGP States 1 - Idle 2 - Connect 3 - Active 4 - OpenSent 5 - OpenConfirm 6 - Established BGP Events 1 - BGP Start 2 - BGP Stop 3 - BGP Transport connection open 4 - BGP Transport connection closed 5 - BGP Transport connection open failed 6 - BGP Transport fatal error 7 - ConnectRetry timer expired 8 - Hold Timer expired 9 - KeepAlive timer expired 10 - Receive OPEN message 11 - Receive KEEPALIVE message 12 - Receive UPDATE messages 13 - Receive NOTIFICATION message
Basic config IPv4: router bgp xxxx neighbor a.b.c.d remote-as … network A.B.C.D mask … no synchronization exit-address-family IPv6: router bgp xxxx no bgp default ipv4-unicast bgp router-id a.b.c.d neighbor X:X:X:X::X remote-as … neighbor X:X:X:X::X … address-family ipv6 neighbor X:X:X:X::X activate neighbor X:X:X:X::X … network 2001:DB8::/32 no synchronization exit-address-family
Basic Config (IPv4 eBGP) Router A router bgp network mask neighbor remote-as Router B router bgp network mask neighbor remote-as [Diagram: two ASNs, one prefix each] Be careful, this needs filters!! Do not try it in production yet!!
Basic Config (IPv4 iBGP) Router A router bgp neighbor remote-as Router B router bgp network mask neighbor remote-as ip route null 0 [Diagram: one ASN, one prefix]
More about iBGP BGP peer within the same AS Not required to be directly connected IGP takes care of inter-BGP speaker connectivity iBGP speakers must be fully meshed: – They originate connected networks – They pass on prefixes learned from outside the ASN – They do not pass on prefixes learned from other iBGP speakers
Verifying Operation Summary of BGP – show ip bgp summary – show bgp ipv6 [unicast|multicast] summary Routing table – show ip bgp (with no arguments shows all the routes) – show bgp ipv6 [unicast|multicast]
Show command example sh ip bgp BGP table version is 11, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> N / i *> V / i *> V i *> V i I / ?
More show commands Verifying neighbors – show ip bgp neighbor – show bgp ipv6 [unicast|multicast] neighbor – show ip bgp neighbor advertised-routes – show bgp ipv6 [unicast|multicast] neighbor advertised-routes – show ip bgp neighbor routes – show bgp ipv6 [unicast|multicast] neighbor routes – show ip bgp neighbor received-routes – show bgp ipv6 [unicast|multicast] neighbor received-routes
ATTRIBUTES
What’s an attribute Part of a BGP UPDATE Describes the characteristics of a prefix It can be either transitive or non-transitive Some are mandatory, some optional: Well-known mandatory attributes, Well-known discretionary attributes, Optional transitive attributes, Optional non-transitive attributes
Route attributes sh ip bgp BGP table version is 11, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> N / i *> V / i *> V i *> V i I / ?
List of attributes (but don't worry, we just need AS_PATH for now) Value Code Reference 0 Reserved 1 ORIGIN [RFC4271] 2 AS_PATH [RFC4271] 3 NEXT_HOP [RFC4271] 4 MULTI_EXIT_DISC [RFC4271] 5 LOCAL_PREF [RFC4271] 6 ATOMIC_AGGREGATE [RFC4271] 7 AGGREGATOR [RFC4271] 8 COMMUNITY [RFC1997] 9 ORIGINATOR_ID [RFC4456] 10 CLUSTER_LIST [RFC4456] 14 MP_REACH_NLRI [RFC4760] 15 MP_UNREACH_NLRI [RFC4760] 16 EXTENDED COMMUNITIES [RFC4360] 17 AS4_PATH [RFC6793] 18 AS4_AGGREGATOR [RFC6793]
Decision Process in BGP # Step 1 Verify if NEXT_HOP is reachable 3 Select route with the highest LOCAL_PREF 4 Select locally originated route 5 Select shortest AS_PATH 6 Select lowest origin code (IGP < EGP < Incomplete) 7 Select path with the lowest MED 8 Select eBGP paths over iBGP 9 Select path with the lowest IGP metric to the NEXT_HOP 10 Select the oldest path 11 Select path with the lowest Router_ID
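The steps above, written out as a pairwise comparison the way a router walks them, as an added example (not part of the workshop slides). The `Path` record, its field names and the sample candidates are constructed for illustration; step 7 applies MED only between paths from the same neighbouring AS, as the MED slide later states.

```python
from dataclasses import dataclass
from functools import reduce

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # step 6: IGP < EGP < incomplete

@dataclass
class Path:
    """One candidate path for a prefix, carrying the attributes the steps look at."""
    next_hop_reachable: bool
    local_pref: int = 100             # default LOCAL_PREF
    locally_originated: bool = False
    as_path: tuple = ()               # AS_PATH; () for a locally originated route
    origin: str = "igp"
    med: int = 0                      # default MED (RFC 4271)
    ebgp: bool = True
    igp_metric: int = 0               # IGP cost to reach NEXT_HOP
    age_rank: int = 0                 # lower = received earlier (older)
    router_id: str = "0.0.0.0"

def _rid(path):
    return tuple(int(x) for x in path.router_id.split("."))

def prefer(a, b):
    """Return the better of two reachable paths, walking the slide's steps in order."""
    if a.local_pref != b.local_pref:                    # 3: highest LOCAL_PREF
        return a if a.local_pref > b.local_pref else b
    if a.locally_originated != b.locally_originated:    # 4: locally originated
        return a if a.locally_originated else b
    if len(a.as_path) != len(b.as_path):                # 5: shortest AS_PATH
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:  # 6: lowest origin code
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # 7: MED is compared only between paths from the same neighbouring AS
    #    (the first AS in AS_PATH); paths from different ASes skip this step.
    if a.as_path and b.as_path and a.as_path[0] == b.as_path[0] and a.med != b.med:
        return a if a.med < b.med else b
    if a.ebgp != b.ebgp:                                # 8: eBGP over iBGP
        return a if a.ebgp else b
    if a.igp_metric != b.igp_metric:                    # 9: lowest IGP metric to NEXT_HOP
        return a if a.igp_metric < b.igp_metric else b
    if a.age_rank != b.age_rank:                        # 10: oldest path
        return a if a.age_rank < b.age_rank else b
    return a if _rid(a) <= _rid(b) else b               # 11: lowest router ID

def best_path(paths):
    """Step 1 drops paths whose NEXT_HOP is unreachable; the rest are compared pairwise."""
    usable = [p for p in paths if p.next_hop_reachable]
    return reduce(prefer, usable) if usable else None

# Constructed candidates for 2001:db8::/32, mirroring the local-preference example
# where the route learned from one upstream is set to LOCAL_PREF 150.
CANDIDATES = [
    Path(True, as_path=(65537, 65540), router_id="10.0.0.1"),                       # short path, default pref
    Path(True, local_pref=150, as_path=(65538, 65539, 65540), router_id="10.0.0.2"),
    Path(False, local_pref=200, as_path=(65539, 65540), router_id="10.0.0.3"),      # NEXT_HOP unreachable
]

if __name__ == "__main__":
    print(best_path(CANDIDATES))   # the LOCAL_PREF 150 path wins despite its longer AS_PATH
```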
AS-Path Sequence of ASes a route has traversed Mandatory transitive attribute Used for: – Loop detection – Applying policy
AS-Path Example [Diagram: a 2001:db8:: prefix propagated through several ASNs; the path with the shortest AS_PATH is the Best Path]
Next-hop eBGP: address of external neighbour iBGP: NEXT_HOP from eBGP (but it could be changed) Mandatory non-transitive attribute [Diagram: eBGP neighbour 2001:db8::1 announces a prefix with NH=2001:db8::1; the NEXT_HOP is carried unchanged into the iBGP mesh]
Next-hop (cont.) To avoid carrying external next-hop IP addresses, use the command next-hop self – neighbor x.x.x.x next-hop-self Use loopbacks as NH in iBGP
Origin The origin of the prefix Historical attribute used in transition from EGP to BGP Transitive and Mandatory Attribute Three values: IGP, EGP, incomplete – IGP – generated by BGP network statement – EGP – generated by EGP – incomplete – redistributed from another routing protocol
Aggregator Conveys the IP address of the router or BGP speaker generating the aggregate route Optional & transitive attribute Created by using “aggregate-address”: router bgp aggregate-address
Local Preference Indication of preferred path to exit the local AS Non-transitive and optional attribute Global to the local AS Paths with highest LOCAL-PREF are most desirable (default = 100)
Local Preference Example [Diagram: two upstream ASNs; routes from one are set to local pref 110, routes from the other to local pref 150; traffic to 2001:db8::/32 exits via the ASN with local pref 150]
Example router bgp bgp router-id neighbor 2001:db8::1 remote-as neighbor 2001:db8::1 update-source Loopback0 address-family ipv6 neighbor 2001:db8::1 activate neighbor 2001:db8::1 next-hop-self neighbor 2001:db8::1 route-map LOCAL_PREF out exit-address-family ! ipv6 prefix-list 10 seq 5 permit 2001:db8::/32 ! route-map LOCAL_PREF permit 10 match ipv6 address prefix-list 10 set local-preference 150 ! route-map LOCAL_PREF permit 20
Multi-Exit Discriminator (MED) Indication (to external peers) of the preferred path into an AS – Used in multiple entry AS – Non-transitive & optional attribute Determines best path for inbound traffic Comparable if paths are from same AS Path with lowest MED wins, default = 0 (RFC4271)
Communities Communities are described in RFC1997 Transitive and Optional Attribute 32-bit integer, represented as two 16-bit integers (RFC1998) Common format is :xx 0:0 to 0:65535 and 65535:0 to 65535:65535 are reserved
Communities (Cont.) Used to group destinations; each destination can be a member of multiple communities Very useful in applying policies within and between ASes It is like a tag applied to an update. Typical communities: – Destinations learned from customers – Destinations learned from ISPs or peers – Destinations in a VPN
Well-known communities Several well-known communities: – no-export = do not advertise to eBGP peers (65535:65281) – no-advertise = do not advertise to any peer (65535:65282) – local-AS = do not advertise outside the local AS (used with confederations)
Example: Set community 65536:200 router bgp neighbor remote-as neighbor send-community neighbor route-map set_community out ! route-map set_community permit 10 match ip address 1 set community 65536:200 ! access-list 1 permit
Example: Set local pref based on community router bgp neighbor remote-as neighbor route-map filter_on_community in ! route-map filter_on_community permit 10 match community 1 set local-preference 150 ! ip community-list 1 permit 65537:150
FILTERING, POLICIES AND SCALING BGP
Applying Policies with BGP As we have seen in some examples Policies based on AS path, community or prefix Rejecting/accepting selected routes Setting attributes to influence path selection Use – Prefix-lists (filter prefixes) – Filter-lists (filter ASes) – Route-maps and communities
Prefix-list Per-peer prefix filter, inbound or outbound Allows coverage for ranges of prefix lengths (ge, le) Based upon network numbers in NLRI (using familiar IPv4 address/mask format) ip prefix-list list-name [seq seq-value] permit|deny network/len [ge ge-value] [le le-value]
Examples Deny default route ip prefix-list EG deny /0 Permit the prefix /8 ip prefix-list EG permit /8 Deny the prefix /12 ip prefix-list EG deny /12 In 192/8 allow up to /24 ip prefix-list EG permit /8 le 24
Example router bgp neighbor 2001:cafe::1 remote-as ! address-family ipv6 neighbor 2001:cafe::1 activate neighbor 2001:cafe::1 prefix-list IPv6-BOGUS in exit-address-family ! ipv6 prefix-list IPv6-BOGUS deny 2001:db8::/32 le 128 ipv6 prefix-list IPv6-BOGUS permit 2002::/16 ipv6 prefix-list IPv6-BOGUS deny 2002::/16 le 128 ipv6 prefix-list IPv6-BOGUS deny 0000::/8 le 128 ipv6 prefix-list IPv6-BOGUS deny fe00::/9 le 128 ipv6 prefix-list IPv6-BOGUS deny ff00::/8 le 128 ipv6 prefix-list IPv6-BOGUS permit 0::/0 le 48 ipv6 prefix-list IPv6-BOGUS deny 0::/0 le 128
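An evaluator for IOS prefix-list semantics (exact length when no ge/le is given, a length range otherwise, first match wins, implicit deny at the end), run over the IPv6-BOGUS list above and the IPv4 examples before it. This is an added example, not part of the slides; the function names are ours and the list text is embedded as constructed input.

```python
import ipaddress
from typing import NamedTuple, Optional

class PrefixListEntry(NamedTuple):
    action: str            # "permit" or "deny"
    network: object        # ipaddress.IPv4Network or IPv6Network
    ge: Optional[int]      # lower length bound, if given
    le: Optional[int]      # upper length bound, if given

def parse_prefix_list(config: str):
    """Parse IOS 'ip|ipv6 prefix-list NAME [seq N] permit|deny NET/LEN [ge N] [le N]' lines."""
    entries = []
    for line in config.strip().splitlines():
        tokens = line.split()[3:]                # drop 'ipv6 prefix-list NAME'
        if tokens[0] == "seq":                   # optional sequence number
            tokens = tokens[2:]
        network = ipaddress.ip_network(tokens[1], strict=False)
        bounds = dict(zip(tokens[2::2], map(int, tokens[3::2])))   # e.g. {'le': 128}
        entries.append(PrefixListEntry(tokens[0], network, bounds.get("ge"), bounds.get("le")))
    return entries

def entry_matches(entry, prefix) -> bool:
    """IOS semantics: the candidate must be covered by the entry's network, and its
    length must equal the entry's length, or fall inside [ge, le] when those are given."""
    if prefix.version != entry.network.version:
        return False
    if prefix.prefixlen < entry.network.prefixlen or prefix.network_address not in entry.network:
        return False
    if entry.ge is None and entry.le is None:
        return prefix.prefixlen == entry.network.prefixlen
    low = entry.ge if entry.ge is not None else entry.network.prefixlen
    high = entry.le if entry.le is not None else prefix.max_prefixlen
    return low <= prefix.prefixlen <= high

def evaluate(entries, prefix_str: str) -> str:
    """First matching entry wins; a prefix-list ends with an implicit deny."""
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    for entry in entries:
        if entry_matches(entry, prefix):
            return entry.action
    return "deny"

# The inbound IPv6-BOGUS list from the slide, exactly as configured.
IPV6_BOGUS = """
ipv6 prefix-list IPv6-BOGUS deny 2001:db8::/32 le 128
ipv6 prefix-list IPv6-BOGUS permit 2002::/16
ipv6 prefix-list IPv6-BOGUS deny 2002::/16 le 128
ipv6 prefix-list IPv6-BOGUS deny 0000::/8 le 128
ipv6 prefix-list IPv6-BOGUS deny fe00::/9 le 128
ipv6 prefix-list IPv6-BOGUS deny ff00::/8 le 128
ipv6 prefix-list IPv6-BOGUS permit 0::/0 le 48
ipv6 prefix-list IPv6-BOGUS deny 0::/0 le 128
"""
ENTRIES = parse_prefix_list(IPV6_BOGUS)

if __name__ == "__main__":
    for p in ["2001:db8:1::/48", "2002::/16", "2002:a00::/24", "2a00:1450::/32", "2a00:1450::/64", "::/0"]:
        print(f"{p:18} {evaluate(ENTRIES, p)}")
```

Running it shows one thing the slide does not spell out: as written, the list also permits the default route ::/0, because length 0 falls inside `permit 0::/0 le 48`.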
Regular expressions . Match one character * Match any number of the preceding expression + Match at least one of the preceding expression ^ Beginning of line $ End of line \ Escape a regular expression character _ Beginning, end, white-space, brace | Or () brackets to contain an expression [] brackets to contain number ranges
Examples of Regular Expressions .* Match anything ^$ Match routes local to this AS (as-path is empty) _65536$ Originated by (as-path ends with 65536) ^65536_ Received from (as-path starts with 65536) _65536_ is somewhere in the as-path _65536_65537_ Passing through then 65537
More examples ^[0-9]+$ Match AS_PATH length of one ^[0-9]+_[0-9]+$ Match AS_PATH length of two ^[0-9]*_[0-9]+$ Match AS_PATH length of one or two ^[0-9]*_[0-9]*$ Match AS_PATH length of one or two (will also match zero) ^[0-9]+_[0-9]+_[0-9]+$ Match AS_PATH length of three _(65536|65537)_ Match anything which has gone through AS65536 or AS65537 _65536(_.+_)65537$ Match anything of origin AS65536 and passed through AS65537
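To check what the two slides of as-path regexes actually match, this added example (not from the slides) translates the IOS-specific `_` token into a Python regex and applies the slide expressions to constructed sample AS_PATHs. The translation of `_` follows Cisco's definition (start or end of the path, space, comma or brace); the sample paths and function names are ours.

```python
import re

# In IOS as-path regexes "_" matches the start or end of the path, a space, a comma
# or a brace (AS_SET delimiters). Python's re has no such token, so rewrite it.
UNDERSCORE = r"(?:^|$|[ ,{}()])"

def ios_to_python(ios_regex: str) -> str:
    """Translate an IOS-style as-path regex into an equivalent Python regex."""
    return ios_regex.replace("_", UNDERSCORE)

def as_path_matches(ios_regex: str, as_path: str) -> bool:
    """True if the AS_PATH (ASNs separated by single spaces, '' for a route
    originated in the local AS) is matched by the IOS-style regex."""
    return re.search(ios_to_python(ios_regex), as_path) is not None

def filter_paths(ios_regex: str, paths):
    """Apply one 'ip as-path access-list ... permit <regex>' entry to candidate paths."""
    return [p for p in paths if as_path_matches(ios_regex, p)]

# Constructed sample AS_PATHs using the private-use ASNs from the slides.
SAMPLE_PATHS = [
    "",                    # local to this AS
    "65536",               # received from AS65536, which also originated it
    "65536 65537",         # received from AS65536, originated by AS65537
    "65538 65536 65537",   # AS65536 in the middle of the path
    "65536 65539 65537",   # AS65536 first, another AS, then AS65537 at the end
]

if __name__ == "__main__":
    for regex in ["^$", "_65536$", "^65536_", "_65536_", "_65536_65537_",
                  "^[0-9]+$", "^[0-9]+_[0-9]+$", "_(65536|65537)_", "_65536(_.+_)65537$"]:
        print(f"{regex:22} -> {filter_paths(regex, SAMPLE_PATHS)}")
```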
Filter-lists Filter routes based on AS path, inbound or outbound router bgp network mask neighbor filter-list 5 out neighbor filter-list 6 in ! ip as-path access-list 5 permit ^65536$ ip as-path access-list 6 permit ^65539$
Route-maps A sequence of statements Has “line” numbers; each line is a separate condition/action: if match then do expression and exit, else if match then do expression and exit, else etc. Route-map “continue” lets us apply multiple conditions and actions in one route-map
Example Route-maps route-map sample permit 10 match ip address prefix-list list-one set local-preference 120 ! route-map sample permit 20 match ip address prefix-list list-two set local-preference 80 ! route-map sample permit 30
Controlling Inbound Traffic The first rule of controlling inbound traffic… – You do not have ultimate control of how traffic enters your AS – Your peers may have outbound policies that will override all of your attempts to influence inbound traffic So, what can you do? – Leaking specific routes – MED – AS-PATH prepending
AS Path Prepends [Diagram: a 2001:db8:: prefix announced to several ASNs, prepended on one link and not prepended on the other]
AS Path Prepends Use your own AS number when prepending; otherwise BGP loop detection may cause disconnects router bgp neighbor 2001:cafe::1 remote-as address-family ipv6 neighbor 2001:cafe::1 activate neighbor 2001:cafe::1 route-map SETPATH out ! route-map SETPATH permit 10 set as-path prepend
No-export Community [Diagram: ASN 65537 announces 2001:db8::/32 to ASN1 and ASN2 together with the more-specifics 2001:db8:100::/40 and 2001:db8:200::/40 tagged no-export; the no-export more-specifics are not advertised onward by ASN1 and ASN2]
No Export Community router bgp neighbor 2001:cafe::1 remote-as address-family ipv6 neighbor 2001:cafe::1 activate neighbor 2001:cafe::1 route-map set_community out exit-address-family ! route-map set_community permit 10 match ipv6 address prefix-list NO-EXPORT set community no-export ! route-map set_community permit 20 ! ipv6 prefix-list NO-EXPORT permit 2001:db8:100::/40
Order of policy application For inbound updates: – Route-map – Filter-list – Prefix-list For outbound updates: – Prefix-list – Filter-list – Route-map
Route-reflectors BGP cannot advertise a path learned from one iBGP peer to another iBGP peer. iBGP has no way to detect loops (as opposed to eBGP, which uses the AS-PATH) iBGP requires a full mesh, but that does not scale Route-reflectors are central points that distribute routes among iBGP peers
BEST PRACTICES
Loopbacks Loopback peering promotes stability If the link between two neighbors fails – Without loopbacks, peering to the interface IP would bring down the BGP session – With loopbacks, peering to a loopback allows the session to stay up Used to load-balance traffic over multiple links In iBGP make sure there is an IGP route to the loopbacks
Loopbacks router bgp bgp log-neighbor-changes no bgp default ipv4-unicast bgp router-id ! neighbor 2001:db8:3::1 remote-as neighbor 2001:db8:3::1 update-source Loopback0 ! address-family ipv6 neighbor 2001:db8:3::1 activate no synchronization network 2001:db8:100::/40 network 2001:db8:200::/40 exit-address-family ipv6 route 2001:db8:3::1 serial0 [Diagram: two ASNs connected over Serial0; loopback0 addresses 2001:db8:2::1 and 2001:db8:3::1; one side originates 2001:db8:100::/40]
Routing Table Growth [Chart] Source:
Disaggregation [Diagram: an ASN announces 2001:db8::/32 together with the more-specifics 2001:db8::/40 and 2001:db8:100::/40; ASN 3 ends up with three entries, each with AS_PATH ASN2 ASN1: 2001:db8::/32, 2001:db8::/40, 2001:db8:100::/40]
Aggregation Just announce the aggregate to your peers Use prefix-lists to control what gets out of your network and what gets into it Use no-export communities Try to avoid disaggregating as much as possible
Example router bgp network mask network mask network mask neighbor remote-as neighbor route-map set_community out neighbor remote-as neighbor prefix-list ANNOUNCE-OUT out ! route-map set_community permit 10 match ip address prefix-list NO-EXPORT set community no-export ! route-map set_community permit 20 ! ip prefix-list NO-EXPORT permit /16 ip prefix-list NO-EXPORT permit /16 ! ip prefix-list ANNOUNCE-OUT permit /8 ! ip route null 0 Apply no-export to this neighbor To this one just announce the aggregate
Receiving and sending prefixes Always apply outbound filters to announce only your prefixes and your customers' Always apply inbound filters; you never know what may come in from your peers Not doing this produces problems such as “route hijacking” and “route leaks”
Filtering special IPv4/IPv6 addresses You can add these addresses to your input filters to avoid receiving invalid announcements Examples of these prefixes are /8, /16, 2001:db8::/32 Check RFC 6890 for details Cisco, Juniper and other ACL templates at: – cymru.org/Services/Bogons/http.html
IPv6 special addresses ipv6 prefix-list IPv6-BOGUS deny 2001:db8::/32 le 128 ipv6 prefix-list IPv6-BOGUS permit 2002::/16 ipv6 prefix-list IPv6-BOGUS deny 2002::/16 le 128 ipv6 prefix-list IPv6-BOGUS deny 0000::/8 le 128 ipv6 prefix-list IPv6-BOGUS deny fe00::/9 le 128 ipv6 prefix-list IPv6-BOGUS deny ff00::/8 le 128 ipv6 prefix-list IPv6-BOGUS permit 0::/0 le 48 ipv6 prefix-list IPv6-BOGUS deny 0::/0 le 128
Stable Prefixes Use static routes to keep your routes stable and independent of interface changes Use loopbacks to peer with your neighbors – With iBGP use them as next-hop; it avoids carrying external routes in your IGP – With eBGP it increases stability
INTERNET EXCHANGE POINTS
Recall: Transit and Peering [Diagram: several ASNs; a peering relationship between two of them and a transit relationship through another]
Transit and Peering Transit – Traffic and prefixes originating from one AS are carried across an intermediate AS to reach their destination AS – Usually for a fee Peering – Private interconnect between two ASNs – Usually for no fee
Peering in an Internet Exchange Point (IXP) Internet Exchange Point – Common interconnect location where several ASNs exchange routing information and traffic [Diagram: several ASNs, e.g. ASN 65539, connected at the IXP]
Recommendations and Best Practices Only announce your aggregates and your customer aggregates at IXPs Only accept the aggregates which your peer is entitled to originate Never carry a default route on an IXP (or private) peering router Failing to do so leads to route-hijacks and leaks
Route Hijacking This occurs when a participant in Internet routing announces a prefix for which it has no authority Malicious or due to operational errors Better-known cases: – Pakistan Telecom vs. YouTube (2008) – China Telecom (2010) – Google in Eastern Europe (various ASes, 2010) – Latin American cases (beginning of 2011)
Route-Hijacking [Diagram] AS 6057 announces /16 ASN 8158 receives /16 /16 AS_PATH ASN1 ASN3 ASN6057 An AS announces /24 ASN 8158 receives /16 and /24 /16 AS_PATH ASN1 ASN3 ASN6057 /24 AS_PATH ASN1 ASN15358
Leaks There is no standard definition of leaks But it happens when an ASN “leaks” non-customer or non-self-originated routes to other peers. The effect is to give transit to those networks for the peers of the ASN
Simple Topology Layer 2 fabric N^N BGP relations [Diagram: four ASNs, e.g. ASN 65539, all peering directly with each other over the IXP fabric]
Route-server It allows the BGP mesh to scale All prefixes sent to a Route Server are usually distributed to all ASNs that peer with the Route Server BGP configuration to peer with a Route Server is the same as for any other ordinary peer Do not forget inbound and outbound filters here too
Topology with route-server [Diagram: four ASNs, each peering only with the Route-server]
Thanks! Questions?