The Benefit and Need of Standard Contribution for IXPs Jan Stumpf System Engineer.

Presentation transcript:

The Benefit and Need of Standard Contribution for IXPs Jan Stumpf System Engineer

Agenda
– Definition IXP
– DE-CIX Facts and Details
– Need and Benefit of Standard Contribution
– Make Route Server Aware of Data Link Failure
– Commonly Agreed BGP Community for Blackholing

Definition IXP
– A physical network facility operated by a separate legal entity
– Interconnection of more than two independent Autonomous Systems (AS)
– Interconnection of ASes only
– Primarily facilitating the exchange of Internet traffic
– Distinct from an Internet access network or a transit network/carrier

DE-CIX Facts
– Operates Internet exchanges (IXs or IXPs) in
   – Frankfurt
   – Hamburg
   – Munich
   – New York
   – Dubai
   – more to come …
– Provides services such as peering: the settlement-free exchange of Internet traffic
– Connects almost 700 networks worldwide
– Strictly carrier- and data center-neutral

DE-CIX Frankfurt
– Founded in 1995 (Arnold Nipper co-founder)
– World's largest Internet exchange (4.0 Tbps peak, 2.3 Tbps average)
– Serves and connects 600+ networks
– Keeps 65,000+ active peering sessions
– Has 1GE, 10GE and 100GE ports connected
– Total capacity of 12 Tbps
– Available in 18 data center facilities throughout the city of Frankfurt

Traffic Growth DE-CIX Frankfurt

eco Association
– Owner of DE-CIX
– 750+ members (such as AT&T, Brocade, Cisco, CloudFlare, Telekom, …)
– Representing its members' interests in politics and in international bodies
– Offers legal support

Need of Standard Contribution
– DE-CIX is special in size
   – #customers, traffic, #router in IXP LAN
– IXP business is a niche but especially important
– Standard = Compatibility with many vendors
– Protocols not optimized for IXP use case

Benefit of Standard Contribution
– Selected examples:
   – Making Route Servers aware of data link failures
   – Commonly agreed BGP community for blackholing

Make Route Server Aware of Data Link Failure

Typical Scenario: BGP Session
Diagram labels: Peer A; Peer B; BGP; Data
The control plane is able to detect the data plane failure.

Challenge: Route Server at IXPs
Diagram labels: IXP; Peer A (/8, IP A); Peer B (/8, IP B); Route Server; BGP; Data
Problem: The control plane is not able to detect data plane failure any more. Data traffic is lost!

Solution
1. Client routers must have a means of verifying connectivity amongst themselves
2. Client routers must have a means of communicating the knowledge so gained back to the route server
– Bidirectional Forwarding Detection, RFC 5880
– North-Bound Distribution of Link-State and TE Information using BGP, Draft

Solution
Diagram labels: IXP; Peer A (/8, IP A); Peer B (/8, IP B); Route Server; BGP; BFD
1. Route Server: Next Hop Information Base (NHIB) updated (BGP: /8 -> IP B; NHIB: Nodes: B)
2. Client Router: Verify connectivity. BFD connections are set up automatically
3. Client Router: NHIB updated (BGP: /8; NHIB: Nodes: B, Links: A->B)
4. Route Server: Route selection. All routes with next hop declared unreachable are excluded

Solution
– Bidirectional Forwarding Detection (BFD):
   – Hello packets are exchanged between two client routers (comparable to BGP Hello)
   – Rate: 1 packet / second, detection after 3 missing packets
– North-Bound Distribution of Link-State and TE Information using BGP (BGP-LS):
   – Model IXP network
   – Per peer: Next-Hop Information Base (NHIB) stores reachability for all next-hops

Data Link Failure
Diagram labels: IXP; Peer A (/8, IP A); Peer B (/8, IP B); Route Server; BGP; BFD
1. Client Router: Data link fail detected
2. Client Router: NHIB updated (BGP: /8; NHIB: Nodes: B, Links: none)
3. Route Server: Route selection. All routes with next hop declared unreachable are excluded (BGP; NHIB: Nodes: B)
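
The mechanism on the preceding slides, as an added example that is not code from the presentation or from DE-CIX: a client router counts missed BFD hellos, reports next-hop reachability, and the route server filters each peer's view against that peer's NHIB. Class and function names are hypothetical, the prefixes and addresses are constructed documentation values, and BFD is reduced to a missed-hello counter.

```python
from dataclasses import dataclass, field

BFD_DETECT_MULT = 3   # slide: failure declared after 3 missing packets (sent 1 per second)

@dataclass
class ClientRouter:
    """IXP client router that verifies next hops itself (simplified BFD: no Init state)."""
    name: str
    missed: dict = field(default_factory=dict)   # next hop -> consecutive missed hellos

    def tick(self, next_hop, hello_received):
        """Process one BFD interval; return True while next_hop still counts as reachable."""
        self.missed[next_hop] = 0 if hello_received else self.missed.get(next_hop, 0) + 1
        return self.missed[next_hop] < BFD_DETECT_MULT

class RouteServer:
    def __init__(self):
        self.routes = []   # (prefix, next_hop, announcing client)
        self.nhib = {}     # client -> {next_hop: reachable}, one NHIB per peer

    def announce(self, client, prefix, next_hop):
        self.routes.append((prefix, next_hop, client))

    def report(self, client, next_hop, reachable):
        """Record what a client learned (the slides carry this back over BGP-LS)."""
        self.nhib.setdefault(client, {})[next_hop] = reachable

    def routes_for(self, client):
        """Per-client route selection: exclude next hops this client declared unreachable.
        Assumption: a next hop with no report yet is treated as reachable."""
        view = self.nhib.get(client, {})
        return [(p, nh) for p, nh, src in self.routes
                if src != client and view.get(nh, True)]

def simulate(hellos):
    """Peer A probes peer B's next hop once per interval; return A's route view after each."""
    rs = RouteServer()
    rs.announce("B", "198.51.100.0/24", "192.0.2.2")   # constructed sample routes
    rs.announce("C", "198.51.100.0/24", "192.0.2.3")
    peer_a, history = ClientRouter("A"), []
    for received in hellos:
        rs.report("A", "192.0.2.2", peer_a.tick("192.0.2.2", received))
        history.append(rs.routes_for("A"))
    return history

if __name__ == "__main__":
    for step, view in enumerate(simulate([True, False, False, False, True])):
        print(step, view)
```

The filter is per peer: a failure reported by Peer A removes the route only from A's view, so other peers that still reach the next hop keep it.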

Commonly Agreed BGP Community for Blackholing

The Problem: Massive DDoS Attack
Diagram labels: IXP; DDoS; IXP Port Congestion
If an IXP customer is hit by a massive DDoS attack its port can get congested and impact legitimate traffic

A Solution: Blackholing
Diagram labels: IXP; DDoS; ACL; Blackhole server: answer ARP requests, Blackhole IP = Blackhole MAC; BGP: Announce IP prefix under attack: Next Hop = Blackhole IP
Preparation IXP:
1. ACL: Block Blackhole MAC
2. Blackhole server for ARP
For the IP prefix for which a blackholing is triggered all traffic is discarded at the IXP. Traffic for other IP prefixes gets through without any congestion.

Customer: How to Trigger Blackholing
– The customer announces the IP prefix under attack with the next hop IP address set to the blackholing IP address
– Blackholing works with bi-lateral and multi-lateral (route server) peerings
– Limited acceptance of /32 IP prefixes. < /24 is preferred.
– Route server: policy control to whitelist/blacklist a particular ASN can be used

Number of Prefixes Blackholed

Well-Known BGP Community for Blackholing
– Currently, many IXPs provide the blackholing feature
– Triggering is implemented differently at various IXPs (e.g. BGP community, next hop IP address (DE-CIX))
– A commonly agreed trigger is preferred: Well-known BGP community for blackholing
– All IXPs offering the blackholing feature voted on a tech mailing list for: 65535:666
   – is a reserved ASN
   – 65535:666 = 0xFFFF029A is in the well-known BGP community space but unused
   – 666 is often used to trigger blackholing on transit networks
– An Internet Draft is currently being written – support is highly appreciated
Diagram label: BGP: Announce Prefix with Next Hop = Black-Hole IP, Tag: 65535:666
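
How a route server could recognise either trigger named above (the 65535:666 community or the blackhole next hop), as an added example that is not code from the presentation or from DE-CIX. The blackhole IP, the sample prefixes and the per-customer `allowed_prefixes` filter are constructed assumptions; the filter ensures a trigger is honoured only for address space the announcing customer may originate.

```python
import ipaddress
import struct

BLACKHOLE = (65535, 666)              # community proposed on the slide
BLACKHOLE_NEXT_HOP = "192.0.2.66"     # constructed placeholder for the IXP's blackhole IP

def encode_community(asn, value):
    """A standard BGP community is 32 bits: high 16 bits ASN, low 16 bits value."""
    return (asn << 16) | value

def parse_communities(attr_value):
    """Decode a COMMUNITIES attribute value (RFC 1997): consecutive 4-byte entries."""
    if len(attr_value) % 4:
        raise ValueError("COMMUNITIES length must be a multiple of 4")
    return [struct.unpack_from("!HH", attr_value, i)
            for i in range(0, len(attr_value), 4)]

def classify(prefix, next_hop, attr_value, allowed_prefixes):
    """Import decision for one announcement: 'reject', 'blackhole' or 'accept'.

    allowed_prefixes is a hypothetical per-customer filter (for example built
    from routing-registry data) listing what the customer may announce.
    """
    net = ipaddress.ip_network(prefix)
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
        return "reject"               # never blackhole someone else's address space
    tagged = BLACKHOLE in parse_communities(attr_value)
    if tagged or next_hop == BLACKHOLE_NEXT_HOP:
        return "blackhole"            # the IXP discards traffic for this prefix
    return "accept"

if __name__ == "__main__":
    tag = struct.pack("!I", encode_community(*BLACKHOLE))   # b'\xff\xff\x02\x9a'
    mine = ["203.0.113.0/24"]                               # constructed customer filter
    print(hex(encode_community(*BLACKHOLE)))
    print(classify("203.0.113.7/32", "192.0.2.1", tag, mine))
    print(classify("198.51.100.9/32", "192.0.2.1", tag, mine))
```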

Conclusion
– Two examples showed need for Standard Contribution
   – BFD: Standardization for making it possible for Hardware vendors to implement the feature
   – Commonly Agreed BGP Community for Blackholing: Standardization for easy triggering of the feature
– Higher goal: for the good of the Internet

Questions, Comments, Feedback?

DE-CIX Management GmbH Lindleystr Frankfurt Germany Phone