ROUTE FILTERING: If you accept free beer, expect an hangover Thomas Mangin AS30740 Linx 57, 21 st of may 2007.

Slides:



Advertisements
Similar presentations
Cisco To Juniper Thomas Mangin Exa Networks LINX 51.
Advertisements

How to Multi-Home Avi Freedman VP Engineering AboveNet Communications.
An Operational Perspective on BGP Security Geoff Huston February 2005.
1 San Diego, California 25 th February BGP made easy John van Oppen Spectrum Networks / AS11404.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
Interdomain Routing and The Border Gateway Protocol (BGP) Courtesy of Timothy G. Griffin Intel Research, Cambridge UK
Changed made by MF on 29/10/04 Delete Change Add –All slides Obtained Geoff Huston’s review – done on 26/10/2004 Obtained Doc Team’s proof read - done.
1 Using RPSL in Practice Chun Zhang Nov 2, 2000 ECE 697F: Special Topics - Internet Routing.
Release 5.1, Revision 0 Copyright © 2001, Juniper Networks, Inc. Advanced Juniper Networks Routing Module 6: Border Gateway Protocol.
RPSL - Practical Tool for ISPs? 14th APNIC Open Policy Meeting Kitakyushu, Japan Andy Linton.
R OUTING IN THE INTERNET. A UTONOMOUS SYSTEM ( AS ) Collections of routers that has the same protocol, administative and technical control Intra-AS routing.
BGP Attributes and Path Selections
Route Servers: What, Why, and How? Andy Davidson Allegro Networks / LONAP August 2014 Peer 2.0/SFO.
Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.
1 Computer Communication & Networks Lecture 22 Network Layer: Delivery, Forwarding, Routing (contd.)
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network BGP Attributes and Path Selection Process.
CS 3830 Day 29 Introduction 1-1. Announcements r Quiz 4 this Friday r Signup to demo prog4 (all group members must be present) r Written homework on chapter.
Lecture 4: BGP Presentations Lab information H/W update.
APNIC Internet Routing Registry An introduction to the IRR TWNIC Meeting, 3 December 2003 Nurani Nimpuno, APNIC.
BGP operations and security draft-jdurand-bgp-security-02.txt Jerome Durand Gert Doering Ivan Pepelnjak.
BCNET Conference April 29, 2009 Andree Toonk BGPmon.net Prefix hijacking! Do you know who's routing your network? Andree Toonk
Border Gateway Protocol (BGP) W.lilakiatsakun. BGP Basics (1) BGP is the protocol which is used to make core routing decisions on the Internet It involves.
More on Internet Routing A large portion of this lecture material comes from BGP tutorial given by Philip Smith from Cisco (ftp://ftp- eng.cisco.com/pfs/seminars/APRICOT2004.
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
BGP in practice Sabri Berisha What The Hack 2005.
Engineering Workshops Router Configuration. Engineering Workshops Cisco Router Configuration Rule #1: What Would v4 do? –Enable routing ipv6 unicast-routing.
Juniper ESCR Tesco Day 3. Overview Day #1 Maintenance and monitoring Routing protocols Lab Day #2 Introduction to Juniper devices Junos CLI System and.
The New Policy for Enterprise Networking Robert Bays Chief Scientist June 2002.
MPLS on UW System Network Michael Hare. Purpose of presentation As I didn't really understand MPLS going in, I thought it would be useful to share what.
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Autonomous System Numbers How to describe Routing Policy.
© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—3-1 Route Selection Using Policy Controls Using Outbound Route Filtering.
© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—3-1 Route Selection Using Policy Controls Applying Route-Maps as BGP Filters.
© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—3-1 Route Selection Using Policy Controls Using Multihomed BGP Networks.
© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—6-1 Scaling Service Provider Networks Introducing Confederations.
Border Gateway Protocol. Intra-AS v.s. Inter-AS Intra-AS Inter-AS.
Rob Lister UKNOF24 17 January 2013 IXPs and Robust Configuration aka. “interesting” configs we have seen…
The Benefit and Need of Standard Contribution for IXPs Jan Stumpf System Engineer.
BGP Route Server Proof of Concept Magnus Bergroth NORDUnet.
AS Numbers - Again Geoff Huston APNIC October 2009
Introduction Hello, Good Afternoon
MBGP and Customer Routes
Configuring DHCP Relay Configuration Example
Exploiting Layer 2 By Balwant Rathore.
Connecting an Enterprise Network to an ISP Network
Boarder Gateway Protocol (BGP)
Border Gateway Protocol
The BGP Visibility Scanner
BGP Route Server Proof of Concept
AUT-NUM Maintenance Linx has seen a massive increase in the number of peers This mean new sessions to your routers And many update to RIPE to update your.
Border Gateway Protocol
IPv6 Autoconfiguration Plug & Play Dream or Security Nightmare
Goals of soBGP Verify the origin of advertisements
Traffic Volume Dependencies between IXPs
BGP supplement Abhigyan Sharma.
Introduction to Networking
Introduction to Networking
We Care About Data Quality at IXPs
Interdomain Traffic Engineering with BGP
Everybody Leaks Alexander Azimov.
Module Summary BGP is a path-vector routing protocol that allows routing policy decisions at the AS level to be enforced. BGP is a policy-based routing.
Route Servers: An AMS-IX Introspective
Jessica Yu ANS Communication Inc. Feb. 9th, 1998
Geoff Huston APNIC August 2009
MANRS for IXPs Why we did it? What did we do?
BGP Multiple Origin AS (MOAS) Conflict Analysis
Peering Security DKNOG, March 14-15, 2019 Susan Forney and Walt Wollny
Validating MANRS of a network
Presentation transcript:

ROUTE FILTERING: If you accept free beer, expect an hangover Thomas Mangin AS30740 Linx 57, 21 st of may 2007

Why I am standing here ? ● First hand experience with a Leak two weeks ago – Sending a full routing table all my linx peers – And transit providers – Since on more leak was announced on the Linx mailing-list – If you dig the linx-ops archive, leak is an industry sport ● Maxed our linx port quickly.. – Traffic mainly going to Level3 – Surely local-preference to blame –... and peers

What should have happened ● Nothing should have happened – I should have not leaked, but I did.. – Transit providers handled the leak gracefully thanks to filters, as did some peers ● And then NOTHING – The routes should have been filtered inbound – Or max-prefix should have killed the session ● Two layers of protection failed, or were absent, on both side !

Protect yourself and your peers Protect your peers from your leak or be ready... ● John will have do a repeat of this talk ● Worse, you will spend days with sessions in active (shameless plug to 31 peers out of 138) Protect yourself. ● I will do some maintenance work tomorrow night ● Nobody's perfect.. It only takes a few hours to prevent further leaks. ● If I done it....

Protect your peers : Identify your transit routes Routes can be identified by and manipulated using: (1) outbound as-path filtering refuse to announce your transit (2) community to decide what to announce (3) prefixes : refuse announce bogons refuse announce small prefixes refuse announce known range (ix, etc.) (4) do not propagate private-asn

as-path filtering -outbound /* define the routes we have learned from transit (example) */ as-path routes-level *; as-path routes-sprint 1239.*; /* create a policy blocking their distribution */ [edit policy-options] policy-statement no-transit { term remove-path { from { protocol bgp; as-path [ routes-level3 route-sprint ]; } then reject; } /* make sure that no linx peer will ever get them again */ [edit protocols bgp group linx] export [ no-transit ];

community tagging /* define a communtiy to identify routes learned from transit */ community route-transit members 174:1239; /* create a policy to apply this community to a route */ policy-statement tag-transit { then { community add route-transit; } /* make sure all routes from transit have that community */ [edit protocols bgp group transit] import [ tag-transit tag-transit-provider-specific ]; (repeat with peers)

community filtering /* define a policy rejecting routes identified as transit */ [edit policy-options] policy-statement export-transit { term remove-peering { from { protocol bgp; community route-transit; } then reject; } term remove-peering... term remove-community... term prepend-one-time... } /* and make sure no linx peer sees it */ [edit protocols bgp group linx] export [ export-peering export-linx ]; Do not do typo with your community definition without (1).. it hurts..

Those route no-one should have /* match and refuse any route smaller/longer than a /24 */ [edit policy-options] policy-statement no-small-prefixes { from { route-filter /0 prefix-length-range /25-/32 reject; } then reject; } /* bogon, rfc1819, etc. */ [edit policy-options] policy-statement no-bogons { from { route-filter /4 orlonger reject; }

Those routes no-one should have /* Linx LAN */ policy-statement no-ix { from { route-filter /22 orlonger reject; } then reject; } /* should never get in or out */ [edit protocols bgp group linx] export [ no-small-prefixes no-ix no-bogons ]; import [ no-small-prefixes no-ix no-bogons ];

Protect yourself Do not trust your peer /mainly/ if you are peering with me: (1) use max-prefix to limit the number of route a peer can send you it is cheap, fast and works (2) refuse route with an as-path.. of a “T1” coming from peers of your customers from peer or transit with reserved ASN (3) Create inbound route filters

Max-Prefix Max-prefix will shutdown a session should the ebgp speaker send you more than a predefined number of routes (was it necessary to say it ?) neighbor xxx { description "AS-ACCEPTED | Peer name | | AS-SENT"; family inet { unicast { prefix-limit { maximum 150; teardown 80; } peer-as 1234; }

as-path filtering -outbound /* define the routes you will never see through peers */ as-path leaked-sprint ".{1,}1239.*"; as-path leaked-telia ".{1,}1299.*"; /* create a policy blocking their distribution */ [edit policy-options] policy-statement no-leak { term remove-path { from { protocol bgp; as-path [ leaked-telia leaked-spring ]; } then reject; } /* make sure that no linx peer will ever get them again */ [edit protocols bgp group linx] import [ no-leak ];

as-path filtering outbound Limitations : On cisco this works great as the count is performed on prefix accepted On juniper not as good the counting is done on prefix received (before any kind of filtering) Please push for this feature request to your SE : s

Filter on IRR DB Some tools exist to help with the generation of filter based on the content of the IRR DB (RIPE, ARIN, etc.) Gather and Track prefix within AS-Macro. A set of tools to work with irrpt to extract comment from your routers configurations to generate : ● the irrdb.conf file (the list of AS-MACRO to fetch) ● your ripe aut-num ● generate the right filter for a given router (currently only parse juniper config)

Conclusion Renesys BGP white paper, Everything I said but in plain understandable english For those of you who prefer cisco talks

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.