Migratory ASs Sandra Murphy

Slides:



Advertisements
Similar presentations
Design Guidelines for IPv6 Networks draft-matthews-v6ops-design-guidelines-01 Philip Matthews Alcatel-Lucent.
Advertisements

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Presentation_ID 1 BGP Diverse Paths draft-ietf-grow-diverse-bgp-paths-dist-02 Keyur Patel.
Route Leaks Sandra Murphy. Is This a Route Leak? To be able to detect a route leak: Given Update with AS_PATH AS1…ASn Is this a route leak?
CCNP Network Route BGP Part -I BGP : Border Gateway Protocol. It is a distance vector protocol It is an External Gateway Protocol and basically used for.
1 Interdomain Traffic Engineering with BGP By Behzad Akbari Spring 2011 These slides are based on the slides of Tim. G. Griffin (AT&T) and Shivkumar (RPI)
1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.
ISP 7 AS 7 ISP 5 AS 5ISP 3 AS 3 ISP 1 AS 1 peer ISP 9 AS 9 peer.
Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
CS Summer 2003 Quiz 1 A1) IGP (IS-IS, OSPF) BGP A2) Stub Transit. because it is adverting AS2’s routes to AS1 and vice versa. A3) Traffic discarded.
R OUTING IN THE INTERNET. A UTONOMOUS SYSTEM ( AS ) Collections of routers that has the same protocol, administative and technical control Intra-AS routing.
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Presentation_ID 1 BGP AS AN MVPN PE-CE Protocol draft-keyupate-l3vpn-mvpn-pe-ce-00 Keyur Patel,
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.
CS 3700 Networks and Distributed Systems Inter Domain Routing (It’s all about the Money) Revised 8/20/15.
Scaling iBGP. BGP iBGP –Internal BGP –BGP peering between routers in same AS –Goal: get routes from a border router to another border router without losing.
BGP operations and security draft-jdurand-bgp-security-02.txt Jerome Durand Gert Doering Ivan Pepelnjak.
Border Gateway Protocol
© 2001, Cisco Systems, Inc. A_BGP_Confed BGP Confederations.
BGP4 - Border Gateway Protocol. Autonomous Systems Routers under a single administrative control are grouped into autonomous systems Identified by a 16.
Border Gateway Protocol (BGP) W.lilakiatsakun. BGP Basics (1) BGP is the protocol which is used to make core routing decisions on the Internet It involves.
More on Internet Routing A large portion of this lecture material comes from BGP tutorial given by Philip Smith from Cisco (ftp://ftp- eng.cisco.com/pfs/seminars/APRICOT2004.
Draft-ietf-sidr-bgpsec-protocol Matt Lepinski
Secure Origin BGP: What is (and isn't) in a name? Dan Wendlandt Princeton Routing Security Reading Group.
BGPSEC Router Key Roll-over draft-rogaglia-sidr-bgpsec-rollover-00 Roque Gagliano Keyur Patel Brian Weis.
BGPSEC : A BGP Extension to Support AS-Path Validation Matt Lepinski BBN Technologies.
Base Specification for Multicast in BGP/MPLS VPNs draft-raggarwa-l3vpn-2547-mvpn-00.txt Rahul Aggarwal Juniper Networks.
Internal BGP as PE-CE Protocol Pedro Marques Robert Raszuk Dan Tappan
Draft-ietf-sidr-bgpsec-reqs-01 diffs from -00 (Jul) sidr / IETF Taipei Randy Bush sidr bgpsec reqs 1.
Routing Workshop (IPv4 & IPv6) Philip Smith PacNOG 7, Pago Pago, American Samoa 28th June - 3rd July 2010.
Advertising ECMP Routes in BGP Joel Halpern Manav Bhatia Paul Jakma 65 th IETF – Dallas, TX.
Deterministic Route Redistribution into BGP Enke Chen Jenny Yuan
1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.
© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—3-1 Module Summary The multihomed customer network must exchange BGP information with both ISP.
IDR WG 6PE-Alt draft-manral-idr-mpls-explicit-null-00.txt Vishwas Manral, IPInfusion Manoj Dutta, IPInfusion IETF 71, Philadelphia, PA, USA.
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Lab 6-2 Debrief.
Route Selection Using Attributes
Text BGP Basics. Document Name CONFIDENTIAL Border Gateway Protocol (BGP) Introduction to BGP BGP Neighbor Establishment Process BGP Message Types BGP.
BGP L3VPN origin validation (draft-ymbk-l3vpn-origination-02) November 2012.
1 Investigating occurrence of duplicate updates in BGP announcements Jong Han Park 1, Dan Jen 1, Mohit Lad 2, Shane Amante 3, Danny McPherson 4, Lixia.
26 Jul 2007SIDR IETF 69 Chicago Jul Private Address/AS Space Sandra Murphy
IDR WG Document Status Update Sue Hares, Yakov Rekhter November 2005.
Border Gateway Protocol BGP-4 BGP environment How BGP works BGP information BGP administration.
BGP-based Auto-Discovery for L2VPNs draft-hlmu-l2vpn-bgp-discovery-00.txt Sue Hares - Vasile Radoaca -
Fri 2 Aug 2013SIDR IETF 87 Berlin, German1 BGPSEC Protcol Error Handling IETF 87 Berlin, Germany Wednesday, 31 Jul 2013 Friday, 2 Aug 2013.
BGPSEC Protocol (From -01 to -02 and on to -03) Matt Lepinski.
Sandra Murphy Migratory ASs (my own interpretation of draft-ga-idr-as-migration & draft-george-sidr-as-migration) Sandra Murphy.
ISP Workshop Agenda Phithakkit Phasuk.
Connecting an Enterprise Network to an ISP Network
Boarder Gateway Protocol (BGP)
BGP 1. BGP Overview 2. Multihoming 3. Configuring BGP.
ARIN Relying Party Agreement Impact. Workarounds
Non optimal routing caused by incompatibility of 32-bit ASN with the old router software. KazRENA case study.
Virtual Aggregation (VA)
Border Gateway Protocol
BGP supplement Abhigyan Sharma.
Interdomain Traffic Engineering with BGP
BGPSEC Potential Optimizations for AS-PATH Prepending and Transparent Route Servers. sidr wg / Québec City Doug Montgomery
Lixin Gao ECE Dept. UMASS, Amherst
Module Summary BGP is a path-vector routing protocol that allows routing policy decisions at the AS level to be enforced. BGP is a policy-based routing.
BGP Overview BGP concepts and operation.
COS 561: Advanced Computer Networks
draft-mohanty-bess-ebgp-dmz-00 IETF 101, London
Connecting an Enterprise Network to an ISP Network
EVPN Interworking with IPVPN
Routers Routing algorithms
BGP Security Jennifer Rexford Fall 2018 (TTh 1:30-2:50 in Friend 006)
Presentation transcript:

Sandra Murphy sandra.murphy@sparta.com Migratory ASs Sandra Murphy sandra.murphy@sparta.com sponsored by DHS under an Interagency Agreement with AFRL 9 Nov 2012 SIDR IETF85 Atlanta, GA

How to Do That in BGPSEC 9 Nov 2012 SIDR IETF85 Atlanta, GA

Notation In the following, the notation means: for the origin BGPSEC signature attribute: sig(originprefix, <target>, AS of signer, pcount) key for intermediate BGPSEC signature attributes: sig(<target>, AS of signer, pcount) key 9 Nov 2012 SIDR IETF85 Atlanta, GA

BEFORE MERGER 333 | ISP A' ISP A’ CE-1 <--- PE-1 <------------------- PE-2 <--- CE-2 100 Old_ASN: 300 Old_ASN: 200 400 CE-2 to PE-2: sig(origin(N),<200>,400,pcount=1)K_400-CE2 [sig1] AS_PATH=(400) length=sum(pcount)=1 PE-2 to 333: sig(<333>,200,sig1,pcount=1)K_200-PE2 [sig2] sig(origin(N),<200>,400,pcount=1)K_400-CE2 [sig1] AS_PATH=(200,400) length=sum(pcount)=2 PE-2 to PE-1: sig(<300>,(200),sig1,pcount=1)K_200-PE2 [sig3] sig(origin(N),<200>,(400),pcount=1)K_400-CE2[sig1] PE-1 to CE-1: sig(<100>,300,sig3,pcount=1)K_300-PE1 [sig4] sig(<300>,200,sig1,pcount=1)K_200-PE2 [sig3] sig(origin(N),<200>,400,pcount=1)K_400-CE2 [sig1] AS_PATH = 300,200,400 length=sum(pcount)=3 9 Nov 2012 SIDR IETF85 Atlanta, GA

MIGRATING 333 | ISP A' ISP A’ CE-1 <--- PE-1 <------------------- PE-2 <--- CE-2 100 Old_ASN: 300 Old_ASN: 200 400 New_ASN: 200 New_ASN: 200 CE-2 to PE-2: sig(origin(N),<200>,400,pcount=1)K_400-CE2 [sig11] AS_PATH=(400) length=sum(pcount)=1 PE-2 to 333: sig(<333>,200,sig11,pcount=1,sig11)K_200-PE2 [sig12] sig(origin(N),<200>,400,pcount=1)K_400-CE2 [sig11] AS_PATH=(200,400) length=sum(pcount)=2 PE-2 to PE-1: sig11 PE-1 to CE-1: sig(<100>,300,pcount=1,sig12)K_300-PE1 [sig13] sig(<300>,200,pcount=0,sig11)K_200-PE2 [sig12] sig(origin(N),<200>,400,pcount=1)K_400-CE2 [sig11] AS_PATH=(300,400) length=sum(pcount)=2 (length is NOT 3) 9 Nov 2012 SIDR IETF85 Atlanta, GA

MIGRATING Note that PE-1 is adding two signatures to the list. 333 | ISP A' ISP A’ CE-1 ---> PE-1 -------------------> PE-2 ---> CE-2 100 Old_ASN: 300 Old_ASN: 200 400 New_ASN: 200 New_ASN: 200 PE-1 to CE-1: sig(<100>,300,pcount=1,sig12)K_300-PE1 [sig13] sig(<300>,200,pcount=0,sig11)K_200-PE2 [sig12] sig(origin(N),<200>,400,pcount=1)K_400-CE2 [sig11] AS_PATH=(300,400) length=sum(pcount)=2 (length is NOT 3) Note that PE-1 is adding two signatures to the list. It is as if PE-1 had an AS hop internally. NOTE: “AS IF” PE-1 adds sig12 and sig13. sig12 is added as if PE-1 is AS200 and adds the pcount=0. sig13 is added as if PE-1 is AS300. So “AS300” authorizes “AS200” to add the pcount=0. Note that the neighbor of the AS that adds pcount=0 is the one authorizing – further ASs can not check the authorization. (For original route server motivation, neighbor is authority.) 9 Nov 2012 SIDR IETF85 Atlanta, GA

MIGRATING in Other Direction – Alternative 1 333 | ISP A' ISP A’ CE-1 ---> PE-1 -------------------> PE-2 ---> CE-2 100 Old_ASN: 300 Old_ASN: 200 400 New_ASN: 200 New_ASN: 200 CE-1 to PE-1: sig(origin(N2),<300>,100,pcount=1)K_100-CE1 [sig21] AS_PATH=(100) length=sum(pcount)=1 PE-1 to PE-2: sig(<200>,300,pcount=0,sig21)K_300-PE1 [sig22] sig(origin(N2),<300>,100,pcount=1)K_100-CE1 [sig21] AS_PATH=(300,100) length=sum(pcount)=1 PE-2 to CE-2: sig(<400>,200,pcount=1,sig22)K_200-PE2 [sig23] sig(<200>,300,pcount=0,sig21)K_300-PE1 [sig22] sig(origin(N2),<300>,100,pcount=1)K_100-CE1 [sig21] AS_PATH=(200,300,100) length=sum(pcount)=2 9 Nov 2012 SIDR IETF85 Atlanta, GA

MIGRATING in Other Direction – Alternative 1 333 | ISP A' ISP A’ CE-1 ---> PE-1 -------------------> PE-2 ---> CE-2 100 Old_ASN: 300 Old_ASN: 200 400 New_ASN: 200 New_ASN: 200 PE-1 to PE-2: sig(<200>,300,pcount=0,sig21)K_300-PE1 [sig22] sig(origin(N2),<300>,100,pcount=1)K_100-CE1 [sig21] AS_PATH=(300,100) length=sum(pcount)=1 (PE-2 authorizes PE-1 to use pcount=0) PE-1 is the one doing the migration, so it makes sense that it is the one that has to take special action. but this is an ibgp session and not normal to be adding bgpsec attrb on ibgp session. Again, this is working as if there was a ebgp hop internal to PE1, at least as far as the bgpsec attributes are computed 9 Nov 2012 SIDR IETF85 Atlanta, GA

Discussion In BGP, this is a non-spec vendor knob There’s work presented to idr to make a standard way to do this (make vendor knobs consistent) Presuming this proves to work Do we consider this as advice to vendors making bgpsec versions of their knobs? Do we make this part of the bgpsec protocol? (If idr makes this standard, then obviously it should be part of bgpsec protocol.) 9 Nov 2012 SIDR IETF85 Atlanta, GA

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.