BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.

BGP Multiple Origin AS (MOAS) Conflict Analysis
Xiaoliang Zhao, NCSU; S. Felix Wu, UC Davis; Allison Mankin, Dan Massey, USC/ISI; Dan Pei, Lan Wang, Lixia Zhang, UCLA
NANOG-23, October 23, 2001

Definition of MOAS
- BGP routes include a prefix and an AS path
  - Example: /16, Path: 4513, 11422, 11422, 52
- Origin AS: the last AS in the path
  - In the above example, AS 52 originated the path advertisement for prefix /16
- Multiple Origin AS (MOAS): the same prefix announced by more than one origin AS

Example MOAS Conflicts
[Figure: AS 4 originates 128.9/16 (Path: 4) and AS X passes it on (Path: X, 4); elsewhere a static or IGP learned route to 128.9/16 is injected into BGP by AS 226, so AS Z announces 128.9/16 with Path: Z, 226; AS Y receives both announcements: MOAS conflict!]
- Valid MOAS case: 128.9/16 reachable either way
- Invalid MOAS case: 128.9/16 reachable one way but not the other
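As an added example (not part of the original slides), the Python below applies the talk's definition to a constructed route table: the origin AS is the last AS in the path, a MOAS conflict is any prefix seen with more than one origin, and a per-origin count shows how a spike caused by a single AS would stand out. All prefixes, AS paths and AS numbers are constructed sample values, not Route Views data.

```python
from collections import Counter, defaultdict

# Constructed sample routes: (prefix, AS path as announced). The AS
# numbers are illustrative only; prepending (11422, 11422) is harmless
# because only the last AS in the path matters for the origin.
SAMPLE_ROUTES = [
    ("128.9.0.0/16", [4513, 11422, 11422, 4]),
    ("128.9.0.0/16", [7018, 4]),        # same origin AS 4: no conflict
    ("128.9.0.0/16", [3356, 226]),      # AS 226 also originates: MOAS
    ("18.0.0.0/8", [701, 59]),
    ("18.0.0.0/8", [1239, 58]),         # AS 58 and AS 59: MOAS
    ("131.179.0.0/16", [2914, 52]),     # single origin, no conflict
]

def origin_as(as_path):
    """Origin AS is the last AS in the AS path (the talk's definition)."""
    if not as_path:
        raise ValueError("empty AS path")
    return as_path[-1]

def find_moas(routes):
    """Group routes by prefix and return only the prefixes announced by
    more than one origin AS, mapped to the sorted list of origins."""
    origins = defaultdict(set)
    for prefix, path in routes:
        origins[prefix].add(origin_as(path))
    return {p: sorted(a) for p, a in origins.items() if len(a) > 1}

def conflicts_per_origin(moas):
    """Count how many conflicting prefixes each origin AS takes part in.
    One AS with a very large count is the signature of the operational
    fault spikes the talk describes."""
    counts = Counter()
    for ases in moas.values():
        counts.update(ases)
    return dict(counts)

if __name__ == "__main__":
    conflicts = find_moas(SAMPLE_ROUTES)
    for prefix, ases in sorted(conflicts.items()):
        print(f"MOAS conflict: {prefix} originated by {ases}")
    print("conflicts per origin AS:", conflicts_per_origin(conflicts))
```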

Talk Outline
- Measurement data shows that MOAS exists
- Some MOAS cases are caused by faults
- Some MOAS cases are due to operational need
- Important to distinguish the two
  - Proposed solutions

Measurement Data Collection
- Data collected from the Oregon Route Views
  - Peers with >50 routers from >40 different ASes
  - Our analysis uses data from 11/08/97 to 07/18/01 (1279 days total)
- More than MOAS conflicts observed during this time period
- At a given moment:
  - The Route Views server observed 1364 MOAS conflicts
  - The views from 3 individual ISPs showed 30, 12 and 228 MOAS conflicts

MOAS Conflicts Do Exist
[Figure: number of MOAS conflicts observed over the measurement period, with two spikes annotated "Max: (11357 from a single AS)" and "Max: (9177 from a single AS)"]

Histogram of MOAS Conflict Lifetime
[Figure: histogram; x-axis: total # of days a prefix experienced a MOAS conflict; y-axis: # of MOAS conflicts]

Distribution of MOAS Conflicts over Prefix Lengths
[Figure: for each prefix length, the ratio of # MOAS entries over total routing entries of that prefix length]

Valid Causes of MOAS Conflicts
[Figure, two panels: "Multi-homing without BGP" (AS 4 announces 128.9/16 with Path: 4 while AS 226 reaches 128.9/16 via a static route or IGP route and announces it too) and "Private AS number substitution" (128.9/16 announced with Path: 11422, ... and then seen as Path: X from AS X and Path: Y from AS Y once the private AS number is replaced)]

Invalid Causes of MOAS Conflicts
- Operational faults led to large spikes of MOAS conflicts
  - 04/07/1998: one AS originated prefixes, out of which were MOAS conflicts
  - 04/10/2001: another AS originated 9180 prefixes, out of which 9177 were MOAS conflicts
- Falsely originated routes
  - Errors
  - Intentional traffic hijacking

Handling MOAS Conflicts
- RFC 1930 recommends that each prefix be originated from a single AS
- Today's routing practice leads to MOAS in normal operations
- We must tell valid MOAS cases from invalid ones
  - Proposal 1: using the BGP community attribute
  - Proposal 2: DNS-based solution

BGP-Based Solution
- Define a new community attribute
  - Listing all the ASes allowed to originate a prefix
- Attach this MOAS community attribute to the BGP route announcement
- Enable BGP routers to detect faults and attacks
  - At least in most cases, we hope!

Community Attribute Implementation Example
Example configuration (Cisco IOS on the AS 59 router; the neighbor address is written as <neighbor-ip> because it is not given):

  router bgp 59
   neighbor <neighbor-ip> remote-as 52
   neighbor <neighbor-ip> send-community
   neighbor <neighbor-ip> route-map setcommunity out
  route-map setcommunity
   match ip address /8
   set community 59:MOAS 58:MOAS additive

[Figure: AS 59 originates 18/8 and announces it to AS 52 and AS 58; announcements of 18/8 are seen carrying the path plus MOAS{58,59}, MOAS{4,58,59} and MOAS{52, 58}]

Implementation Considerations
- Quickly and incrementally deployable
  - Generating the MOAS community attribute: configuration changes only
  - Detecting an un-validated MOAS or a MOAS-CA conflict:
    - Short term: observable from monitoring platforms
    - Longer term: adding it into BGP update processing
- But community attributes may be dropped by a transit AS due to local configurations or policies
  - Time to fix the handling of community attributes?
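An added example (not the slides' or the project's code) of the check a monitoring platform could run over the proposed community attribute, covering both the tagging described on the previous slide and the detection cases named here: each route's <asn>:MOAS tags form its allowed-origin list, a route whose origin is not in the list it carries is suspect, a route with no MOAS tags is un-validated (the transit-AS stripping problem), and routes for one prefix carrying different lists are a MOAS-CA conflict. The announcements are constructed, and the string token "MOAS" stands in for whatever community value the proposal would assign.

```python
from collections import Counter

# Constructed announcements for 18/8, modelled on the slide figure:
# each carries its AS path and the communities as received.
SAMPLE_18_8 = [
    {"path": [701, 59], "communities": ["59:MOAS", "58:MOAS"]},
    {"path": [1239, 58], "communities": ["58:MOAS", "59:MOAS", "58:100"]},
    {"path": [3356, 52], "communities": ["52:MOAS", "58:MOAS"]},  # own list
    {"path": [2914, 4], "communities": []},            # tags stripped?
    {"path": [6461, 226], "communities": ["58:MOAS", "59:MOAS"]},  # not listed
]

def moas_list(communities):
    """ASes allowed to originate the prefix, read from <asn>:MOAS tags;
    ordinary communities such as 58:100 are ignored."""
    allowed = set()
    for community in communities:
        asn, _, value = community.partition(":")
        if value == "MOAS" and asn.isdigit():
            allowed.add(int(asn))
    return allowed

def classify(route):
    """'validated' if the origin is in the MOAS list the route carries,
    'unvalidated' if it carries no MOAS tags, 'suspect' otherwise."""
    origin = route["path"][-1]
    allowed = moas_list(route["communities"])
    if not allowed:
        return "unvalidated"
    return "validated" if origin in allowed else "suspect"

def moas_ca_conflict(routes):
    """Routes for one prefix should agree on the MOAS list. Return the
    list carried by most tagged routes and the origin ASes whose list
    differs from it (a MOAS-CA conflict worth investigating), since a
    forged list will happily validate its own origin."""
    tagged = [(r["path"][-1], frozenset(moas_list(r["communities"])))
              for r in routes if moas_list(r["communities"])]
    if not tagged:
        return set(), set()
    majority = Counter(lst for _, lst in tagged).most_common(1)[0][0]
    disagreeing = {origin for origin, lst in tagged if lst != majority}
    return set(majority), disagreeing

if __name__ == "__main__":
    for route in SAMPLE_18_8:
        print(f"18/8 from AS {route['path'][-1]}: {classify(route)}")
    print("majority list, disagreeing origins:", moas_ca_conflict(SAMPLE_18_8))
```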

Another Proposal: DNS-based Solution
- Put the MOAS list in a new DNS Resource Record
  - ftp://psg.com/pub/dnsind/draft-bates-bgp4-nlri-orig-verif-00.txt by Bates, Li, Rekhter, Bush, 1998
Example configuration (zone file for 18.bgp.in-addr.arpa; each record gives an origin AS and the prefix length):

  $ORIGIN 18.bgp.in-addr.arpa.
  ...
      AS 58 8
      AS 59 8

[Figure: a router that detected a MOAS for 18/8 queries the enhanced DNS service to verify. Query: 18.bgp.in-addr.arpa: origin AS? Response: 18.bgp.in-addr.arpa AS 58 8, AS 59 8]

Issues to Consider for the DNS Solution
- Provides a general prefix-to-origin-AS mapping database
- Complementary to the community-attribute approach
  - Check with DNS when the community tag indicates a potential problem
  - DNSSEC, once available, authenticates the MOAS list
- But requires changes to DNS and BGP
- DNS may be vulnerable without DNSSEC
  - When would DNSSEC be ready?
- Routing system querying the naming system: circular dependency?

Summary
- MOAS conflicts exist today
  - Some due to operational need; some due to faults
- Blind acceptance of MOAS could be dangerous
  - An open door for traffic hijacking
- We plan to finalize the solution and bring it to the IETF
Send all questions to
For more info about the FNIISC project: