Swinog-7, 22nd October 2003
BGP filtering
André Chapuis,

Motivation: Internet routing table size evolution

Internet routing table size
Do we really need these 120’000 routes?
Number of contiguous prefixes with same origin/path
  * i
  *> / i
  *> / i
  … 50 prefixes with same origin…
  *> / i
  *> / I
  * / i
  * / I
  .. 20 prefixes with same origin…
  * / i

Impact of Internet routing table size growth
Router memory (with 125’000 routes)
  –BGP table memory (21MB)
  –Routing table memory (21MB)
  –CEF table memory (21MB)
  –Distributed on every line card (limit=smallest card)
  –Second BGP feed (+10M – 20M)
  –Still many Cisco 7206 with NPE-150: 128MB RAM is a maximum
    Crash experience with 128MB and two full feeds on a CPE
Router CPU
    More updates -> more activity

Requirements
Solution with minimal (no) impact on customers
No routing holes = global reachability is granted
Multihomed customers must keep all BGP resiliency
Minimal manual tuning wanted
No frequent changes

Solution chosen
Prefix-filtering
  –RIR minimal allocation sizes
  –Historical classful addresses (A and B)
  –Ad-hoc filters based on size / region
Semi-default routes
  –To guarantee reachability in case of misconfiguration
Exceptions
  –Customer prefixes
  –Chosen prefixes (private peerings)
  –Swiss peerings

Prefix filtering (1)
RIR minalloc:
  –
  –
  –
  –Ex: /19 within 62/8
  –Changes needed only when IANA allocates a new block to a RIR -> not too frequent (every 3-6 months)
Historical ‘Classful’ address-space:
  –Class B: /22
  –Class A: /21

Prefix filtering (2)
Ad-hoc:
  –199/8, ARIN region, default /22 with exceptions
  –200/7, LACNIC region, default /22 with exceptions
  –202/7, APNIC region, default /22 but 202/10 is /24
  –204/6, ARIN region, default /22 with exceptions
Current table size within AS3303:
  –60’793 as seen from Oregon-IX
  –63’147 as seen internally (customer more-specifics)
  –125’000 average for ISPs not filtering

Prefix filtering (3)
Filter example
  …
  ip prefix-list martians seq permit /8 le 21
  ip prefix-list martians seq permit /8 le 21
  ip prefix-list martians seq permit /6 le 21
  ip prefix-list martians seq permit /5 le 21
  ip prefix-list martians seq permit /7 le 21
  ip prefix-list martians seq permit /7 le 20
  ip prefix-list martians seq permit /7 le 19
  …

Semi-default routes (1): the problem
Some end-users (or ISPs) get an allocated block from a RIR (say a /18), but announce only a part of it (say a /23) without the aggregate!
Example:
  – / i
  –ALLOCATED PA is /18 -> not routed
  –Network not reachable
  –Responsibility lies with the owner of the block / the source ISP
But there are so many cases like that.
Therefore we use semi-default routes

Semi-default routes (2)
Aggregates created to cover RIR space:
  –62/8, 80/7, 212/7, 217/8 routed towards EU transit ISP
  –ARIN/APNIC/LACNIC space towards US transit
Class A/B
  –Class B: 128/3, 160/5 and 168/6 towards US transit
  –No semi-default for class A
Aggregates announced to customers
  –Tagged with a special community (3303:9999)

Semi-default routes (3)
= Static routes redistributed into BGP
  ip route POS3/1
  router bgp
   network route-map semi-default
The original idea was to ask our transit ISPs to send them to us via BGP
Upstream ISPs were reluctant to the original idea (particularly the USA ones…)
We provide them to our customers

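Added example (not part of the original slides): a Python model of the length filter from the Prefix filtering slides combined with the semi-default aggregates above, showing that a filtered more-specific stays reachable through the covering aggregate. The block limits and the EU aggregates are the ones given on the slides; the sample routes, next-hop labels and function names are constructed for illustration.

```python
import ipaddress as ip

# Longest accepted prefix length per block, from the slides (the per-block
# "exceptions" the slides mention but do not list are not modelled).
POLICY = {ip.ip_network(n): m for n, m in {
    "62.0.0.0/8": 19,    # RIR minalloc example: /19 within 62/8
    "199.0.0.0/8": 22,   # ARIN, default /22
    "200.0.0.0/7": 22,   # LACNIC, default /22
    "202.0.0.0/7": 22,   # APNIC, default /22 ...
    "202.0.0.0/10": 24,  # ... but 202/10 is /24
    "204.0.0.0/6": 22,   # ARIN, default /22
}.items()}

# Semi-default aggregates named on the slides; the next-hop label is assumed.
SEMI_DEFAULTS = {ip.ip_network(n): "eu-transit" for n in
                 ("62.0.0.0/8", "80.0.0.0/7", "212.0.0.0/7", "217.0.0.0/8")}

def accepted(prefix):
    """Permit a prefix only if it is no longer than its block's limit."""
    net = ip.ip_network(prefix)
    blocks = [b for b in POLICY if net.subnet_of(b)]
    if not blocks:
        return False  # implicit deny: block absent from this reduced table
    return net.prefixlen <= POLICY[max(blocks, key=lambda b: b.prefixlen)]

def build_rib(received, semi_defaults):
    """Install the accepted routes, then the semi-default aggregates."""
    rib = {ip.ip_network(p): nh for p, nh in received if accepted(p)}
    for net, nh in semi_defaults.items():
        rib.setdefault(net, nh)
    return rib

def lookup(rib, addr):
    """Longest-prefix match; None means a routing hole."""
    hits = [n for n in rib if ip.ip_address(addr) in n]
    return rib[max(hits, key=lambda n: n.prefixlen)] if hits else None

# Constructed sample routes: (prefix, next hop).
RECEIVED = [
    ("62.2.0.0/19", "peer-a"),     # at the minalloc size: kept
    ("62.10.4.0/23", "peer-b"),    # more-specific, no aggregate: filtered
    ("202.1.2.0/24", "peer-c"),    # inside 202/10 where /24 is allowed: kept
    ("203.0.113.0/24", "peer-d"),  # 202/7 outside 202/10, limit /22: filtered
]

if __name__ == "__main__":
    for label, sd in (("without", {}), ("with", SEMI_DEFAULTS)):
        rib = build_rib(RECEIVED, sd)
        print(label, "semi-defaults: 62.10.4.1 ->", lookup(rib, "62.10.4.1"))
```
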
Exceptions. We don’t filter for:
Some private peerings with a fair amount of traffic
  –Google, Yahoo, Hotmail
Customer prefixes
  –Accept anything from customers (up to /24)
  –Prefixes with an origin AS included within our as-set must be accepted to guarantee reachability
Swiss routes (= routes received on CH-peerings in CH)
  –Routes received from CH-peers are not subject to the filters
  –Because there are few of them
  –And we are a Swiss ISP

Customer prefixes

Customer prefixes (configuration)
  route-map set-ipp-peer permit 10
   match as-path 198
  !
  route-map set-ipp-peer permit 20
   match ip address prefix-list martians
  !
  ip as-path access-list 198 permit _(AS-SWCMGLOBAL)$
  !
  ip prefix-list martians seq 3000 permit /8 le 21
  ip prefix-list martians seq 4000 permit /8 le 21
  ip prefix-list martians seq 6000 permit /8 le 21
  ip prefix-list martians seq 8000 permit /7 le 21

Results (1)
BGP Updates/min before and after the filter

Results (2)
Stability improved
  –Number of updates/minute reduced by 40%
  –Last month: de-aggregation of Bellsouth
  –About 1000 more prefixes injected
  –Transparent for AS3303
Traffic engineering done by ISPs outside CH with more-specifics from PA blocks is ignored by AS3303
Forced ‘traffic engineering’ negligible
  –Small amount of traffic following the semi-default routes
  – /6 has less than 500kb/s average traffic
  –For a total of 10’000 prefixes

Other ISPs filtering
Verio AS2914
  –Class A space (i.e., 0/1), accept /22 and shorter
  –Class B space (i.e., 128/2), accept /22 and shorter
  –Class C space (i.e., 192/3), accept /24 and shorter
SWITCH AS559
  –RIR minalloc + /19 in ClassA/B
Jippi (Eunet Finland) AS6667
  –192/7 : accept /24 and shorter
  –Rest: accept /21 and shorter

Conclusions
Less memory needed (and CPU)
No reachability issues with semi-default routes
BGP customers satisfied
…lots of ‘useless’ routes in the Internet…
Need to have at least one transit provider
Method does not work for Tier-1 (transit-free ISPs)
Good solution for (small) ISPs with limited memory budget