RPSL: Police’ing’ the Net
Anwar M. Haneef
Electrical and Computer Engineering, University of Massachusetts, Amherst
RFC-2622: Not the most fun thing to read on a Friday night
Aim of my talk
- Not to make you expert network managers
- I want all of you to go back home knowing that you have learnt the BASICS of a new language
- Prepare you all for the next talk on the practical applications of RPSL
Agenda
- What is Routing Policy?
- Why define Routing Policy?
- BGP Configuration
- IRR Configuration
- RPSL – Introduction
- RPSL – Objects
- What’s next
What is Routing Policy?
- Public description of the relationships between external BGP peers
- Can describe internal BGP peer relationships
Routing Policy
- Who are the peers
- What routes are:
  - Originated by a peer
  - Imported from each peer
  - Exported to each peer
  - Preferred when multiple routes exist
- What to do if no route exists
Unfortunately, Chun gets to do all the really COOL stuff…..
Routing Policy Example
- AS1 originates route “d”
- AS1 exports “d” to AS2, AS2 imports
- AS2 exports “d” to AS3, AS3 imports
- AS3 exports “d” to AS5, AS5 imports
Routing Policy Example
- AS5 also imports “d” from AS4
- Which route does it prefer?
Why define a Routing Policy?
- Documentation
- Allows automatic generation of router configurations
- Provides routing security
  - Can peer originate the route?
  - Can peer act as transit for the route?
- Provides a debugging aid
  - Compare policy versus reality
No one ever does anything for documentation, but it’s good to have it
BGP Configuration
- Too many routers
- Too detailed, large & tedious
- Consistency
- Heavy consequences of mistakes
?!?!?!
IRR – What is it?
- Database of
  - IP networks,
  - DNS domains,
  - DNS domain contact persons and
  - IP routing policies
- Data from the IRR may be used by anyone worldwide to help debug, configure, and engineer Internet routing and addressing.
- Currently, the IRR provides the only mechanism for validating the contents of a BGP session or mapping an AS number to a list of networks.
Internet Routing Registry
- Policy and contact information
- APNIC, ALTDB, BELLCA, TELSTRA etc.
Internet Routing Registry
route:    /16
descr:    ISI-NET
origin:   AS226
notify:
mnt-by:   LN-MAINT-MCI
changed:
source:   CW
Internet Routing Registry
person:   Walt Prue
address:  USC/Information Sciences Institute
          4676 Admiralty Way Suite 1000
          Marina del Rey, California
          USA
phone:    x89191
fax-no:
nic-hdl:  WP8
notify:
mnt-by:   LN-MAINT-MCI
changed:
source:   CW
BGP Configuration from IRR
- RPSL: Abstract, high level, per-AS policies
- IRR: Benefit from others’ data & delegation
- RtConfig: Details/tedious aspects automated
Meet Mr. RPSL – An Introduction
- RPSL allows a network operator to specify routing policies at various levels in the Internet hierarchy; for example at the Autonomous System (AS) level
- At the same time, policies can be specified with sufficient detail in RPSL so that low level router configurations can be generated from them.
- RPSL is extensible; new routing protocols and new protocol features can be introduced at any time
Meet Mr. RPSL – An Introduction
- Object oriented language
- RPSL is based on RIPE-181, a language used to register routing policies and configurations in the IRR
- Operational use of RIPE-181 has shown that it is sometimes difficult (or impossible) to express a routing policy which is used in practice
- RPSL has been developed to address these shortcomings and to provide a language which can be further extended as the need arises
- RPSL obsoletes RIPE-181
Meet Mr. RPSL – An Introduction
- RPSL was designed so that a view of the global routing policy can be contained in a single cooperatively maintained distributed database to improve the integrity of Internet's routing
- RPSL is not designed to be a router configuration language
- RPSL is designed so that router configurations can be generated from the description of the policy for one autonomous system (aut-num class) combined with the description of a router (inet-rtr class), mainly providing router ID, autonomous system number of the router, interfaces and peers of the router, and combined with a global database mappings from AS sets to ASes (as-set class), and from origin ASes and route sets to route prefixes (route and route-set classes)
- The accurate population of the RPSL database can help contribute toward such goals as router configurations that protect against accidental (or malicious) distribution of inaccurate routing information, verification of Internet's routing, and aggregation boundaries beyond a single AS
RPSL: Getting to know it
- RPSL constructs are expressed in one or more database "objects" which are registered in one of the registries
- Each database object contains some routing policy information and some necessary administrative data
- When objects are registered in the IRR, they become available for others to query using a whois service
- Uses RIPE database style (whois) objects
RPSL: Object Representation
person:   Randy Bush
address:  RGnet NOC
          5147 Crystal Springs Drive NE
          NE Sasquatch
          Bainbridge Island, WE
          USA
phone:              # day time
fax-no:
nic-hdl:  RB366
remarks:  This object is automatically
          converted from RIPE181
mnt-by:   RGNET-MAINT-MCI
changed:
source:   MCI
Annotated on the slide: attribute name, attribute value, comment (after #), continuation line
Common Attributes for all classes
descr:    Short free text description of the object
remarks:  Free text comment attribute
tech-c:   Technical contact nic handles
admin-c:  Administrative contact nic handles
notify:   Email addresses to send notification of changes
mnt-by:   Maintainer authorized to do changes
changed:  Who changed the object, and when
source:   Registry
RPSL Classes
- Person, Role, Maintainer
- Route
- Set classes: as-set, route-set
- Autonomous System
RPSL Classes
- Person, Role, Maintainer
  - Person and Role objects are for contact information
  - Maintainer objects are for authentication
- Route
- Set classes: as-set, route-set
- Autonomous System
Person Class
person:   Randy Bush
address:  RGnet NOC
          5147 Crystal Springs Drive NE
          NE Sasquatch
          Bainbridge Island, WE
          USA
phone:              # day time
fax-no:
nic-hdl:  RB366
remarks:  This object is automatically
          converted from RIPE181
mnt-by:   RGNET-MAINT-MCI
changed:
source:   MCI
Annotated on the slide: person class attributes, common attributes, maintenance attributes
Role Class
role:     RIPE NCC Operations
address:  Singel
          1016 AB Amsterdam
          The Netherlands
phone:
fax-no:
admin-c:  CO19-RIPE
tech-c:   RW488-RIPE
tech-c:   JLSD1-RIPE
nic-hdl:  OPS4-RIPE
notify:
changed:
source:   RIPE
The nic-hdl attributes of the person and role classes share the same name space.
Maintainer Class
mntner:   MAINT-RGNET
descr:    RGnet RADB maintainer
admin-c:  RB366
tech-c:   RB366
upd-to:
mnt-nfy:
auth:     PGPKEY-23F5CE3
mnt-by:   MAINT-RGNET
changed:
source:   RADB
It defines access control for other objects in the database
Auth Attribute
auth:     PGPKEY-23F5CE3
auth:     CRYPT-PW lz1A7/JnfkTI
auth:     MAIL-FROM
auth:
auth:     NONE
RPSL Classes
- Person, Role, Maintainer
- Route
  - Specifies origin AS for a route
  - Can indicate membership of a route set
- Set classes: as-set, route-set
- Autonomous System
Route Class
route:    /16
origin:   AS2914
descr:    my routes
mnt-by:   MAINT-RGNET
tech-c:   RB366
changed:
source:   RADB
Policy Information: Route /16 is originated by AS2914
Inter-AS Routing
- AS1 originates route “d”
- AS1 exports “d” to AS2, AS2 imports
- AS2 exports “d” to AS3, AS3 imports
- AS3 exports “d” to AS5, AS5 imports
Hmm… looks familiar, doesn’t it?
Some Notations
- AS Numbers: AS2914
- Address Prefixes: /16
- Route-set Names: RS-VERIO
- AS-set Names: AS-VERIO
Rules for Words
- Words can have - or _ in the middle: RGNET-MAINT-MCI
- Can have digits: RGNET-MAINT-MCI_1
- Case insensitive: rgnet-MaInT-MCI
RPSL Classes
- Person, Role, Maintainer
- Route
- Set classes: route-set, as-set
- Autonomous System
RPSL Classes
- Person, Role, Maintainer
- Route
- Set classes: Route-set
  - Collects routes together with similar properties
- Autonomous System
Route-Set
route-set: rs-foo
members:   /16, /24, /16
descr:     some address prefixes
mnt-by:    MAINT-RGNET
tech-c:    RB366
changed:
source:    RADB

route-set: rs-bar
members:   /16, rs-foo
Route Set
route-set: RS-BCMI2
descr:     routes via BCM to be announced
           to I2
members:   /16, /24, /24, /24
admin-c:   JCY
tech-c:    SM346
mnt-by:    MAINT-AS302
changed:
source:    demo
Indirect Members
route-set:   RS-ANS-IGP_ONLY
descr:       ANS IGP aggregates
mbrs-by-ref: ANY

route:       /24
origin:      AS1675
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-ANS

route:       /24
origin:      AS1675
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-ANS
Restricted Indirect Members
route-set:   RS-ANS-IGP_ONLY
descr:       ANS IGP aggregates
mbrs-by-ref: MNT-ANS, MNT-CENGIZ

route:       /24
origin:      AS1675
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-ANS

route:       /24
origin:      AS1675
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-ANS
Direct and Indirect Members
route-set:   RS-ANS-IGP_ONLY
descr:       ANS IGP aggregates
members:     /24, /24, /24
mbrs-by-ref: MNT-ANS

route:       /24
origin:      AS1675
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-ANS

route:       /24
origin:      AS1675
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-ANS
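The three route-set slides above (indirect, restricted indirect, and direct plus indirect members) describe one membership rule. The Python below is an added illustration, not code from the talk or from any IRR tool: it parses a constructed registry excerpt in the attribute/value format shown on the slides and resolves a route-set's members, admitting a route that claims member-of only when the set's mbrs-by-ref is ANY or lists the route's own mnt-by. Set, prefix and maintainer names in the sample are made up; note how a route under an unlisted maintainer cannot insert itself into a set that someone else might turn into a filter.

```python
from collections import defaultdict

# Constructed sample registry (documentation prefixes, private ASNs and
# made-up maintainer names), shaped like the slides' objects.
SAMPLE = """\
route-set:   RS-EXAMPLE-IGP_ONLY
members:     192.0.2.0/24, 198.51.100.0/24
mbrs-by-ref: MNT-ANS, MNT-CENGIZ

route:       203.0.113.0/24
origin:      AS64500
member-of:   RS-EXAMPLE-IGP_ONLY
mnt-by:      MNT-ANS

route:       203.0.113.128/25
origin:      AS64500
member-of:   RS-EXAMPLE-IGP_ONLY
mnt-by:      MNT-ROGUE

route:       192.0.2.0/25
origin:      AS64501
member-of:   RS-EXAMPLE-IGP_ONLY
mnt-by:      MNT-CENGIZ
"""

def parse_objects(text):
    """RIPE-style objects: 'attr: value' lines, a blank line between objects,
    continuation lines start with whitespace; attributes may repeat."""
    objects, cur, last = [], None, None
    for line in text.splitlines():
        if not line.strip():                      # end of object
            if cur: objects.append(cur)
            cur, last = None, None
        elif line[0].isspace() and last:          # continuation line
            cur[last][-1] += " " + line.strip()
        else:
            attr, _, value = line.partition(":")
            cur = cur if cur is not None else defaultdict(list)
            last = attr.strip().lower()
            cur[last].append(value.strip())
    if cur: objects.append(cur)
    return objects

def values(obj, attr):
    """All comma-separated items of a (possibly repeated) attribute, upper-cased."""
    return {v.strip().upper() for val in obj.get(attr, []) for v in val.split(",") if v.strip()}

def resolve_route_set(objects, name):
    """Direct members, plus routes whose member-of names this set when the
    set's mbrs-by-ref is ANY or lists the route's mnt-by (RFC 2622 rules)."""
    name = name.upper()
    rset = next(o for o in objects if values(o, "route-set") == {name})
    members = values(rset, "members")
    allowed = values(rset, "mbrs-by-ref")         # empty: no indirect members
    for o in objects:
        if "route" in o and name in values(o, "member-of"):
            if "ANY" in allowed or allowed & values(o, "mnt-by"):
                members.add(o["route"][0])
    return members
```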
More Specific Operators
route-set: rs-martians
descr:     most ASes do not import these routes
members:   /0^32, /8^+, /8^+, /20^+, /8^+, /20^+, /16^+, /24^+, /16^+, /24^+, /16^+, /16^+, /16^+, /16^+, /24^+, /24^+, /24^+, /24^+, /3^+, /0^26-32
- Inclusive more specifics: ^+
- Exclusive more specifics: ^-
- Length n more specifics: ^n
- Length n-m more specifics: ^n-m
Confusing isn’t it?
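As an added example (not code from the talk), the Python below decides whether a candidate prefix falls under a route-set member such as 10.0.0.0/8^+ or 0.0.0.0/0^26-32, following the RFC 2622 meaning of the four operators just listed; it is the check a prefix-list generator makes when it expands a set like rs-martians into routes to reject. The prefixes used are constructed.

```python
import ipaddress

def parse_member(member):
    """Split a member like '10.0.0.0/8^24-32' into (network, op), where op is
    None (bare prefix), '+', '-', or an inclusive (lo, hi) length range."""
    prefix, sep, op = member.partition("^")
    net = ipaddress.ip_network(prefix)      # strict: rejects host bits set
    if not sep:
        return net, None
    if op in ("+", "-"):
        return net, op
    lo, _, hi = op.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo              # ^n is shorthand for ^n-n
    if not net.prefixlen <= lo <= hi <= net.max_prefixlen:
        raise ValueError(f"bad length range in {member!r}")
    return net, (lo, hi)

def matches(member, candidate):
    """True if `candidate` is covered by `member`: ^+ includes the prefix
    itself, ^- excludes it, ^n and ^n-m constrain the more specific's length,
    and a bare prefix matches only itself."""
    net, op = parse_member(member)
    cand = ipaddress.ip_network(candidate)
    if cand.version != net.version or not cand.subnet_of(net):
        return False
    if op is None:
        return cand == net
    if op == "+":
        return True
    if op == "-":
        return cand != net
    lo, hi = op
    return lo <= cand.prefixlen <= hi

def filter_prefixes(members, candidates):
    """Candidates accepted by at least one member, in input order."""
    return [c for c in candidates if any(matches(m, c) for m in members)]
```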
Route-Set Name Spaces
route-set: AS4763:RS-ROUTES:AS681
descr:     prefix filter for AS681
members:   /16, /16, /16, /16, /16, /16, /16, /16, /16, /16, /16, /16, /24
tech-c:    JA39
mnt-by:    MAINT-TELSTRA-NZ
changed:
source:    RADB
Sorry about that!!
RPSL Classes
- Person, Role, Maintainer
- Route
- Set classes: As-set
  - Collect together Autonomous Systems with shared properties
  - Can be used in policy in place of AS
  - RPSL has hierarchical names
- Autonomous System
AS-Set Class
as-set:   AS-SESQUI-STUB
descr:    Single Homed Sesquinet Customer ASs
members:  AS1832, AS2712, AS302, AS3526, AS8
tech-c:   SB98
mnt-by:   MAINT-AS114
source:   RADB
Same flexibility as route-set class
AS Set
as-set:   AS2764:AS_DOMESTIC
descr:    connect.com.au AS set
members:  AS4860, AS7469, AS7489, AS7543, AS7569, AS7592, AS7611, AS7701, AS9262, AS9298
tech-c:   MP151
admin-c:  CC89
remarks:  Customers with domestic connectivity only
mnt-by:   MAINT-AS2764
changed:
source:   RADB
Indirect AS-Sets
as-set:      as-aads-mlpa
descr:       MLPA participants at the AADS NAP
mbrs-by-ref: ANY
admin-c:     Andrew Schmidt
tech-c:      Mark Cnota
notify:      aads.net
mnt-by:      MAINT-RSPEER
changed:     aads.net
source:      RADB

aut-num:     AS4550
member-of:   as-aads-mlpa

aut-num:     AS683
member-of:   as-aads-mlpa
Even more AS-Sets
as-set:   AS-YETANOTHERNET
descr:    ASs routed through YetAnotherNet
members:  AS5696, AS1808, AS1932, AS2900, AS3111, AS3365, AS3393, AS3844, AS3901, AS4314, ... AS-ACESRESEARCH, AS-ALPHA, AS-GST, AS-DERU, AS-INQUO
admin-c:  IP Admin DW970
tech-c:   IP Admin DW970
notify:
mnt-by:   MAINT-AS5696
changed:
source:   demo
To be Continued…….
As per the SLA (Seminar Level Agreement) between myself and Chun, I HAVE to stop here
Hey, wanna sneak peek into the next lecture?
A Sneak Peek
- How import/export policies are defined
- Autonomous System Objects
- How to announce your customers
(diagram: Major Backbone Provider, Regional Customers)
More slimy gossip……
- Setting preferences based on cost and other factors
- Peering
- Registering Policies and more
(diagram: A, B, slow link)
So tune in, boys and girls, next class, same room, same time, for more exciting things to do with RPSL !
person:   Anwar M. Haneef
address:  Multimedia Networks Laboratory
address:  312 Knowles Engineering
address:  Dept. of Electrical and Computer Engg.
address:  University of Massachusetts, Amherst
phone:
fax-no:
nic-hdl:  AMH1
changed:
source:   UMASS
Thank You!!!!