Presentation is loading. Please wait.

Presentation is loading. Please wait.

Improving reliability of IRR database

Published byKlaus Bauer Modified over 5 years ago

Similar presentations

Presentation on theme: "Improving reliability of IRR database"— Presentation transcript:

1 Improving reliability of IRR database
The University of Tokyo Kengo Nagahashi Nara Institute of Science and Technology Masasi Eto JPNIC IRR Planning Team 2018/11/29

2 Research Activity of JPIRR
Nagahashi Prefix Validation using IRR Database Eto Improvement of consistency among AS policies on IRR database Our goal is Improving reliability of IRR database More widespread use of IRR JPIRR Planning Team investigates 2 research activities One is checking invalid origin AS using IRR Database By Kengo Nagahashi. And the other is Improvement of consistency among AS Policies on IRR database. Our goal is to improve reliability of IRR database and Though its activities, we aim to more wide spread use of IRR 2018/11/29

3 Prefix Validation using IRR Database
The University of Tokyo Kengo Nagahashi 2018/11/29

4 Background One of severe problems in Inter-domain routing; Why happen?
Hijacking prefix (black hole) Why happen? One AS propagates invalid origin prefix AS2 AS3 There are several important issues in BGP. And one of severe problems is hijacking prefix also Said black hole problem. The reason why its problem happens is that One AS propagates invalid origin prefix. For example, in this figure, AS5 should announce 133.11/16 but AS4 announces its prefix and AS3,AS2 and AS1 goes AS4 and unreachable problem is happened AS1 AS5 originates /16 133.11/16=AS5->AS3->AS2 133.27/16=AS4-AS3->AS2 ⇒UNREACH!! AS4 133.11/16 2018/11/29

5 Counter major Approach
Authenticate prefix in BGP update BGP Routers exchange Certificate Candidates: sBGP, soBGP Problem Take long time solution Heavy protocol: To verify certificate per one prefix BGP holds over 120,000 prefixes… There are several counter major approach for Detecting hijacking prefix. One of valid solution Is to authenticate prefix in BGP update To authenticate prefix, BGP routers exchange Certificate. The protocol to exchange Certificate is sBGP and soBGP. But problem is to take long time to deploy and Protocol is heavy . There needs to verify vertificate Per one prefix and current BGP holds One hundred and twenty thousands of prefixes , So it can say it is overhead 2018/11/29

6 Motivation To check a correct prefix by lightweight and simple
What to “check” ? To identify invalid origin prefix To use certificate is too heavy (same as sBGP, soBGP) How to verify? Using IRR Database So our motivation is to check a correct prefix by Light weight and simple method. So what we check? The answer is to Identify invalid origin prefix. As we said previously, To use certificate is too heavy. And next, how to verify prefix? To verify it we use IRR database 2018/11/29

7 Approach Using IRR as Database router router DB
(1)Download request for DB (once a day) router router DB Prefix announcement (2)Response prefix/origin-as pairs (3)Comparison with (1) and (2) Example: #show invalid route Network origin origin in DB / Our approach is consists of 3 flows. One is router issues download request for Database one a day And second, Database response prefix/origin-as pairs to routers Finally, router can compare prefix in BGP update and prefix in Database. As database we us IRR 2018/11/29

8 simple protocol Download Response Router requests Download to DB
Frequency is once a day Response DB responses to router Response prefix/origin-as pairs which stores in DB There needs simple protocol to communicate Router and Database. One is Download message . Router requests Download to Database one a day. Next is Response message , Database responses to router With prefix/origin-as pairs 2018/11/29

9 Problems to be solved Future Work Router Overhead Utilization of IRR
To hold 120,000 prefix/origin-as pairs is overhead? Utilization of IRR All entries are registered in IRR database? Duration of update Is Once a day too long ? There are several issues to be solved. One is router overhead , this means Router hold one hundred twenty thousands of prefix/origin-as pairs The other is utilization of IRR. All Entries are no registered in IRR database. 2018/11/29

10 Consistency Check among AS policies
Nara Institute of Science and Technology Masasi Eto 2018/11/29

11 auto-configuration with IRR
Generate router configuration from routing policy registered in IRR with “RtConfig” Policy IRR RtConfig Config AS 1 AS 2 2018/11/29

12 Consistency among AS policies
Inconsistencies Inconsistency of import in routing information Inconsistency of export in routing information As a result When we generate the router configurations from IRR database, the connectivity between peering ASes will be lost. IRR inspects only policy’s syntax. → Need to inspect policy’s semantics 2018/11/29

13 Inconsistency of import
AS 3 import AS 2 AS 3 AS 4 AS 5 export AS 2 AS 3 AS 4 IX 3 AS 1 AS 2 AS 4 AS 5 2018/11/29

14 Inconsistency of export
AS 3 import AS 2 AS 3 AS 4 export AS 2 AS 3 AS 4 AS 5 IX 3 AS 1 AS 2 AS 4 AS 5 2018/11/29

15 Classification of Inconsistencies
Inconsistencies of import Peer AS-SET doesn’t exist on IRR database Peer AS doesn’t exist on IRR database Peer AS doesn’t export any route to the AS Peer AS doesn’t export route which the AS imports Inconsistencies of export Peer AS doesn’t import any route from the AS Peer AS doesn’t import route which the AS exports 2018/11/29

16 Policy Check Server Policy Checker Database Checker
Inspects if the policy is consistent with peer ASes’ policies Database Checker Inspects how many inconsistencies exist on unified IRR database. 2018/11/29

17 Example - query 2018/11/29

18 Example - result 2018/11/29

19 Analysis of Inspection Result
Registered Ases: > 55.8% of AS has at least one inconsistency 2018/11/29

20 Detail of Inconsistencies
Classification Number Rate Peer AS-SET doesn’t exist on IRR database 482 0.2 % Peer AS doesn’t exist on IRR database 7,971 4.0 % Peer AS doesn’t exist export any routes to the AS 36,333 18.6 % Peer AS doesn’t import any routes from the AS 34,710 17.8 % Peer AS doesn’t export route which the AS imports 11,436 5.8 % Peer AS doesn’t import route which the AS exports 17,753 9.1 % Total 108,685 55.8 % Rate of each inconsistency in all 194,820 import and export sentences 2018/11/29

21 Future Work Deploy Policy Checker on JPIRR.
Implement a function to notify result of investigation to JPIRR users periodically. 2018/11/29

Download ppt "Improving reliability of IRR database"

Similar presentations

The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.

The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.

Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.

BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.
Routing: Exterior Gateway Protocols and Autonomous Systems Chapter 15.

Routing: Exterior Gateway Protocols and Autonomous Systems Chapter 15.
Dongkee LEE 1 Understanding BGP Misconfiguration Ratul Mahajan, David Wetherall, Tom Anderson.

Dongkee LEE 1 Understanding BGP Misconfiguration Ratul Mahajan, David Wetherall, Tom Anderson.
Distributed Route Aggregation on the Global Network (DRAGON) João Luís Sobrinho 1 Laurent Vanbever 2, Franck Le 3, Jennifer Rexford 2 1 Instituto Telecomunicações,

Distributed Route Aggregation on the Global Network (DRAGON) João Luís Sobrinho 1 Laurent Vanbever 2, Franck Le 3, Jennifer Rexford 2 1 Instituto Telecomunicações,
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
1 Towards Secure Interdomain Routing For Dr. Aggarwal 60-592 Win 2004.

1 Towards Secure Interdomain Routing For Dr. Aggarwal Win 2004.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
1 ELEN 602 Lecture 20 More on Routing RIP, OSPF, BGP.

1 ELEN 602 Lecture 20 More on Routing RIP, OSPF, BGP.
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.

Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
Impact of Configuration Errors on DNS Robustness Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, Lixia Zhang SIGCOMM 2004 Presented.

Impact of Configuration Errors on DNS Robustness Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, Lixia Zhang SIGCOMM 2004 Presented.
Inter-domain Routing security Problems Solutions.

Inter-domain Routing security Problems Solutions.
COS 420 Day 16. Agenda Finish Individualized Project Please Have Grading sheets to me by Tomorrow Group Project Discussion Assignment 3 moved back to.

COS 420 Day 16. Agenda Finish Individualized Project Please Have Grading sheets to me by Tomorrow Group Project Discussion Assignment 3 moved back to.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
Router Configuration Management Tools

Router Configuration Management Tools
Network Abuse Handling in CNNIC and JPNIC Terence Zhang, CNNIC Izumi Okutani, JPNIC.

Network Abuse Handling in CNNIC and JPNIC Terence Zhang, CNNIC Izumi Okutani, JPNIC.
Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.

Scaling IXPs Scalable Infrastructure Workshop. Objectives  To explain scaling options within the IXP  To introduce the Internet Routing Registry at.
Introduction to BGP.

Introduction to BGP.

Similar presentations

Ads by Google