BGP Multiple Origin AS (MOAS) Conflict Analysis


1 BGP Multiple Origin AS (MOAS) Conflict Analysis
Xiaoliang Zhao, NCSU
S. Felix Wu, UC Davis
Allison Mankin, Dan Massey, USC/ISI
Dan Pei, Lan Wang, Lixia Zhang, UCLA
NANOG-23, October 23, 2001
Report another observed issue in BGP operation. Team work, Xiaoliang & Dan here.
Addresses and AS numbers used in this presentation are for illustration purposes.

2 Definition of MOAS
BGP routes include a prefix and AS path
Example: /16, Path: 4513, 11422, 11422, 52
Origin AS: the last AS in the path
In the above example: AS 52 originated the path advertisement for prefix /16
Multiple Origin AS (MOAS): the same prefix announced by more than one origin AS
10/23/2001 NANOG 23 - Oakland

3 Example MOAS Conflicts
[Diagram labels: Static or IGP learned route to 128.9/16; /16 nets; AS 4, AS 226, AS X, AS Y, AS Z]
/16 Path: 226
/16 Path: 4
/16 Path: Z, 226
/16 Path: X, 4
MOAS conflict!
AS4 announcement goes away from time to time
Valid MOAS case: 128.9/16 reachable either way
Invalid MOAS case: 128.9/16 reachable one way but not the other

4 Talk Outline
Measurement data shows that MOAS exists
Some MOAS cases caused by faults
Some MOAS cases due to operational need
Important to distinguish the two proposed solutions

5 Measurement Data Collection
Data collected from the Oregon Route Views
Peers with >50 routers from >40 different ASes.
Our analysis uses data [11/08/97 - 07/18/01] (1279 days total)
More than MOAS conflicts observed during this time period
At a given moment,
  The Route Views server observed 1364 MOAS conflicts
  The views from 3 individual ISPs showed 30, 12 and 228 MOAS conflicts

6 MOAS Conflicts Do Exist
[Figure labels: Max: 11842 (11357 from a single AS); Max: 10226 (9177 from a single AS)]
For 04/07/1998, there are MOAS conflicts out of prefixes announced by AS 8584 (90.19%)
For 04/07/2001, there are 9177 MOAS conflicts out of 9180 prefixes announced by AS (99.97%)

7 Histogram of MOAS Conflict Lifetime
[Histogram axes: # of MOAS conflicts; total # of days a prefix experienced MOAS conflict]

8 Distribution of MOAS Conflicts over Prefix Lengths
[Plot axis: ratio of # MOAS entries over total routing entries for the same prefix length]

9 Valid Causes of MOAS Conflicts
Multi-homing without BGP
Private AS number substitution
[Diagram labels: 128.9/16 Path: 226; 128.9/16 Path: 11422,4; /16 Path: X; /16 Path: Y; /16 Path: 64512; 128.9/16 Path: 4; Static route or IGP route; AS 226, AS Y, AS X, AS 11422, AS 64512, AS 4]

10 Invalid Causes of MOAS Conflicts
Operational faults led to large spikes of MOAS conflicts
  04/07/1998: one AS originated prefixes, out of which were MOAS conflicts
  04/10/2001: another AS originated 9180 prefixes, out of which 9177 were MOAS conflicts
Falsely originated routes
  Errors
  Intentional traffic hijacking

11 Handling MOAS Conflicts
RFC 1930 recommends each prefix be originated from a single AS
Today’s routing practice leads to MOAS in normal operations
We must tell valid MOAS cases from invalid ones
Proposal 1: using BGP community attribute
Proposal 2: DNS-based solution

12 BGP-Based Solution
Define a new community attribute
  Listing all the ASes allowed to originate a prefix
Attach this MOAS community-attribute to BGP route announcement
Enable BGP routers to detect faults and attacks
  At least in most cases, we hope!

13 Comm. Attribute Implementation Example
[Diagram labels: AS58, AS59, AS52, /8]
18/8, PATH<58>, MOAS{58,59}
18/8, PATH<59>, MOAS{58,59}
18/8, PATH<4>, MOAS{4,58,59}
18/8, PATH<52>, MOAS{52, 58}
Example configuration:
  router bgp 59
   neighbor remote-as 52
   neighbor send-community
   neighbor route-map setcommunity out
  route-map setcommunity
   match ip address /8
   set community 59:MOAS 58:MOAS additive

14 Implementation Considerations
Quickly and incrementally deployable
Generating MOAS community attribute: configuration changes only
Detecting un-validated MOAS or a MOAS-CA conflict:
  Short term: observable from monitoring platforms
  Longer term: adding into BGP update processing
But community attributes may be dropped by a transit AS due to local configurations or policies
  Time to fix the handling of community attributes?
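The detection step described on slides 12 to 14, as an added example that is not code from the presentation: a monitor groups routes by prefix, takes the last AS in each path as the origin, and compares the attached MOAS lists. The verdict names and the 192.0.2.0/24 prefix are assumptions; the AS numbers are taken from slides 2 and 13.

```python
from collections import defaultdict
from ipaddress import ip_network

def origin_as(as_path):
    """Origin AS is the last AS in the path; prepending only repeats ASes."""
    return as_path[-1]

def classify_moas(announcements):
    """Return {prefix: verdict} for (prefix, as_path, moas_list) tuples.

    moas_list is a set of AS numbers, or None when the route arrived with no
    MOAS list (for example, a transit AS dropped the community attribute).
    """
    routes = defaultdict(list)
    for prefix, as_path, moas_list in announcements:
        routes[ip_network(prefix)].append((origin_as(as_path), moas_list))

    verdicts = {}
    for prefix, seen in routes.items():
        origins = {origin for origin, _ in seen}
        lists = [moas for _, moas in seen]
        if len(origins) == 1:
            verdict = "single-origin"      # one origin AS: not a MOAS case
        elif any(moas is None for moas in lists):
            verdict = "unvalidated"        # MOAS, but some route has no list
        elif (all(set(m) == set(lists[0]) for m in lists)
              and origins <= set(lists[0])):
            verdict = "valid"              # same list everywhere, origins in it
        else:
            verdict = "conflict"           # lists disagree or origin not listed
        verdicts[str(prefix)] = verdict
    return verdicts

# Constructed sample routes (hypothetical data) using slide 13's AS numbers.
LEGIT = [("18.0.0.0/8", [58], {58, 59}), ("18.0.0.0/8", [59], {58, 59})]
BOGUS = ("18.0.0.0/8", [52], {52, 58})   # AS 52 originates with its own list
# Slide 2's prepended path on a constructed documentation prefix.
PREPENDED = ("192.0.2.0/24", [4513, 11422, 11422, 52], None)

if __name__ == "__main__":
    print(classify_moas(LEGIT))                  # both origins agree
    print(classify_moas(LEGIT + [BOGUS]))        # lists disagree
    print(classify_moas([LEGIT[0], ("18.0.0.0/8", [59], None), PREPENDED]))
```

A false origin cannot pass by attaching its own list, because that list will not match the one carried by the legitimate announcements; it can only pass if every legitimate route loses its list, which is the dropped-community case the slide raises.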

15 Another Proposal: DNS-based Solution
Put the MOAS list in a new DNS Resource Record
  ftp://psg.com/pub/dnsind/draft-bates-bgp4-nlri-orig-verif-00.txt by Bates, Li, Rekhter, Bush, 1998
[Diagram: MOAS detected for 18/8, query DNS to verify; Enhanced DNS service]
  Query 18.bgp.in-addr.arpa: origin AS?
  Response 18.bgp.in-addr.arpa AS AS 59 8
Example configuration (zone file for 18.bgp.in-addr.arpa):
  $ORIGIN 18.bgp.in-addr.arpa.
  ...
  AS AS

16 Issues to Consider for the DNS Solution
Provides a general prefix to origin AS mapping database
Complementary to Community-attribute Approach
  Check with DNS when community tag indicates a potential problem
DNSSEC, once available, authenticates the MOAS list
But requires changes to DNS and BGP
DNS may be vulnerable without DNSSEC
  When would DNSSEC be ready?
Routing system querying naming system: circular dependency?

17 Summary
MOAS conflicts exist today
  Some due to operational need; some due to faults
Blind acceptance of MOAS could be dangerous
  An open door for traffic hijacking
We plan to finalize the solution and bring to IETF
Send all questions to
For more info about FNIISC project:

