06_bgp_bcp
TRANSCRIPT
-
8/10/2019 06_BGP_BCP
1/67
BGP Best CurrentPractices
ISP Workshops
1Last updated 28 October 2013
-
8/10/2019 06_BGP_BCP
2/67
Configuring BGP
Where do we start?
2
-
8/10/2019 06_BGP_BCP
3/67
IOS Good Practices
! ISPs should start off with the following BGPcommands as a basic template:
router bgp 64511
bgp deterministic-med
distance bgp 200 200 200no synchronization
no auto-summary
!
If supporting more than just IPv4 unicastneighbours
no bgp default ipv4-unicast" Turns off IOS assumption that all neighbours will
exchange IPv4 prefixes
3
Make ebgp and ibgpdistance the same
Replace with public ASN
-
8/10/2019 06_BGP_BCP
4/67
Cisco IOS Good Practices! BGP in Cisco IOS is permissive by default
! Configuring BGP peering without using filters means:
" All best paths on the local router are passed to the neighbour
" All routes announced by the neighbour are received by thelocal router
" Can have disastrous consequences
! Good practice is to ensure that each eBGP neighbour hasinbound and outbound filter applied:
router bgp 64511
neighbor 1.2.3.4 remote-as 64510
neighbor 1.2.3.4 prefix-list as64510-in in
neighbor 1.2.3.4 prefix-list as64510-out out
4
-
8/10/2019 06_BGP_BCP
5/67
What is BGP for??
What is an IGP not for?
5
-
8/10/2019 06_BGP_BCP
6/67
BGP versus OSPF/ISIS
! Internal Routing Protocols (IGPs)
"
examples are ISIS and OSPF
" used for carrying infrastructureaddresses
" NOTused for carrying Internet prefixes or
customer prefixes
" design goal is to minimisenumber of prefixesin IGP to aid scalability and rapid convergence
6
-
8/10/2019 06_BGP_BCP
7/67
BGP versus OSPF/ISIS
! BGP used internally (iBGP) and externally(eBGP)
! iBGP used to carry
"
some/all Internet prefixes across backbone"
customer prefixes
! eBGP used to
" exchange prefixes with other ASes
" implement routing policy
7
-
8/10/2019 06_BGP_BCP
8/67
BGP versus OSPF/ISIS
! DO NOT:
"
distribute BGP prefixes into an IGP
" distribute IGP routes into BGP
" use an IGP to carry customer prefixes
! YOUR NETWORK WILL NOT SCALE
8
-
8/10/2019 06_BGP_BCP
9/67
Aggregation
9
-
8/10/2019 06_BGP_BCP
10/67
Aggregation
! Aggregation means announcing the address blockreceived from the RIR to the other ASesconnected to your network
!
Subprefixes of this aggregate may be:
" Used internally in the ISP network" Announced to other ASes to aid with multihoming
! Unfortunately too many people are still thinking
about class Cs, resulting in a proliferation of /24sin the Internet routing table
" Note: Same is happening for /48s with IPv6" October 2013: 5900 /48s in IPv6 table of 14700 prefixes
10
-
8/10/2019 06_BGP_BCP
11/67
Configuring Aggregation CiscoIOS
! ISP has 101.10.0.0/19 address block
! To put into BGP as an aggregate:
router bgp 64511
network 101.10.0.0 mask 255.255.224.0
ip route 101.10.0.0 255.255.224.0 null0! The static route is a pull uproute
" more specific prefixes within this address block ensureconnectivity to ISPs customers
" longest match lookup
11
-
8/10/2019 06_BGP_BCP
12/67
Aggregation
! Address block should be announced to theInternet as an aggregate
! Subprefixes of address block should NOT
be announced to Internet unless for trafficengineering
" See BGP Multihoming presentations
! Aggregate should be generated internally
"
Not on the network borders!
12
-
8/10/2019 06_BGP_BCP
13/67
Announcing Aggregate Cisco IOS
! Configuration Examplerouter bgp 64511
network 101.10.0.0 mask 255.255.224.0
neighbor 102.102.10.1 remote-as 101
neighbor 102.102.10.1 prefix-list out-filterout
!
ip route 101.10.0.0 255.255.224.0 null0
!
ip prefix-list out-filterpermit 101.10.0.0/19
ip prefix-list out-filterdeny 0.0.0.0/0 le 32
13
-
8/10/2019 06_BGP_BCP
14/67
Announcing an Aggregate
! ISPs who dont and wont aggregate are held inpoor regard by community
! Registries publish their minimum allocation size
" For IPv4:!
Now ranging from a /20 to a /24 depending on RIR! Different sizes for different address blocks
! (APNIC changed its minimum allocation to /24 in October 2010)
" For IPv6:! /48 for assignment, /32 for allocation
! Until recently there was no real reason to see
anything longer than a /22 IPv4 prefix in theInternet
" BUT there are currently (October 2013) >249000 /24s!
" IPv4 run-out is starting to have an impact14
-
8/10/2019 06_BGP_BCP
15/67
Aggregation Example
15
! Customer has /23 network assigned fromAS100s /19 address block
! AS100 announces customersindividualnetworks to the Internet
AS100
customer
100.10.10.0/23Internet
100.10.10.0/23100.10.0.0/24100.10.4.0/22
-
8/10/2019 06_BGP_BCP
16/67
Aggregation Bad Example
! Customer link goes down" Their /23 network
becomes unreachable
" /23 is withdrawn fromAS100s iBGP
! Their ISP doesn
taggregate its /19 network
block" /23 network withdrawal
announced to peers
" starts rippling throughthe Internet
" added load on allInternet backbonerouters as network isremoved from routingtable
! Customer link returns" Their /23 network is now
visible to their ISP
" Their /23 network is re-advertised to peers
" Starts rippling throughInternet
" Load on Internetbackbone routers asnetwork is reinserted intorouting table
" Some ISPs suppress the
flaps" Internet may take 10-20
min or longer to bevisible
" Where is the Quality ofService???
16
-
8/10/2019 06_BGP_BCP
17/67
Aggregation Example
17
! Customer has /23 network assigned from
AS100s /19 address block! AS100 announced /19 aggregate to the
Internet
AS100
customer
100.10.10.0/23
100.10.0.0/19aggregate
Internet
100.10.0.0/19
-
8/10/2019 06_BGP_BCP
18/67
Aggregation Good Example
!
Customer link goesdown" their /23 network
becomes unreachable
" /23 is withdrawn fromAS100s iBGP
!/19 aggregate is stillbeing announced" no BGP hold down
problems
" no BGP propagationdelays
" no damping by otherISPs
! Customer link returns
! Their /23 network is
visible again
" The /23 is re-injected
into AS100s iBGP
! The whole Internetbecomes visibleimmediately
!
Customer has Qualityof Service perception
18
-
8/10/2019 06_BGP_BCP
19/67
Aggregation Summary
! Good example is what everyone shoulddo!
" Adds to Internet stability
" Reduces size of routing table
" Reduces routing churn
" Improves Internet QoS for everyone
! Bad example is what too many still do!
" Why? Lack of knowledge?
"
Laziness?
19
-
8/10/2019 06_BGP_BCP
20/67
Separation of iBGP and eBGP! Many ISPs do not understand the importance of
separating iBGP and eBGP" iBGP is where all customer prefixes are carried
" eBGP is used for announcing aggregate to Internet andfor Traffic Engineering
! Do NOTdo traffic engineering with customeroriginated iBGP prefixes" Leads to instability similar to that mentioned in the
earlier bad example
" Even though aggregate is announced, a flappingsubprefix will lead to instability for the customer
concerned! Generate traffic engineering prefixes on the
Border Router20
-
8/10/2019 06_BGP_BCP
21/67
The Internet Today (October 2013)
! Current Internet Routing Table Statistics" BGP Routing Table Entries 469725
" Prefixes after maximum aggregation 188940
" Unique prefixes in Internet 232915
"
Prefixes smaller than registry alloc 164052"/24s announced 249009
" ASes in use 45306
21
-
8/10/2019 06_BGP_BCP
22/67
Efforts to improve aggregation
! The CIDR Report" Initiated and operated for many years by Tony Bates
" Now combined with Geoff Hustons routing analysis
! www.cidr-report.org
! (covers both IPv4 and IPv6 BGP tables)
" Results e-mailed on a weekly basis to most operationslists around the world
" Lists the top 30 service providers who could do better ataggregating
! RIPE Routing WG aggregation recommendations
" IPv4: RIPE-399 www.ripe.net/ripe/docs/ripe-399.html
" IPv6: RIPE-532 www.ripe.net/ripe/docs/ripe-532.html
22
-
8/10/2019 06_BGP_BCP
23/67
Efforts to Improve AggregationThe CIDR Report
! Also computes the size of the routing tableassuming ISPs performed optimal aggregation
! Website allows searches and computations of
aggregation to be made on a per AS basis
" Flexible and powerful tool to aid ISPs" Intended to show how greater efficiency in terms of BGP
table size can be obtained without loss of routing andpolicy information
" Shows what forms of origin AS aggregation could beperformed and the potential benefit of such actions to
the total table size" Very effectively challenges the traffic engineering excuse
23
-
8/10/2019 06_BGP_BCP
24/67
24
-
8/10/2019 06_BGP_BCP
25/67
25
-
8/10/2019 06_BGP_BCP
26/67
26
-
8/10/2019 06_BGP_BCP
27/67
Importance of Aggregation
! Size of routing table" Router Memory is not so much of a problem as it was in
the 1990s
" Routers routinely carry over 1 million prefixes
!
Convergence of the Routing System" This is a problem
" Bigger table takes longer for CPU to process
" BGP updates take longer to deal with
" BGP Instability Report tracks routing system updateactivity
" bgpupdates.potaroo.net/instability/bgpupd.html
27
-
8/10/2019 06_BGP_BCP
28/67
28
-
8/10/2019 06_BGP_BCP
29/67
29
-
8/10/2019 06_BGP_BCP
30/67
Receiving Prefixes
30
-
8/10/2019 06_BGP_BCP
31/67
Receiving Prefixes
! There are three scenarios for receivingprefixes from other ASNs
" Customer talking BGP
" Peer talking BGP
" Upstream/Transit talking BGP
! Each has different filtering requirements
and need to be considered separately
31
-
8/10/2019 06_BGP_BCP
32/67
Receiving Prefixes:From Customers
! ISPs should only accept prefixes which have beenassigned or allocated to their downstreamcustomer
!
If ISP has assigned address space to its
customer, then the customer IS entitled toannounce it back to his ISP
! If the ISP has NOT assigned address space to its
customer, then:" Check in the five RIR databases to see if this address
space really has been assigned to the customer" The tool: whois h jwhois.apnic.net x.x.x.0/24
! (jwhois queries all RIR databases)
32
-
8/10/2019 06_BGP_BCP
33/67
Receiving Prefixes:From Customers! Example use of whois to check if customer is
entitled to announce address space:$ whois -h whois.apnic.net 202.12.29.0
inetnum: 202.12.28.0 - 202.12.29.255
netname: APNIC-AP
descr: Asia Pacific Network Information Centre
descr: Regional Internet Registry for the Asia-Pacificdescr: 6 Cordelia Street
descr: South Brisbane, QLD 4101
descr: Australia
country: AU
admin-c: AIC1-AP
tech-c: NO4-AP
mnt-by: APNIC-HM
mnt-irt: IRT-APNIC-AP
changed: [email protected]
status: ASSIGNED PORTABLE
changed: [email protected] 20110309
source: APNIC33
Portable means its anassignment to the customer, thecustomer can announce it to you
-
8/10/2019 06_BGP_BCP
34/67
Receiving Prefixes:From Customers! Example use of whois to check if customer is entitled
to announce address space:$ whois -h whois.ripe.net 193.128.0.0
inetnum: 193.128.0.0 - 193.133.255.255
netname: UK-PIPEX-193-128-133
descr: Verizon UK Limited
country: GB
org: ORG-UA24-RIPE
admin-c: WERT1-RIPE
tech-c: UPHM1-RIPE
status: ALLOCATED UNSPECIFIED
remarks: Please send abuse notification to [email protected]
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS1849-MNT
mnt-routes: AS1849-MNT
mnt-routes: WCOM-EMEA-RICE-MNT
mnt-irt: IRT-MCI-GB
source: RIPE # Filtered34
ALLOCATED means that this isProvider Aggregatable addressspace and can only be announcedby the ISP holding the allocation(in this case Verizon UK)
-
8/10/2019 06_BGP_BCP
35/67
Receiving Prefixes from customer:Cisco IOS
! For Example:" downstream has 100.50.0.0/20 block
" should only announce this to upstreams
" upstreams should only accept this from them
! Configuration on upstream
router bgp 100
neighbor 102.102.10.1 remote-as 101
neighbor 102.102.10.1 prefix-list customer in
!ip prefix-list customer permit 100.50.0.0/20
35
-
8/10/2019 06_BGP_BCP
36/67
Receiving Prefixes:From Peers
! A peer is an ISP with whom you agree toexchange prefixes you originate into theInternet routing table
"
Prefixes you accept from a peer are only those
they have indicated they will announce
" Prefixes you announce to your peer are onlythose you have indicated you will announce
36
-
8/10/2019 06_BGP_BCP
37/67
Receiving Prefixes:From Peers
! Agreeing what each will announce to theother:
" Exchange of e-mail documentation as part ofthe peering agreement, and then ongoing
updatesOR
"
Use of the Internet Routing Registry andconfiguration tools such as the IRRToolSet
www.isc.org/sw/IRRToolSet/
37
-
8/10/2019 06_BGP_BCP
38/67
Receiving Prefixes from peer:Cisco IOS
! For Example:" Peer has 220.50.0.0/16, 61.237.64.0/18 and
81.250.128.0/17 address blocks
! Configuration on local router
router bgp 100
neighbor 102.102.10.1 remote-as 101
neighbor 102.102.10.1 prefix-list my-peer in
!
ip prefix-list my-peer permit 220.50.0.0/16
ip prefix-list my-peer permit 61.237.64.0/18
ip prefix-list my-peer permit 81.250.128.0/17
ip prefix-list my-peer deny 0.0.0.0/0 le 3238
-
8/10/2019 06_BGP_BCP
39/67
Receiving Prefixes:From Upstream/Transit Provider
! Upstream/Transit Provider is an ISP who you payto give you transit to the WHOLEInternet
! Receiving prefixes from them is not desirable
unless really necessary"
Traffic Engineering see BGP Multihoming presentations! Ask upstream/transit provider to either:
" originate a default-route
OR
" announce one prefix you can use as default
39
-
8/10/2019 06_BGP_BCP
40/67
Receiving Prefixes:From Upstream/Transit Provider
! Downstream Router Configurationrouter bgp 100
network 101.10.0.0 mask 255.255.224.0
neighbor 101.5.7.1 remote-as 101
neighbor 101.5.7.1 prefix-list infilterin
neighbor 101.5.7.1 prefix-list outfilterout
!
ip prefix-list infilterpermit 0.0.0.0/0
!
ip prefix-list outfilterpermit 101.10.0.0/19
40
-
8/10/2019 06_BGP_BCP
41/67
Receiving Prefixes:From Upstream/Transit Provider
! Upstream Router Configurationrouter bgp 101
neighbor 101.5.7.2 remote-as 100
neighbor 101.5.7.2 default-originate
neighbor 101.5.7.2 prefix-list cust-inin
neighbor 101.5.7.2 prefix-list cust-outout
!
ip prefix-list cust-inpermit 101.10.0.0/19
!
ip prefix-list cust-outpermit 0.0.0.0/0
41
-
8/10/2019 06_BGP_BCP
42/67
Receiving Prefixes:From Upstream/Transit Provider! If necessary to receive prefixes from any
provider, care is required." Dont accept default (unless you need it)
" Dont accept your own prefixes
! For IPv4:"
Dont accept private (RFC1918) and certain special useprefixes:
http://www.rfc-editor.org/rfc/rfc5735.txt
" Dont accept prefixes longer than /24 (?)
! For IPv6:" Dont accept certain special use prefixes:
http://www.rfc-editor.org/rfc/rfc5156.txt
" Dont accept prefixes longer than /48 (?)
42
-
8/10/2019 06_BGP_BCP
43/67
Receiving Prefixes:From Upstream/Transit Provider
! Check Team Cymrus list of bogonswww.team-cymru.org/Services/Bogons/http.html
! For IPv4 also consult:www.rfc-editor.org/rfc/rfc6441.txt
! For IPv6 also consult:
www.space.net/~gert/RIPE/ipv6-filters.html
! Bogon Route Server:
www.team-cymru.org/Services/Bogons/routeserver.html
" Supplies a BGP feed (IPv4 and/or IPv6) of address blocks
which should not appear in the BGP table
43
-
8/10/2019 06_BGP_BCP
44/67
Receiving IPv4 Prefixes
44
router bgp 100
network 101.10.0.0 mask 255.255.224.0
neighbor 101.5.7.1 remote-as 101
neighbor 101.5.7.1 prefix-list in-filter in
!
ip prefix-list in-filter deny 0.0.0.0/0 ! Default
ip prefix-list in-filter deny 0.0.0.0/8 le 32 ! Network Zero
ip prefix-list in-filter deny 10.0.0.0/8 le 32 ! RFC1918
ip prefix-list in-filter deny 100.64.0.0/10 le 32 ! RFC6598 shared addr
ip prefix-list in-filter deny 101.10.0.0/19 le 32 ! Local prefix
ip prefix-list in-filter deny 127.0.0.0/8 le 32 ! Loopback
ip prefix-list in-filter deny 169.254.0.0/16 le 32 ! Auto-config
ip prefix-list in-filter deny 172.16.0.0/12 le 32 ! RFC1918
ip prefix-list in-filter deny 192.0.2.0/24 le 32 ! TEST1
ip prefix-list in-filter deny 192.168.0.0/16 le 32 ! RFC1918
ip prefix-list in-filter deny 198.18.0.0/15 le 32 ! Benchmarking
ip prefix-list in-filter deny 198.51.100.0/24 le 32 ! TEST2
ip prefix-list in-filter deny 203.0.113.0/24 le 32 ! TEST3
ip prefix-list in-filter deny 224.0.0.0/3 le 32 ! Multicast
ip prefix-list in-filter deny 0.0.0.0/0 ge 25 ! Prefixes >/24
ip prefix-list in-filter permit 0.0.0.0/0 le 32
-
8/10/2019 06_BGP_BCP
45/67
Receiving IPv6 Prefixes
45
router bgp 100
network 2020:3030::/32
neighbor 2020:3030::1 remote-as 101
neighbor 2020:3030::1 prefix-list v6in-filter in
!
ipv6 prefix-list v6in-filter permit 2001::/32 ! Teredo
ipv6 prefix-list v6in-filter deny 2001::/32 le 128 ! Teredo subnets
ipv6 prefix-list v6in-filter deny 2001:db8::/32 le 128 ! Documentation
ipv6 prefix-list v6in-filter permit 2002::/16 ! 6to4
ipv6 prefix-list v6in-filter deny 2002::/16 le 128 ! 6to4 subnets
ipv6 prefix-list v6in-filter deny 2020:3030::/32 le 128 ! Local Prefix
ipv6 prefix-list v6in-filter deny 3ffe::/16 le 128 ! Old 6bone
ipv6 prefix-list v6in-filter permit 2000::/3 le 48 ! Global Unicast
ipv6 prefix-list v6in-filter deny ::/0 le 128
-
8/10/2019 06_BGP_BCP
46/67
Receiving Prefixes
! Paying attention to prefixes received fromcustomers, peers and transit providersassists with:
"
The integrity of the local network
" The integrity of the Internet
! Responsibility of all ISPs to be good
Internet citizens
46
-
8/10/2019 06_BGP_BCP
47/67
Prefixes into iBGP
47
-
8/10/2019 06_BGP_BCP
48/67
Injecting prefixes into iBGP
! Use iBGP to carry customer prefixes
"
dont use IGP
! Point static route to customer interface
!
Use BGP network statement! As long as static route exists (interface
active), prefix will be in BGP
48
-
8/10/2019 06_BGP_BCP
49/67
Router Configuration:network statement
! Example:interface loopback 0
ip address 215.17.3.1 255.255.255.255
!
interface Serial 5/0
ip unnumbered loopback 0
ip verify unicast reverse-path
!
ip route 215.34.10.0 255.255.252.0 Serial 5/0
!
router bgp 100network 215.34.10.0 mask 255.255.252.0
49
-
8/10/2019 06_BGP_BCP
50/67
Injecting prefixes into iBGP
! Interface flap will result in prefix withdrawand reannounce
" use ip route . . . permanent
! Many ISPs redistribute static routes into
BGP rather than using the networkstatement
" Only do this if you understand why
50
-
8/10/2019 06_BGP_BCP
51/67
Router Configuration:redistribute static! Example:
ip route 215.34.10.0 255.255.252.0 Serial 5/0
!
router bgp 100
redistribute static route-map static-to-bgp
!
route-map static-to-bgp permit 10
match ip address prefix-list ISP-block
set origin igp
!
ip prefix-list ISP-block permit 215.34.10.0/22 le 30
51
-
8/10/2019 06_BGP_BCP
52/67
Injecting prefixes into iBGP
! Route-map ISP-block can be used formany things:
" setting communities and other attributes
" setting origin code to IGP, etc
! Be careful with prefix-lists and route-maps
"
absence of either/both means all staticallyrouted prefixes go into iBGP
52
-
8/10/2019 06_BGP_BCP
53/67
Summary
! Best Practices Covered:
"
When to use BGP
" When to use ISIS/OSPF
" Aggregation
"
Receiving Prefixes
" Prefixes into BGP
53
-
8/10/2019 06_BGP_BCP
54/67
Configuration Tips
Of passwords, tricks andtemplates
-
8/10/2019 06_BGP_BCP
55/67
iBGP and IGPsReminder!
! Make sure loopback is configured onrouter
" iBGP between loopbacks, NOT real interfaces
! Make sure IGP carries loopback /32
address
! Consider the DMZ nets:
" Use unnumbered interfaces?
" Use next-hop-self on iBGP neighbours
" Or carry the DMZ /30s in the iBGP
"
Basically keep the DMZ nets out of the IGP!
-
8/10/2019 06_BGP_BCP
56/67
iBGP: Next-hop-self
! BGP speaker announces external networkto iBGP peers using routers local address(loopback) as next-hop
! Used by many ISPs on edge routers
" Preferable to carrying DMZ /30 addresses inthe IGP
"
Reduces size of IGP to just core infrastructure
" Alternative to using unnumbered interfaces
" Helps scale network"
Many ISPs consider this best practice
-
8/10/2019 06_BGP_BCP
57/67
Limiting AS Path Length
! Some BGP implementations haveproblems with long AS_PATHS
" Memory corruption
" Memory fragmentation
! Even using AS_PATH prepends, it is notnormal to see more than 20 ASes in atypical AS_PATH in the Internet today
" The Internet is around 5 ASes deep on average
" Largest AS_PATH is usually 16-20 ASNs
-
8/10/2019 06_BGP_BCP
58/67
Limiting AS Path Length! Some announcements have ridiculous lengths of AS-paths:
*> 3FFE:1600::/24 22 11537 145 12199 1031810566 13193 1930 2200 3425 293 5609 5430 13285 6939
14277 1849 33 15589 25336 6830 8002 2042 7610 i
This example is an error in one IPv6 implementation
*> 96.27.246.0/24 2497 1239 12026 12026 12026
12026 12026 12026 12026 12026 12026 12026 12026 12026
12026 12026 12026 12026 12026 12026 12026 12026 12026
12026 i
This example shows 21 prepends (for no obvious reason)
! If your implementation supports it, consider limiting the
maximum AS-path length you will accept
-
8/10/2019 06_BGP_BCP
59/67
BGP TTL hack
! Implement RFC5082 on BGP peerings" (Generalised TTL Security Mechanism)
" Neighbour sets TTL to 255
" Local router expects TTL of incoming BGP packets to be254
" No one apart from directly attached devices can sendBGP packets which arrive with TTL of 254, so anypossible attack by a remote miscreant is dropped due toTTL mismatch
ISP AS 100Attacker
TTL 254
TTL 253 TTL 254
R1 R2
-
8/10/2019 06_BGP_BCP
60/67
BGP TTL hack
! TTL Hack:
"
Both neighbours must agree to use the feature
" TTL check is much easier to perform than MD5
" (Called BTSH BGP TTL Security Hack)
! Provides securityfor BGP sessions
" In addition to packet filters of course
" MD5 should still be used for messages whichslip through the TTL hack
" See www.nanog.org/mtg-0302/hack.html formore details
-
8/10/2019 06_BGP_BCP
61/67
Templates
! Good practice to configure templates foreverything
" Vendor defaults tend not to be optimal or evenvery useful for ISPs
" ISPs create their own defaults by usingconfiguration templates
! eBGP and iBGP examples follow
" Also see Team Cymrus BGP templates
! http://www.team-cymru.org/ReadingRoom/Documents/
-
8/10/2019 06_BGP_BCP
62/67
iBGP TemplateExample
! iBGP between loopbacks!
! Next-hop-self
" Keep DMZ and external point-to-point out of
IGP
! Always send communities in iBGP
" Otherwise accidents will happen
! Hardwire BGP to version 4
"
Yes, this is being paranoid!
-
8/10/2019 06_BGP_BCP
63/67
iBGP TemplateExample continued
! Use passwords on iBGP session
"
Not being paranoid, VERY necessary
" Its a secret shared between you and your peer
" If arriving packets dont have the correct MD5
hash, they are ignored" Helps defeat miscreants who wish to attack
BGP sessions
! Powerful preventative tool, especially
when combined with filters and the TTLhack
G T l
-
8/10/2019 06_BGP_BCP
64/67
eBGP TemplateExample
! BGP damping" Do NOT use it unless you understand the impact
" Do NOT use the vendor defaults without thinking
!
Remove private ASes from announcements" Common omission today
! Use extensive filters, with backup
" Use as-path filters to backup prefix filters
" Keep policy language for implementing policy, ratherthan basic filtering
!
Use password agreed between you and peer oneBGP session
BGP T l
-
8/10/2019 06_BGP_BCP
65/67
eBGP TemplateExample continued
! Use maximum-prefix tracking
"
Router will warn you if there are suddenincreases in BGP table size, bringing downeBGP if desired
! Limit maximum as-path length inbound
! Log changes of neighbour state
" and monitor those logs!
! Make BGP admin distance higher than that
of any IGP" Otherwise prefixes heard from outside your
network could override your IGP!!
-
8/10/2019 06_BGP_BCP
66/67
Summary
! Use configuration templates
! Standardise the configuration
! Be aware of standard tricksto avoid
compromise of the BGP session
! Anything to make your life easier, network
less prone to errors, network more likelyto scale
! Its all about scaling if your networkwont scale, then it wont be successful
-
8/10/2019 06_BGP_BCP
67/67
BGP Best CurrentPractices
ISP Workshops
67