Post on 17-Apr-2018
BGP Part-1
www.ine.com
Copyright © www.ine.com
Comparison between IGPs & BGP
» Similarities and differences between BGP and IGPs (OSPF and EIGRP):
• BGP needs to form neighborships, like IGPs.
• BGP needs to advertise prefixes, just like IGPs.
• BGP also advertises Next Hops for those prefixes.
• The neighbor IP address need not be on a common subnet for BGP.
• BGP uses unicast TCP (port 179); IGPs do not (OSPF and EIGRP run directly over IP, protocol numbers 89 and 88, largely using multicast).
» Neighbors versus Peers
• IGP routers are called "neighbors", which typically denotes a direct connection.
• BGP routers are called "peers" because there is no need for a direct connection.
» Routes versus NLRI
• IGP protocols exchange unicast routes.
• BGP also exchanges unicast routes, but can also exchange other types of information (other address families).
• For this reason we say BGP exchanges NLRI (Network-Layer Reachability Information).
Overview of iBGP and eBGP
» There are two types of neighbors in BGP: internal BGP (iBGP) and external BGP (eBGP).
» A BGP router behaves differently in several ways depending on whether the peer (neighbor) is an iBGP or eBGP peer.
» The distinction is made purely by AS number: a neighbor whose remote-as differs from the local AS is an eBGP peer; one whose remote-as equals the local AS is an iBGP peer.
eBGP peering (remote AS 2 differs from local AS 1):
router bgp 1
 neighbor 2.2.2.2 remote-as 2
iBGP peering (remote AS equals local AS 1):
router bgp 1
 neighbor 2.2.2.2 remote-as 1
iBGP and eBGP Differences (Overview)
» Peer establishment
• eBGP imposes certain rules/restrictions not imposed by iBGP: by default the eBGP peer must be on a directly-connected subnet and packets are sent with IP TTL 1.
» Prefix exchange
• BGP updates received from external peers can be forwarded on to any other type of peer.
• BGP updates received from internal peers can ONLY be forwarded on to external peers (the iBGP split-horizon rule).
» Update modification
• Certain BGP Path Attributes may only be forwarded to external peers, or only to internal peers.
BGP Peering Overview
Diagram: Router 1 (AS 1, 1.1.1.1) and Router 2 (AS 2, 1.1.1.2), directly connected.
1 Ensure BGP peers have IP reachability to each other.
2 Configure basic eBGP on each router.
3 The TCP 3-way handshake must complete (SYN, SYN+ACK, ACK to port 179).
4 BGP peering must complete (Open messages exchanged).
5 BGP Update exchange.
6 BGP best-path selection process.
Router 1:
router bgp 1
 neighbor 1.1.1.2 remote-as 2
Router 2:
router bgp 2
 neighbor 1.1.1.1 remote-as 1
Update exchange as captioned in the diagram: "These are the best paths I've seen so far!" / "I've got better paths for these same prefixes!!"
eBGP Neighborship Overview
» To configure BGP peers, use the following commands:
• router bgp asn (global command)
• neighbor ip-address remote-as remote-asn (BGP subcommand)
» The asn in the router bgp command is the local AS number of the router; the neighbor is eBGP when remote-asn differs from it and iBGP when it matches.
BGP Peering Sanity Checks
Diagram: Router 1 (AS 1, 1.1.1.1) and Router 2 (AS 2, 1.1.1.2); TCP handshake on port 179 followed by BGP peering establishment.
1 The source IP address of an incoming TCP connection must belong to an expected/configured BGP peer; otherwise the connection is refused with a TCP RST before any BGP message is parsed.
2 The AS number the peer advertises in its Open message must be the one we configured in our neighbor ... remote-as statement.
3 If BGP authentication is used, the same password must be configured on both sides (the TCP MD5 signature option, RFC 2385).
4 Peers must have unique BGP Router-IDs.
5 Peers must use the same BGP version (4).
Router 1:
router bgp 1
 neighbor 1.1.1.2 remote-as 2
Router 2:
router bgp 2
 neighbor 1.1.1.1 remote-as 1
BGP Router-ID
» Just like any IGP, BGP elects a Router-ID. The BGP Router-ID is chosen as follows, in order:
• Use the setting of the bgp router-id <x.x.x.x> router subcommand, if configured.
• Otherwise, choose the highest numeric IP address of any up/up loopback interface at the time the BGP process initializes.
• Otherwise, choose the highest numeric IP address of any up/up non-loopback interface at the time the BGP process initializes.
» Because the Router-ID is carried in the Open message and used to resolve connection collisions, configure it explicitly rather than letting it depend on which interfaces happen to be up.
BGP Authentication
» To configure authentication for BGP, use the following command:
• neighbor neighbor-ip password key (BGP subcommand)
» This command must be configured on both routers with the same key. If the keys do not match, or the command is configured on only one router, the peering will not form: the TCP segments fail the MD5 signature check and are dropped.
BGP Update-Source
» A TCP connection must first form between the BGP peers; BGP messages only flow once that connection is up.
» The source IP address used in the TCP connection must match what your neighbor is expecting from you in its "neighbor" command.
» The local router tries to form a TCP connection with the IP address defined in its own neighbor ... remote-as command, and by default sources that connection from the IP address of the outgoing interface toward the peer.
BGP Update-Source (directly-connected peers)
» When peers are directly connected, the source IP address of incoming BGP messages is the address of the connected interface, which is exactly what the neighbor statement already trusts.
Diagram: Router 1 (AS 1, Fast0/0 = 1.1.1.1) and Router 2 (AS 2, Fast0/0 = 1.1.1.2).
Router 1:
router bgp 1
 neighbor 1.1.1.2 remote-as 2
Router 2:
router bgp 2
 neighbor 1.1.1.1 remote-as 1
1 Router 1: "How do I reach 1.1.1.2? Via FastEthernet0/0, so I'll use that interface's address as my source IP."
2 TCP SYN (src=1.1.1.1, dst port=179)
3 Router 2: "Am I configured to expect/trust BGP from 1.1.1.1? Yes! How do I reply to 1.1.1.1? Via FastEthernet0/0, so I'll use that as my source IP."
4 TCP SYN+ACK (src=1.1.1.2, src port=179)
5 TCP ACK (179)
BGP Update-Source (2)
» What if peers are NOT directly connected?
Diagram (as laid out on the slide): Router 1 and Router 2, both AS 1. Router 1 has Serial0/0 = 1.1.1.1 and Fast0/0 = 1.2.1.1; Router 2 has Fast0/0 = 1.2.1.2 and Serial0/0 = 3.3.3.3. Router 1's IP routing table: D 3.3.3.0/24 via 1.2.1.2 (Fast0/0).
Router 1:
router bgp 1
 neighbor 3.3.3.3 remote-as 1
Router 2:
router bgp 1
 neighbor 1.1.1.1 remote-as 1
1 Router 1: "How do I reach 3.3.3.3? Via FastEthernet0/0, so I'll use that interface's address (1.2.1.1) as my source IP."
2 TCP SYN (src=1.2.1.1, dst port=179)
3 Router 2: "1.2.1.1?? Who are you? I don't know you!" (no neighbor statement matches that source address)
4 TCP RST (src=3.3.3.3, src port=179)
BGP Update-Source (3)
» Redundant links between connected peers
Diagram: Router 1 and Router 2, both AS 1, connected through a switch (ports 0/1 to 0/4) by two links: Fast0/0 (1.2.1.1 and 1.2.1.2) and Fast0/1 (1.1.1.1 and 1.1.1.2).
Router 1:
router bgp 1
 neighbor 1.1.1.2 remote-as 1
Router 2:
router bgp 1
 neighbor 1.1.1.1 remote-as 1
Router 1's IP routing table while both links are up: C 1.2.1.0/24 via Fast0/0; C 1.1.1.0/24 via Fast0/1
1 Router 1: "How do I reach 1.1.1.2? Via FastEthernet0/1, so I'll use 1.1.1.1 as my source IP."
2 TCP SYN, SYN+ACK, ACK (port 179)
3 Router 2: "1.1.1.1? Great, I was expecting you!"
After the Fast0/1 link fails, Router 1's table becomes: D 1.1.1.0/24 via 1.2.1.2 (Fast0/0)
4 TCP SYN (src=1.2.1.1, dst port=179)
5 Router 2: "1.2.1.1?? Who are you? I don't know you!"
6 TCP RST (src=1.1.1.2, src port=179)
BGP Update-Source
» The failure of one link can cause the BGP neighborship to fail, even though an alternate path to the peer exists.
» There are two solutions to this issue:
• Configure two neighbor commands on each router, one per link.
• Use loopback interfaces as the TCP connection endpoints (neighbor ... update-source Loopback0).
» Two BGP peerings between the same pair of routers consume bandwidth and more memory in the BGP table, since every prefix is received twice.
BGP Update-Source (Fix #1)
Diagram: the non-directly-connected topology from BGP Update-Source (2). Router 1's IP routing table: D 3.3.3.0/24 via 1.2.1.2 (Fast0/0).
Router 1:
router bgp 1
 neighbor 3.3.3.3 remote-as 1
 neighbor 3.3.3.3 update-source Serial0/0
Router 2:
router bgp 1
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 update-source FastEthernet0/0
1 Router 1: "How do I reach 3.3.3.3? Via FastEthernet0/0, but update-source tells me to source from Serial0/0, so my source IP is 1.1.1.1."
2 TCP SYN (src=1.1.1.1, dst port=179)
3 Router 2: "I was waiting for you, 1.1.1.1!"
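The source-address selection and the receiver's check described in the Update-Source slides, as an added worked example (this is not code from the INE course; the Router class, its method names and the interface/route tables are assumptions built for the simulation). It covers both the non-directly-connected case above and the redundant-link case from Update-Source (3): the initiator picks its source from the egress interface unless update-source overrides it, and the responder answers SYN+ACK only when that source matches a configured neighbor, otherwise RST.

```python
import ipaddress

# Constructed example, not from the INE slides: which source IP a router uses for its
# BGP SYN and whether the peer's TCP stack accepts it (SYN+ACK) or refuses it (RST).


class Router:
    def __init__(self, name, interfaces, routes, neighbors, update_source=None):
        self.name = name
        self.interfaces = interfaces                       # {"Fast0/0": "1.2.1.1", ...}
        # prefix -> egress interface, standing in for the IP routing table
        self.routes = {ipaddress.ip_network(p): iface for p, iface in routes.items()}
        self.neighbors = set(neighbors)                    # addresses from 'neighbor <ip> remote-as'
        self.update_source = update_source or {}           # peer -> interface ('neighbor <ip> update-source')

    def egress(self, dst):
        """Longest-prefix match: the interface the routing table would use toward dst."""
        addr = ipaddress.ip_address(dst)
        matches = [(p, i) for p, i in self.routes.items() if addr in p]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

    def source_for(self, peer):
        """Source IP of our SYN: the update-source interface if configured, else the egress interface."""
        iface = self.update_source.get(peer) or self.egress(peer)
        return self.interfaces.get(iface) if iface else None

    def handle_syn(self, src):
        """The responder only answers SYNs whose source is a configured neighbor."""
        return "SYN+ACK" if src in self.neighbors else "RST"


def attempt(initiator, responder, peer_addr):
    """Return (source address used, responder's reply) for one connection attempt."""
    src = initiator.source_for(peer_addr)
    if src is None:
        return (None, "no route")
    return (src, responder.handle_syn(src))


# The 'BGP Update-Source (2)' topology: R1 reaches 3.3.3.3 over Fast0/0 but R2 expects 1.1.1.1.
R1_IF = {"Serial0/0": "1.1.1.1", "Fast0/0": "1.2.1.1"}
R1_ROUTES = {"3.3.3.0/24": "Fast0/0", "1.2.1.0/24": "Fast0/0", "1.1.1.0/24": "Serial0/0"}
R2 = Router("R2", {"Serial0/0": "3.3.3.3", "Fast0/0": "1.2.1.2"}, {}, ["1.1.1.1"])
R1_BROKEN = Router("R1", R1_IF, R1_ROUTES, ["3.3.3.3"])
R1_FIXED = Router("R1", R1_IF, R1_ROUTES, ["3.3.3.3"], update_source={"3.3.3.3": "Serial0/0"})


def redundant_link_scenario():
    """The 'BGP Update-Source (3)' case: peering on the Fast0/1 addresses across two parallel links.
    Returns the outcome with both links up, after Fast0/1 fails, and with loopback peering."""
    r1_if = {"Fast0/0": "1.2.1.1", "Fast0/1": "1.1.1.1", "Loop0": "11.11.11.11"}
    r2 = Router("R2", {"Fast0/0": "1.2.1.2", "Fast0/1": "1.1.1.2", "Loop0": "12.12.12.12"}, {}, ["1.1.1.1"])
    both_up = Router("R1", r1_if, {"1.2.1.0/24": "Fast0/0", "1.1.1.0/24": "Fast0/1"}, ["1.1.1.2"])
    # After Fast0/1 fails, the IGP reroutes 1.1.1.0/24 over the surviving link.
    fast01_down = Router("R1", r1_if, {"1.2.1.0/24": "Fast0/0", "1.1.1.0/24": "Fast0/0"}, ["1.1.1.2"])
    # Loopback peering: the source never changes no matter which link carries the session.
    r2_loop = Router("R2", {"Loop0": "12.12.12.12"}, {}, ["11.11.11.11"])
    loop_peering = Router("R1", r1_if, {"1.2.1.0/24": "Fast0/0", "12.12.12.12/32": "Fast0/0"},
                          ["12.12.12.12"], update_source={"12.12.12.12": "Loop0"})
    return (attempt(both_up, r2, "1.1.1.2"),
            attempt(fast01_down, r2, "1.1.1.2"),
            attempt(loop_peering, r2_loop, "12.12.12.12"))


if __name__ == "__main__":
    print("without update-source:", attempt(R1_BROKEN, R2, "3.3.3.3"))
    print("with update-source:   ", attempt(R1_FIXED, R2, "3.3.3.3"))
    print("redundant links:      ", redundant_link_scenario())
```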
BGP Parallel Links (Solution #1): two peerings, one per link
Diagram: Router 1 and Router 2, both AS 1, two parallel links through the switch: Fast0/0 (1.2.1.1 / 1.2.1.2) and Fast0/1 (1.1.1.1 / 1.1.1.2).
Router 1:
router bgp 1
 neighbor 1.2.1.2 remote-as 1
 neighbor 1.1.1.2 remote-as 1
Router 2:
router bgp 1
 neighbor 1.2.1.1 remote-as 1
 neighbor 1.1.1.1 remote-as 1
Two independent TCP sessions (SYN, SYN+ACK, ACK on port 179) are established, one across each link.
BGP Parallel Links (Solution #2): loopback peering
Diagram: the same two parallel links; Router 1 has Loop0 11.11.11.11/32 and Router 2 has Loop0 12.12.12.12/32.
Router 1:
router bgp 1
 neighbor 12.12.12.12 remote-as 1
 neighbor 12.12.12.12 update-source Loop0
!
ip route 12.12.12.12 255.255.255.255 1.1.1.2
ip route 12.12.12.12 255.255.255.255 1.2.1.2
Router 2:
router bgp 1
 neighbor 11.11.11.11 remote-as 1
 neighbor 11.11.11.11 update-source Loop0
!
ip route 11.11.11.11 255.255.255.255 1.1.1.1
ip route 11.11.11.11 255.255.255.255 1.2.1.1
Router 1's IP routing table: C 1.2.1.0/24 via Fast0/0; C 1.1.1.0/24 via Fast0/1; S 12.12.12.12/32 via 1.1.1.2 and via 1.2.1.2
Router 2's IP routing table: C 1.2.1.0/24 via Fast0/0; C 1.1.1.0/24 via Fast0/1; S 11.11.11.11/32 via 1.1.1.1 and via 1.2.1.1
A single TCP session (port 179) between the loopbacks survives the loss of either link, because the /32 static routes keep the peer's loopback reachable over the remaining link.
Case where "update-source" is not needed
Diagram: Router 1 (1.1.1.1) directly connected to Router 2 (1.1.1.2); Router 2 also has Loopback0 2.2.2.2.
Router 1:
router bgp <whatever>
 neighbor 2.2.2.2 remote-as <whatever>
Router 2:
router bgp <whatever>
 neighbor 1.1.1.1 remote-as <whatever>
1 TCP SYN (dst port=179), src=1.1.1.1, dst=2.2.2.2
2 TCP SYN+ACK (src port=179), src=2.2.2.2, dst=1.1.1.1
• Notice that in this instance Router 2 responds using its Loopback interface address as the source IP, even without "update-source" configured: a TCP responder always answers from the address the SYN was sent to.
• This only works while Router 1 is the initiator. Router 2's own connection attempts toward 1.1.1.1 would be sourced from 1.1.1.2, which Router 1 does not expect, and would be refused.
eBGP Problem
Diagram: the same parallel-link topology, but now Router 1 is in AS 1 and Router 2 in AS 2, peering between loopbacks 11.11.11.11 and 12.12.12.12.
Router 1:
router bgp 1
 neighbor 12.12.12.12 remote-as 2
 neighbor 12.12.12.12 update-source Loop0
!
ip route 12.12.12.12 255.255.255.255 1.1.1.2
ip route 12.12.12.12 255.255.255.255 1.2.1.2
Router 2:
router bgp 2
 neighbor 11.11.11.11 remote-as 1
 neighbor 11.11.11.11 update-source Loop0
!
ip route 11.11.11.11 255.255.255.255 1.1.1.1
ip route 11.11.11.11 255.255.255.255 1.2.1.1
Routing tables as in Solution #2: each router has a /32 to the other's loopback via both links.
Both routers: "I can't even start the TCP process because my peer is NOT directly connected!" By default an eBGP peer address must lie on a directly-connected subnet, and a loopback never does.
eBGP Solution #1 - Multihop
Same topology, loopbacks and static routes as the eBGP Problem slide; add ebgp-multihop to each neighbor:
Router 1:
router bgp 1
 neighbor 12.12.12.12 remote-as 2
 neighbor 12.12.12.12 update-source Loop0
 neighbor 12.12.12.12 ebgp-multihop
Router 2:
router bgp 2
 neighbor 11.11.11.11 remote-as 1
 neighbor 11.11.11.11 update-source Loop0
 neighbor 11.11.11.11 ebgp-multihop
Result: the TCP SYN (port 179) is sent with IP TTL = 255. ebgp-multihop without a hop count permits up to 255 hops; give it an explicit count (here 2 would do) so the session cannot be established from farther away than the design requires.
eBGP Solution #2 - Disable Connected Check
Same topology, loopbacks and static routes; add disable-connected-check to each neighbor instead:
Router 1:
router bgp 1
 neighbor 12.12.12.12 remote-as 2
 neighbor 12.12.12.12 update-source Loop0
 neighbor 12.12.12.12 disable-connected-check
Router 2:
router bgp 2
 neighbor 11.11.11.11 remote-as 1
 neighbor 11.11.11.11 update-source Loop0
 neighbor 11.11.11.11 disable-connected-check
Result: the TCP SYN (port 179) is still sent with IP TTL = 1. This works only because the two routers really are adjacent (loopback peering between directly-connected routers); the TTL keeps the session limited to one hop.
BGP Message Header and Types
» All BGP messages are carried inside IP/TCP headers (TCP port 179).
IP Header | TCP Header | BGP message
BGP message header: Marker (16 bytes, all ones, "all Fs") | Length (2 bytes, total message length including the header, 19 to 4096) | Type (1 byte) | BGP Data
» BGP uses four types of messages for its operation:
• Open (type 1)
• Update (type 2)
• Notification (type 3)
• Keepalive (type 4)
BGP Message Types - Open
» BGP Open message:
• Used in neighbor establishment.
• BGP values and capabilities are exchanged.
Marker (16 bytes, all ones) | Length (2 bytes) | Type = 1 | Version = 4 (1 byte) | My AS (2 bytes; a 4-byte ASN is announced through a capability, with AS_TRANS 23456 in this field) | Hold Time (2 bytes) | Router-ID (4 bytes) | Optional Parameters Length (1 byte) | Optional Parameters (BGP capabilities)
BGP Open Message (Sniffer Trace): screenshot of a captured Open message, not reproduced in this transcript.
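A parser for the header and Open message laid out above, combined with the peer checks from the BGP Peering Sanity Checks slide, as an added worked example (not code from the INE course; the function names, the neighbors dictionary that stands in for the neighbor ... remote-as configuration, and the constructed sample messages are assumptions). It refuses an unexpected source address before parsing anything, validates the all-ones marker and length, and then compares version, AS and Router-ID against what the local router expects.

```python
import struct
from dataclasses import dataclass

# Constructed example, not from the INE slides: decode a BGP header + OPEN message and
# apply the peering sanity checks (source address, AS number, version, router-id).

BGP_MARKER = b"\xff" * 16          # 16 bytes of all ones
HEADER_LEN = 19                    # marker(16) + length(2) + type(1)
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


@dataclass
class BgpOpen:
    version: int
    my_as: int
    hold_time: int
    router_id: str
    opt_params: bytes


def parse_header(msg: bytes):
    """Validate the fixed 19-byte header; return (length, type name, payload)."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than the BGP header")
    marker, length, msg_type = struct.unpack("!16sHB", msg[:HEADER_LEN])
    if marker != BGP_MARKER:
        raise ValueError("bad marker (must be all ones)")
    if length < HEADER_LEN or length > 4096 or length > len(msg):
        raise ValueError(f"bad length {length}")
    if msg_type not in MSG_TYPES:
        raise ValueError(f"unknown message type {msg_type}")
    return length, MSG_TYPES[msg_type], msg[HEADER_LEN:length]


def parse_open(payload: bytes) -> BgpOpen:
    """Decode the OPEN body: version, my AS, hold time, router-id, optional parameters."""
    if len(payload) < 10:
        raise ValueError("OPEN body too short")
    version, my_as, hold_time, rid, opt_len = struct.unpack("!BHH4sB", payload[:10])
    opts = payload[10:10 + opt_len]
    if len(opts) != opt_len:
        raise ValueError("optional parameters length exceeds message")
    return BgpOpen(version, my_as, hold_time, ".".join(str(b) for b in rid), opts)


def build_open(my_as: int, hold_time: int, router_id: str, opt_params: bytes = b"") -> bytes:
    """Encode an OPEN message; used here only to construct sample input."""
    rid = bytes(int(octet) for octet in router_id.split("."))
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, rid, len(opt_params)) + opt_params
    return BGP_MARKER + struct.pack("!HB", HEADER_LEN + len(body), 1) + body


def sanity_check(src_ip: str, msg: bytes, local_router_id: str, neighbors: dict) -> list:
    """Return the reasons to refuse this peer (an empty list means accept).

    neighbors maps a configured peer address to the AS it must announce, mirroring
    'neighbor <ip> remote-as <asn>'. The order follows the sanity-checks slide.
    """
    if src_ip not in neighbors:
        return [f"TCP connection from unexpected source {src_ip}"]   # refused before any BGP parsing
    try:
        _, msg_type, payload = parse_header(msg)
    except ValueError as exc:
        return [f"bad header: {exc}"]
    if msg_type != "OPEN":
        return [f"expected OPEN, got {msg_type}"]
    o = parse_open(payload)
    problems = []
    if o.version != 4:
        problems.append(f"unsupported version {o.version}")
    if o.my_as != neighbors[src_ip]:
        problems.append(f"bad peer AS {o.my_as}, expected {neighbors[src_ip]}")
    if o.router_id == local_router_id:
        problems.append("router-id collides with our own")
    if o.hold_time != 0 and o.hold_time < 3:        # RFC 4271: hold time is 0 or at least 3 s
        problems.append(f"unacceptable hold time {o.hold_time}")
    return problems


if __name__ == "__main__":
    # Router 1 (AS 1, router-id 11.11.11.11) expects AS 2 from 1.1.1.2, as on the slides.
    expected = {"1.1.1.2": 2}
    print(sanity_check("1.1.1.2", build_open(2, 180, "12.12.12.12"), "11.11.11.11", expected))
    print(sanity_check("1.1.1.2", build_open(3, 180, "12.12.12.12"), "11.11.11.11", expected))
```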
BGP Message Types - Update
» BGP Update message:
• Informs neighbors about withdrawn routes, changed routes, and new routes.
• Used to exchange Path Attributes (PAs) and the associated prefix/length (NLRI) that share those attributes.
Marker (16 bytes, all ones) | Length (2 bytes) | Type = 2 | Unfeasible (Withdrawn) Routes Length (2 bytes) | Withdrawn Routes (if any) | Total Path Attributes Length (2 bytes) | Path Attributes (TLVs) | NLRI (prefix length followed by prefix, repeated)
BGP Message Types - Notification
» BGP Notification message:
• Used to signal a BGP error; sending one closes the TCP connection and resets the neighbor relationship.
Marker (16 bytes, all ones) | Length (2 bytes) | Type = 3 | Error Code (1 byte) | Error Subcode (1 byte) | Data (variable)
• Because a single Notification (for example Cease, error code 6) tears the session down, it is the message forged in the BGP DoS example later in this part.
BGP Message Types - Keepalive
» BGP Keepalive message:
• Sent periodically to maintain the neighbor relationship (on IOS every 60 seconds by default, one third of the 180-second hold time). If no Keepalive or Update is received within the negotiated Hold Time, BGP brings down the neighbor connection.
IP Header | TCP Header | Marker (16 bytes, all ones) | Length = 19 (2 bytes) | Type = 4 (no data)
Examining the BGP Table
» To verify the BGP table, use the command show ip bgp.
» The output lists all BGP-learned routes: locally injected plus those learned from neighbors.
» Each prefix carries multiple attributes that can be examined and are used for best-path selection.
» Each prefix can have multiple paths with different next hops.
Examining the BGP Table (screenshot): sample show ip bgp output, not reproduced in this transcript.
Examining the BGP Table
» Prefixes marked '*' are valid and are considered by the best-path algorithm.
» The best path is marked '>'.
» The Path column shows the AS_Path attribute.
» The BGP show commands list the AS_Path with the first-added ASN (the originating AS) on the right and the last-added ASN (the neighbor we received the route from) on the left.
Verification Commands for eBGP Learned Routes
» show ip bgp prefix [subnet-mask]
» show ip bgp neighbors ip-address received-routes (requires neighbor ... soft-reconfiguration inbound)
» show ip bgp neighbors ip-address routes
» show ip bgp neighbors ip-address advertised-routes
» show ip bgp summary
BGP Neighbor States
» BGP goes through the following neighborship states:
» Idle: The BGP process is either administratively down or awaiting the next retry attempt. A neighbor that stays in Idle usually has no route to the peer address at all.
» Connect: The BGP process has detected an incoming TCP connection request and is waiting for the TCP connection to be completed.
» Active: BGP has initiated an outbound TCP connection request and is waiting for the 3-way handshake to complete. BGP can enter this state either because:
• This router was the first router to initiate a connection (Idle to Active)
• This router received an initial inbound connection request that failed to complete the TCP handshake (Idle, Connect, Active)
A neighbor that cycles between Idle and Active is one whose TCP connection keeps failing: wrong source address, a filter on port 179, or a peer that does not have us configured.
» OpenSent: The TCP connection exists, and a BGP Open message has been sent to the peer, but the matching Open message has not yet been received from the other router.
» OpenConfirm: An Open message has been both sent to and received from the other router.
» Established: All neighbor parameters match, the neighbor relationship works, and the peers can now exchange Update messages.
State Transitions: TCP Handshake Failure (Possibility #1)
Diagram: Idle ("Start event") → Connect ("Initiate TCP"): TCP SYN transmitted, ConnectRetry timer running. No SYN+ACK arrives, the TCP timeout expires, and BGP moves to Active ("Initiate TCP"), where the ConnectRetry timer is started again.
State Transitions: TCP Resets (Possibility #2)
Diagram: Idle ("Start event") → BGP invokes/starts TCP → TCP SYN sent → TCP RST received → Active ("Initiate TCP"); the ConnectRetry timer is stopped and restarted.
Moving to OpenSent (Possibility #3)
Diagram: Idle ("Start event") → Active ("Initiate TCP") → TCP SYN sent → TCP SYN+ACK received → TCP ACK sent → BGP Open sent → OpenSent, with the ConnectRetry timer cleared.
Moving from OpenSent (1)
Diagram: OpenSent → Open received but with a bad BGP header or bad Open parameters → BGP Notification sent → back to Idle, then Active ("Initiate TCP").
Moving from OpenSent (2)
Diagram: OpenSent → Open received, everything looks good → BGP Keepalive sent → OpenConfirm → BGP Keepalive received → Established ("I'm ready to send my BGP Update(s) now!").
Peering and Router-IDs
» When two routers are initially configured to peer with each other, they do not yet know each other's BGP Router-IDs; the Router-ID is only learned from the peer's Open message.
» When both routers open a connection toward each other, BGP keeps the connection initiated by the router with the higher Router-ID and closes the other.
» That comparison cannot be made until the Open messages have been exchanged, so nothing stops both sides from initiating.
BGP Collisions?
» If both routers actively open a connection before either has seen the other's Router-ID, a peering collision occurs: two TCP handshakes (SYN, SYN+ACK, ACK on port 179) complete, one in each direction.
Diagram: the parallel-link eBGP topology with loopback peering; Router 1 (AS 1) uses bgp router-id 11.11.11.11 and Router 2 (AS 2) uses bgp router-id 12.12.12.12.
Router 1:
router bgp 1
 neighbor 12.12.12.12 remote-as 2
 neighbor 12.12.12.12 update-source Loop0
 neighbor 12.12.12.12 ebgp-multihop
 bgp router-id 11.11.11.11
!
ip route 12.12.12.12 255.255.255.255 1.1.1.2
ip route 12.12.12.12 255.255.255.255 1.2.1.2
Router 2:
router bgp 2
 neighbor 11.11.11.11 remote-as 1
 neighbor 11.11.11.11 update-source Loop0
 neighbor 11.11.11.11 ebgp-multihop
 bgp router-id 12.12.12.12
!
ip route 11.11.11.11 255.255.255.255 1.1.1.1
ip route 11.11.11.11 255.255.255.255 1.2.1.1
BGP Open (Router-ID=11.11.11.11) and BGP Open (Router-ID=12.12.12.12) cross on the two connections. Each router: "Hey, I've already got a session with you!" The losing connection is closed with a BGP Notification (Cease).
How do we prevent collisions?
» A router can be configured to only accept inbound connections and never actively initiate outbound connections:
Router 1 (passive side):
router bgp 1
 neighbor 12.12.12.12 remote-as 2
 neighbor 12.12.12.12 update-source Loop0
 neighbor 12.12.12.12 ebgp-multihop
 neighbor 12.12.12.12 transport connection-mode passive
 bgp router-id 11.11.11.11
!
ip route 12.12.12.12 255.255.255.255 1.1.1.2
ip route 12.12.12.12 255.255.255.255 1.2.1.2
Router 2 (active side, unchanged):
router bgp 2
 neighbor 11.11.11.11 remote-as 1
 neighbor 11.11.11.11 update-source Loop0
 neighbor 11.11.11.11 ebgp-multihop
 bgp router-id 12.12.12.12
!
ip route 11.11.11.11 255.255.255.255 1.1.1.1
ip route 11.11.11.11 255.255.255.255 1.2.1.1
Only one TCP handshake (port 179) now occurs, initiated by Router 2, followed by its BGP Open (Router-ID=12.12.12.12). Configure passive mode on one side only; if both sides are passive the session never comes up.
Who initiated the connection?
» In the output of show ip bgp neighbors, if the "Local Port" is NOT 179, your local router INITIATED the TCP connection (the peer's port is 179). If the local port is 179, the peer initiated it.
BGP DoS Example
Diagram: Router 1 (AS 1, Fast0/0 = 1.2.1.1, bgp router-id 11.11.11.11) directly connected to Router 2 (AS 2, Fast0/0 = 1.2.1.2, bgp router-id 12.12.12.12); an "Evil Person" sits several hops away behind Router 2.
Router 1:
router bgp 1
 neighbor 1.2.1.2 remote-as 2
 bgp router-id 11.11.11.11
Router 2:
router bgp 2
 neighbor 1.2.1.1 remote-as 1
 bgp router-id 12.12.12.12
1 The attacker sends a forged BGP Notification (Cease, Router-ID=12.12.12.12) with source=1.2.1.2, destination=1.2.1.1 and IP TTL=4.
2 Router 2, like every router on the way: "Destination 1.2.1.1? I can forward that!" The packet arrives at Router 1 with TTL=1, the same TTL a genuine packet from the directly-connected peer carries.
3 Router 1: "Guess I need to kill my BGP peering with 12.12.12.12!"
» eBGP sends with TTL=1 but by default accepts any TTL on receipt, so a spoofed packet from far away is indistinguishable from one sent by the adjacent peer. The attacker also needs the live TCP 4-tuple and an in-window sequence number, which is why MD5 authentication helps; TTL-security closes the distance gap independently of that.
TTL and eBGP Sessions
» eBGP sessions assume the neighbor is directly connected.
» The TTL in eBGP packets is set to 1 when a connected route to the neighbor is found.
» If the neighbor is NOT directly connected, additional configuration is needed to start the BGP peering process, and that configuration determines the outbound TTL:
• ebgp-multihop (sets the TTL of outbound BGP packets to 255, or to the configured hop count)
• disable-connected-check (leaves the TTL of outbound BGP packets at 1)
• ttl-security (discussed next)
TTL-Security
» By default, any TTL value (>0) in received BGP packets is accepted from eBGP peers.
» TTL-Security (the Generalized TTL Security Mechanism, RFC 5082) enforces a minimum received TTL to prevent this kind of DoS:
• (config-router)#neighbor x.x.x.x ttl-security hops <1-254>
» How is "hops" used?
• 255 - <hops> = X
• All incoming BGP packets from that peer must have TTL ≥ X; the router also sends its own BGP packets to that peer with TTL 255.
• Packets that fail the check are silently discarded. ttl-security and ebgp-multihop cannot both be configured on the same neighbor; the hops value already permits the multihop peering.
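The default "accept any TTL" behaviour beside the ttl-security check, run over packets modelled on the BGP DoS Example and the TTL-Security slides, as an added worked example (not code from the INE course; the packet dictionaries, the routers_in_path hop simulation and the function names are assumptions). The forged Notification from the DoS slide leaves with TTL 4 and arrives with TTL 1: the default check processes it, the GTSM check with hops 1 drops it, and even an attacker who starts at TTL 255 is dropped after three forwarding hops.

```python
from typing import Optional

# Constructed example, not from the INE slides: the pre-GTSM receiver check beside the
# ttl-security (GTSM) check. A packet is a dict with the fields the receiver sees.


def min_accepted_ttl(hops: int) -> int:
    """ttl-security hops <1-254>: the lowest TTL still accepted is 255 - hops."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be 1..254")
    return 255 - hops


def deliver(packet: dict, routers_in_path: int) -> Optional[dict]:
    """Simulate forwarding: every router on the path decrements TTL; TTL 0 is dropped in transit."""
    ttl = packet["ttl"] - routers_in_path
    if ttl <= 0:
        return None
    return {**packet, "ttl": ttl}


def accept_default(packet: dict, neighbors: dict) -> bool:
    """Default behaviour: any TTL > 0 from a configured peer address is processed."""
    return packet["src"] in neighbors and packet["ttl"] > 0


def accept_ttl_security(packet: dict, neighbors: dict) -> bool:
    """neighbors maps peer address -> configured hops; packets below 255 - hops are silently dropped."""
    hops = neighbors.get(packet["src"])
    if hops is None:
        return False
    return packet["ttl"] >= min_accepted_ttl(hops)


def classify(packet: dict, routers_in_path: int, neighbors: dict):
    """(default verdict, ttl-security verdict) for a packet that crossed routers_in_path routers."""
    arrived = deliver(packet, routers_in_path)
    if arrived is None:
        return (False, False)
    return (accept_default(arrived, neighbors), accept_ttl_security(arrived, neighbors))


# Router 1's configuration from the slides: 'neighbor 1.2.1.2 ttl-security hops 1'.
R1_NEIGHBORS = {"1.2.1.2": 1}
# Constructed packets: the peer's own packet (sent with TTL 255 under ttl-security, 0 forwarding
# hops because it is directly connected) and the attacker's spoofed Notification from the DoS slide.
PEER_PACKET = {"src": "1.2.1.2", "dst": "1.2.1.1", "ttl": 255}
SPOOFED_CEASE = {"src": "1.2.1.2", "dst": "1.2.1.1", "ttl": 4}     # 3 routers away, arrives with TTL 1
SPOOFED_MAX_TTL = {"src": "1.2.1.2", "dst": "1.2.1.1", "ttl": 255}  # same attacker, best possible TTL

if __name__ == "__main__":
    print("peer:          ", classify(PEER_PACKET, 0, R1_NEIGHBORS))
    print("spoof TTL 4:   ", classify(SPOOFED_CEASE, 3, R1_NEIGHBORS))
    print("spoof TTL 255: ", classify(SPOOFED_MAX_TTL, 3, R1_NEIGHBORS))
```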
TTL-Security with Direct-Connection Peering
Diagram: R1 (AS 1, customer, 1.2.1.1) directly connected to R2 (AS 2, ISP, 1.2.1.2); an attacker sits several hops beyond R2.
R1: neighbor 1.2.1.2 ttl-security hops 1
R2: neighbor 1.2.1.1 ttl-security hops 1
1 BGP packets are sent with TTL=255.
2 BGP packets are received and processed with TTL ≥ 254.
3 BGP packets are silently discarded with TTL < 254.
The attacker's packet leaves with TTL=255 but is decremented by every router on the way (254, 253, 252 in the diagram), so it arrives below the threshold and is dropped.
TTL-Security with Multihop Peering
Diagram: R1 (AS 1, customer, 1.2.1.1) reaches R2 (AS 2, ISP, 2.2.2.2) through one intermediate router, i.e. two hops; an attacker sits farther away.
R1: neighbor 2.2.2.2 ttl-security hops 2
R2: neighbor 1.2.1.1 ttl-security hops 2
1 BGP packets are sent with TTL=255.
2 BGP packets are received and processed with TTL ≥ 253.
3 BGP packets are silently discarded with TTL < 253.
The attacker's packet (TTL=255 at the source, 254 and 253 at the intermediate routers, 250 on arrival in the diagram) fails the check.
TTL-Security with Loopback Peering (Method #1)
Diagram: R1 (AS 1, customer, 1.2.1.1, Loop0 11.11.11.11/32) directly connected to R2 (AS 2, ISP, 1.2.1.2, Loop0 22.22.22.22/32), peering between the loopbacks.
R1:
neighbor 22.22.22.22 update-source loop0
neighbor 22.22.22.22 ttl-security hops 2
R2:
neighbor 11.11.11.11 update-source loop0
neighbor 11.11.11.11 ttl-security hops 2
1 BGP packets are sent with TTL=255.
2 BGP packets are received and processed with TTL ≥ 253.
3 BGP packets are silently discarded with TTL < 253.
Here ttl-security takes the place of ebgp-multihop: the hops value both permits the non-connected peering and sets the TTL threshold.
TTL-Security with Loopback Peering (Method #2)
Same topology as Method #1.
R1:
neighbor 22.22.22.22 update-source loop0
neighbor 22.22.22.22 ttl-security hops 1
neighbor 22.22.22.22 disable-connected-check
R2:
neighbor 11.11.11.11 update-source loop0
neighbor 11.11.11.11 ttl-security hops 1
neighbor 11.11.11.11 disable-connected-check
1 BGP packets are sent with TTL=255.
2 BGP packets are received and processed with TTL ≥ 254.
3 BGP packets are silently discarded with TTL < 254.
This is the tighter of the two methods: hops 1 accepts packets only from the adjacent device.
Neighbor Failures - Direct Connections
» BGP neighbors may be directly or indirectly connected.
» Failure of a direct connection (the interface goes down) = immediate teardown of the BGP peer, because the route to the peer disappears together with the interface.
Diagram: Router 1 (AS 1,Fast0/0 = 1.1.1.1) directly connected to Router 2 (AS 2, Fast0/0 = 1.1.1.2).
Router 1:
router bgp 1
 neighbor 1.1.1.2 remote-as 2
Router 2:
router bgp 2
 neighbor 1.1.1.1 remote-as 1
Neighbor Failures - Indirect Connections
» Indirect neighbor failures rely on the BGP Hold timer, 180 seconds by default (keepalives every 60 seconds), so the dead peer is only noticed three missed keepalives later.
Adjusting BGP Timers
» BGP keepalives can be reduced to a minimum of 1 second with a minimum hold time of 3 seconds (timers bgp 1 3), at the cost of additional CPU load on every peer.
Other ways of failure detection
» Several other options exist for neighbor failure detection that avoid the CPU cost of aggressive BGP keepalives:
• Neighbor Fall-Over
• Neighbor Fall-Over Route-Map
• Neighbor Fall-Over BFD
» All of the above are called "BGP Fast Peering Session Deactivation".
Neighbor Fall-Over
» The "neighbor x.x.x.x fall-over" command has several options. In its basic form:
• It tracks the IGP (routing-table) route to the BGP peer (iBGP or eBGP). When the route is lost, the peer is immediately taken down.
• It does NOT work if the router ALSO contains a default route (or any less-specific route covering the peer address), because the peer still has a route in the table.
Neighbor Fall-Over (example)
Diagram: Router 1 (Loopback0 11.11.11.11, Fast0/0 = 1.1.1.1) and Router 2 (Loopback0 22.22.22.2, Fast0/0 = 1.1.1.2), both AS 1, running EIGRP between them and peering iBGP between the loopbacks.
Router 1:
router bgp 1
 neighbor 22.22.22.2 remote-as 1
 neighbor 22.22.22.2 fall-over
Router 2:
router bgp 1
 neighbor 11.11.11.11 remote-as 1
 neighbor 11.11.11.11 fall-over
Without "neighbor fall-over", the Hold timer must expire before the peering is torn down.
Neighbor Fall-Over - The Problem
Diagram: ISP-B (BGP AS 1) consists of Router 1 (Loop0 199.11.1.3/32), Router 2 and Router 3 (Loop0 199.10.1.1/32), all running EIGRP AS 100 with a full iBGP mesh (1-2, 2-3, 1-3). The corporate intranet routers sit behind Router 2; ISP-A (Router X) advertises 199.11.0.0/16 and ISP-C (Router Y) advertises 199.10.0.0/16, so each edge router's loopback is also covered by an aggregate learned from an ISP. Addresses 1.1.1.2 and 7.7.7.2 are the other iBGP neighbors shown on the slide.
Config on the router that peers with 199.11.1.3:
router bgp 1
 neighbor 1.1.1.2 remote-as 1
 neighbor 199.11.1.3 remote-as 1
 neighbor 199.11.1.3 fall-over
Config on the router that peers with 199.10.1.1:
router bgp 1
 neighbor 7.7.7.2 remote-as 1
 neighbor 199.10.1.1 remote-as 1
 neighbor 199.10.1.1 fall-over
The problem: when the EIGRP host route to a peer's loopback disappears, the peer address is still covered by 199.11.0.0/16 (via Router X) or 199.10.0.0/16 (via Router Y), so plain fall-over sees a route and never fires.
BGP Fast Peering Session Deactivation with Next-Hop Address Tracking
» A route-map can be attached to the "neighbor x.x.x.x fall-over" command:
• It tracks the IGP route to the BGP peer (iBGP or eBGP); when the route is lost, the peer is immediately taken down.
• Only routes permitted by the route-map count, so it does not matter whether a default route (or a covering aggregate) exists.
Neighbor Fall-Over - The Solution!
Same topology as the previous slide. The route-map permits only the peer's host route, so the /16 aggregates from the ISPs no longer keep the peering alive.
Config on the router that peers with 199.11.1.3:
router bgp 1
 neighbor 1.1.1.2 remote-as 1
 neighbor 199.11.1.3 remote-as 1
 neighbor 199.11.1.3 fall-over route-map FALLOVER
!
access-list 1 permit 199.11.1.3 0.0.0.0
!
route-map FALLOVER permit 10
 match ip address 1
Config on the router that peers with 199.10.1.1:
router bgp 1
 neighbor 7.7.7.2 remote-as 1
 neighbor 199.10.1.1 remote-as 1
 neighbor 199.10.1.1 fall-over route-map FALLOVER
!
access-list 1 permit 199.10.1.1 0.0.0.0
!
route-map FALLOVER permit 10
 match ip address 1
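The difference between plain fall-over and the route-map form, as an added worked example over a simulated routing table (not code from the INE course; the Rib class, the function names and the list of permitted prefixes standing in for the access-list are assumptions). Plain fall-over keeps the session up as long as any route covers the peer, so the /16 aggregate from the ISP masks the loss of the loopback; the route-map form requires the best route to be one the policy permits, so withdrawing the /32 tears the session down at once.

```python
import ipaddress

# Constructed example, not from the INE slides: why 'neighbor fall-over' is defeated by a
# covering route (default or aggregate) and the route-map form is not.


class Rib:
    """A minimal IP routing table: a set of prefixes with longest-prefix-match lookup."""

    def __init__(self, prefixes):
        self.routes = {ipaddress.ip_network(p) for p in prefixes}

    def lookup(self, address):
        """Best (longest) matching prefix, or None when the address is unroutable."""
        addr = ipaddress.ip_address(address)
        matches = [r for r in self.routes if addr in r]
        return max(matches, key=lambda r: r.prefixlen) if matches else None

    def withdraw(self, prefix):
        self.routes.discard(ipaddress.ip_network(prefix))


def fallover_keeps_peer_up(rib, peer):
    """'neighbor <peer> fall-over': the session stays up while ANY route covers the peer."""
    return rib.lookup(peer) is not None


def fallover_routemap_keeps_peer_up(rib, peer, permitted):
    """'neighbor <peer> fall-over route-map': the best route to the peer must be one the
    policy permits. 'permitted' stands in for 'access-list 1 permit <peer> 0.0.0.0'."""
    best = rib.lookup(peer)
    return best is not None and best in {ipaddress.ip_network(p) for p in permitted}


def scenario(peer, prefixes, lost_prefix, permitted):
    """(plain fall-over still up, route-map fall-over still up) after lost_prefix is withdrawn."""
    rib = Rib(prefixes)
    rib.withdraw(lost_prefix)
    return fallover_keeps_peer_up(rib, peer), fallover_routemap_keeps_peer_up(rib, peer, permitted)


# The slide's case: the peer loopback 199.11.1.3/32 is learned via EIGRP and is also inside
# the 199.11.0.0/16 aggregate from ISP-A; the corporate side adds a default route.
PEER = "199.11.1.3"
TABLE = ["199.11.1.3/32", "199.11.0.0/16", "0.0.0.0/0"]
PERMITTED = ["199.11.1.3/32"]

if __name__ == "__main__":
    print("loopback lost, aggregate remains:", scenario(PEER, TABLE, "199.11.1.3/32", PERMITTED))
```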
Indirect Link Failure
Diagram: Router 1 (AS 1, Fast0/1 = 1.1.1.1) and Router 2 (AS 2, Fast0/1 = 1.1.1.2) connected through a switch (Router 1 on port 0/2, Router 2 on port 0/4). Router 1 also peers with Router A (AS 3, a.a.a.a) and advertises 7.7.7.0/24; Router 2 also peers with Router B (AS 4, b.b.b.b).
Router 1:
router bgp 1
 neighbor 1.1.1.2 remote-as 2
 neighbor a.a.a.a remote-as 3
 network 7.7.7.0 mask 255.255.255.0
Router 2:
router bgp 2
 neighbor 1.1.1.1 remote-as 1
 neighbor b.b.b.b remote-as 4
• When switch port 0/2 goes down, Router 2's own interface stays up and its connected route to 1.1.1.0/24 remains, so the previous two solutions will not work.
• Router 2 will continue to use the path through Router 1 until the Hold timer expires.
BFD, yes, it is a Big, Fantastic Deal!!
» BFD = Bidirectional Forwarding Detection (RFC 5880)
» Utilizes UDP (control packets on port 3784, echo packets on port 3785, multihop control on port 4784) and CEF
» A BFD session is set up between BFD peers.
» Sub-second failover using BFD/UDP "pings".
» Originally designed for directly-connected peers.
» Not just for BGP: OSPF, EIGRP, IS-IS and static routes can be clients of the same BFD session.
BFD Echo and Control Packets
» BFD can utilize two types of packets:
• Echo
• Control
» Control packets are mandatory and are processed by the CPU of the peer.
» Echo packets are optional (on by default on IOS):
• Echo packets are not processed by the CPU of the peer; they simply test the peer's forwarding path.
• Echo packets carry the sender's own address as both source and destination, so the peer forwards them straight back in the fast path.
BFD Basic Configuration
» Initial BFD timers are configured on the physical interface. Echo mode is on by default.
• Router(config-if)#bfd interval 100 min_rx 200 multiplier 3
"I would like to transmit BFD Echo packets every 100 msec."
"The fastest I can process incoming BFD Echo packets is every 200 msec, so please don't send them any faster."
"If YOUR min_rx is GREATER than my interval, I'll respect your value and transmit Echo packets at that slower rate. And I'll declare you dead after the multiplier times the interval at which you actually send to me."
» In other words, each side transmits at max(its own interval, the peer's min_rx), and a receiver's detection time is the sender's multiplier times that negotiated interval.
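The timer negotiation described above, as an added worked example (not code from the INE course; the BfdTimers class and the function names are assumptions). It computes the rate each side really transmits at, the resulting detection time on the receiver, and when a session is declared down once packets stop, and it also shows the asymmetric case where a slow peer stretches the other side's detection time.

```python
from dataclasses import dataclass

# Constructed example, not from the INE slides: BFD timer negotiation and detection time
# following the rules on the configuration slide (and RFC 5880).


@dataclass(frozen=True)
class BfdTimers:
    interval: int    # desired transmit interval, ms  ('bfd interval <x>')
    min_rx: int      # fastest rate we can receive, ms ('min_rx <y>')
    multiplier: int  # packets missed before declaring the peer down ('multiplier <m>')


def tx_interval(local: BfdTimers, remote: BfdTimers) -> int:
    """Rate at which 'local' actually transmits: never faster than the peer can receive."""
    return max(local.interval, remote.min_rx)


def detection_time(local: BfdTimers, remote: BfdTimers) -> int:
    """How long 'local' waits without packets before declaring the peer down:
    the peer's multiplier times the interval at which the peer actually transmits to us."""
    return remote.multiplier * tx_interval(remote, local)


def teardown_at(local: BfdTimers, remote: BfdTimers, last_rx_ms: int) -> int:
    """Time at which 'local' declares the session down after its last received packet."""
    return last_rx_ms + detection_time(local, remote)


def session_state(local: BfdTimers, remote: BfdTimers, last_rx_ms: int, now_ms: int) -> str:
    """'up' while the last packet is younger than the detection time, otherwise 'down'."""
    return "up" if now_ms - last_rx_ms < detection_time(local, remote) else "down"


# The slide's command on both routers: bfd interval 100 min_rx 200 multiplier 3
SLIDE = BfdTimers(interval=100, min_rx=200, multiplier=3)
# Constructed asymmetric pair: a fast router facing a slow one.
FAST = BfdTimers(interval=50, min_rx=50, multiplier=3)
SLOW = BfdTimers(interval=300, min_rx=100, multiplier=5)

if __name__ == "__main__":
    print("slide pair: tx every", tx_interval(SLIDE, SLIDE), "ms, detect in", detection_time(SLIDE, SLIDE), "ms")
    print("fast side sends every", tx_interval(FAST, SLOW), "ms and detects the slow peer in",
          detection_time(FAST, SLOW), "ms")
```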
Indirect Link Failure with BFD
Diagram: the same switched topology as Indirect Link Failure.
Router 1:
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.252
 bfd interval 100 min_rx 100 multiplier 3
!
router bgp 1
 neighbor 1.1.1.2 remote-as 2
 neighbor 1.1.1.2 fall-over bfd
 neighbor a.a.a.a remote-as 3
 network 7.7.7.0 mask 255.255.255.0
Router 2:
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.252
 bfd interval 100 min_rx 100 multiplier 3
!
router bgp 2
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 fall-over bfd
 neighbor b.b.b.b remote-as 4
Indirect Link Failure with BFD (1)
Diagram: Router 1 (AS 1, Loop0 11.11.11.11/32) and Router 2 (AS 2, Loop0 22.22.22.22/32) connected through the switch on Fast0/1 (1.1.1.1 / 1.1.1.2); Router 1 also connects to Router A (AS 3, 1.3.1.3, Router 1 side 1.3.1.1) and Router 2 to Router B (AS 4, 2.4.2.4, Router 2 side 2.4.2.2). Router 1 advertises 7.7.7.0/24.
Router 1:
router bgp 1
 neighbor 22.22.22.22 remote-as 2
 neighbor 22.22.22.22 ebgp-multihop
 neighbor 22.22.22.22 update-source loopback0
 neighbor 1.3.1.3 remote-as 3
 network 7.7.7.0 mask 255.255.255.0
!
ip route 22.22.22.22 255.255.255.255 1.1.1.2
Router 2:
router bgp 2
 neighbor 11.11.11.11 remote-as 1
 neighbor 11.11.11.11 ebgp-multihop
 neighbor 11.11.11.11 update-source loopback0
 neighbor 2.4.2.4 remote-as 4
!
ip route 11.11.11.11 255.255.255.255 1.1.1.1
Multihop peers can be reachable via several physical links. On which link should BFD be configured? Interface-level (single-hop) BFD cannot answer that question; multihop BFD is bound to the peer addresses instead.
Indirect Link Failure with BFD (2)
Same topology; BFD is now bound to the loopback pair with a multihop template and map instead of to an interface.
Router 1:
bfd-template multi-hop BGP
 interval min-tx 200 min-rx 200 multiplier 3
!
bfd map ipv4 22.22.22.22/32 0.0.0.0/0 BGP
!
router bgp 1
 neighbor 22.22.22.22 remote-as 2
 neighbor 22.22.22.22 ebgp-multihop
 neighbor 22.22.22.22 update-source loopback0
 neighbor 22.22.22.22 fall-over bfd multi-hop
 neighbor 1.3.1.3 remote-as 3
 network 7.7.7.0 mask 255.255.255.0
!
ip route 22.22.22.22 255.255.255.255 1.1.1.2
Router 2:
bfd-template multi-hop BGP
 interval min-tx 200 min-rx 200 multiplier 3
!
bfd map ipv4 11.11.11.11/32 0.0.0.0/0 BGP
!
router bgp 2
 neighbor 11.11.11.11 remote-as 1
 neighbor 11.11.11.11 ebgp-multihop
 neighbor 11.11.11.11 update-source loopback0
 neighbor 11.11.11.11 fall-over bfd multi-hop
 neighbor 2.4.2.4 remote-as 4
!
ip route 11.11.11.11 255.255.255.255 1.1.1.1
Quiz!!!
Given the configurations shown above, answer these questions:
1. How often will Router-1 receive BFD Echo packets from Router-2? ____________
2. How long will it take for Router-2 to tear down the BGP peering session with Router-1 when port 0/2 on the switch goes down? ____________
Answer
1. How often will Router-1 receive BFD Echo packets from Router-2? Every 300 msec.
2. How long will it take for Router-2 to tear down the BGP peering session with Router-1 when port 0/2 on the switch goes down? After roughly 900 msec.
Quiz!!!
Diagram: Router 1 (Loop0 33.33.33.33/32), Router 2 and Router 3 (Loop0 11.11.11.11/32), all in EIGRP AS 100 with a full iBGP mesh; the corporate intranet routers sit behind Router 2, with ISP-A (Router X) and ISP-C (Router Y) attached. Router 1 holds 0.0.0.0/0 via Router X, learned through EIGRP.
Which of the features that we've learned about in this series would quickly tear down the iBGP peering between Router-1 and Router-3 if FastEthernet0/0 on Router-1 went down, WITHOUT consuming any additional bandwidth on any of the links shown here?
Answer
Diagram: the Neighbor Fall-Over topology (Router 1 Loop0 199.11.1.3/32, Router 3 Loop0 199.10.1.1/32, 199.11.0.0/16 via Router X and 199.10.0.0/16 via Router Y).
BGP Fast Peering Session Deactivation with Next-Hop Address Tracking, i.e. neighbor fall-over with a route-map: plain fall-over would be masked by the default route, and BFD would add probe traffic to the links.