bgp techniques for internet service providers 2011 1 bgp techniques for internet service providers...

AfNOG 2011 1

BGP Techniques for Internet ServiceProviders

Philip Smith <[email protected]>AfNOG 2011Dar Es Salaam, Tanzania5 June 2011

AfNOG 2011 2

Presentation Slides

Will be available onftp://ftp-eng.cisco.com/pfs/seminars/AfNOG2011-BGP-Techniques.pdfAnd on the AfNOG2011 website

Feel free to ask questions any time

AfNOG 2011 3

Deploying BGP in an ISP Network

We’ve learned about BGP in SI-E/F and AR-E… What now?

AfNOG 2011 4

Deploying BGP

The role of IGPs and iBGP

Aggregation

Receiving Prefixes

Configuration Tips

Deploying 4-byte ASNs

AfNOG 2011 5

The role of IGP and iBGP

Ships in the night?OrGood foundations?

AfNOG 2011 6

BGP versus OSPF/ISIS

Internal Routing Protocols (IGPs)examples are ISIS and OSPFused for carrying infrastructure addressesNOT used for carrying Internet prefixes or customer prefixesdesign goal is to minimise number of prefixes in IGP to aidscalability and rapid convergence

AfNOG 2011 7


BGP used internally (iBGP) and externally (eBGP) iBGP used to carry

some/all Internet prefixes across backbonecustomer prefixes

eBGP used toexchange prefixes with other ASesimplement routing policy

AfNOG 2011 8

BGP/IGP model used in ISP networks

Model representation

IGP

iBGP

IGP

iBGP

IGP

iBGP

IGP

iBGP

eBGP eBGP eBGP

AS1 AS2 AS3 AS4

AfNOG 2011 9


DO NOT:distribute BGP prefixes into an IGPdistribute IGP routes into BGPuse an IGP to carry customer prefixes

YOUR NETWORK WILL NOT SCALE

AfNOG 2011 10

Injecting prefixes into iBGP

Use iBGP to carry customer prefixesDon’t ever use IGP

Point static route to customer interface Enter network into BGP process

Ensure that implementation options are used so that the prefixalways remains in iBGP, regardless of state of interfacei.e. avoid iBGP flaps caused by interface flaps

AfNOG 2011 11

Aggregation

Quality or Quantity?

AfNOG 2011 12

Aggregation

Aggregation means announcing the address blockreceived from the RIR to the other ASes connected toyour network

Subprefixes of this aggregate may be:Used internally in the ISP networkAnnounced to other ASes to aid with multihoming

Unfortunately too many people are still thinking aboutclass Cs, resulting in a proliferation of /24s in theInternet routing table

AfNOG 2011 13

Aggregation

Address block should be announced to the Internet asan aggregate

Subprefixes of address block should NOT beannounced to Internet unless for traffic engineeringpurposes

(see BGP Multihoming Tutorial)

Aggregate should be generated internallyNot on the network borders!

AfNOG 2011 14

Announcing an Aggregate

ISPs who don’t and won’t aggregate are held in poorregard by community

Registries publish their minimum allocation sizeAnything from a /20 to a /24 depending on RIRDifferent sizes for different address blocksThere are currently >185000 /24s!

APNIC changed (Oct 2010) its minimum allocation sizeon all blocks to /24

IPv4 run-out is starting to have an impact

AfNOG 2011 15

AS100customer

100.10.10.0/23Internet

100.10.10.0/23100.10.0.0/24100.10.4.0/22…

Aggregation – Example

Customer has /23 network assigned from AS100’s /19 address block

AS100 announces customers’ individual networks to the Internet

AfNOG 2011 16

Customer link returnsTheir /23 network is nowvisible to their ISPTheir /23 network is re-advertised to peersStarts rippling through InternetLoad on Internet backbonerouters as network isreinserted into routing tableSome ISP’s suppress the flapsInternet may take 10-20 min orlonger to be visibleWhere is the Quality ofService???

Customer link goes downTheir /23 network becomesunreachable/23 is withdrawn from AS100’siBGP

Their ISP doesn’t aggregate its/19 network block

/23 network withdrawalannounced to peersstarts rippling through theInternetadded load on all Internetbackbone routers as networkis removed from routing table

Aggregation – Bad Example

AfNOG 2011 17

AS100customer

100.10.10.0/23

100.10.0.0/19aggregate

Internet

100.10.0.0/19

Aggregation – Example

Customer has /23 network assigned from AS100’s /19 address block

AS100 announced /19 aggregate to the Internet

AfNOG 2011 18

Aggregation – Good Example

Customer link goes downtheir /23 network becomesunreachable/23 is withdrawn from AS100’siBGP

/19 aggregate is still beingannounced

no BGP hold down problemsno BGP propagation delaysno damping by other ISPs

Customer link returns

Their /23 network is visibleagain

The /23 is re-injected intoAS100’s iBGP

The whole Internet becomesvisible immediately

Customer has Quality ofService perception

AfNOG 2011 19

Aggregation – Summary

Good example is what everyone should do!Adds to Internet stabilityReduces size of routing tableReduces routing churnImproves Internet QoS for everyone

Bad example is what too many still do!Why? Lack of knowledge?Laziness?

AfNOG 2011 20

Separation of iBGP and eBGP

Many ISPs do not understand the importance ofseparating iBGP and eBGP

iBGP is where all customer prefixes are carriedeBGP is used for announcing aggregate to Internet and forTraffic Engineering

Do NOT do traffic engineering with customer originatediBGP prefixes

Leads to instability similar to that mentioned in the earlier badexampleEven though aggregate is announced, a flapping subprefix willlead to instability for the customer concerned

Generate traffic engineering prefixes on the BorderRouter

AfNOG 2011 21

The Internet Today (1st June 2011)

Current Internet Routing Table StatisticsBGP Routing Table Entries 358603Prefixes after maximum aggregation 162337Unique prefixes in Internet 178173Prefixes smaller than registry alloc 149545/24s announced 186667ASes in use 37758

AfNOG 2011 22

“The New Swamp”

Swamp space is name used for areas of pooraggregation

The original swamp was 192.0.0.0/8 from the former class Cblock

Name given just after the deployment of CIDR

The new swamp is creeping across all parts of the InternetNot just RIR space, but “legacy” space too

AfNOG 2011 23

“The New Swamp”RIR Space – February 1999

RIR blocks contribute 88% of the Internet Routing TableBlock Networks118/8 0119/8 0120/8 0121/8 0122/8 0123/8 0124/8 0125/8 0126/8 0173/8 0174/8 0186/8 0187/8 0189/8 0190/8 0192/8 6275193/8 2390194/8 2932195/8 1338196/8 513198/8 4034199/8 3495200/8 1348

Block Networks201/8 0202/8 2276203/8 3622204/8 3792205/8 2584206/8 3127207/8 2723208/8 2817209/8 2574210/8 617211/8 0212/8 717213/8 1216/8 943217/8 0218/8 0219/8 0220/8 0221/8 0222/8 0

Block Networks24/8 16541/8 058/8 059/8 060/8 061/8 362/8 8763/8 2064/8 065/8 066/8 067/8 068/8 069/8 070/8 071/8 072/8 073/8 074/8 075/8 076/8 077/8 078/8 0

Block Networks79/8 080/8 081/8 082/8 083/8 084/8 085/8 086/8 087/8 088/8 089/8 090/8 091/8 096/8 097/8 098/8 099/8 0112/8 0113/8 0114/8 0115/8 0116/8 0117/8 0

AfNOG 2011 24

“The New Swamp”RIR Space – February 2010

Block Networks118/8 1349119/8 1694120/8 531121/8 1756122/8 2687123/8 2400124/8 2259125/8 2514126/8 106173/8 1994174/8 1089186/8 1223187/8 1501189/8 3063190/8 6945192/8 6952193/8 6820194/8 5177195/8 5325196/8 1857198/8 4504199/8 4372 200/8 8884

Block Networks201/8 4136202/8 11354203/8 11677204/8 5744205/8 3037206/8 3951207/8 4635208/8 6498209/8 5536210/8 4977211/8 3130212/8 3550213/8 3442216/8 7645217/8 3136218/8 1512219/8 1303220/8 2108221/8 980222/8 1058

Block Networks24/8 332841/8 344858/8 167559/8 157560/8 88861/8 289062/8 241863/8 311464/8 660165/8 396666/8 778267/8 377168/8 322169/8 528070/8 200871/8 132772/8 405073/8 474/8 507475/8 116476/8 103477/8 196478/8 1397

Block Networks79/8 111980/8 233581/8 170982/8 135883/8 135784/8 134185/8 249286/8 78087/8 146688/8 106889/8 316890/8 37791/8 455596/8 77897/8 72598/8 131299/8 288112/8 883113/8 890114/8 996115/8 1616116/8 1755117/8 1611

RIR blocks contribute about 87% of the Internet Routing Table

AfNOG 2011 25

“The New Swamp”Summary

RIR space shows creeping deaggregationIt seems that an RIR /8 block averages around 5000 prefixes(and upwards) once fully allocated

Food for thought:The 120 RIR /8s combined will cause:635000 prefixes with 5000 prefixes per /8 density762000 prefixes with 6000 prefixes per /8 densityPlus 12% due to “non RIR space deaggregation”→ Routing Table size of 853440 prefixes

AfNOG 2011 26

“The New Swamp”Summary

Rest of address space is showing similar deaggregationtoo

What are the reasons?Main justification is traffic engineering

Real reasons are:Lack of knowledgeLazinessDeliberate & knowing actions

AfNOG 2011 27

Efforts to improve aggregation

The CIDR ReportInitiated and operated for many years by Tony BatesNow combined with Geoff Huston’s routing analysis

www.cidr-report.orgResults e-mailed on a weekly basis to most operations listsaround the worldLists the top 30 service providers who could do better ataggregating

RIPE Routing WG aggregation recommendationRIPE-399 — http://www.ripe.net/ripe/docs/ripe-399.html

AfNOG 2011 28

Efforts to Improve AggregationThe CIDR Report

Also computes the size of the routing table assumingISPs performed optimal aggregation

Website allows searches and computations ofaggregation to be made on a per AS basis

Flexible and powerful tool to aid ISPsIntended to show how greater efficiency in terms of BGP tablesize can be obtained without loss of routing and policyinformationShows what forms of origin AS aggregation could be performedand the potential benefit of such actions to the total table sizeVery effectively challenges the traffic engineering excuse

AfNOG 2011 29

AfNOG 2011 30

AfNOG 2011 31

AfNOG 2011 32

AfNOG 2011 33

AfNOG 2011 34

AfNOG 2011 35

Importance of Aggregation

Size of routing tableRouter Memory is not so much of a problem as it was in the1990sRouters can be specified to carry 1 million+ prefixes

Convergence of the Routing SystemThis is a problemBigger table takes longer for CPU to processBGP updates take longer to deal withBGP Instability Report tracks routing system update activityhttp://bgpupdates.potaroo.net/instability/bgpupd.html

AfNOG 2011 36

AfNOG 2011 37

AfNOG 2011 38

Aggregation Potential(source: bgp.potaroo.net/as2.0/)

AS Path

AS Origin

AfNOG 2011 39

AggregationSummary

Aggregation on the Internet could be MUCH better35% saving on Internet routing table size is quite feasibleTools are available

Commands on the routers are not hardCIDR-Report webpage

AfNOG 2011 40

Receiving Prefixes

AfNOG 2011 41

Receiving Prefixes

There are three scenarios for receiving prefixes fromother ASNs

Customer talking BGPPeer talking BGPUpstream/Transit talking BGP

Each has different filtering requirements and need to beconsidered separately

AfNOG 2011 42

Receiving Prefixes:From Customers

ISPs should only accept prefixes which have beenassigned or allocated to their downstream customer

If ISP has assigned address space to its customer, thenthe customer IS entitled to announce it back to his ISP

If the ISP has NOT assigned address space to itscustomer, then:

Check the five RIR databases to see if this address space reallyhas been assigned to the customerThe tool: whois

AfNOG 2011 43

Example use of whois to check if customer is entitled to announceaddress space:

$ whois -h whois.apnic.net 202.12.29.0inetnum: 202.12.28.0 - 202.12.29.255netname: APNIC-APdescr: Asia Pacific Network Information Centredescr: Regional Internet Registry for the Asia-Pacificdescr: 6 Cordelia Streetdescr: South Brisbane, QLD 4101descr: Australiacountry: AUadmin-c: AIC1-APtech-c: NO4-APmnt-by: APNIC-HMmnt-irt: IRT-APNIC-APchanged: [email protected]: ASSIGNED PORTABLEchanged: [email protected] 20110309source: APNIC

Portable – means its an assignmentto the customer, the customer canannounce it to you


AfNOG 2011 44

Example use of whois to check if customer is entitled to announce addressspace:

$ whois -h whois.ripe.net 193.128.0.0inetnum: 193.128.0.0 - 193.133.255.255netname: UK-PIPEX-193-128-133descr: Verizon UK Limitedcountry: GBorg: ORG-UA24-RIPEadmin-c: WERT1-RIPEtech-c: UPHM1-RIPEstatus: ALLOCATED UNSPECIFIEDremarks: Please send abuse notification to [email protected]: RIPE-NCC-HM-MNTmnt-lower: AS1849-MNTmnt-routes: AS1849-MNTmnt-routes: WCOM-EMEA-RICE-MNTmnt-irt: IRT-MCI-GBsource: RIPE # Filtered

ALLOCATED – means that this isProvider Aggregatable address spaceand can only be announced by the ISPholding the allocation (in this caseVerizon UK)


AfNOG 2011 45

Receiving Prefixes:From Peers

A peer is an ISP with whom you agree to exchangeprefixes you originate into the Internet routing table

Prefixes you accept from a peer are only those they haveindicated they will announcePrefixes you announce to your peer are only those you haveindicated you will announce

AfNOG 2011 46

Receiving Prefixes:From Peers

Agreeing what each will announce to the other:Exchange of e-mail documentation as part of the peeringagreement, and then ongoing updates

ORUse of the Internet Routing Registry and configuration toolssuch as the IRRToolSet

www.isc.org/sw/IRRToolSet/

AfNOG 2011 47

Receiving Prefixes:From Upstream/Transit Provider

Upstream/Transit Provider is an ISP who you pay togive you transit to the WHOLE Internet

Receiving prefixes from them is not desirable unlessreally necessary

Traffic Engineering – see BGP Multihoming Tutorial

Ask upstream/transit provider to either:originate a default-route

ORannounce one prefix you can use as default

AfNOG 2011 48


If necessary to receive prefixes from any provider, careis required.

Don’t accept default (unless you need it)Don’t accept your own prefixes

For IPv4:Don’t accept private (RFC1918) and certain special useprefixes:

http://www.rfc-editor.org/rfc/rfc5735.txtDon’t accept prefixes longer than /24 (?)

For IPv6:Don’t accept certain special use prefixes:

http://www.rfc-editor.org/rfc/rfc5156.txtDon’t accept prefixes longer than /48 (?)

AfNOG 2011 49


Check Team Cymru’s list of “bogons”www.team-cymru.org/Services/Bogons/http.html

For IPv4 also consult:datatracker.ietf.org/doc/draft-vegoda-no-more-unallocated-slash8s

For IPv6 also consult:www.space.net/~gert/RIPE/ipv6-filters.html

Bogon Route Server:www.team-cymru.org/Services/Bogons/routeserver.htmlSupplies a BGP feed (IPv4 and/or IPv6) of address blockswhich should not appear in the BGP table

AfNOG 2011 50

Receiving Prefixes

Paying attention to prefixes received from customers,peers and transit providers assists with:

The integrity of the local networkThe integrity of the Internet

Responsibility of all ISPs to be good Internet citizens

AfNOG 2011 51

Configuration Tips

Of passwords, tricks and templates

AfNOG 2011 52

iBGP and IGPsReminder!

Make sure loopback is configured on routeriBGP between loopbacks, NOT real interfaces

Make sure IGP carries loopback /32 address

Consider the DMZ nets:Use unnumbered interfaces?Use next-hop-self on iBGP neighboursOr carry the DMZ /30s in the iBGPBasically keep the DMZ nets out of the IGP!

AfNOG 2011 53

iBGP: Next-hop-self

BGP speaker announces external network to iBGPpeers using router’s local address (loopback) as next-hop

Used by many ISPs on edge routersPreferable to carrying DMZ /30 addresses in the IGPReduces size of IGP to just core infrastructureAlternative to using unnumbered interfacesHelps scale networkMany ISPs consider this “best practice”

AfNOG 2011 54

Limiting AS Path Length

Some BGP implementations have problems with longAS_PATHS

Memory corruptionMemory fragmentation

Even using AS_PATH prepends, it is not normal to seemore than 20 ASes in a typical AS_PATH in theInternet today

The Internet is around 5 ASes deep on averageLargest AS_PATH is usually 16-20 ASNs

AfNOG 2011 55

Limiting AS Path Length

Some announcements have ridiculous lengths of AS-paths:

*> 3FFE:1600::/24 22 11537 145 12199 1031810566 13193 1930 2200 3425 293 5609 5430 13285 693914277 1849 33 15589 25336 6830 8002 2042 7610 i

This example is an error in one IPv6 implementation

*> 96.27.246.0/24 2497 1239 12026 12026 1202612026 12026 12026 12026 12026 12026 12026 1202612026 12026 12026 12026 12026 12026 12026 1202612026 12026 12026 i

This example shows 21 prepends (for no obvious reason)

If your implementation supports it, consider limiting themaximum AS-path length you will accept

AfNOG 2011 56

BGP TTL “hack”

Implement RFC5082 on BGP peerings(Generalised TTL Security Mechanism)Neighbour sets TTL to 255Local router expects TTL of incoming BGP packets to be 254No one apart from directly attached devices can send BGPpackets which arrive with TTL of 254, so any possible attack bya remote miscreant is dropped due to TTL mismatch

ISP AS 100Attacker

TTL 254

TTL 253 TTL 254R1 R2

AfNOG 2011 57

BGP TTL “hack”

TTL Hack:Both neighbours must agree to use the featureTTL check is much easier to perform than MD5(Called BTSH – BGP TTL Security Hack)

Provides “security” for BGP sessionsIn addition to packet filters of courseMD5 should still be used for messages which slip through theTTL hackSee www.nanog.org/mtg-0302/hack.html for more details

AfNOG 2011 58

Templates

Good practice to configure templates for everythingVendor defaults tend not to be optimal or even very useful forISPsISPs create their own defaults by using configuration templates

eBGP and iBGP examples followAlso see Team Cymru’s BGP templates

http://www.team-cymru.org/ReadingRoom/Documents/

AfNOG 2011 59

iBGP TemplateExample

iBGP between loopbacks!

Next-hop-selfKeep DMZ and external point-to-point out of IGP

Always send communities in iBGPOtherwise accidents will happen

Hardwire BGP to version 4Yes, this is being paranoid!

AfNOG 2011 60

iBGP TemplateExample continued

Use passwords on iBGP sessionNot being paranoid, VERY necessaryIt’s a secret shared between you and your peerIf arriving packets don’t have the correct MD5 hash, they areignoredHelps defeat miscreants who wish to attack BGP sessions

Powerful preventative tool, especially when combinedwith filters and the TTL “hack”

AfNOG 2011 61

eBGP TemplateExample

BGP dampingDo NOT use it unless you understand the impactDo NOT use the vendor defaults without thinking

Remove private ASes from announcementsCommon omission today

Use extensive filters, with “backup”Use as-path filters to backup prefix filtersKeep policy language for implementing policy, rather than basicfiltering

Use password agreed between you and peer on eBGPsession

AfNOG 2011 62

eBGP TemplateExample continued

Use maximum-prefix trackingRouter will warn you if there are sudden increases in BGP tablesize, bringing down eBGP if desired

Limit maximum as-path length inbound

Log changes of neighbour state…and monitor those logs!

Make BGP admin distance higher than that of any IGPOtherwise prefixes heard from outside your network couldoverride your IGP!!

AfNOG 2011 63

Summary

Use configuration templates

Standardise the configuration

Be aware of standard “tricks” to avoid compromise ofthe BGP session

Anything to make your life easier, network less prone toerrors, network more likely to scale

It’s all about scaling – if your network won’t scale, thenit won’t be successful

AfNOG 2011 64

Deploying 32-bit ASNs

How to support customers using the extended ASN range

AfNOG 2011 65

32-bit ASNs

Standards documentsDescription of 32-bit ASNs

www.rfc-editor.org/rfc/rfc4893.txtTextual representation

www.rfc-editor.org/rfc/rfc5396.txtNew extended community

www.rfc-editor.org/rfc/rfc5668.txt

AS 23456 is reserved as interface between 16-bit and32-bit ASN world

AfNOG 2011 66

32-bit ASNs – terminology

16-bit ASNsRefers to the range 0 to 65535

32-bit ASNsRefers to the range 65536 to 4294967295(or the extended range)

32-bit ASN poolRefers to the range 0 to 4294967295

AfNOG 2011 67

Getting a 32-bit ASN

Sample RIR policywww.apnic.net/docs/policy/asn-policy.html

From 1st January 200732-bit ASNs were available on request

From 1st January 200932-bit ASNs were assigned by default16-bit ASNs were only available on request

From 1st January 2010No distinction – ASNs assigned from the 32-bit pool

AfNOG 2011 68

Representation

Representation of 0-4294967295 ASN rangeMost operators favour traditional format (asplain)A few prefer dot notation (X.Y):

asdot for 65536-4294967295, e.g 2.4asdot+ for 0-4294967295, e.g 0.64513

But regular expressions will have to be completely rewritten forasdot and asdot+ !!!

For example:^[0-9]+$ matches any ASN (16-bit and asplain)This and equivalents extensively used in BGP multihomingconfigurations for traffic engineering

Equivalent regexp for asdot is: ^([0-9]+)|([0-9]+\.[0-9]+)$

Equivalent regexp for asdot+ is: ^[0-9]+\.[0-9]+$

AfNOG 2011 69

Changes

32-bit ASNs are backward compatible with 16-bit ASNs There is no flag day You do NOT need to:

Throw out your old routersReplace your 16-bit ASN with a 32-bit ASN

You do need to be aware that:Your customers will come with 32-bit ASNsASN 23456 is not a bogon!You will need a router supporting 32-bit ASNs to use a 32-bitASN locally

If you have a proper BGP implementation, 32-bit ASNswill be transported silently across your network

AfNOG 2011 70

How does it work?

If local router and remote router supports configurationof 32-bit ASNs

BGP peering is configured as normal using the 32-bit ASN

If local router and remote router does not supportconfiguration of 32-bit ASNs

BGP peering can only use a 16-bit ASN

If local router only supports 16-bit ASN and remoterouter/network has a 32-bit ASN

Compatibility mode is initiated…

AfNOG 2011 71

Compatibility Mode:

Local router only supports 16-bit ASN and remote router uses 32-bit ASN

BGP peering initiated:Remote asks local if 32-bit supported (BGP capability negotiation)When local says “no”, remote then presents AS23456Local needs to be configured to peer with remote using AS23456

BGP peering initiated (cont):BGP session established using AS2345632-bit ASN included in a new BGP attribute called AS4_PATH

(as opposed to AS_PATH for 16-bit ASNs)

Result:16-bit ASN world sees 16-bit ASNs and 23456 standing in for 32-bitASNs32-bit ASN world sees 16 and 32-bit ASNs

AfNOG 2011 72

180.10.0.0/16 123 23456 23456170.10.0.0/16 123 23456

AS 80000

AS 123

AS 70000

AS 90000

AS 321

170.10.0.0/16 180.10.0.0/16

150.10.0.0/16

180.10.0.0/16 123 70000 80000170.10.0.0/16 123 70000150.10.0.0/16 123 321

Example:

Internet with 32-bit and16-bit ASNs

AS-PATH lengthmaintained

AfNOG 2011 73

What has changed?

Two new BGP attributes:AS4_PATH

Carries 32-bit ASN path infoAS4_AGGREGATOR

Carries 32-bit ASN aggregator infoWell-behaved BGP implementations will simply pass thesealong if they don’t understand them

AS23456 (AS_TRANS)

AfNOG 2011 74

asdotformat

asplainformat

What do they look like?

IPv4 prefix originated by AS196613as4-7200#sh ip bgp 145.125.0.0/20BGP routing table entry for 145.125.0.0/20, version 58734Paths: (1 available, best #1, table default) 131072 12654 196613 204.69.200.25 from 204.69.200.25 (204.69.200.25) Origin IGP, localpref 100, valid, internal, best

IPv4 prefix originated by AS3.5as4-7200#sh ip bgp 145.125.0.0/20BGP routing table entry for 145.125.0.0/20, version 58734Paths: (1 available, best #1, table default) 2.0 12654 3.5 204.69.200.25 from 204.69.200.25 (204.69.200.25) Origin IGP, localpref 100, valid, internal, best

AfNOG 2011 75

TransitionAS

What do they look like?

IPv4 prefix originated by AS196613But 16-bit AS world view:

BGP-view1>sh ip bgp 145.125.0.0/20

BGP routing table entry for 145.125.0.0/20, version 113382

Paths: (1 available, best #1, table Default-IP-Routing-Table)

23456 12654 23456

204.69.200.25 from 204.69.200.25 (204.69.200.25)

Origin IGP, localpref 100, valid, external, best

AfNOG 2011 76

If 32-bit ASN not supported:

Inability to distinguish between peer ASes using 32-bit ASNsThey will all be represented by AS23456Could be problematic for transit provider’s policy

Inability to distinguish prefix’s origin ASHow to tell whether origin is real or fake?The real and fake both represented by AS23456(There should be a better solution here!)

Incorrect NetFlow summaries:Prefixes from 32-bit ASNs will all be summarised under AS23456Traffic statistics need to be measured per prefix and aggregatedMakes it hard to determine peerability of a neighbouring network

AfNOG 2011 77

iBGP Deployment (1)

Typical ISP design is thus:ISIS/OSPF for IGP, carrying loopback and point to point linkaddressesiBGP mesh (full/RR/Confederation) to carry customer andInternet prefixes

All routers support 4-byte ASNs:Proceed with iBGP design as normal

Not all routers support 4-byte ASNs:Three viable options

AfNOG 2011 78

iBGP Deployment (2)

1. Return 4-byte ASN to the RIR and request 2-byteASN instead:Works if RIR is willing to do soWorks as long as there are 2-byte ASNs remaining

2. Partial iBGP mesh:Routers which support 4-byte ASNs run iBGP meshRouters which do not support 4-byte ASNs either:

Run in private ASN (as a pseudo-customer) orDo not run BGP at all

3. Use a BGP Confederation(see AR-E Workshop)

AfNOG 2011 79

Implementations (May 2011)

Cisco IOS-XR 3.4 onwards

Cisco IOS-XE 2.3 onwards

Cisco IOS 12.0(32)S12, 12.4(24)T, 12.2SRE, 12.2(33)SXI1 onwards

Cisco NX-OS 4.0(1) onwards

Quagga 0.99.10 (patches for 0.99.6)

OpenBGPd 4.2 (patches for 3.9 & 4.0)

Juniper JunOSe 4.1.0 & JunOS 9.1 onwards

Redback SEOS

Force10 FTOS7.7.1 onwards

http://as4.cluepon.net/index.php/Software_Support for a complete list

AfNOG 2011 80

Cisco Routers Supporting 4-byte ASNs

CRSIOS-XR 3.4 onwards

GSRIOS-XR 3.4 onwardsIOS 12.0(32)S12, 12.0(33)S and 12.0(32)SY8 onwards

ASR1000IOS-XE 2.3 onwards

Nexus SwitchesNX-OS 4.0(1) onwards

AfNOG 2011 81


Catalyst 6500IOS 12.2(33)SXI1 onwards

7600IOS 12.2(33)SRE1 onwards

7200 seriesIOS 12.0(32)S12, 12.0(33)S, 12.2(33)SRE1, 12.4(24)T, 15.0onwards

7301IOS 12.2(33)SRE1, 12.4(24)T, 15.0 onwards

AfNOG 2011 82


3900/2900/1900 seriesIOS 15.0 onwards

3800/2800/1800/800 seriesIOS 12.4(24)T and IOS 15.0 onwards

3745/3725IOS 12.4(24)T

AS5350/5400IOS 12.4(24)T and IOS 15.0 onwards

AfNOG 2011 83

Cisco Routers NOT supporting 4-byteASNs

Routers which will never support 4-byte ASNs include:1700 series2500 series2600 series3600 seriesAS53007304

AfNOG 2011 84

Summary

Deploying 32-bit ASNs is simpleYour network can talk to a network which is using a 32-bit ASNYou have options with iBGP if not all your routers supportconfiguration of 32-bit ASN

Vendor support should be much betterRecent software support only, meaning older hardware will beproblematic

AfNOG 2011 85

Summary

AfNOG 2011 86

Summary

Tutorial has examined BGP deployment techniques:The role of IGPs and iBGPAggregationReceiving PrefixesConfiguration TipsDeploying 4-byte ASNs

AfNOG 2011 87

BGP Techniques for Internet ServiceProviders

The End!