![Page 1: Peering and Transit Tutorials: Practical Every Day BGP Filtering](https://reader031.vdocuments.us/reader031/viewer/2022021423/58801abb1a28abbc128b5abf/html5/thumbnails/1.jpg)
Practical everyday BGP filtering with AS_PATH filters: Peerlocking
Disclaimer: ISPs and their ASNs used in this talk are examples for discussion purposes only. NTT does not admit or deny any relationships with these entities.
Page 2
Part 1
Job Snijders - Peerlocking - AfPIF 2016
Page 3
Anybody know http://puck.nether.net/bgp/leakinfo.cgi ?
https://www.nanog.org/meetings/nanog41/presentations/mauch-lightning.pdf
Page 4
What are we talking about?
Page 5
Wikipedia-proclaimed "big boys"
7018, 174, 209, 3320, 3257, 286, 3356, 3549, 2914, 5511, 1239, 6453, 6762, 12956, 1299, 701, 2828, 6461
No more than two of these should show up in a given AS_PATH, following the "Transit-Free" paradigm.
https://en.wikipedia.org/wiki/Tier_1_network#List_of_tier_1_networks
Page 6
[Graph of route leaks per instigating ASN; image not present in this extraction. Notes on the slide:]
• Non-scientific graph
• Not meant to point fingers
• 'Instigators' are not alone (others accept too)
• Collective responsibility to filter
• Data focuses on BGP updates / unique prefixes
• Many route leaks not visible due to max_prefix
Page 7
Humans…
Page 8
Peerlock-lite aka "big networks filter"
Assuming you'll not sell transit to one of those big networks in the foreseeable future: reject any prefixes you receive from your customers which contain a $bignetwork ASN anywhere in the AS_PATH.

ip as-path access-list 99 permit _(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|5511|6453|6461|6762|7018|12956)_
route-map ebgp-customer-in deny 1
 match as-path 99
Page 9
Approaches to prevent route leaks #1
• Networks should not announce received prefixes over peering to other peers
 – Fix: Tag routes with BGP communities on ingress, execute on egress (recent NANOG thread)
 – Note: Always set egress filters to REJECT prefixes without any / the proper communities (failsafe)
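The tag-on-ingress, enforce-on-egress approach above, as an added Python example that is not code from the slides or from NTT. It assumes AS64500 stands in for the local ASN and that the community values 64500:100 (customer route) and 64500:200 (peer route) are constructed for this illustration; the failsafe is that a route carrying neither tag is never exported.

```python
"""Added example (not from the slides): tag routes by session type on
ingress and enforce the tags on egress; an untagged route is rejected.

Assumption: AS64500 stands in for our own ASN and the community values
64500:100 / 64500:200 are constructed for this example.
"""
from typing import Dict, Iterable, List, Set

OUR_ASN = 64500
TAG_CUSTOMER = f"{OUR_ASN}:100"   # learned on a customer session
TAG_PEER = f"{OUR_ASN}:200"       # learned on a peering session
SESSION_TYPES = ("customer", "peer")


def ingress(route: Dict, session_type: str) -> Dict:
    """Scrub every community in our own namespace that the neighbour sent
    (a neighbour must not be able to claim customer status), then tag the
    route according to the session it arrived on."""
    if session_type not in SESSION_TYPES:
        raise ValueError(f"unknown session type {session_type!r}")
    comms: Set[str] = {c for c in route.get("communities", ())
                       if not c.startswith(f"{OUR_ASN}:")}
    comms.add(TAG_CUSTOMER if session_type == "customer" else TAG_PEER)
    return {**route, "communities": comms}


def egress_allowed(route: Dict, session_type: str) -> bool:
    """Export decision: customer routes go to everyone, peer routes only to
    customers, and a route without any of our tags is rejected (failsafe)."""
    comms = route.get("communities", set())
    if TAG_CUSTOMER in comms:
        return True
    if TAG_PEER in comms:
        return session_type == "customer"
    return False


def export_table(routes: Iterable[Dict], session_type: str) -> List[str]:
    """Prefixes that would be announced on a session of the given type."""
    return [r["prefix"] for r in routes if egress_allowed(r, session_type)]


if __name__ == "__main__":
    # Constructed sample routes; 64500:999 is a tag the customer tried to set.
    from_customer = ingress({"prefix": "203.0.113.0/24",
                             "communities": {"64500:999"}}, "customer")
    from_peer = ingress({"prefix": "198.51.100.0/24"}, "peer")
    untagged = {"prefix": "192.0.2.0/24", "communities": set()}
    rib = [from_customer, from_peer, untagged]
    print("to peer:    ", export_table(rib, "peer"))
    print("to customer:", export_table(rib, "customer"))
```

Scrubbing the local community namespace on ingress is what makes the egress decision trustworthy: a peer that sends 64500:100 on its own still ends up tagged as a peer route and is not re-announced to other peers.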
Page 10
Approaches to prevent route leaks #2
• One must apply a "whitelist" of prefixes a customer may announce on every customer session
 – Fix: use bgpq3 or some other prefix filter generator
• Con:
 – Customer's AS-SET might contain the entire internet
 – thus when leaking a full table, still allowing a lot to pass
 • https://github.com/job/irrtree
 • http://irrexplorer.nlnog.net/
Page 11
Approaches to prevent route leaks #3
• Maximum prefix settings on peers + customers
 – Fix: if unsure: just do it
 – Note: automate the adjustment of max_prefix settings for your peers! Only email your peer when absolutely unsure what to configure.
• Con: does not help against small/partial route-leaks
Page 12
PeerLock
Page 13
The Human Network: Peerlocking in a nutshell
We know PCCW is not an upstream for AT&T, we know AT&T is not an upstream for PCCW, etc, etc, etc.
How do we know this? We emailed them.
example: AS_PATH 2914_3491_7018 would be garbage!
Page 14
Peerlock schematic goal
Given ASNs A, B, C, D, and E as our peers. Peer A subscribes to the peerlock idea (Protected ASN) and indicates that peer B is an "Allowed Upstream".
OK: ^A_
OK: ^B_A_
NOT OK: ^C_A_
NOT OK: ^D_A_
NOT OK: ^E_A_
Page 15
Example cases:
• Prevent _7018_ routes from being accepted anywhere except on direct 7018 peering
• Allow only AS3356 as upstream for peer PCCW globally (we don't, but we could)
Page 16
Deploying & Managing Peerlock
• "peerlock" is applied on ALL eBGP sessions (both customer sessions and peering sessions)
• "peerlock" is entirely dynamic through NTT's network management web interface
• "peerlock" allows for advanced regional exceptions/rules
• IT IS RECOMMENDABLE THAT BOTH PARTIES CONSENT TO PEERLOCK
Page 17

| Protected ASN | Allowed Upstream | In What Region | Ignore Constraints | Active |
|---|---|---|---|---|
| 3491 | None | Everywhere | False | True |
| 7018 | None | Everywhere | True | True |
| 65123 | 7018 | US | False | True |
| 4200000000 | 3491 | Europe | False | True |
| 4200000000 | 7018 | US | False | True |

UI/table mockup: rules-based approach
Page 18
Rule Constraints (unless overridden)
1. Both the Protected ASN and Allowed Upstream MUST be directly connected with eBGP sessions to the AS2914 backbone.
2. Only ASNs that connect with AS2914 in multiple regions are eligible to be used as an Allowed Upstream.
3. The Allowed Upstream field can only be set to "None" in combination with in_what_region "Everywhere", if the Protected ASN connects with AS2914 in multiple regions.
4. An Allowed Upstream can only be specified for a region if the Allowed Upstream connects with AS2914 within that region.
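The Peerlock-lite "big networks filter" (page 8), the schematic goal (page 14) and the rules table (page 17), worked as one added Python example. This is not code from the slides, from NTT, or from the github.com/job/peerlock generator. It assumes rules are plain Python objects with the table's columns (Protected ASN, Allowed Upstream, region), that a path is a list of ASNs in AS_PATH order with the neighbor as the first element, and that the eligibility constraints of page 18 (direct connection, multi-region presence) are checked elsewhere. It goes a step beyond the slides by also emitting ordered IOS-style as-path entries per peer and per region, which is the shape the slides say the generated filters take.

```python
"""Added example (not the slides' or github.com/job/peerlock code): evaluate
AS_PATHs against Peerlock-lite and Peerlock rules, and emit per-peer,
per-region AS_PATH filter entries.

Assumptions not taken from the slides: rules are plain Python objects,
regions are strings, paths are lists of ASNs with the neighbor first, and
the page-18 eligibility constraints are enforced elsewhere.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The "big boys" list from the slides, used by the Peerlock-lite filter.
BIG_NETWORKS = {174, 209, 286, 701, 1239, 1299, 2828, 2914, 3257, 3320,
                3356, 3549, 5511, 6453, 6461, 6762, 7018, 12956}


@dataclass(frozen=True)
class Rule:
    protected: int                    # ASN that asked to be protected
    allowed_upstream: Optional[int]   # None: nobody may appear as its upstream
    region: str                       # "Everywhere" or a region name
    active: bool = True


# Constructed rule set mirroring the UI mock-up table on the slides.
RULES = [
    Rule(3491, None, "Everywhere"),
    Rule(7018, None, "Everywhere"),
    Rule(65123, 7018, "US"),
    Rule(4200000000, 3491, "Europe"),
    Rule(4200000000, 7018, "US"),
]


def collapse_prepends(path: List[int]) -> List[int]:
    """Collapse consecutive repeats so prepending does not alter the hop structure."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def protected_asns(rules: List[Rule]) -> Set[int]:
    return {r.protected for r in rules if r.active}


def allowed_upstreams(rules: List[Rule], protected: int, region: str) -> Set[int]:
    """Upstreams permitted for `protected` in `region`; "Everywhere" rules apply in every region."""
    return {r.allowed_upstream for r in rules
            if r.active and r.protected == protected
            and r.allowed_upstream is not None
            and r.region in (region, "Everywhere")}


def peerlock_verdict(rules: List[Rule], neighbor: int, region: str,
                     path: List[int]) -> Tuple[bool, str]:
    """Accept or reject one path received from `neighbor` in `region`.
    OK: ^A_ (direct session with A); OK: ^B_A_ (B is an Allowed Upstream
    for A in this region); NOT OK: any other path that carries A."""
    hops = collapse_prepends(path)
    if not hops or hops[0] != neighbor:
        return False, "AS_PATH does not start with the neighbor ASN"
    for protected in protected_asns(rules):
        if protected not in hops or neighbor == protected:
            continue
        if hops.index(protected) == 1 and neighbor in allowed_upstreams(rules, protected, region):
            continue
        return False, f"AS{protected} is protected; AS{neighbor} is not an allowed upstream in {region}"
    return True, "ok"


def peerlock_lite_verdict(session_is_customer: bool, path: List[int]) -> Tuple[bool, str]:
    """Peerlock-lite: a customer may not carry any big-network ASN anywhere in the AS_PATH."""
    if session_is_customer:
        hit = BIG_NETWORKS.intersection(path)
        if hit:
            return False, f"big-network ASN(s) {sorted(hit)} in customer AS_PATH"
    return True, "ok"


def generate_aspath_filter(rules: List[Rule], neighbor: int, region: str) -> List[Tuple[str, str]]:
    """Ordered (action, regex) entries for one session; first match wins.
    In IOS-style regexes `_` also matches start of path, so `_P_` would hit
    `^P_`; a direct session with P therefore gets no entry for P."""
    entries: List[Tuple[str, str]] = []
    for protected in sorted(protected_asns(rules)):
        if protected == neighbor:
            continue
        if neighbor in allowed_upstreams(rules, protected, region):
            entries.append(("permit", f"^{neighbor}(_{neighbor})*_{protected}_"))
        entries.append(("deny", f"_{protected}_"))
    return entries


if __name__ == "__main__":
    for nbr, region, path in [(7018, "US", [7018, 65123, 64500]),
                              (3491, "US", [3491, 4200000000]),
                              (174, "US", [174, 64500, 7018])]:
        print(nbr, region, path, "->", peerlock_verdict(RULES, nbr, region, path))
    for action, regex in generate_aspath_filter(RULES, 7018, "US"):
        print(f"ip as-path access-list 100 {action} {regex}")
```

The permit-before-deny ordering is what makes the "Allowed Upstream" exception expressible in a first-match AS_PATH access list: the permit entry only matches when the protected ASN sits directly behind the neighbor that is allowed to carry it, and everything else containing that ASN falls through to the deny.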
Page 19
Open Source Proof of Concept configuration generator
To facilitate in calculating what the proper as-path-sets are, I've published some python code. This is a variant of what we used to validate the production implementation.
https://github.com/job/peerlock
WARNING: code is of Hazy Engineering Quality
WIN THE PRIZE: I've hidden one bug in the script
Page 20
These are generated
• per peer
• per region
Page 21
Example workflow
1. Peering team engages with peer and seeks permission, proposes initial ruleset
2. Engineering evaluates if the initial proposed peerlock rules will break the internet or not
3. Deploy the ruleset in coordination with peer
4. Peers can contact your NOC for change requests, you commit to timely responses
5. Engineering approves/denies change requests to peer-lock rules
Page 22
Example Technical Documentation for our eBGP peers
1. Contains configuration examples
2. Terminology
3. Disclaimer
4. Default operating mode
5. How to request changes / Who to contact
http://instituut.net/~job/peerlock_manual.pdf
Page 23
Part 2
Page 24
Dropping Bogon ASNs
Motivation:
• Occurrences of AS23456 are misconfigurations or software bugs.
• Private/Reserved ASNs have no place in the global routing table
We should not reward misconfigurations by accepting these routes. The new paradigm: fail hard & fail fast.
NTT is not the only one: GTT, AT&T, KPN & DE-CIX have committed too for June/July 2016.
Page 25
What Bogon ASNs to drop?
AS2914 will NOT accept route announcements from ANY eBGP neighbors which contain a "Bogon ASN" anywhere in the AS_PATH or its aggregate attribute.
Bogon ASNs are defined as:
0
23456
64496 – 131071
4200000000 – 4294967295
Based on: RFC5398, RFC6996, RFC7300
This policy is effective starting July 2016. http://www.us.ntt.net/support/policy/routing.cfm#bogon
Page 26
Config examples
http://as2914.net/bogon_asns/configuration_examples.txt
Currently have configs for BIRD, IOS XR, JunOS, IOS (yuck)

policy-options {
    as-path-group bogon-asns {
        as-path begin ".* 0 .*";
        as-path as_trans ".* 23456 .*";
        as-path reserved1 ".* [64496-131071] .*";
        as-path reserved2 ".* [4200000000-4294967295] .*";
    }
    policy-statement import_from_ebgp {
        term bogon-asns {
            from as-path-group bogon-asns;
            then reject;
        }
        term .....
    }
}
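The bogon ASN policy of page 25, which the JunOS as-path-group above implements, as an added Python example that is not NTT's configuration or code from the slides. It assumes the AS_PATH is given as asplain text with AS_SET segments in braces and confederation segments in parentheses, and that the AGGREGATOR ASN is passed separately as an integer; the ranges are the four the slide lists.

```python
"""Added example (not NTT's configuration nor the slides' code): drop routes
whose AS_PATH or AGGREGATOR carries a bogon ASN.

Assumptions: AS_PATH text is asplain, AS_SET segments appear in braces and
confederation segments in parentheses; the AGGREGATOR ASN is given as an int.
"""
import re
from typing import List, Optional, Tuple

# Bogon ASN ranges exactly as the slide defines them (RFC 5398, 6996, 7300).
BOGON_ASN_RANGES: List[Tuple[int, int]] = [
    (0, 0),
    (23456, 23456),
    (64496, 131071),
    (4200000000, 4294967295),
]

_ASN_MAX = 4294967295


def is_bogon_asn(asn: int) -> bool:
    if not 0 <= asn <= _ASN_MAX:
        raise ValueError(f"not a valid 32-bit ASN: {asn}")
    return any(lo <= asn <= hi for lo, hi in BOGON_ASN_RANGES)


def parse_as_path(text: str) -> List[int]:
    """Flatten a textual AS_PATH into every ASN it contains, AS_SET and
    confederation segments included: a bogon in any segment must count."""
    if re.search(r"[^\d\s{}(),]", text):
        raise ValueError(f"unexpected character in AS_PATH: {text!r}")
    return [int(tok) for tok in re.findall(r"\d+", text)]


def bogon_hits(as_path: str, aggregator_asn: Optional[int] = None) -> List[str]:
    """Every reason the route would be rejected; an empty list means accept."""
    reasons = [f"AS_PATH contains bogon AS{asn}"
               for asn in parse_as_path(as_path) if is_bogon_asn(asn)]
    if aggregator_asn is not None and is_bogon_asn(aggregator_asn):
        reasons.append(f"AGGREGATOR is bogon AS{aggregator_asn}")
    return reasons


def accept_route(as_path: str, aggregator_asn: Optional[int] = None) -> bool:
    return not bogon_hits(as_path, aggregator_asn)


if __name__ == "__main__":
    # Constructed sample routes as they might be seen on an eBGP session.
    samples = [
        ("2914 3491 7018", None),
        ("2914 23456 7018", None),          # AS_TRANS left in the path
        ("2914 3491 {64512 65000}", None),  # private ASNs inside an AS_SET
        ("2914 3491", 4200000001),          # clean path, bogon AGGREGATOR
    ]
    for path, agg in samples:
        verdict = "accept" if accept_route(path, agg) else bogon_hits(path, agg)
        print(f"{path!r} aggregator={agg} -> {verdict}")
```

Range checks on integers avoid the pitfall of expressing numeric ranges as text patterns: an AS_PATH regex that matches digit strings has to be expanded carefully to cover 64496 through 131071 without also matching unrelated ASNs, which is the part platforms without numeric range syntax make tedious.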
Page 27
Part 3
Page 28
Putting it all together: Ingress
1. Dynamic maximum prefix settings
2. Reject Bogon prefixes (RFC1918, etc)
3. Reject Bogon ASNs (AS0/AS23456 etc)
4. Reject IXP prefixes (Some IXP subnets)
5. Reject leakage with the Peerlock filter
6. Match against IRR whitelist (only customers)
7. Mark as customer route (or as peer route)
8. Scrub internally significant BGP communities
9. Apply Features (blackholing, traffic engineering, etc, only for customers)
Page 29
Putting it all together: Egress
1. Reject Bogon prefixes
2. remove-private-AS
3. Reject "bad" routes
4. Accept peer routes (on customer session)
5. Accept customer routes (on every session)
6. Do prepending (if requested & applicable)
7. Scrub internal communities
8. Set next-hop-self
9. Normalize MED
Page 30
Questions, anytime, anywhere
Disclaimer: ISPs and their ASNs used in this talk are examples for discussion purposes only. NTT does not admit or deny any relationships with these entities.