![Page 1: Practical everyday BGP filtering with AS PATH …...Practical everyday BGP filtering with AS_PATH filters: Peer Locking job@ntt.net Disclaimer: ISPs and their ASNs used in this talk](https://reader034.vdocuments.us/reader034/viewer/2022042413/5f2d5a0c7936e82c1a70b0fa/html5/thumbnails/1.jpg)
Practical everyday BGP filtering with AS_PATH filters: Peer Locking
Disclaimer: ISPs and their ASNs used in this talk are examples for discussion purpose only. NTT does not admit or deny any relationships with these entities.
Part 1
Job Snijders - Peerlocking - NANOG 67
Anybody know http://puck.nether.net/bgp/leakinfo.cgi ?
https://www.nanog.org/meetings/nanog41/presentations/mauch-lightning.pdf
What are we talking about?
Wikipedia proclaimed "big boys"
7018, 174, 209, 3320, 3257, 286, 3356, 3549, 2914, 5511, 1239, 6453, 6762, 12956, 1299, 701, 2828, 6461
No more than two of these should show up in a given AS_PATH, following the "Transit-Free" paradigm.
https://en.wikipedia.org/wiki/Tier_1_network#List_of_tier_1_networks
Non-scientific graph - not meant to point fingers - 'instigators' are not alone (others accept too) - collective responsibility to filter - data focusses on BGP updates / unique prefixes - many route leaks not visible due to max_prefix
Humans…
Peerlock-lite aka "big networks filter"
Assuming you'll not sell transit to one of those big networks in the foreseeable future: reject any prefixes you receive from your customers which contain a $bignetwork ASN anywhere in the AS_PATH.

    ip as-path access-list 99 permit _(174|209|286|701|1239|1299|2828|2914|3257|3320|3356|3549|5511|6453|6461|6762|7018|12956)_
    route-map ebgp-customer-in deny 1
     match as-path 99
Approaches to prevent route leaks #1
• Networks should not announce received prefixes over peering to other peers
– Fix: Tag routes with BGP communities on ingress, execute on egress (recent NANOG thread)
– Note: Always set egress filters to REJECT prefixes without any/the proper communities (failsafe)
Approaches to prevent route leaks #2
• One must apply a "whitelist" of prefixes a customer may announce on every customer session
– Fix: use bgpq3 or some other prefix filter generator
• Con:
– Customer's AS-SET might contain the entire internet
– thus when leaking a full table still allowing a lot to pass
• https://github.com/job/irrtree
• http://irrexplorer.nlnog.net/
Approaches to prevent route leaks #3
• Maximum prefix settings on peers + customers
– Fix: if unsure: just do it
– Note: automate the adjustment of max_prefix settings for your peers! Only email your peer when absolutely unsure what to configure.
• Con: does not help against small/partial route-leaks
Peer Lock
The Human Network: Peerlocking in a nutshell
We know PCCW is not an upstream for AT&T, we know AT&T is not an upstream for PCCW, etc, etc, etc.
How do we know this? We emailed them.
Example: AS_PATH 2914_3491_7018 would be garbage!
Peerlock schematic goal
Given ASNs A, B, C, D, and E as our peers. Peer A subscribes to the peerlock idea (Protected ASN) and indicates that peer B is an "Allowed Upstream".
OK: ^A_
OK: ^B_A_
NOT OK: ^C_A_
NOT OK: ^D_A_
NOT OK: ^E_A_
Example cases:
• Prevent _7018_ routes from being accepted anywhere except on direct 7018 peering
• Allow only AS3356 as upstream for peer PCCW globally (we don't, but we could)
Deploying & Managing Peerlock
• "peerlock" is applied on ALL eBGP sessions (both customer sessions and peering sessions)
• "peerlock" is entirely dynamic through NTT's network management web interface
• "peerlock" allows for advanced regional exceptions/rules
• IT IS RECOMMENDABLE THAT BOTH PARTIES CONSENT TO PEERLOCK
| Protected ASN | Allowed Upstream | In What Region | Ignore Constraints | Active |
|---|---|---|---|---|
| 3491 | None | Everywhere | False | True |
| 7018 | None | Everywhere | True | True |
| 65123 | 7018 | US | False | True |
| 4200000000 | 3491 | Europe | False | True |
| 4200000000 | 7018 | US | False | True |

UI/table mockup - rules based approach
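As an added example (not code from the slides nor from github.com/job/peerlock), the rules in the mockup table above turned into a per-peer, per-region check that implements the schematic goal (^A_ and ^B_A_ pass, ^C_A_ is rejected) and, with rules that have no Allowed Upstream, also the peerlock-lite filter from earlier. The Rule class, the RULES list and the function names are constructed here; the Ignore Constraints column and the rule constraints are not modelled.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Rule:
    protected: int                   # "Protected ASN"
    allowed_upstream: Optional[int]  # "Allowed Upstream"; None = direct sessions only
    region: str                      # "In What Region": "Everywhere" or a region name
    active: bool = True


# Constructed rule set: the rows of the mockup table above
RULES = [
    Rule(3491, None, "Everywhere"),
    Rule(7018, None, "Everywhere"),
    Rule(65123, 7018, "US"),
    Rule(4200000000, 3491, "Europe"),
    Rule(4200000000, 7018, "US"),
]


def allowed_upstreams(rules, protected, region):
    """Allowed Upstream ASNs for `protected` that apply to a session in `region`."""
    return {r.allowed_upstream for r in rules
            if r.active and r.protected == protected
            and r.allowed_upstream is not None
            and r.region in ("Everywhere", region)}


def session_filter(rules, neighbor, region) -> Dict[int, Optional[str]]:
    """Filter for one eBGP session: for each Protected ASN, the only regex a path
    containing it may match (None = no exception, any such path is rejected)."""
    out = {}
    for p in sorted({r.protected for r in rules if r.active}):
        if neighbor == p:
            continue                               # ^A_ : direct session is OK
        if neighbor in allowed_upstreams(rules, p, region):
            out[p] = rf"^{neighbor}_{p}(_|$)"      # ^B_A_ : via Allowed Upstream
        else:
            out[p] = None                          # ^C_A_ : NOT OK
    return out


def peerlock_check(as_path, neighbor, region, rules=RULES):
    """as_path is the AS_PATH as received on the session (neighbor ASN first, before
    our own ASN is prepended). Returns the Protected ASN that causes a reject, or
    None if the path passes the peerlock filter for this peer and region."""
    asns = [int(a) for a in as_path.split()]
    path = "_".join(map(str, asns))
    for p, permit in session_filter(rules, neighbor, region).items():
        if p in asns and not (permit and re.match(permit, path)):
            return p
    return None
```

Every Protected ASN present in the path is checked independently, so a path that is fine for one rule but leaks another Protected ASN is still rejected.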
Rule Constraints (unless overridden)
1. Both the Protected ASN and Allowed Upstream MUST be directly connected with eBGP sessions to the AS2914 backbone.
2. Only ASNs that connect with AS2914 in multiple regions are eligible to be used as an Allowed Upstream.
3. The Allowed Upstream field can only be set to "None" in combination with in_what_region "Everywhere", if the Protected ASN connects with AS2914 in multiple regions.
4. An Allowed Upstream can only be specified for a region if the Allowed Upstream connects with AS2914 within that region.
Open Source Proof of Concept configuration generator
To facilitate in calculating what the proper as-path-sets are, I've published some python code. This is a variant of what we used to validate the production implementation.
https://github.com/job/peerlock
WARNING: code is of Hazy Engineering Quality
WIN THE PRIZE: I've hidden one bug in the script
These are generated
• per peer
• per region
Example workflow
1. Peering team engages with peer and seeks permission, proposes initial ruleset
2. Engineering evaluates if the initial proposed peerlock rules will break the internet or not
3. Deploy the ruleset in coordination with peer
4. Peers can contact your NOC for change requests, you commit to timely responses
5. Engineering approves/denies change requests to peer-lock rules
Example Technical Documentation for our eBGP peers
1. Contains configuration examples
2. Terminology
3. Disclaimer
4. Default operating mode
5. How to request changes / Who to contact
http://instituut.net/~job/peerlock_manual.pdf
Part 2
Dropping Bogon ASNs
Motivation:
• Occurrences of AS23456 are misconfigurations or software bugs.
• Private/Reserved ASNs have no place in the global routing table
We should not reward misconfigurations by accepting these routes. The new paradigm: fail hard & fail fast.
NTT is not the only one: GTT, AT&T, KPN & DE-CIX have committed too for June/July 2016.
What Bogon ASNs to drop?
AS2914 will NOT accept route announcements from ANY eBGP neighbors which contain a "Bogon ASN" anywhere in the AS_PATH or its aggregator attribute.
Bogon ASNs are defined as:
0
23456
64496 – 131071
4200000000 – 4294967295
Based on: RFC5398, RFC6996, RFC7300
This policy is effective starting July 2016. http://www.us.ntt.net/support/policy/routing.cfm#bogon
Config examples
http://as2914.net/bogon_asns/configuration_examples.txt
Currently have configs for BIRD, IOS XR, JunOS, IOS (yuck)

    policy-options {
        as-path-group bogon-asns {
            as-path begin ".* 0 .*";
            as-path as_trans ".* 23456 .*";
            as-path reserved1 ".* [64496-131071] .*";
            as-path reserved2 ".* [4200000000-4294967295] .*";
        }
        policy-statement import_from_ebgp {
            term bogon-asns {
                from as-path-group bogon-asns;
                then reject;
            }
            term .....
        }
    }
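As an added example (not NTT's configuration nor code from the talk), the same bogon-ASN policy expressed as a check that covers both parts of the policy statement above: the four ranges in the AS_PATH (including AS_SET segments written in braces) and the ASN carried in the AGGREGATOR attribute, which an as-path regex alone does not look at. The function names are constructed here.

```python
import re

# Bogon ASN ranges exactly as the policy above defines them (RFC 5398, RFC 6996, RFC 7300)
BOGON_ASN_RANGES = (
    (0, 0),                      # AS0
    (23456, 23456),              # AS_TRANS: must never be visible in a path
    (64496, 131071),             # documentation, private 16-bit and reserved
    (4200000000, 4294967295),    # private 32-bit and reserved
)


def is_bogon_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in BOGON_ASN_RANGES)


def bogon_asns_in(as_path: str, aggregator_asn=None):
    """Bogon ASNs found in an AS_PATH string such as '3491 {64512 65001} 7018'
    (AS_SET segment in braces) and, when given, in the AGGREGATOR ASN."""
    asns = [int(a) for a in re.findall(r"\d+", as_path)]
    if aggregator_asn is not None:
        asns.append(int(aggregator_asn))
    return sorted({a for a in asns if is_bogon_asn(a)})


def import_from_ebgp(as_path: str, aggregator_asn=None) -> str:
    """Equivalent of the bogon-asns term: reject the whole route if any bogon ASN
    is present; otherwise the route goes on to the next terms (here: accept)."""
    return "reject" if bogon_asns_in(as_path, aggregator_asn) else "accept"
```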
Part 3
Putting it all together: Ingress
1. Dynamic maximum prefix settings
2. Reject Bogon prefixes (RFC1918, etc)
3. Reject Bogon ASNs (AS0/AS23456 etc)
4. Reject IXP prefixes (Some IXP subnets)
5. Reject leakage with the Peerlock filter
6. Match against IRR whitelist (only customers)
7. Mark as customer route (or as peer route)
8. Scrub internally significant BGP communities
9. Apply Features – (blackholing, traffic engineering, etc, only for customers)
Putting it all together: Egress
1. Reject Bogon prefixes
2. remove-private-AS
3. Reject "bad" routes
4. Accept peer routes (on customer session)
5. Accept customer routes (on every session)
6. Do prepending (if requested & applicable)
7. Scrub internal communities
8. Set next-hop-self
9. Normalize MED
Questions, anytime, anywhere