routing and rpslng ipv6 workshop krakow may 2012 carlos friaças, fccn [email protected] luc de...
TRANSCRIPT
Routing and RPSLng
IPv6 workshop KrakowMay 2012
Carlos Friaças, [email protected] De Ghein, [email protected]
ContentsSystems
• Routing Context• VRRP (Virtual Router Redundancy Protocol)
Internal Routing• RIPng (Routing Information Protocol)• IS-IS (Intermediate System-Intermediate System)• OSPFv3 (Open Shortest Path First)
External Routing• Multiprotocol BGP (Border Gateway Protocol)
RPSLng• Routing Policies• RPSL and RPSLng• Examples and Tools
Systems’ Routing Context
OS IPv4 IPv6
Cisco (IOS)show ip route show ipv6 route
WinXP/Win7route print netsh interface ipv6 show route
Linux/sbin/route /sbin/route –A inet6
Macnetstat –r
VRRP
Virtual Router Redundancy Protocol• Providing a redundant gateway to end-systems
IETF: Version 3• RFC5798, March 2010• Based on VRRPv2 for IPv4• Election protocol
Usage of «virtual» addresses• Which are used by/configured on hosts• One of the existent VRRP routers is elected as
«MASTER»
VRRP
IPv6 Multicast Address• Assigned by IANA = FF02::12
Advantage of using VRRP on IPv4:• Higher-availability default path without
requiring configuration of dynamic routing or router discovery protocols on every end-host.
Advantage of using VRRP on IPv6:• Quicker switchover to Backup routers than can
be obtained with standard IPv6 Neighbor Discovery mechanisms.
Internal vs. External Routing
Autonomous System Number (ASN or AS)• Identifies a network independently managed• Unique identifier on the Internet• Initially 2-byte, now expanded to 4-byte• Allows for an independent routing policy (choosing peers
and transit providers)
Internal Routing Protocols• Used between routers from the same ASN
External Routing Protocols• Used between routers from different ASNs
Goal of any type of routing protocols is to share information about routes
RIPng
Same as IPv4• Based on RIPv2• Distance vector, max. 15 hop, split-horizon, …
It’s an IPv6 only protocol• In a dual-stack environment, running RIP, you’ll
need RIP (IPv4) and RIPng (IPv6)
IPv6 related functionality• Uses IPv6 for transport• IPv6 prefix, next-hop IPv6 address• For RIP updates, uses multicast address FF02::9
ISISv6OSI ProtocolBased on two levels
• L2 = Backbone• L1 = Stub• L2L1= interconnect L2 and L1
Runs on top of CNLS• Each IS device still sends out LSP (Link State
Packets)
• Send information via TLV’s
(Tag/Length/values)
• Neighborship process is unchanged
Major operation remains unchanged
L1
L1
L1L2
ISISv6 (2)
Updated features:• Two new Tag/Length/Values (TLV) for IPv6
– IPv6 Reachability – IPv6 Interface Address
• New network Layer Identifier– IPv6 NLPID
L1
L1
L1L2
OSPFv3
OSPFv3 = OSPF for IPv6Based on OSPFv2
Topology of an area is invisible from outside the area • LSA flooding is bounded by area• SPF calculation is performed separately for
each area
All areas must have a connection to the backbone (area 0)
Area #1
Internet
Area #2
BackboneArea #0
OSPFv3 (2)
OSPFv3 is an IPv6-only protocol• In a dual-stack environment, running OSPF, you’ll
need OSPFv2 (IPv4) and OSPFv3 (IPv6)• Work-in-progress about extensible mechanisms to
enable OSPFv3 with different address families support
Details• Runs directly over IPv6• Distributes IPv6 prefixes• New LSA types• Uses Multicast addresses
ALLSPFRouters (FF02::5) ALLDRouters (FF02::6)
Area #1
Internet
Area #2
BackboneArea #0
OSPFv3 Basic Configs & CommandsConfigs:
ipv6 router ospf <pid/asn>no passive interface defaultredistribute connected
interface <interface>ipv6 enableipv6 ospf <pid/asn> area <area_id>
Commandsshow ipv6 ospf neighborclear ipv6 ospf process
Multiprotocol BGP
«The» Exterior Gateway Protocol
Session based, 1 to 1
Connects separate routing domains that contain independent routing policies (and AS numbers)
Same «peering» and «transit» concepts
Multiprotocol BGP (2)
Carries sequences of AS numbers, indicating path (for each route)
Supports the same features and functionality as IPv4 BGP
AS Z
AS YAS X
PeeringPeering
PeeringMultiple addresses families: IPv4, IPv6, unicast, multicast
Multiprotocol BGP (3)
BGP4 carries only 3 types of information wich is truly IPv4 specific:• NLRI in the UPDATE message contains an
IPv4 prefix• NEXT_HOP attribute in the UPDATE message
contains an IPv4 address• BGP ID in AGGREGATOR attribute
Multiprotocol BGP (4)
RFC 4760 (Jan 2007) defines multi-protocols extensions for BGP4• this makes BGP4 available for other network
layer protocols (IPv6, MPLS…)• New BGP4 attributes:
MP_REACH_NLRI MP_UNREACH_NLRI
• Protocol Independent NEXT_HOP attribute• Protocol Independent NLRI attribute
MBGP Basic Configs & CommandsConfigs:
router bgp <asn>address-family ipv6 unicastneighbor 2001:db8::2 activateneighbor 2001:db8::2 version 4neighbor 2001:db8::2 remote-as
<nei_asn>network 2001:db8:ffff::/48
Commandsshow bgp ipv6 unicast summaryshow bgp neighbors 2001:db8::2 routesclear bgp ipv6 unicast <ipv6_address/asn>
Global Routing Stats (IPv6 vs. IPv4)
(28/04/2012) IPv6 IPv4
ROUTES 8800 409883
AGGREGATED
ROUTES
7643
(86,9%)
239727
(58,5%)
AUTONOMOUS
SYSTEMS
5447
(13,3% of IPv4)40931
source: www.cidr-report.org
Some BGP Tools
Looking Glasses & Route Servershttp://www.traceroute.org
RIPE Routing Information Service (RIS)http://www.ripe.net/ris
Conclusions
All operating systems have a routing context
All major routing protocols have stable IPv6Support, and no major differences with IPv4
In a dual-stack environment, some protocols are run with independent processes, one for IPv4 and a different one for IPv6
About 13% of ASNs are already seen on the global IPv6 routing table
Routing Policy
What is a «routing policy» ?
• Public description of the relationship between BGP (Border Gateway Protocol) peers
• Routing policies enable route classification for importing and exporting routes
• The goal of routing policies is to control traffic flows The v4 policy may be different from the v6 policy
(however, this may not be a best practice)
Routing Policy (2)
Why define a (public) routing policy ?
• Documentation Recreate your policy in case of loss of
hardware/administrators
• Allows automatic generation of router configurations
• Provides routing security Which routes to accept from each peer?
• Helps in a BGP troubleshooting process
Routing Policy (3)Reflects the AS’ goals
AS A
AS B AS C
• Which routes to accept from other AS’s• How to manipulate the accepted route• How to propagate routes through network• How to manipulate routes before they leave the AS• Which routes to send to third-party AS’s AS = Autonomous System
Routing Policy (4)
Each Autonomous System has its ownrouting policy towards other Networks
Each policy affects the way the globalnetwork (i.e. Internet) behaves
Which means:• It’s very useful to know third party policies• A place to publish them is needed!• You can automatically configure border routers
from that info, if you can rely on the quality of information
RPSLRPSL stands for Routing Policy SpecificationLanguage
• Replacement for the language previously known as RIPE-181
A tool to describe Inter-Domain Policies, itaffects:• People doing Local Internet Registry work• People dealing with border routers (i.e. BGP)
It is used for Internet network management.It is NOT about Internal Routing!
RPSL
Object oriented language• It has classes used to defined the various objects
Uses RIR database style (whois) objects.• Each Object is a list of "attribute-value" pairs
displayed in plain text. person, maintainer, role route as-set, route-set ...
Person Object - Exampleperson: Miguel Baptistaaddress: Example street Lisbon, Portugalphone: +351 123 456 789e-mail: [email protected]: MB10-TESTmnt-by: EXAMPLE-MNTremarks: *********************************remarks: This object is only an example!remarks: *********************************changed: [email protected] 20060228source: TEST
RPSLng is...
RPSL next generation
Yet another easy thing to have in place • one more item in the IPv6 check-list ;)
Yet another tool to help IPv6 development in an «orderly» fashion;
Yet another way of showing people IPv6 isnot that much complex than IPv4.
RFC4012 (Mar 2005)
Backward CompatibilityChanges:• New dictionary attribute – AFI• New predifined dictionary type• New protocol dictionary specification• New policy attributes• New route6 class• New attribute in route-set class• New attribute in filter-set class• New attribute in peering-set class• New attribute in inet-rtr class• New attribute in rtr-set class
RPSL and RPSLng, Some Differences
IPv4 IPv6
Networks inetnum inet6num
Routes route route6
Policies(aut-num)
import export
mp-importmp-export
Evolution…
RIPE/NCC, APNIC and AFRINIC have a RPSLng compliant Whois service. • ARIN and LACNIC implement different languages
LIR admins when their networks deploy IPv6 need to rewrite their routing policies, to include:• IPv4 Unicast;• IPv4 Multicast; • IPv6 Unicast;• IPv6 Multicast (very, very few)
Objects - Examples #1
Route6route6: 2001:0760::/32descr: GARR-IPv6origin: AS137mnt-by: GARR-LIR …
Peering-setpeering-set: prng-ebgp-peersdescr: TopneT IPv6 ebgp peers...mp-peering: AS12533 2001:15A8:A:1::2 at 2001:15A8:A:1::3 mp-peering: AS5609 3FFE:1001:1:F036::1 at 3FFE:1001:1:F036::2
mp-peering: AS5602 2001:15A8:A:1::5 at 2001:15A8:A:1::4 ...mp-peering: AS6939 2001:470:1F01:FFFF::224 at 2001:470:1F01:FFFF::225
route & route6 objects only exist in whois servers which are also routing registries (RR)
Objects - Examples #2
Aut-Numaut-num: AS1853as-name: ACOnetdescr: ACOnet Backbonedescr: ATremarks: ===================================remarks: #upstream: Sprint.netimport: from AS1239 action pref=100; accept ANYexport: to AS1239 announce AS-ACONET AND AS-SANETmp-import: afi ipv6.unicast from AS6175 accept ANYmp-export: afi ipv6.unicast to AS6175 announce AS-ACONET-V6remarks: #upstream: GEANT.netimport: from AS20965 action pref=100; accept ANYexport: to AS20965 announce AS-ACONET AND AS-UNREN AND AS-
ACOSERVmp-import: afi ipv6.unicast from AS20965 accept ANYmp-export: afi ipv6.unicast to AS20965 announce AS-ACONET-V6remarks: ===================================...
Objects - Examples #3
Inet-rtrinet-rtr: BR1.mucI.baycix.netlocal-as: AS12657ifaddr: 212.72.95.1 masklen 32interface: 2001:1578:0:FFFF::1 masklen 128interface: 2001:1578:0:FF::1 masklen 112peer: BGP4 212.72.95.3 asno(AS12657)peer: BGP4 212.72.72.197 asno(AS29317)mp-peer: MPBGP 2001:1578:0:FFFF::2 asno(AS12657)...
Route-setroute-set: AS29670:RS-IN-BERLINdescr: Individual Network Berlin e.V.org: ORG-INBE1-RIPEmp-members: 192.109.21.0/24mp-members: 217.197.80.0/20mp-members: 2001:bf0:c000::/35...
Objects - Examples #4
Filter-setfilter-set: AS12817:fltr-BOGONSdescr: Generic IPv4/IPv6 Prefix & AS filtermp-filter: { 10.0.0.0/8^+, 127.0.0.0/8^+, 169.254.0.0/16^+, 192.168.0.0/16^+, 0.0.0.0/0^25-32 } AND { 2001:db8::/32^+, 0000::/8^+, fe00::/9^+, ff00::/8^+, 0::/0^49-128 } AND <[AS64512-AS65534]>...
Example
AS AAS 64600
AS BAS 64700
AS CAS 64800
AS DAS 64900
IPv4 Unicast +IPv6 Unicast
IPv6 Multicast
IPv4 Unicast +IPv4 Multicast +IPv6 Unicast
IPv4 Unicast +IPv4 Multicast +IPv6 Unicast
Example – AS A Policy
aut-num: AS 64600as-name: AS Adescr: This is AS Amp-import: afi ipv4.unicast,ipv6.unicast from AS64700 action pref=106;
accept ANY;mp-export: afi ipv4.unicast,ipv6.unicast to AS64700 announce AS-A;
AS AAS 64600
Example – AS B Policy
aut-num: AS64700as-name: AS Bdescr: AS B, This is AS Bimport: from AS64800 action pref=106; accept AS-C;import: from AS64900 action pref=106; accept AS-D;import: from AS64800 action pref=106; accept AS-A;mp-import: afi ipv4.multicast,ipv6.unicast from AS64800 action pref=106; accept AS-C;mp-import: afi ipv4.multicast,ipv6.unicast from AS64900 action pref=106;
accept AS-D;mp-import: afi ipv6.unicast from AS64600 action pref=106; accept AS-A;export: to AS64800 announce ANY;export: to AS64900 announce ANY;export: to AS64600 announce ANY;mp-export: afi ipv4.multicast,ipv6.unicast to AS64800 announce ANY;mp-export: afi ipv4.multicast,ipv6.unicast to AS64900 announce ANY;mp-export: afi ipv6.unicast to AS64600 announce ANY
AS BAS 64700
Example – AS C Policy
aut-num: AS64800as-name: AS Cdescr: AS C, This is AS Cimport: from AS64700 action pref=106; accept ANYmp-import: afi ipv4.multicast,ipv6.unicast from AS64700 action pref=106; accept ANY;mp-import: afi ipv6.multicast from AS D action pref=110; accept AS Dexport: to AS64700 announce AS Cmp-export: afi ipv4.multicast,ipv6.unicast to AS64700 announce AS C;mp-export: afi ipv6.multicast to AS64900 announce AS C
AS CAS 64800
Example – AS D Policy
aut-num: AS64900as-name: AS Ddescr: This is AS Dmp-import: afi ipv4.unicast,ipv4.multicast,ipv6.unicast from AS64700 action pref=106; accept ANY;mp-import: afi ipv6.multicast from AS64800 action pref=110; accept AS-Cmp-export: afi ipv4.unicast,ipv4.multicast,ipv6.unicast to AS64700 announce AS-D;mp-export: afi ipv6.multicast to AS64800 announce AS-D
AS DAS 64900
RPSLng Tools
RIPE’s RPSLng Registry• IPv4 address -> inetnum, route, inet-rtr• IPv6 address -> inet6num, route6, inet-rtr• Inverse queries for aut-num -> route + route6• Production Routing Policies
IRRToolSet• Suite of policy analysis tools• Possible usage: Updating BGP routing
configurations• Produce Cisco & Juniper configuration• Managed by ISC:
http://www.isc.org/software/irrtoolset ftp://ftp.isc.org/isc/IRRToolSet
RPSLng Tools
WHOISd• Free• ftp://ftp.ripe.net/ripe/dbase/software• Managed by RIPE
IRRd• Free• http://www.irrd.net• Managed by MERIT
Conclusions
RPSL is needed to coordinate global IPv4 routing policies. RPSLng is needed for the same purpose, but for IPv6.
It’s rather simple, and someone already dealing with RPSL will easily start to use RPSLng when starting to route IPv6 packets.
Several tools are freely available
Questions
46