SlideShare ist ein Scribd-Unternehmen logo

RIPE NCC::Educa - 10 April 2018 - ARouteServer

P
Pier Carlo Chiodi

Presentation of ARouteServer, a Python tool to automatically build (and test) feature-rich configurations for BGP route servers. RIPE NCC::Educa, 10 April 2018

Ingenieurwesen
1 von 24
Downloaden Sie, um offline zu lesen
Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ARouteServer IXP automation made easy
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Intro: route servers ● “A route server redistributes BGP routes received from its BGP clients to other clients according to a prespecified policy” (RFC7948) ● Benefits: ○ One BGP session, many peers; ○ Instantly get lot of routes. ● Drawbacks: ○ May be a SPoF (traffic blackhole); ○ May interfer with traffic engineering policies; ○ Outsourced routing / To trust or not to trust the route server.
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Intro: route servers ● Lot of routes sent to clients: are they actually good? source: “Moving to default Routeserver IRR filtering” RIPE74 presentation by Erik Bais, A2B Internet (Tier-1 ASNs in the middle of the AS_PATH)
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Intro: route servers ● Lot of routes sent to clients: are they actually good? 4651 45328 23456 80.249.210.15 from 80.249.209.0 (80.249.209.0) Origin IGP, metric 0, localpref 100, valid, external, best Community: 3856:53500 Last update: Mon May 1 08:07:12 2017 (The reserved AS_TRANS ASN as origin)
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Intro: route servers ● Lot of routes sent to clients: are they actually good? 12989 33724 64512 80.249.209.70 from 80.249.208.255 (80.249.208.255) Origin IGP, metric 0, localpref 100, valid, external Community: 3856:53500 Last update: Mon May 1 08:10:10 2017 (A private ASN as an Origin AS)
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Intro: route servers ● Lot of routes sent to clients: are they actually good? http://peering.exposed (Job Snijders / Samer Abdel-Hafez)
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Intro: route servers ● Do I totally lose control of how my routes are propagated? AS1 AS2 AS3 RS
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Overview: ARouteServer ● Goal: to help IXs to simplify operations needed to run useful and trustworthy route servers. ● ARouteServer automatically builds configs for route servers... ○ secure and feature-rich configurations! ● … and it also allows to validate them ○ Docker / KVM -based “live test” framework. ● Currently, BIRD and OpenBGPD are supported.
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa How does it work
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa How does it work ● Two YAML files are used to configure vendor-agnostic high-level policies and clients definitions. cfg: rs_as: 64496 router_id: "192.0.2.2" filtering: next_hop: policy: "same-as" blackhole_filtering: policy_ipv4: "rewrite-next-hop" ... clients: - asn: 64511 ip: - "192.0.2.11" - "2001:db8:1:1::11" irrdb: as_sets: - "RIPE::AS-FOO" ...
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa How does it work ● External sources are used to gather additional info: ○ IRRDBs for filters based on prefixes and origin ASNs; ○ PeeringDB for max-prefix limits and AS-SETs; ○ Euro-IX JSON member list files to build clients list automatically.
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa How does it work ● Finally, the route server configuration is automatically generated. ● Custom scripts can be used to validate it and to deploy it to the route server. $ arouteserver bird --ip-ver 4 -o /etc/bird/bird4.new && bird -p -c /etc/bird/bird4.new && cp /etc/bird/bird4.new /etc/bird/bird4.conf && birdcl configure
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Configuration ● Policies can be set on a global scope. ● Clients inherit global policies; ○ client-specific options override inherited ones. ● Client list can be automatically generated from Euro-IX JSON file; ○ this allows an easy integration with IXP-Manager. ● Custom, site-specific behaviours and configurations can be implemented using “hooks” and local files.
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● NEXT_HOP enforcement: strict or same AS. ● Min/max prefix length & max AS_PATH length. ● AS_PATH sanitation: ○ leftmost ASN; ○ private/invalid ASNs; ○ “transit-free” ASNs. ● Bogons and IRR-based filters. ● RPKI BGP Origin Validation. Routes filtering
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Filtering: NEXT_HOP enforcement ● “Strict” mode: accept only routes whose NEXT_HOP is the IP address of the announcing client. AS1 AS1 AS2 AS3 RS 192.0.2.11 192.0.2.12 192.0.2.21 192.0.2.31 NH: 192.0.2.12 NH: 192.0.2.11 NH: 192.0.2.21 NH: 192.0.2.31
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● “Same-AS” mode: allows the NEXT_HOP to be any address among those used by the announcing AS to connect to the IXP. Filtering: NEXT_HOP enforcement AS1 AS1 AS2 AS3 RS 192.0.2.11 192.0.2.12 192.0.2.21 192.0.2.31 NH: 192.0.2.12 NH: 192.0.2.11 NH: 192.0.2.21 NH: 192.0.2.31
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● Leftmost ASN in the AS_PATH must match the ASN of the client. Filtering: AS_PATH sanitation RS AS1 1 4 5 4 5 ● Private/invalid ASNs must not appear in the AS_PATH. RS AS1 1 65534 1 23456
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● “Transit-free” ASNs must not appear in the AS_PATH - unless they are in the first position. Filtering: AS_PATH sanitation RS AS1 1 6762
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● IRR databases are used to get the list of allowed prefixes and origin ASNs on the basis of client’s AS-Macros (bgpq3). Filtering: prefix validation $ whois AS-ONE as-set: AS-ONE members: AS4 RS AS1 1 AS1 4 1 5 $ whois -i origin AS4 route: 192.0.2.0/24 origin: AS4
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● Authoritative data from the ARIN Whois database is also used to get a list of prefixes for which a specific ASN has been authorized to announce routes for. ● Improvement on filters accuracy: 23% (YYCIX data). Filtering: prefix validation source:https://teamarin.net
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● RPKI ROAs (Route Origin Authorisations) are used for Prefix Origin Validation. Filtering: prefix validation RS AS1 1 3320 AS3320 91.0.0.0/10 AS3 3 91.0.0.0/10 4 source:http://roalert.org
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Services for the clients ● Blackhole filtering support: ○ optional NEXT_HOP rewriting to allow Layer-2 level filtering. ● Route propagation control (via BGP communities): ○ announce / do not announce to any / specific peer; ○ prepend to any / specific peer; ○ add NO_EXPORT / NO_ADVERTISE to any / specific peer. ● GRACEFUL_SHUTDOWN support (RFC8326). ● Full list of features available on GitHub.
Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Project status ● Actively developed. Both BIRD and OpenBGPD users. ● Feedback from real life is strongly needed and encouraged. Source code and examples available on GitHub: https://github.com/pierky/arouteserver Full documentation: https://arouteserver.readthedocs.io/ Pier Carlo Chiodi - https://pierky.com/ @pierky
Questions?

Empfohlen

Salottino MIX 2017 - ARouteServer - IXP Automation Made Easy
Salottino MIX 2017 - ARouteServer - IXP Automation Made EasySalottino MIX 2017 - ARouteServer - IXP Automation Made Easy
Salottino MIX 2017 - ARouteServer - IXP Automation Made EasyPier Carlo Chiodi
 
RIPE74 - ARouteServer - IXP Automation Made Easy
RIPE74 - ARouteServer - IXP Automation Made EasyRIPE74 - ARouteServer - IXP Automation Made Easy
RIPE74 - ARouteServer - IXP Automation Made EasyPier Carlo Chiodi
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
AFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs APNIC
 
Isolario project The real-time internet routing observatory
Isolario project The real-time internet routing observatoryIsolario project The real-time internet routing observatory
Isolario project The real-time internet routing observatoryAPNIC
 
Rfid for carton tracking v8
Rfid for carton tracking v8Rfid for carton tracking v8
Rfid for carton tracking v8Sang Woo
 
CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06Licenciatura en Redes y Sistemas Operativos
 

Empfohlen

Salottino MIX 2017 - ARouteServer - IXP Automation Made Easy
Salottino MIX 2017 - ARouteServer - IXP Automation Made EasySalottino MIX 2017 - ARouteServer - IXP Automation Made Easy
Salottino MIX 2017 - ARouteServer - IXP Automation Made EasyPier Carlo Chiodi
 
RIPE74 - ARouteServer - IXP Automation Made Easy
RIPE74 - ARouteServer - IXP Automation Made EasyRIPE74 - ARouteServer - IXP Automation Made Easy
RIPE74 - ARouteServer - IXP Automation Made EasyPier Carlo Chiodi
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
AFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC Presentation - Resource certification by Amreesh Phokeer
AFRINIC Presentation - Resource certification by Amreesh PhokeerAFRINIC
 
SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs SANOG 33: APNIC Routing Registry and ROAs
SANOG 33: APNIC Routing Registry and ROAs APNIC
 
Isolario project The real-time internet routing observatory
Isolario project The real-time internet routing observatoryIsolario project The real-time internet routing observatory
Isolario project The real-time internet routing observatoryAPNIC
 
Rfid for carton tracking v8
Rfid for carton tracking v8Rfid for carton tracking v8
Rfid for carton tracking v8Sang Woo
 
CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06CCCNP ROUTE v6_ch06
CCCNP ROUTE v6_ch06Licenciatura en Redes y Sistemas Operativos
 
Route Server service @ NaMeX
Route Server service @ NaMeXRoute Server service @ NaMeX
Route Server service @ NaMeXFlavio Luciani
 
BGP
BGPBGP
BGPKHNOG
 
bgp-cum.pdf
bgp-cum.pdfbgp-cum.pdf
bgp-cum.pdfRikulRajGupta
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKIMyNOG
 
BGP Multihoming Techniques
BGP Multihoming TechniquesBGP Multihoming Techniques
BGP Multihoming TechniquesAPNIC
 
BGP Scanner - Isolario BGP-MRT Data Reader C Library and Tool
BGP Scanner - Isolario BGP-MRT Data Reader C Library and ToolBGP Scanner - Isolario BGP-MRT Data Reader C Library and Tool
BGP Scanner - Isolario BGP-MRT Data Reader C Library and ToolAPNIC
 
Initial Experiences Route Filtering at the Edge AS15169 by Arturo L. Servin
Initial Experiences Route Filtering at the Edge AS15169 by Arturo L. ServinInitial Experiences Route Filtering at the Edge AS15169 by Arturo L. Servin
Initial Experiences Route Filtering at the Edge AS15169 by Arturo L. ServinMyNOG
 
RPKI and Me
RPKI and MeRPKI and Me
RPKI and MeMyNOG
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Canada
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsAPNIC
 
Recurrence Behaviour of BGP Traffic
Recurrence Behaviour of BGP TrafficRecurrence Behaviour of BGP Traffic
Recurrence Behaviour of BGP TrafficUniversity of Kufa
 
Forensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An UpdateForensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An UpdateAPNIC
 
2017 03-01-forensics 1488330715
2017 03-01-forensics 14883307152017 03-01-forensics 1488330715
2017 03-01-forensics 1488330715APNIC
 
AFRINIC Routing Registry
AFRINIC Routing RegistryAFRINIC Routing Registry
AFRINIC Routing RegistryFokeerah Keessun
 
NRO Internet Number Resources Status Report
NRO Internet Number Resources Status ReportNRO Internet Number Resources Status Report
NRO Internet Number Resources Status ReportAPNIC
 
Openconfig
OpenconfigOpenconfig
OpenconfigAPNIC
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedFaelix Ltd
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net ToolsBangladesh Network Operators Group
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricBangladesh Network Operators Group
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Bangladesh Network Operators Group
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapRishantSharmaFr
 
Work-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptxWork-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptxJuliansyahHarahap1
 

Weitere ähnliche Inhalte

Ähnlich wie RIPE NCC::Educa - 10 April 2018 - ARouteServer

Route Server service @ NaMeX
Route Server service @ NaMeXRoute Server service @ NaMeX
Route Server service @ NaMeXFlavio Luciani
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKIMyNOG
 
BGP Multihoming Techniques
BGP Multihoming TechniquesBGP Multihoming Techniques
BGP Multihoming TechniquesAPNIC
 
BGP Scanner - Isolario BGP-MRT Data Reader C Library and Tool
BGP Scanner - Isolario BGP-MRT Data Reader C Library and ToolBGP Scanner - Isolario BGP-MRT Data Reader C Library and Tool
BGP Scanner - Isolario BGP-MRT Data Reader C Library and ToolAPNIC
 
Initial Experiences Route Filtering at the Edge AS15169 by Arturo L. Servin
Initial Experiences Route Filtering at the Edge AS15169 by Arturo L. ServinInitial Experiences Route Filtering at the Edge AS15169 by Arturo L. Servin
Initial Experiences Route Filtering at the Edge AS15169 by Arturo L. ServinMyNOG
 
RPKI and Me
RPKI and MeRPKI and Me
RPKI and MeMyNOG
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Canada
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsAPNIC
 
Recurrence Behaviour of BGP Traffic
Recurrence Behaviour of BGP TrafficRecurrence Behaviour of BGP Traffic
Recurrence Behaviour of BGP TrafficUniversity of Kufa
 
Forensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An UpdateForensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An UpdateAPNIC
 
2017 03-01-forensics 1488330715
2017 03-01-forensics 14883307152017 03-01-forensics 1488330715
2017 03-01-forensics 1488330715APNIC
 
NRO Internet Number Resources Status Report
NRO Internet Number Resources Status ReportNRO Internet Number Resources Status Report
NRO Internet Number Resources Status ReportAPNIC
 
Openconfig
OpenconfigOpenconfig
OpenconfigAPNIC
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedFaelix Ltd
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricBangladesh Network Operators Group
 

Ähnlich wie RIPE NCC::Educa - 10 April 2018 - ARouteServer (20)

Route Server service @ NaMeX
Route Server service @ NaMeXRoute Server service @ NaMeX
Route Server service @ NaMeX
 
BGP
BGPBGP
BGP
 
bgp-cum.pdf
bgp-cum.pdfbgp-cum.pdf
bgp-cum.pdf
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
 
BGP Multihoming Techniques
BGP Multihoming TechniquesBGP Multihoming Techniques
BGP Multihoming Techniques
 
BGP Scanner - Isolario BGP-MRT Data Reader C Library and Tool
BGP Scanner - Isolario BGP-MRT Data Reader C Library and ToolBGP Scanner - Isolario BGP-MRT Data Reader C Library and Tool
BGP Scanner - Isolario BGP-MRT Data Reader C Library and Tool
 
Initial Experiences Route Filtering at the Edge AS15169 by Arturo L. Servin
Initial Experiences Route Filtering at the Edge AS15169 by Arturo L. ServinInitial Experiences Route Filtering at the Edge AS15169 by Arturo L. Servin
Initial Experiences Route Filtering at the Edge AS15169 by Arturo L. Servin
 
RPKI and Me
RPKI and MeRPKI and Me
RPKI and Me
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven Telemetry
 
LKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure ConnectionsLKNOG 2: Robust and Secure Connections
LKNOG 2: Robust and Secure Connections
 
Recurrence Behaviour of BGP Traffic
Recurrence Behaviour of BGP TrafficRecurrence Behaviour of BGP Traffic
Recurrence Behaviour of BGP Traffic
 
Forensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An UpdateForensic Tracing in the Internet: An Update
Forensic Tracing in the Internet: An Update
 
2017 03-01-forensics 1488330715
2017 03-01-forensics 14883307152017 03-01-forensics 1488330715
2017 03-01-forensics 1488330715
 
AFRINIC Routing Registry
AFRINIC Routing RegistryAFRINIC Routing Registry
AFRINIC Routing Registry
 
NRO Internet Number Resources Status Report
NRO Internet Number Resources Status ReportNRO Internet Number Resources Status Report
NRO Internet Number Resources Status Report
 
Openconfig
OpenconfigOpenconfig
Openconfig
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I started
 
RPKI with rpki.net Tools
RPKI with rpki.net ToolsRPKI with rpki.net Tools
RPKI with rpki.net Tools
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 

Kürzlich hochgeladen

Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapRishantSharmaFr
 
Work-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptxWork-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptxJuliansyahHarahap1
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationBhangaleSonal
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptDineshKumar4165
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"mphochane1998
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdfKamal Acharya
 
Introduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdfIntroduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdfsumitt6_25730773
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiessarkmank1
 
Digital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxDigital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxpritamlangde
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxCOST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxJIT KUMAR GUPTA
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaOmar Fathy
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startQuintin Balsdon
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdfKamal Acharya
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptDineshKumar4165
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesMayuraD1
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsvanyagupta248
 
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxHOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxSCMS School of Architecture
 
Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Ramkumar k
 

Kürzlich hochgeladen (20)

Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
Work-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptxWork-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptx
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
 
Introduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdfIntroduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdf
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and properties
 
Digital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxDigital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptx
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxCOST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the start
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakes
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech students
 
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxHOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
 
Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 

RIPE NCC::Educa - 10 April 2018 - ARouteServer

  • 1. Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ARouteServer IXP automation made easy
  • 2. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Intro: route servers ● “A route server redistributes BGP routes received from its BGP clients to other clients according to a prespecified policy” (RFC7948) ● Benefits: ○ One BGP session, many peers; ○ Instantly get lot of routes. ● Drawbacks: ○ May be a SPoF (traffic blackhole); ○ May interfer with traffic engineering policies; ○ Outsourced routing / To trust or not to trust the route server.
  • 3. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Intro: route servers ● Lot of routes sent to clients: are they actually good? source: “Moving to default Routeserver IRR filtering” RIPE74 presentation by Erik Bais, A2B Internet (Tier-1 ASNs in the middle of the AS_PATH)
  • 4. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Intro: route servers ● Lot of routes sent to clients: are they actually good? 4651 45328 23456 80.249.210.15 from 80.249.209.0 (80.249.209.0) Origin IGP, metric 0, localpref 100, valid, external, best Community: 3856:53500 Last update: Mon May 1 08:07:12 2017 (The reserved AS_TRANS ASN as origin)
  • 5. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Intro: route servers ● Lot of routes sent to clients: are they actually good? 12989 33724 64512 80.249.209.70 from 80.249.208.255 (80.249.208.255) Origin IGP, metric 0, localpref 100, valid, external Community: 3856:53500 Last update: Mon May 1 08:10:10 2017 (A private ASN as an Origin AS)
  • 6. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Intro: route servers ● Lot of routes sent to clients: are they actually good? http://peering.exposed (Job Snijders / Samer Abdel-Hafez)
  • 7. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Intro: route servers ● Do I totally lose control of how my routes are propagated? AS1 AS2 AS3 RS
  • 8. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Overview: ARouteServer ● Goal: to help IXs to simplify operations needed to run useful and trustworthy route servers. ● ARouteServer automatically builds configs for route servers... ○ secure and feature-rich configurations! ● … and it also allows to validate them ○ Docker / KVM -based “live test” framework. ● Currently, BIRD and OpenBGPD are supported.
  • 9. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa How does it work
  • 10. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa How does it work ● Two YAML files are used to configure vendor-agnostic high-level policies and clients definitions. cfg: rs_as: 64496 router_id: "192.0.2.2" filtering: next_hop: policy: "same-as" blackhole_filtering: policy_ipv4: "rewrite-next-hop" ... clients: - asn: 64511 ip: - "192.0.2.11" - "2001:db8:1:1::11" irrdb: as_sets: - "RIPE::AS-FOO" ...
  • 11. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa How does it work ● External sources are used to gather additional info: ○ IRRDBs for filters based on prefixes and origin ASNs; ○ PeeringDB for max-prefix limits and AS-SETs; ○ Euro-IX JSON member list files to build clients list automatically.
  • 12. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa How does it work ● Finally, the route server configuration is automatically generated. ● Custom scripts can be used to validate it and to deploy it to the route server. $ arouteserver bird --ip-ver 4 -o /etc/bird/bird4.new && bird -p -c /etc/bird/bird4.new && cp /etc/bird/bird4.new /etc/bird/bird4.conf && birdcl configure
  • 13. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Configuration ● Policies can be set on a global scope. ● Clients inherit global policies; ○ client-specific options override inherited ones. ● Client list can be automatically generated from Euro-IX JSON file; ○ this allows an easy integration with IXP-Manager. ● Custom, site-specific behaviours and configurations can be implemented using “hooks” and local files.
  • 14. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● NEXT_HOP enforcement: strict or same AS. ● Min/max prefix length & max AS_PATH length. ● AS_PATH sanitation: ○ leftmost ASN; ○ private/invalid ASNs; ○ “transit-free” ASNs. ● Bogons and IRR-based filters. ● RPKI BGP Origin Validation. Routes filtering
  • 15. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Filtering: NEXT_HOP enforcement ● “Strict” mode: accept only routes whose NEXT_HOP is the IP address of the announcing client. AS1 AS1 AS2 AS3 RS 192.0.2.11 192.0.2.12 192.0.2.21 192.0.2.31 NH: 192.0.2.12 NH: 192.0.2.11 NH: 192.0.2.21 NH: 192.0.2.31
  • 16. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● “Same-AS” mode: allows the NEXT_HOP to be any address among those used by the announcing AS to connect to the IXP. Filtering: NEXT_HOP enforcement AS1 AS1 AS2 AS3 RS 192.0.2.11 192.0.2.12 192.0.2.21 192.0.2.31 NH: 192.0.2.12 NH: 192.0.2.11 NH: 192.0.2.21 NH: 192.0.2.31
  • 17. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● Leftmost ASN in the AS_PATH must match the ASN of the client. Filtering: AS_PATH sanitation RS AS1 1 4 5 4 5 ● Private/invalid ASNs must not appear in the AS_PATH. RS AS1 1 65534 1 23456
  • 18. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● “Transit-free” ASNs must not appear in the AS_PATH - unless they are in the first position. Filtering: AS_PATH sanitation RS AS1 1 6762
  • 19. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● IRR databases are used to get the list of allowed prefixes and origin ASNs on the basis of client’s AS-Macros (bgpq3). Filtering: prefix validation $ whois AS-ONE as-set: AS-ONE members: AS4 RS AS1 1 AS1 4 1 5 $ whois -i origin AS4 route: 192.0.2.0/24 origin: AS4
  • 20. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● Authoritative data from the ARIN Whois database is also used to get a list of prefixes for which a specific ASN has been authorized to announce routes for. ● Improvement on filters accuracy: 23% (YYCIX data). Filtering: prefix validation source:https://teamarin.net
  • 21. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa ● RPKI ROAs (Route Origin Authorisations) are used for Prefix Origin Validation. Filtering: prefix validation RS AS1 1 3320 AS3320 91.0.0.0/10 AS3 3 91.0.0.0/10 4 source:http://roalert.org
  • 22. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Services for the clients ● Blackhole filtering support: ○ optional NEXT_HOP rewriting to allow Layer-2 level filtering. ● Route propagation control (via BGP communities): ○ announce / do not announce to any / specific peer; ○ prepend to any / specific peer; ○ add NO_EXPORT / NO_ADVERTISE to any / specific peer. ● GRACEFUL_SHUTDOWN support (RFC8326). ● Full list of features available on GitHub.
  • 23. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - April 10, 2018 - RIPE NCC::Educa Project status ● Actively developed. Both BIRD and OpenBGPD users. ● Feedback from real life is strongly needed and encouraged. Source code and examples available on GitHub: https://github.com/pierky/arouteserver Full documentation: https://arouteserver.readthedocs.io/ Pier Carlo Chiodi - https://pierky.com/ @pierky