Nowoczesne Sieci IP (Next Generation IP Networks)
Transcript
Slide 1: Nowoczesne Sieci IP (Next Generation IP Networks)

Piotr Pacyna, KT AGH
Aleje Mickiewicza 30, 30-059 Kraków
[email protected]
tel. (012) 617 40 40

(C) Piotr Pacyna, KT AGH, 2001 - 2005. Unauthorised copying or use is prohibited.

Slide 2: Traffic engineering with BGP

Inbound/outbound traffic control
Piotr Pacyna, Katarzyna Kosek, Szymon Szott
Kraków, April 2006

Slide 3: BGP protocol

- BGP advertises network prefixes, the detailed path to reach these prefixes, and the attributes of that path.
- A path is a list of the ASs that need to be traversed to reach the network(s).
- The BGP decision process selects a single path, the best path. This path is installed in the routing table.
- Path attributes convey additional information that the BGP decision process can take into account when selecting the best path.
- A path selected by the BGP decision process can be advertised to other domains (depending on policy).
- Every AS is autonomous: it has the right to advertise a path to known remote network(s), but it should then be ready to accept and forward traffic towards those network(s).

Slide 4: General goal of BGP

- Select the best path* towards the destination across several transit domains.
  * "the best path" has a different meaning for different ISPs, but it often means the cheapest path (cheapest for the service provider).
- When selecting "the best path", BGP takes into account the various information it has about the path.
- The internal topology of the transit domains is usually unknown.

Slide 5: BGP Update Message

(Figure: layout of the BGP UPDATE message: withdrawn prefixes; path attributes, among them Origin, AS Path, NextHop, MED, Local Preference, aggregation information and multiprotocol reachability; advertised prefixes.)

- Prefixes = a list of (length, prefix) pairs, e.g. 10.10.1.0/24
- Attributes = the "AS PATH attributes" (the list of ASs on the path to the remote network, and other attributes)

Slide 6: Objective of this exercise

The objective of this laboratory exercise is to show the exchange of reachability information between ISPs in a multi-provider scenario, and to show that the ISPs can manipulate the advertisements to satisfy their own traffic engineering goals.

In the exercise we show that an ISP can influence the routing decisions of its own BGP routers regarding the selection of routes leading to networks in remote domains. We also show that the ISP can try to influence the decisions that other ISPs make when reaching its local networks.

Slide 7: Outline of the solution

The general idea is to insert auxiliary information into BGP UPDATE messages. This information is propagated with the BGP UPDATE and evaluated by BGP speakers in the BGP decision process. As a result, the appropriate routes are installed in the routing tables of the BGP speakers, and inter-domain traffic is routed accordingly.

In the exercise we first change the routes for outbound traffic. We then try to influence the path over which traffic arrives into our local domain (inbound traffic). The exercise is split into two parts.
Slide 8: Example of attribute manipulation: AS PATH pre-pending

(Figure: AS 65100 originates net 10.10.1.0/24. Routers A and B are in AS 65100 and speak iBGP, routers C and D are in AS 65200 and speak iBGP, router F is in AS 65400; B-C and D-F are eBGP sessions. The advertisement as carried on each hop:)
- within AS 65100 (iBGP): net-pref 10.10.1.0/24, AS path: empty, next-hop: A
- eBGP into AS 65200: net-pref 10.10.1.0/24, AS path: 65100, next-hop: B
- within AS 65200 (iBGP): net-pref 10.10.1.0/24, AS path: 65100, next-hop: B
- eBGP into AS 65400: net-pref 10.10.1.0/24, AS path: 65100, 65200, next-hop: D

Slide 9: Part I. Outbound traffic

In Part I we influence the selection of routes for traffic originating in our domain (outbound traffic).

Method: local route selection can be influenced by modifying the attributes of the BGP UPDATE messages received from neighbouring ASs that advertise reachability of remote network(s). The path, with its modified attributes, is then announced into our AS. As a result the local routers select the path that the local ISP prefers over the other path(s).

Slide 10: Use of the Local Preference attribute for controlling outbound traffic, with RPSL

(Figure: AS 1, with routers R1 and R2, peers with router RX in AS 2 over two links.)

AS 1:
    Import: from AS2 RX at R1 set localpref=300;
            from AS2 RX at R2 set localpref=100;
            accept AS2
    Export: to AS2 RX at R1 announce ANY
            to AS2 RX at R2 announce ANY

AS 2:
    Import: from AS1 R1 at RX set localpref=100;
            from AS1 R2 at RX set localpref=200;
            accept ANY
    Export: to AS1 R1 at RX announce AS2
            to AS1 R2 at RX announce AS2

Slide 11: Example for Local Preference

Example: in the following figure LocPref is set in AS2 on prefix 10.10.1.0/24 received from AS1 and from AS3. It indicates that the BGP speakers in AS2 "should prefer" the path via AS3 to network 10.10.1.0/24.

(Figure: AS1 and AS3 both advertise net 10.10.1.0/24 to AS2; AS2 assigns LocPref 200 to the path learned from AS3 and LocPref 70 to the path learned from AS1.)

Slide 12: Part I. Local preference

(Figure: lab topology.)
- AS 1: routers R11 and R12; net A 192.168.1.0/30; net 10.10.1.0/24
- AS 2: routers R21, R22, R23 and the PC; net G 10.10.2.0/24; net D 10.10.4.0/24; net Z 10.10.5.0/24
- AS 3: router R31; net 10.10.3.0/24
- inter-AS links: net C 192.168.3.0/30 (R12-R21), net B 192.168.2.0/30 (R22-R31)
- LocPref=200 is set on R21 for routes received from AS 1, LocPref=70 on R22 for routes received from AS 3

Pre-configured network topology:
- zebra is "up and running"
- interfaces are up
- networks are configured

Need to configure: R21 and R22

Notice: e0 = eth0, e1 = eth1, etc.

Slide 13: Check configuration of R31 (1)

Step 1. Check the Zebra routing daemon (general configuration). View the file /etc/zebra/zebra.conf:

    hostname zebra
    password zebra
    interface eth0
     bandwidth 100000
    log file /var/log/zebra/zebra.log

Slide 14: Check configuration of R31 (2)

Step 2. Check whether the routing daemons are properly configured in Zebra on R31. View the file /etc/zebra/daemons:

    zebra=yes
    bgpd=yes
    ospfd=no
    ospf6d=no
    ripd=no
    ripngd=no

Slide 15: Check configuration of R31 (3)

Step 3. Verify that the BGP daemon is properly configured. View the file /etc/zebra/bgpd.conf:

    hostname bgpd
    password zebra
    enable password zebra
    [...]
    debug bgp
    debug bgp events
    debug bgp filters
    debug bgp fsm
    debug bgp keepalives
    debug bgp updates

Slide 16: Reachability over BGP

Run traceroute 10.10.3.1 on the PC to check reachability of that network. Check whether the route goes via AS2 over the shorter AS path.

Slide 17: Route map: command syntax

(Figure with the route-map command syntax; not preserved in the transcript.)

Slide 18: Route map: generic example

Use the following example to configure R21 and R22:

    router bgp 100
     network nn.nn.nn.nn/mm
     neighbor aa.bb.cc.dd remote-as nnnn
     neighbor aa.bb.cc.dd route-map myRouteMap in
    !
    route-map myRouteMap permit 10
     set local-preference xx
    !

Slide 19: Changing the router configuration

In order to configure R21 and R22, do one of the following:
1. Edit the bgpd.conf file, add what is needed and restart zebra, or
2. Telnet to bgpd, configure what is needed and issue the clear ip bgp * command.

Slide 20: Configuration of R21

Expected configuration on router R21:

    hostname bgpd
    password zebra
    enable password zebra
    !
    route-map as1-in permit 10
     set local-preference 200
    !
    router bgp 2
     neighbor 192.168.3.1 remote-as 1
     neighbor 192.168.3.1 description Router12
     neighbor 192.168.3.1 route-map as1-in in
     neighbor 10.10.4.3 remote-as 2
     neighbor 10.10.4.3 next-hop-self
    !
    log file /var/log/zebra/bgpd.log

Slide 21: Configuration of R22

Expected configuration on router R22:

    hostname bgpd
    password zebra
    enable password zebra
    !
    route-map as3-in permit 10
     set local-preference 70
    !
    router bgp 2
     network 192.168.2.0/30
     neighbor 192.168.2.1 remote-as 3
     neighbor 192.168.2.1 description Router31
     neighbor 192.168.2.1 route-map as3-in in
     neighbor 10.10.2.3 remote-as 2
     neighbor 10.10.2.3 next-hop-self
    !
    log file /var/log/zebra/bgpd.log

Slide 22: Testing routes from PC to R31

Execute traceroute again from the PC to 10.10.3.1 (network 10.10.3.0/24):

    (traceroute output)

Note that traffic is now routed over AS1 (because of the higher local-preference on R21).

Slide 23: Part II. Inbound traffic

In Part II we try to change the paths via which traffic arrives into our ISP domain (inbound traffic).

Method: this can be done by modifying the attributes of the paths advertised by our BGP speakers to the neighbouring Autonomous Systems. By doing so we try to influence the decisions of the neighbouring BGP routers when they select (and advertise) the best routes to networks located in our AS.

Slide 24: Lab. Part II: Insertion of the Multiple Exit Discriminator (MED)

(Figure: AS 3 advertises its network "net." to AS 2 over two links, with MED=50 on one and MED=100 on the other.)

The MED value is set on the prefixes of the network advertised by AS3 in order to "tell" the AS2 routers that AS3 "would like" to receive traffic directed to this network over the high-bandwidth link.
Slide 25: Lab. Part II: Insertion of the Multiple Exit Discriminator (MED)

(Figure: AS 3 advertises prefix "net." to AS 2 directly over two links, with MED=100 and MED=50, and the same prefix also reaches AS 2 via AS 1 with MED=50.)

The MED value is set on prefix "net." advertised by AS3 in order to "tell everybody" that AS3 "would like" to receive traffic for network "net." over the high-bandwidth links.

Note that MED values for the same prefix received in AS2 from different Autonomous Systems are not compared!

Slide 26: Addressing plan for the exercise

(Figure: addressing plan; not preserved in the transcript.)

Pre-configured network topology:
- zebra is "up and running"
- interfaces are up
- networks are configured

Need to configure: R31 and R32

Notice: e0 = eth0, e1 = eth1, etc.

Slide 27: Testing routes from PC to R31 before setting MED

Execute traceroute from the PC to 10.10.3.1 (network 10.10.3.0/24):

    (traceroute output)

Note that traffic is routed over the link R22-R31.

Slide 28: Route map: generic example

Use the following example to configure R31 and R32:

    router bgp 100
     network nn.nn.nn.nn/mm
     neighbor aa.bb.cc.dd remote-as nnnn
     neighbor aa.bb.cc.dd route-map myRouteMap out
    !
    route-map myRouteMap permit 10
     set metric xx
    !

Slide 29: Changing the router configuration

In order to configure R31 and R32, do one of the following:
1. Edit the bgpd.conf file, add what is needed and restart zebra, or
2. Telnet to bgpd, configure what is needed and (on R22 and R24) issue the clear ip bgp * command.

Slide 30: Configuration of R31

Expected configuration on router R31:

    hostname bgpd
    password zebra
    enable password zebra
    !
    route-map metricOut permit 10
     set metric 100
    !
    router bgp 3
    !
     network 10.10.3.0/24
    !
     neighbor 192.168.2.2 remote-as 2
     neighbor 192.168.2.2 description Router22
     neighbor 192.168.2.2 route-map metricOut out
    !
     neighbor 10.10.3.2 remote-as 3
     neighbor 10.10.3.2 description Router32

Slide 31: Configuration of R32

Expected configuration on router R32:

    hostname bgpd
    password zebra
    enable password zebra
    !
    route-map metricOut permit 10
     set metric 70
    !
    router bgp 3
    !
     network 10.10.3.0/24
    !
     neighbor 192.168.4.1 remote-as 2
     neighbor 192.168.4.1 description Router24
     neighbor 192.168.4.1 route-map metricOut out
     neighbor 10.10.3.1 remote-as 3
     neighbor 10.10.3.1 description Router31
     neighbor 10.10.3.1 next-hop-self

Slide 32: Testing routes from PC to R31 after setting MED

Execute traceroute again from the PC to 10.10.3.1 (network 10.10.3.0/24):

    (traceroute output)

Note that traffic is now routed over the link R24-R32 (because of the lower MED value on that link).

Slide 33: BGP Decision Process with MED

(Figure, two panels: AS 2 learns the AS 3 prefix both directly from AS 3 and via AS 1, with MED values 50 and 100 attached to the advertisements; in the second panel AS 2 additionally sets LocPref=200 and LocPref=70 on the received paths.)

Review question:
a) What path will a router in AS2 select to reach AS3?
b) Which is the preferred path in multi-provider scenarios?
Hint: MED values from different service providers are not compared.

Slide 34: BGP Decision Process

1. Prefer the highest value of LOCAL_PREF
2. Prefer paths locally computed on the router
3. Prefer paths with the shortest AS_PATH length
4. Prefer paths with the lowest origin code (IGP < EGP < incomplete)
5. Prefer the lowest value of MULTI_EXIT_DISC
6. Prefer the lowest value of the metric to the NEXT_HOP router

Slide 35: General conclusion

The level of control over the route selection process is different for incoming traffic and for outgoing traffic.
- An ISP can precisely influence the local selection of routes leading to remote destinations (outbound traffic).
- An ISP has only limited ability to control the choices that other ISPs make when directing traffic to its local networks (inbound traffic).
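As an added illustration (not part of the original slides or the lab configurations), the six-step decision process of slide 34 modelled in Python and applied to the two lab cases: router names, AS numbers, LocPref and MED values are taken from the slides; the third case, with its IGP metrics, is constructed to show the slide 33 hint that MEDs from different neighbour ASs are not compared.

```python
from dataclasses import dataclass
from typing import List

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # IGP < EGP < incomplete

@dataclass
class Path:
    via: str              # local router that learned the route (for reporting)
    neighbor_as: int      # AS of the eBGP peer the route came from
    as_path: List[int]
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    igp_metric: int = 0   # IGP cost to NEXT_HOP
    local: bool = False   # originated here with a 'network' statement

def best_path(paths: List[Path]) -> Path:
    c = list(paths)
    # 1. highest LOCAL_PREF
    c = [p for p in c if p.local_pref == max(q.local_pref for q in c)]
    # 2. locally originated paths win over learned ones
    if any(p.local for p in c):
        c = [p for p in c if p.local]
    # 3. shortest AS_PATH
    c = [p for p in c if len(p.as_path) == min(len(q.as_path) for q in c)]
    # 4. lowest origin code
    c = [p for p in c if ORIGIN_RANK[p.origin] == min(ORIGIN_RANK[q.origin] for q in c)]
    # 5. lowest MED, compared only among paths from the SAME neighbour AS
    c = [p for p in c if p.med == min(q.med for q in c if q.neighbor_as == p.neighbor_as)]
    # 6. lowest IGP metric to the next hop
    return min(c, key=lambda p: p.igp_metric)

def part1_local_pref() -> str:
    # Constructed from Part I: 10.10.3.0/24 learned at R21 from AS 1 (LocPref 200,
    # longer AS path) and at R22 from AS 3 (LocPref 70, shorter AS path).
    return best_path([Path("R21", 1, [1, 3], local_pref=200),
                      Path("R22", 3, [3], local_pref=70)]).via

def part2_med() -> str:
    # Constructed from Part II: both routes come from AS 3, so their MEDs are compared.
    return best_path([Path("R22", 3, [3], med=100),
                      Path("R24", 3, [3], med=70)]).via

def med_across_providers() -> str:
    # Constructed: equal-length paths from two different neighbour ASs. The lower
    # MED from AS 1 is not compared with AS 3's MED, so the IGP metric decides.
    return best_path([Path("R21", 1, [1], med=50, igp_metric=20),
                      Path("R22", 3, [3], med=100, igp_metric=10)]).via
```

The first two functions reproduce the traceroute results of slides 22 and 32 (via R21, then via R24); the third returns R22 even though the AS 1 path carries the lower MED.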