BGP protocol characteristics (2)
Transcript
Traffic engineering with BGP
Inbound and outbound traffic control
Piotr Pacyna, Katarzyna Kosek-Szott
Sieci Komputerowe 2, Sieci IP (Computer Networks 2, IP Networks). Unauthorised copying or use is prohibited.

BGP protocol - review questions

Review questions
- What is the BGP decision process for?
- What is the result of the BGP decision process?
- What happens with the results of the BGP decision process? How are they used?
- What is the role of the so-called BGP attributes?
- What are the types (kinds) of attributes?
- What are the successive decision criteria of the BGP decision process?
- What necessary conditions must a BGP prefix satisfy in order to be considered by the BGP decision process at all?
- What are the LOCAL_PREFERENCE and MULTI_EXIT_DISCRIMINATOR attributes for?

BGP protocol

BGP protocol characteristics (1)
Goal: select the best path towards the destination across several transit domains.
"The best path" means something different for different ISPs, but it often means the cheapest path (cheapest for the service provider).
When selecting "the best path", BGP takes into account the various pieces of information available about the path. This information is carried in BGP attributes.

BGP protocol characteristics (2)
BGP advertises network prefixes along with path attributes. The attributes include the AS path attribute, which records the path used to reach the network(s) named in the prefix: the AS path is the list of autonomous systems that need to be traversed to reach the network.
Other BGP path attributes convey additional information, which the BGP decision process can take into account when selecting the best path. They include LOC_PREF and MED.
The BGP decision process selects exactly one path for each prefix. The best path is installed in the routing table.
The BGP decision process comes into play when there are two or more paths to choose from for a given prefix. Reachability of the BGP next hop is the precondition for a path to be considered by the BGP decision process at all.
The best path can be advertised to other domains, depending on the export policy. Every AS is autonomous: it has the right to advertise (or not to advertise) a path for a given prefix. If the prefix is advertised, the AS must be prepared to accept and forward traffic to the named network.

BGP Decision Process
1. Prefer the highest value of LOCAL_PREF.
2. Prefer paths originated locally on this router (e.g. injected with a network statement).
3. Prefer paths with the shortest AS_PATH length.
4. Prefer paths with the lowest origin code (IGP < EGP < incomplete).
5. Prefer the lowest value of MULTI_EXIT_DISC (compared only between paths received from the same neighbouring AS; see Part II).
6. Prefer the lowest IGP metric to the NEXT_HOP router.

LAB overview

Objective of this exercise
The objective of this laboratory exercise is to show the propagation of prefixes between ISPs in a multi-homing scenario. We will see that an ISP can manipulate a prefix during propagation and processing to satisfy its own goals regarding path selection. By doing this an ISP can implement its own policies for inbound and outbound flows. Specifically, we will see that:
- an ISP can influence the path selection process carried out by its own BGP routers, and thus can influence the path for outbound traffic;
- an ISP can attempt to influence the path selection process carried out by routers that belong to neighbouring ISPs, and thus can try to influence the path for inbound traffic.

Exercise outline
The general idea is to insert additional information into BGP UPDATE messages.
This extra information is propagated with the prefix and evaluated by BGP routers during the BGP decision process. Since the BGP decision process is known, the outcome can be predicted. As a result of the decision process the appropriate routes are installed in the routing tables of the BGP routers, and inter-domain traffic is forwarded along those routes.
In the exercise we first change the routes for outbound traffic. Next, we try to influence the path along which traffic arrives into our local domain (inbound traffic). The exercise is therefore organised into two parts.

Part I
Outbound traffic control with LocPref

Part I Outline
In Part I we influence path selection for outbound traffic, i.e. traffic originated in our local AS and destined to a network in another AS.
Idea: path selection for outbound traffic is carried out in our local AS by our own BGP routers, which determine the egress router for the traffic.
Method: normally the selection of the best path, including the selection of the egress router, is determined by the BGP decision process on the basis of path attributes. The choice of the preferred egress router can be influenced by modifying the path attributes of a prefix, knowing how the decision is made, i.e. knowing how BGP best path selection works. Technically speaking, a prefix is manipulated on import and then admitted (propagated) into the local AS so that the routers decide by themselves. The local AS routers then select the path that is "preferred" over any other path(s) in accordance with the BGP decision process.
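The "additional information" mentioned in the exercise outline travels as path attributes inside a BGP UPDATE message. The following Python script is an added example (not the lab's code and not part of the original slides): it builds and parses an UPDATE in the RFC 4271 wire format for the lab's prefix 10.10.3.0/24, shows that LOCAL_PREF is a well-known attribute while MED is optional and non-transitive, and applies the two export rules a practitioner must keep in mind: LOCAL_PREF is never sent to an eBGP peer, and a MED learned from one neighbouring AS is not passed on to another. Simplifications and assumptions: 2-byte AS numbers, IPv4 only, no withdrawn routes, and 10.10.2.2 as R22's iBGP address (the lab only gives R23's address 10.10.2.3 on that network).

```python
"""Added example: encode/decode a BGP UPDATE (RFC 4271) with LOCAL_PREF and MED.
Not the lab's code. 2-byte ASNs, IPv4 NLRI only, no withdrawn routes."""
import ipaddress
import struct

# Path attribute type codes (RFC 4271, section 5)
ORIGIN, AS_PATH, NEXT_HOP, MULTI_EXIT_DISC, LOCAL_PREF = 1, 2, 3, 4, 5
# Attribute flag bits (first octet of every attribute)
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_EXT_LEN = 0x80, 0x40, 0x10
# Well-known attributes carry only the transitive bit; MED is optional non-transitive.
FLAGS = {ORIGIN: FLAG_TRANSITIVE, AS_PATH: FLAG_TRANSITIVE, NEXT_HOP: FLAG_TRANSITIVE,
         MULTI_EXIT_DISC: FLAG_OPTIONAL, LOCAL_PREF: FLAG_TRANSITIVE}
AS_SEQUENCE = 2        # AS_PATH segment type
UPDATE = 2             # BGP message type
MARKER = b"\xff" * 16  # message header marker


def _attr(code, value):
    """One path attribute: flags, type code, length (1 or 2 octets), value."""
    flags = FLAGS[code]
    if len(value) > 255:
        flags |= FLAG_EXT_LEN
        return struct.pack("!BBH", flags, code, len(value)) + value
    return struct.pack("!BBB", flags, code, len(value)) + value


def _nlri(prefix):
    """NLRI: prefix length in bits followed by only the significant octets."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_update(prefixes, as_path, next_hop, origin=0, med=None, local_pref=None):
    """header + withdrawn length (0) + attribute length + attributes + NLRI."""
    path_val = b"" if not as_path else (
        bytes([AS_SEQUENCE, len(as_path)]) + b"".join(struct.pack("!H", a) for a in as_path))
    attrs = _attr(ORIGIN, bytes([origin])) + _attr(AS_PATH, path_val)
    attrs += _attr(NEXT_HOP, ipaddress.IPv4Address(next_hop).packed)
    if med is not None:
        attrs += _attr(MULTI_EXIT_DISC, struct.pack("!I", med))
    if local_pref is not None:
        attrs += _attr(LOCAL_PREF, struct.pack("!I", local_pref))
    nlri = b"".join(_nlri(p) for p in prefixes)
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri
    return MARKER + struct.pack("!HB", 19 + len(body), UPDATE) + body


def decode_update(msg):
    """Parse an UPDATE into a dict. Unknown optional attributes are skipped; an
    unknown well-known attribute is an error (RFC 4271, section 6.3)."""
    if msg[:16] != MARKER or msg[18] != UPDATE:
        raise ValueError("not a BGP UPDATE")
    if struct.unpack("!H", msg[16:18])[0] != len(msg):
        raise ValueError("length field does not match message size")
    pos = 19
    wlen = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2 + wlen
    alen = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    end, out = pos + alen, {}
    while pos < end:
        flags, code = msg[pos], msg[pos + 1]
        if flags & FLAG_EXT_LEN:
            vlen, pos = struct.unpack("!H", msg[pos + 2:pos + 4])[0], pos + 4
        else:
            vlen, pos = msg[pos + 2], pos + 3
        value = msg[pos:pos + vlen]
        pos += vlen
        if code == ORIGIN:
            out["origin"] = value[0]
        elif code == AS_PATH:
            path, i = [], 0
            while i < len(value):
                n = value[i + 1]  # number of ASes in this segment
                path.extend(struct.unpack("!%dH" % n, value[i + 2:i + 2 + 2 * n]))
                i += 2 + 2 * n
            out["as_path"] = path
        elif code == NEXT_HOP:
            out["next_hop"] = str(ipaddress.IPv4Address(value))
        elif code == MULTI_EXIT_DISC:
            out["med"] = struct.unpack("!I", value)[0]
        elif code == LOCAL_PREF:
            out["local_pref"] = struct.unpack("!I", value)[0]
        elif not flags & FLAG_OPTIONAL:
            raise ValueError("unrecognised well-known attribute %d" % code)
    prefixes = []
    while pos < len(msg):
        plen = msg[pos]
        nbytes = (plen + 7) // 8
        addr = msg[pos + 1:pos + 1 + nbytes] + b"\x00" * (4 - nbytes)
        prefixes.append(str(ipaddress.IPv4Network((addr, plen))))
        pos += 1 + nbytes
    out["prefixes"] = prefixes
    return out


def export_attrs(attrs, to_external_peer, learned_from_external):
    """RFC 4271 5.1.4/5.1.5: LOCAL_PREF never goes to an eBGP peer, and a MED
    learned from one neighbouring AS is not propagated to another one."""
    out = dict(attrs)
    if to_external_peer:
        out.pop("local_pref", None)
        if learned_from_external:
            out.pop("med", None)
    return out


def lab_exchange():
    """R31 (AS3) -> R22 (AS2) with MED 100; R22 -> R23 over iBGP with LocPref 70
    (route-map as3-in) and next-hop-self; then what AS2 may pass on to AS1."""
    from_r31 = decode_update(encode_update(["10.10.3.0/24"], [3], "192.168.2.1", med=100))
    to_r23 = encode_update(from_r31["prefixes"], from_r31["as_path"], "10.10.2.2",  # assumed R22 address
                           med=from_r31["med"], local_pref=70)
    at_r23 = decode_update(to_r23)
    to_as1 = export_attrs(at_r23, to_external_peer=True, learned_from_external=True)
    return from_r31, at_r23, to_as1


if __name__ == "__main__":
    for step in lab_exchange():
        print(step)
```

Running the script prints the attributes as R22 receives them, as R23 sees them after the import route map, and what is left when AS2 re-advertises the prefix to AS1: the LocPref set in Part I and the MED set in Part II both stay within the AS that received them, which is exactly why LocPref controls only outbound traffic and MED can only be a hint to the directly adjacent AS.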
Example: the use of the Local Preference attribute for controlling outbound traffic
(Figure: AS 1 with routers R1 and R2, AS 2 with router RX, and two links R1-RX and R2-RX. The import/export policies shown in the figure are:)
AS1 view (provider view)
  Import: from AS2 RX at R1 set localpref=300; from AS2 RX at R2 set localpref=100; accept AS2
  Export: to AS2 RX at R1 announce ANY; to AS2 RX at R2 announce ANY
AS2 view (customer view)
  Import: from AS1 R1 at RX set localpref=200; from AS1 R2 at RX set localpref=100; accept ANY
  Export: to AS1 R1 at RX announce AS2; to AS1 R2 at RX announce AS2

Example for Local Preference
In the figure, LocPref is set in AS2 on the received prefix 10.10.1.0/24 (the prefix is received from AS1 directly and from AS1 via AS3). The LocPref values indicate that the BGP routers in AS2 "should prefer" the path via AS3 to network 10.10.1.0/24.
(Figure: AS1 originates Net 10.10.1.0/24; AS2 receives it over the direct AS1-AS2 link with LocPref 70 and via AS3 with LocPref 200.)

Lab exercise - network topology, AS2 (provider) perspective
Pre-configured: the PC zebra is "up and running", interfaces are up, networks are configured.
Note the networks: 10.10.1.0/24 in AS1 and 10.10.3.0/24 in AS3.
(Figure: topology diagram. AS 1: routers R11 and R12, network 10.10.1.0/24. AS 3: router R31, network 10.10.3.0/24. AS 2: routers R21, R22 and R23 with networks net. Z 10.10.5.0/24, net. G 10.10.2.0/24 and net. D 10.10.4.0/24. Inter-AS links: net. A 192.168.1.0/30 (between AS1 and AS3), net. B 192.168.2.0/30 (R22-R31), net. C 192.168.3.0/30 (R12-R21). LocPref = 200 is to be set at R21 and LocPref = 70 at R22.)
We need to configure R21 and R22 with LocPref ... but first check the configuration of R31.
Q1: Which paths will be selected by R23 for networks 10.10.1.0/24 and 10.10.3.0/24 before LocPref is installed?

Check configuration of R31 (1)
Step 1. Check the Zebra routing daemon (general configuration).
View the file /etc/zebra/zebra.conf:
    hostname zebra
    password zebra
    interface eth0
     bandwidth 100000
    log file /var/log/zebra/zebra.log

Check configuration of R31 (2)
Step 2. Check whether the routing daemons are properly enabled in Zebra on R31.
View the file /etc/zebra/daemons:
    zebra=yes
    bgpd=yes
    ospfd=no
    ospf6d=no
    ripd=no
    ripngd=no

Check configuration of R31 (3)
Step 3. Verify that the BGP daemon is properly configured.
View the file /etc/zebra/bgpd.conf:
    hostname bgpd
    password zebra
    enable password zebra
    [...]
    debug bgp
    debug bgp events
    debug bgp filters
    debug bgp fsm
    debug bgp keepalives
    debug bgp updates

Reachability over BGP
Run traceroute 10.10.3.1 on R23.
Q1: Which path is selected?
Q2: Why has this path been chosen and not the other one?
Q3: Is there any method to make router R23 choose the other path? What are the options for doing so?

Router configuration
In order to configure R21 and R22 do one of the following:
1. Edit the bgpd.conf file and restart zebra, or
2. Telnet to bgpd, configure it, and then issue the clear ip bgp * command.
Note that the bgpd vty is a plaintext telnet session protected only by the password from bgpd.conf (here the default "zebra"); this is acceptable in the isolated lab, not on a production router.

Route map – command syntax
(Figure with the route-map command syntax; not reproduced in the transcript.)

Route map – a template
Use the following example to configure R21 and R22:
    router bgp xxx
     network nn.nn.nn.nn/mm
     neighbor aa.bb.cc.dd remote-as nnnn
     neighbor aa.bb.cc.dd route-map myRouteMap in
    !
    route-map myRouteMap permit 10
     set local-preference xx
    !

Configuration of R21
Expected configuration on router R21:
    hostname bgpd
    password zebra
    enable password zebra
    !
    route-map as1-in permit 10
     set local-preference 200
    !
    router bgp 2
     neighbor 192.168.3.1 remote-as 1
     neighbor 192.168.3.1 description Router12
     neighbor 192.168.3.1 route-map as1-in in
     neighbor 10.10.4.3 remote-as 2
     neighbor 10.10.4.3 next-hop-self
    !
    log file /var/log/zebra/bgpd.log

Configuration of R22
Expected configuration on router R22:
    hostname bgpd
    password zebra
    enable password zebra
    !
    route-map as3-in permit 10
     set local-preference 70
    !
    router bgp 2
     network 192.168.2.0/30
     neighbor 192.168.2.1 remote-as 3
     neighbor 192.168.2.1 description Router31
     neighbor 192.168.2.1 route-map as3-in in
     neighbor 10.10.2.3 remote-as 2
     neighbor 10.10.2.3 next-hop-self
    !
    log file /var/log/zebra/bgpd.log
See http://www.getnetworking.net/bgp/bgp-next-hop-self to understand next-hop-self: it rewrites the next hop of externally learned paths to the iBGP speaker's own address, so that the iBGP neighbour (R23) does not depend on having a route to the external link in order to pass the next-hop reachability precondition.

Testing routes from R23 to AS3
Execute traceroute again from R23 to 10.10.3.1.
Execute ping -R from R23 to 10.10.3.1.
Q1: Which is the route for data traffic to AS3 now?

Part II
Inbound traffic control with MED

Part II Inbound traffic
In Part II we try to influence the paths for inbound traffic, i.e. traffic arriving into our ISP domain.
Method: this can be done by modifying the path attributes in the UPDATE messages advertised by our BGP routers to neighbouring ASes. By modifying the attributes before advertisement we try to influence the decisions made by the neighbouring BGP routers when they select their best routes to networks located in our AS.

Lab.
Part II: Insertion of the Multiple Exit Discriminator (MED)
(Figure: AS 3 advertises its network 'net.' to AS 2 over two links, with MED = 100 on one link and MED = 50 on the other.)
The MED value is set on the prefixes advertised by AS3 in order to "tell" the AS2 routers that AS3 "would like" to receive traffic over the high-bandwidth link.

Lab. Part II: Insertion of the Multiple Exit Discriminator (MED)
(Figure: the same scenario extended with AS 1; the prefix 'net.' is advertised with MED = 100 and MED = 50 towards AS 2 and with MED = 50 on the links towards AS 1.)
The MED value is set on prefix 'net.' advertised by AS3 in order to "tell everybody" that AS3 "would like" to receive traffic for network 'net.' over the high-bandwidth links.
Note that MED values for the same prefix received in AS2 from different autonomous systems will not be compared! MED is only compared between paths that come from the same neighbouring AS. Note also that MED is an optional non-transitive attribute: a MED received by AS2 from AS3 is used inside AS2 but is not propagated by AS2 to AS1, so only the ASes that AS3 peers with directly ever see AS3's MED values.

Network topology with address plan for Part II MED, AS3 (customer) perspective
Pre-configured network topology: zebra is "up and running", interfaces are up, networks are configured.
Need to configure: R31 and R32.

Testing routes from R23 to R31 before setting MED
Execute traceroute from R23 to 10.10.3.1.
Execute ping -R from R23 to 10.10.3.1.
Q1: Which path is used to route traffic to network 10.10.3.0/24?

Changing the router configuration
In order to configure R31 and R32 do one of the following:
1. Edit the bgpd.conf file, add what is needed and restart zebra, or
2. Telnet to bgpd, configure what is needed, and (on R22 and R24) issue the clear ip bgp * command.

Route map – template
Use the following example to configure R31 and R32:
    router bgp xxx
     network nn.nn.nn.nn/mm
     neighbor aa.bb.cc.dd remote-as nnnn
     neighbor aa.bb.cc.dd route-map myRouteMap out
    !
    route-map myRouteMap permit 10
     set metric xx
    !
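To predict what the traceroutes in Part I and Part II will show, it helps to run the six steps of the "BGP Decision Process" slide by hand. The following Python script is an added example (not the lab's code and not part of the original slides): it implements those six steps together with the next-hop reachability precondition, applies them as seen from R23 in AS2 to the Part I scenario (LocPref 200 on paths from AS1, 70 on paths from AS3) and to the Part II scenario (MED 100 on the R22-R31 link, MED 70 on the R24-R32 link, as set by the metricOut route maps of R31 and R32), and shows why a MED received from a different neighbouring AS is never compared. Assumptions, not taken from the slides: the iBGP next-hop addresses 10.10.2.2 (R22), 10.10.4.1 (R21) and 10.10.4.4 (R24), the IGP costs, and the constructed prefix 198.51.100.0/24 used in the last function.

```python
"""Added example: the slide's BGP decision process applied to the lab's two
parts as seen from R23 in AS2.  Next hops and IGP costs are assumptions."""
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: tuple        # () for a locally originated route
    neighbor_as: int      # 0 for a locally originated route
    via: str              # egress router, for display only
    local_pref: int = 100
    med: int = 0
    origin: str = "igp"
    igp_metric: int = 0   # IGP cost from this router to next_hop


def _rank(p, with_med):
    """Sort key in the order of the slide's six steps (smaller is better)."""
    return (-p.local_pref,                       # 1. highest LOCAL_PREF
            0 if p.neighbor_as == 0 else 1,      # 2. locally originated
            len(p.as_path),                      # 3. shortest AS_PATH
            ORIGIN_RANK[p.origin],               # 4. lowest origin code
            p.med if with_med else 0,            # 5. lowest MED (see below)
            p.igp_metric)                        # 6. lowest IGP metric to NEXT_HOP


def best_path(paths, reachable_next_hops, med_per_neighbor_as=True):
    """Precondition first: a path whose next hop is unreachable is never a
    candidate.  With med_per_neighbor_as=True, MED only decides between paths
    learned from the same neighbouring AS: a winner is picked per neighbour
    AS, then the winners are compared without the MED term."""
    cands = [p for p in paths if p.next_hop in reachable_next_hops]
    if not cands:
        return None
    if not med_per_neighbor_as:        # naive variant: MED compared across ASes
        return min(cands, key=lambda p: _rank(p, True))
    winners = {}
    for p in cands:
        cur = winners.get(p.neighbor_as)
        if cur is None or _rank(p, True) < _rank(cur, True):
            winners[p.neighbor_as] = p
    return min(winners.values(), key=lambda p: _rank(p, False))


# Assumed iBGP next hops (next-hop-self on R21, R22, R24) known to R23 via the IGP.
REACHABLE = {"10.10.2.2", "10.10.4.1", "10.10.4.4"}


def part1_outbound(locpref_applied):
    """R23's egress for 10.10.3.0/24: directly via R22 (from AS3) or via R21 (from AS1)."""
    via_r22 = Path("10.10.3.0/24", "10.10.2.2", (3,), 3, "R22", igp_metric=1,
                   local_pref=70 if locpref_applied else 100)
    via_r21 = Path("10.10.3.0/24", "10.10.4.1", (1, 3), 1, "R21", igp_metric=1,
                   local_pref=200 if locpref_applied else 100)
    return best_path([via_r22, via_r21], REACHABLE).via


def part2_inbound(med_applied, locpref_applied=False):
    """AS2's choice between its two links to AS3 (R22-R31, MED 100 and R24-R32,
    MED 70), plus a path via AS1 carrying its own MED, which is not compared."""
    r22 = Path("10.10.3.0/24", "10.10.2.2", (3,), 3, "R22", igp_metric=1,
               med=100 if med_applied else 0, local_pref=70 if locpref_applied else 100)
    r24 = Path("10.10.3.0/24", "10.10.4.4", (3,), 3, "R24", igp_metric=2,
               med=70 if med_applied else 0, local_pref=70 if locpref_applied else 100)
    r21 = Path("10.10.3.0/24", "10.10.4.1", (1, 3), 1, "R21", igp_metric=1,
               med=50, local_pref=200 if locpref_applied else 100)
    return best_path([r22, r24, r21], REACHABLE).via


def med_is_not_compared_across_ases():
    """Constructed prefix announced by both AS1 and AS3 with one-hop AS paths:
    the correct process ignores the MED 500 vs 10 difference and lets the IGP
    metric decide, the naive variant would pick the lower MED."""
    a = Path("198.51.100.0/24", "10.10.2.2", (3,), 3, "R22", med=500, igp_metric=1)
    b = Path("198.51.100.0/24", "10.10.4.1", (1,), 1, "R21", med=10, igp_metric=5)
    return (best_path([a, b], REACHABLE).via,
            best_path([a, b], REACHABLE, med_per_neighbor_as=False).via)


if __name__ == "__main__":
    print("Part I  before/after LocPref:", part1_outbound(False), part1_outbound(True))
    print("Part II before/after MED:    ", part2_inbound(False), part2_inbound(True))
    print("LocPref and MED together:    ", part2_inbound(True, locpref_applied=True))
    print("MED across ASes (correct, naive):", med_is_not_compared_across_ases())
```

Before the LocPref route maps are installed R23 exits via R22 because the AS path through AS3 is shorter; after them R21 wins at step 1 and the longer AS path no longer matters. In Part II the two AS3 paths tie on steps 1 to 4, so MED 70 selects R24 even though its IGP metric is worse (step 5 precedes step 6); with the Part I LocPref still in place, LocPref 200 on the AS1 path overrides any MED that AS3 sets, which is the answer to the combined question and the reason the slides call inbound control weak.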
Configuration of R31
Expected configuration on router R31:
    hostname bgpd
    password zebra
    enable password zebra
    !
    route-map metricOut permit 10
     set metric 100
    !
    router bgp 3
     network 10.10.3.0/24
     neighbor 192.168.2.2 remote-as 2
     neighbor 192.168.2.2 description Router22
     neighbor 192.168.2.2 route-map metricOut out
     neighbor 10.10.3.2 remote-as 3
     neighbor 10.10.3.2 description Router32
    !

Configuration of R32
Expected configuration on router R32:
    hostname bgpd
    password zebra
    enable password zebra
    !
    route-map metricOut permit 10
     set metric 70
    !
    router bgp 3
     network 10.10.3.0/24
     neighbor 192.168.4.1 remote-as 2
     neighbor 192.168.4.1 description Router24
     neighbor 192.168.4.1 route-map metricOut out
     neighbor 10.10.3.1 remote-as 3
     neighbor 10.10.3.1 description Router31
     neighbor 10.10.3.1 next-hop-self
    !

Testing routes from R23 to R31 after setting MED
Execute traceroute from R23 to 10.10.3.1.
Execute ping -R from R23 to 10.10.3.1.
Note that traffic is now routed over the link R24-R32, because of the lower MED value (70) advertised on that link.

BGP Decision Process with LOC_PREF and MED used simultaneously in a multi-provider scenario
(Figure, two panels: AS2 reaches a prefix located in AS1 both directly from AS1 and via AS3. The labels in the figure are LocPref = 70 and LocPref = 200 on the two paths entering AS2, and MED = 100 and MED = 50 on the links over which the prefix is advertised.)
Review questions:
Q1: Which path will be selected by routers in AS2 to reach AS1 in the scenario a) without any LOC_PREF and MED attributes, b) with LOC_PREF only, c) with MED only, d) with both LOC_PREF and MED?

Conclusions
The level of control over flows is different for inbound and outbound flows.
Specifically, the level of control over outbound traffic is strong, as it only requires configuration of the ISP's own routers. An ISP can precisely influence the local selection of routes leading to remote destinations, i.e. for outbound traffic.
The control over inbound traffic is, however, weak. An ISP has only a limited ability to control the choices that other ISPs make when directing traffic to its networks (inbound traffic): a neighbouring AS is free to override a received MED with its own LOCAL_PREF, which the decision process evaluates first.
One can conclude that the level of control is asymmetric.

Internet resources
Using BGP's local preference to influence outbound routing: http://evilrouters.net/2009/03/07/using-bgps-local-preference-to-influence-outbound-routing/
Using AS path prepending to influence inbound routing: http://evilrouters.net/2009/03/07/using-as-path-prepending-to-influence-inbound-routing/