The benefit of BGP for every service provider


Published on

Different ways for devops / sysadmin and network engineers to use BGP to increase service availability

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The benefit of BGP for every service provider

  1. 1. The benefits of BGP forevery service providerWhatever a speaker is missing in depth he will compensate for in lengthMontesquieuUKUUG - Spring 201124th of March 2011Thomas ManginExa Networks1Wednesday, 23 March 2011
  2. 2. NO Networking 101I will not coverHow to configure a BGP router for general purpose(But you can grab me after the talk)What is an IGP (Internal Gateway Protocol)I assume that ...You have basic networking knowledge (connected, static routes)Your organisation use some routers you can breakYou know what IPs, netmasks, gateways areI will cover AS MUCH AS I CANWhat is BGP, the Border Gatway ProtocolWhy BGP is a great protocol for sysadminsTruth is more valuable if it takes you a few years to find it.Renard2Wednesday, 23 March 2011
  3. 3. A Protocol to share routing information between ISPsMany RFCs (main one being 4271), many optional features Source implementation in BIRD, Quagga, OpenBGPDTo use it, you do NOT need to :✓ be connected to the internet✓ have real world IPs✓ be or ask an ISP anything (but it can be useful)Use TCP with its own failure detection mechanism.-> minimum 3s for failure detectionBGP only has one active route for a prefix at a time but theIGP may use multiple paths to get to the next-hop.Border Gateway Protocol ?NOTThere are many true statements about complex topics that are too long to fit on a PowerPoint slideEdward Tufte3Wednesday, 23 March 2011
  4. 4. Autonom!s Sy"em NumbersUnique Network identifier30740 Exa Networks BT UK 16bits, now extended to 32 bits (RFC 4893)32 bits usage is a negotiated featureLike RFC 1918, its reserves some IPsSome ASNs are reserved for documentation (like the range)The range 64496-64511Some ASNs are reserved for private useThe range 64512-65532Given to LIR (Local Internet Registry)In the UK, this means RIPE membersdoes not mean ISP onlyA little learning is a dangerous thingAlexander Pope4Wednesday, 23 March 2011
  5. 5. Logic will get you from A to B. Imagination will take you everywhereAlbert EinsteinWhat makes a routea prefix (a block of IP) - the “destination IP regex”a destination (called next-hop)with many optional information (called attributes)use to select one route over anotherThe next-hop is a machine that should know how to contact any IP in theprefix, it does not have to be locally connected but just “known”.Some of the attributes arelocal preference, a value to distinguish two identical routesas path, the chain of ISP who have seen and transmitted the routeBGP will make surethat the data is always sent to a machine nearer to the end point than itselfthat the decision process between multiple routes does not cause loopsBGP transmits R!tes5Wednesday, 23 March 2011
  6. 6. Be regular and orderly in your life, so that you may be violent and original in your workFlaubertOptions for service resilience ?HSRP, VRRPresilience for the gateway, not the hostLinux-HA solutions (Heartbeat, Pacemaker, Wackamole,..)Need both machine in the same Layer 2Lack of IPv6 support !ARP (relation MAC/IP) expiry 4 to 6 hours ..MAC (relation ARP/Port) expiry 5 minutessome kit only allow configuration per interface, not VLANenabling gratuitous ARP is a security riskYahoo! L3DSR load balancing solutionLayer 3 Load Balancing, encoding the destination IP in the DSCP field ....6Wednesday, 23 March 2011
  7. 7. I love fools’ experiments. I am always making them.Charles DarwinWhere does BGP fit ?External BGP : connecting to other networksprotection from ISP outagesEBGP or IBGPAnycast : announce the same IP at different location (CDN, DNS, ...)DDOS "mitigation" : prevent bad traffic to reach serversFlow Routes (firewall rules deployment using BGP)Internal BGP : fully controlled BGPblock/redirect some traffic (customers, countries, organisations, ...)Servers announcing some Service IPs7Wednesday, 23 March 2011
  8. 8. I have always believed that to succeed in life, it is necessary to appear to be mad and to act wiselyMontesquieuRIPE MembershipBecome your own ISPIPv4 - running out !do not wait too long if you want to do it !Provider Aggregate versus Provider IndependantPA: a block of IP owned by the LIR (often the ISP)changing ISP forces you to renumberPI : a block of IP owned by the end userschanging ISP is a routing changeAnnounce your network to the world via BGPNot as hard as it soundsAsk you ISPBe y!r o$ ISPOFF-TOPIC FORTHIS TALK8Wednesday, 23 March 2011
  9. 9. Split personality ..Announcing the same IP with BGP in different locationAnother RFC (4786)The network finds the nearest serverNot best suited for long lived TCP connectionsrouting can changeOn the internet used byRoot servers (UDP mainly)Within a networkscaching DNS (UDP)CDN local DNS (UDP)Proxies (TDP, near DSL exit points, very stable routing)AnyCa"Divide and ConquerJulius Caesar9Wednesday, 23 March 2011
  10. 10. RTBHTell your provider to stop sending you traffic for some IPsAnnounce some more specific routes (/32, ...) part of your networkand TAG the route with communitiesso it can be filtered (dropped by the router)Most useful when you have a public ASN and buy transitTraffic is dropped before it is billedMany Talks (NANOG, APRICOT, ...) on the topic and an RFC (5635)> google RTBH or Remotely triggered blackholeThe goal is to skip the transit provider NOC and NOC response time in time ofemergency.Each ISP implements it differently ..level3 > whois -h AS3356 | grep -B1 -A15 BlackholeIt is dangerous to be right in matters on which the established authorities are wrongVoltaire10Wednesday, 23 March 2011
  11. 11. The secret of business is to know something that nobody else knowsAristotle OnassisUse BGP to transmit firewall like rulesRFC 5575, Juniper routers only (atm)Can be used to transproxy in the core things like ... spammersMatch possible components making the flowPrefix (source and destination)IP Protocol (list of <action, value>)Port (source, destination, either)ICMP (type, code)TCP flagPacket LenDSCP valueFragment (dont, is, first, last)Then take actionDrop, Rate-limit, Redirectexabpg is the only OSS application to support Flow RoutesFlow R!tes11Wednesday, 23 March 2011
  12. 12. Success is a result, not a goalFlaubertIntercept some traffic injecting BGP routesthe route must be more specific or have an higher LOCAL PREFYour own IPsMove a machine to another geographical locationconnected traffic always preferred to a gatewayIntercept trafficweb server (using another server with destination NAT)Another network IPsBlock bad sources of traffic : spammers, proxies, TCP scanners, ...You are affecting the return packetsit will not stop a UDP, SYN flood attackwill prevent TCP 3 way handshake (block the SYN-ACK)Force outgoing traffic to use one upstream over anothereven if default routes and do not use BGP todayBlock / Re%rect traffic12Wednesday, 23 March 2011
  13. 13. I have always believed that to succeed in life, it is necessary to appear to be mad and to act wiselyMontesquieuUse BGP to announce service IPAn extra IP added to a server for the purpose of providing a public service(ie: pop, imap, web, reverse proxy, vpn IP, ...)provide IP stability, not physically bound to a location/machinepeople SHOULD use DNS entries ... but don’tfirewall configuration, etc ...Have servers announcing their own service IPServer outage means the IP stops to be routedOr provision service IPs from a centralised locationService IPs ann!ncementLet’s SPEAKABOUT THIS13Wednesday, 23 March 2011
  14. 14. In revolution there are only two sorts of men, those who cause them and those who profit by themNapoleon BonaparteService IPs ann!ncementSingle serverUse Graceful Restart so the router does not forget the route for aprogrammed number of seconds when BGP goes down unexpectedlyActive / PassiveUse local preference (BGP route preference)Use ipvsadm on the active to still balance trafficActive/ActiveFor machine within the same Layer 2, look at using OSPFOtherwise ANYCAST (if suitable)14Wednesday, 23 March 2011
  15. 15. Active / Passive Scena(oConfigure IP /32 on the loopback interface, linux (debian/Ubuntu)/etc/network/interfacesauto lo:SERVICEiface lo:SERVICE inet staticaddress ARP broadcast (as more than one machine has one IP on itsloopback) and RPF check/etc/sysctl.confnet.ipv4.conf.all.arp_filter = 1net.ipv4.conf.all.arp_ignore = 1net.ipv4.conf.eth0.arp_ignore = 1net.ipv4.conf.all.arp_announce = 2net.ipv4.conf.eth0.arp_announce = 215Wednesday, 23 March 2011
  16. 16. Active / Passive Scena(oActive Server : an exabgp configuration (version 1.2.0 +)Group ANNOUNCE-MY-SERVICE-IP-OF- {# ETH0 GATEWAY (HSRP/VRRP)local-address;# WE SETUP AN IBGP CONNECTIONlocal-as 64520;peer-as 64520;static {# 150 IS A BETTER LOCAL-PREFERENCE VALUE THAN 100 (DEFAULT VALUE)route next-hop LOCAL-PREFERENCE 150;}neighbor {description "BGP router 1 RUNNING HSRP/VRRP";}neighbor {description "BGP router 2 RUNNING HSRP/VRRP";}}16Wednesday, 23 March 2011
  17. 17. Active / Passive Scena(oPassive Server : an exabgp configuration (version 1.2.0 +)Group ANNOUNCE-MY-SERVICE-IP-OF- {# ETH0 GATEWAY (HSRP/VRRP)local-address;# WE SETUP AN IBGP CONNECTIONlocal-as 64520;peer-as 64520;static {# 100 (DEFAULT VALUE) IS A WORSE LOCAL-PREFERENCE VALUE THAN 150route next-hop LOCAL-PREFERENCE 100;}neighbor {description "BGP router 1 RUNNING HSRP/VRRP";}neighbor {description "BGP router 2 RUNNING HSRP/VRRP";}}17Wednesday, 23 March 2011
  18. 18. Active / Passive Scena(oRouter : Router 1 (cisco) BGP configuration example!BGP 64520no synchronizationBGP ROUTER-ID service-ip peer-groupneighbor service-ip remote-as 64520neighbor service-ip description Service IPsneighbor service-ip ebgp-multihop 5neighbor service-ip update-source LOOPBACK1neighbor service-ip default-originateneighbor service-ip route-map bgp-service-ip inneighbor service-ip route-map deny-any outneighbor peer-group service-ipneighbor peer-group service-ipno auto-summary!18Wednesday, 23 March 2011
  19. 19. Active / Passive Scena(oRouter : Router 1 (cisco) BGP configuration example!interface Loopback1description BGPip address!ip prefix-list service-ip seq 10 permit prefix-list service-ip seq 99999 deny le 32!ip access-list standard match-anypermit any!route-map bgp-service-ip permit 10match ip address prefix-list service-ipset community no-export additive!route-map deny-any deny 10match ip address match-any!19Wednesday, 23 March 2011
  20. 20. Resilience wi) IPv6Resilience with IPv62x Router Advertisement-> two default routesBGP (over an IPv4 or IPv6 TCP connection)-> announce the IPv6 service IPAvailable TodayIt is easier to ask for forgiveness than permissionStewart’s law of retraction20Wednesday, 23 March 2011
  21. 21. Thank you for coming and listening.Judge a man by his questions rather than by his answersVoltaireQuestions ?, 23 March 2011