Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Salottino MIX 2017 - ARouteServer - IXP Automation Made Easy

154 views

Published on

Presentation of ARouteServer, a Python tool to automatically build (and test) feature-rich configurations for BGP route servers.
Salottino MIX, May 30 2017

Published in: Engineering
  • Be the first to comment

  • Be the first to like this

Salottino MIX 2017 - ARouteServer - IXP Automation Made Easy

  1. 1. Pier Carlo Chiodi - May 30, 2017 - Salottino MIX ARouteServer IXP automation made easy
  2. 2. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Intro: route servers ● “A route server redistributes BGP routes received from its BGP clients to other clients according to a prespecified policy” (RFC7948) ● Benefits ○ One BGP session, many peers ○ Instantly get lot of routes ● Drawbacks ○ May be a SPoF (traffic blackhole) ○ May interfer with traffic engineering policies ○ Outsourced routing / To trust the route server
  3. 3. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Intro: route servers ● Lot of routes sent to clients: are they actually good? source: “Moving to default Routeserver IRR filtering” RIPE74 presentation by Erik Bais, A2B Internet
  4. 4. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Intro: route servers ● Lot of routes sent to clients: are they actually good? 4651 45328 23456 80.249.210.15 from 80.249.209.0 (80.249.209.0) Origin IGP, metric 0, localpref 100, valid, external, best Community: 3856:53500 Last update: Mon May 1 08:07:12 2017
  5. 5. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Intro: route servers ● Lot of routes sent to clients: are they actually good? 12989 33724 64512 80.249.209.70 from 80.249.208.255 (80.249.208.255) Origin IGP, metric 0, localpref 100, valid, external Community: 3856:53500 Last update: Mon May 1 08:10:10 2017
  6. 6. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Intro: route servers ● Lot of routes sent to clients: are they actually good? http://peering.exposed (Job Snijders / Samer Abdel-Hafez)
  7. 7. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Intro: route servers ● Do I totally lose control of how my routes are propagated? AS1 AS2 AS3 RS
  8. 8. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Overview: ARouteServer ● Goal: to help IXs to simplify operations needed to run useful and trustworthy route servers ● ARouteServer automatically builds configs for route servers... ○ feature-rich configurations! ● … and it also allows to validate them ○ Docker / KVM -based “live test” framework ● Currently, BIRD and OpenBGPD are supported
  9. 9. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX How does it work
  10. 10. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX How does it work ● Two YAML files are used to configure syntax-agnostic high-level policies and clients definitions cfg: rs_as: 999 router_id: "192.0.2.2" filtering: next_hop: policy: "same-as" blackhole_filtering: policy_ipv4: "rewrite-next-hop" ... clients: - asn: 111 ip: - "192.0.2.11" - "2001:db8:1:1::11" irrdb: as_sets: - "AS-AS111MAIN" ...
  11. 11. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX How does it work ● External sources are used to gather additional info: ○ IRRDBs for filters based on prefixes and origin ASNs ○ PeeringDB for max-prefix limits ○ Euro-IX JSON member list files to build clients list automatically
  12. 12. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX How does it work ● Finally, the route server configuration is automatically generated ● Custom scripts can be used to test it and to deploy it to the route server $ arouteserver bird --ip-ver 4 -o /etc/bird/bird4.new && bird -p -c /etc/bird/bird4.new && cp /etc/bird/bird4.new /etc/bird/bird4.conf && birdcl configure
  13. 13. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Configuration ● Policies can be set on a global scope ● Clients inherit global policies ○ client-specific options override inherited ones ● Client list can be automatically generated from Euro-IX JSON file ○ this allows an easy integration with IXP-Manager ● Custom, site-specific behaviours and configurations can be implemented using “hooks” and local files
  14. 14. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Features: routes filtering ● NEXT_HOP enforcement: strict or same AS ● min/max prefix length & max AS_PATH length ● AS_PATH sanitation ○ leftmost ASN ○ private/invalid ASNs ○ “transit-free” ASNs ● RPKI validation and filtering ● bogons and IRRDBs-based filters (prefixes & origin ASNs)
  15. 15. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Features: NEXT_HOP enforcement ● “Strict” mode: accept only routes whose NEXT_HOP is the IP address of the announcing client AS1 AS1 AS2 AS3 RS 192.0.2.11 192.0.2.12 192.0.2.21 192.0.2.31 NH: 192.0.2.12 NH: 192.0.2.11 NH: 192.0.2.21 NH: 192.0.2.31
  16. 16. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX ● “Same-AS” mode: allows the NEXT_HOP to be any address among those used by the announcing AS to connect to the IXP Features: NEXT_HOP enforcement AS1 AS1 AS2 AS3 RS 192.0.2.11 192.0.2.12 192.0.2.21 192.0.2.31 NH: 192.0.2.12 NH: 192.0.2.11 NH: 192.0.2.21 NH: 192.0.2.31
  17. 17. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX ● Leftmost ASN in the AS_PATH must match the ASN of the client Features: AS_PATH sanitation RS AS1 1 4 5 4 5 ● Private/invalid ASNs must not appear in the AS_PATH RS AS1 1 65534 1 23456
  18. 18. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX ● “Transit-free” ASNs must not appear in the AS_PATH (unless they are in the first position) Features: AS_PATH sanitation RS AS1 1 6762
  19. 19. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX ● RPKI ROAs (Route Origin Authorisations) are used for Prefix Origin Validation Features: prefix validation RS AS1 1 3320 AS3320 91.0.0.0/10 AS3 3 91.0.0.0/10 4 source:http://roalert.org
  20. 20. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX ● IRR databases are used to get the list of allowed prefixes and origin ASNs on the basis of client’s AS-Macros (bgpq3) Features: prefix validation $ whois AS-ONE as-set: AS-ONE members: AS4 RS AS1 1 AS1 4 1 5 $ whois -i origin AS4 route: 192.0.2.0/24 origin: AS4
  21. 21. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Features: functions ● Blackhole filtering support ○ optional NEXT_HOP rewriting to allow Layer-2 level filtering ● Route propagation control (via BGP communities) ○ announce / do not announce to any / specific peer ○ prepend to any / specific peer ○ add NO_EXPORT / NO_ADVERTISE to any / specific peer ● Full list of features available on GitHub
  22. 22. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Testing configurations ● Live test framework included ○ built-in / custom scenarios define policies and expected results ○ route server configuration is generated by ARouteServer ○ Docker containers (and KVM VM for OpenBGPD) virtualize the route server and its clients ○ a Python-based API interacts with them ○ Python test cases are run to verify that expectations are met
  23. 23. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX ● Blackhole filtering offered to clients via BLACKHOLE and L2 ACLs Testing configurations: example cfg: rs_as: 999 router_id: "192.0.2.2" blackhole_filtering: policy_ipv4: "rewrite-next-hop" rewrite_next_hop_ipv4: "192.0.2.66"
  24. 24. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX ● Blackhole filtering offered to clients via BLACKHOLE and L2 ACLs ● AS1 wants traffic toward 203.0.113.1/32 to be null-routed Testing configurations: example D o c k e r RS Python live test framework AS1 AS2 AS3 65535:666 203.0.113.1/32
  25. 25. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX ● Blackhole filtering offered to clients via BLACKHOLE and L2 ACLs ● AS1 wants traffic toward 203.0.113.1/32 to be null-routed ● Expectations: AS1 & AS2 receive 203.0.113.1/32 with the BNH Testing configurations: example Python live test framework D o c k e r RSAS1 AS2 AS3 65535:666 203.0.113.1/32 NH: 192.0.2.66 203.0.113.1/32 NH: 192.0.2.66 203.0.113.1/32 Python live test framework
  26. 26. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX ● Blackhole filtering offered to clients via BLACKHOLE and L2 ACLs ● AS1 wants traffic toward 203.0.113.1/32 to be null-routed ● Expectations: AS1 & AS2 receive 203.0.113.1/32 with the BNH Testing configurations: example Python live test framework D o c k e r RSAS1 AS2 AS3 65535:666 203.0.113.1/32 NH: 192.0.2.66 203.0.113.1/32 NH: 192.0.2.66 203.0.113.1/32 def test_071_blackholed_prefixes_as_seen_by_enabled_clients(self): for inst in (self.AS2, self.AS3): self.receive_route(inst, "203.0.113.1/32", self.rs, next_hop="192.0.2.66", std_comms=["65535:666"]) Python live test framework
  27. 27. Pier Carlo Chiodi - May 10, 2017Pier Carlo Chiodi - May 30, 2017 - Salottino MIX Project status ● Actively developed! Looking for testers and reviewers ● Feedback from real life is strongly needed and encouraged Source code and examples available on GitHub: https://github.com/pierky/arouteserver Full documentation: https://arouteserver.readthedocs.io/ Pier Carlo Chiodi - https://pierky.com/ @pierky
  28. 28. Questions?

×