Route Leak Prevention with BGP Community
Q S Tahmeed
AGM, Network Operations
Level3 Carrier Ltd.
Table of Contents
• Introduction: Route Leaks
• Types of Route Leaks – RFC 7908
• Real-Life Examples
• Findings
• Solution
• Key: BGP Community
• Benefits
• Important Notes
• Overview
• LAB: Topology, Output Analysis & Configs
• Q&A
Introduction: Route Leaks
Defined in RFC: 7908
Type 1: Hairpin Turn with Full Prefix
Type 2: Lateral ISP-ISP-ISP Leak
Type 3: Leak of Transit Provider Prefixes to Peer
Type 4: Leak of Peer Prefixes to Transit Provider
Type 5: Prefix Re-Origination with Data Path to Legitimate Origin
Type 6: Accidental Leak of Internal Prefixes and More-Specific Prefixes
Notes:
Types 1 – 4: related to the AS-PATH validation problem (not covered by RPKI)
Types 5 – 6: related to Route Object validation (covered by RPKI)
Types of Route Leaks
Real-Life Example
Here in Bangladesh, we faced such leaks due to human errors back in 2018, when one of the prominent IIGs got connected with Equinix, SG. They leaked their customer prefixes learned from Equinix towards their Transit. One of the prominent ISPs lost at least 10G of transit traffic for almost an hour, until the IIG applied an INGRESS filter to drop the ISP's ASN from Equinix.
Later, we also faced several cases where customer prefixes were leaked (unintentionally) to Transit, and those advertisements were winning in the Global Routing Table. The affiliated ISPs then resolved the problem by filtering each other's ASNs in their Transit Filters.
More on this in the Findings section …
Findings
Challenges with ISPs' AS-PATH based INGRESS Filter for Customer ASNs at IX/Transit Interface(s):
• Scenario:
• ISPs not receiving client prefixes from Transit, IX, etc.
• Clients not advertising full sets of prefixes directly towards the ISPs (Multihoming & Load-Balancing)
• Challenges:
• IXes are mostly L2 based – no IX-ASN in the learned AS-PATH
• No common AS-PATH filter can be applied
• Possibility of a very complex configuration (too many logics, very large config, etc.)
• Outcome:
• If direct Customer ASNs are filtered using INGRESS AS-PATH filters at IX/Transit Interface(s), then the ISP will lose the shortest/best routes and end up diverting the traffic to more expensive Transit, or will direct traffic based on the default route only (sub-optimal performance)
Challenges with ISPs' AS-PATH based EGRESS Filter for Customer ASNs at IX/Transit Interface(s):
• ISPs implementing only AS-PATH based EGRESS filters leak Customer routes learned from other PEERs (e.g. IX), because those routes match the AS-PATH list.
Findings (contd.)
Why do we need to be concerned about it?
- Many Tier-1 carriers set a higher Local-Preference for Customer Routes. This can make the unintended (leaked) prefix win.
- Many/almost all Tier-1 carriers allow their customers to set a higher Local-Preference for their own routes (via BGP community). If any provider changes that parameter, there is a chance that the unintended (leaked) prefix wins.
Notes:
- This is more likely a regional/localized scenario
- Further study is required to assess the overall impact at global scale
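As an added illustration of the two points above (example code written for this page, not from the deck), the following Python models a transit provider's reduced best-path decision: highest LOCAL_PREF first, then shortest AS_PATH. The ASNs and the prefix are the deck's lab values; the local-preference values (customer 200, peer 100) and the community 10:250 that lets a customer raise its own routes are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Path:
    prefix: str
    as_path: tuple            # leftmost ASN = the neighbour that sent the route
    peer_type: str            # "Customer" or "Peer": how the transit classifies the neighbour
    communities: frozenset = field(default_factory=frozenset)
    local_pref: int = 100


# Constructed policy for transit ISP-01 (AS10): customer routes get LOCAL_PREF 200,
# peer routes 100, and a customer can raise its own routes to 250 by tagging them
# with the hypothetical community 10:250.
CUSTOMER_LP, PEER_LP, RAISE_LP = 200, 100, 250
RAISE_COMMUNITY = "10:250"


def transit_ingress(p: Path) -> Path:
    """ISP-01's ingress policy: assign LOCAL_PREF by neighbour type and community."""
    if p.peer_type == "Customer":
        lp = RAISE_LP if RAISE_COMMUNITY in p.communities else CUSTOMER_LP
    else:
        lp = PEER_LP
    return Path(p.prefix, p.as_path, p.peer_type, p.communities, lp)


def best_path(paths):
    """Reduced BGP decision process: highest LOCAL_PREF, then shortest AS_PATH."""
    return max(paths, key=lambda p: (p.local_pref, -len(p.as_path)))


def winner(legit: Path, leaked: Path) -> tuple:
    """Return the AS_PATH of the path ISP-01 installs for the prefix."""
    return best_path([transit_ingress(legit), transit_ingress(leaked)]).as_path


# Legitimate route: ISP-B (AS200) announces the customer's 192.168.1.0/24 (AS1000).
# Leaked route: ISP-A (AS100) re-advertises the same prefix it learned at IX-LAB.
# IX-LAB is an L2 fabric, so AS150 does not appear in the path (constructed).
LEGIT_PATH = (200, 1000)
LEAKED_PATH = (100, 200, 1000)


def case_peer_vs_customer() -> tuple:
    # ISP-B is only a peer of ISP-01 while ISP-A is a customer:
    # the customer LOCAL_PREF beats the shorter legitimate path.
    legit = Path("192.168.1.0/24", LEGIT_PATH, "Peer")
    leaked = Path("192.168.1.0/24", LEAKED_PATH, "Customer")
    return winner(legit, leaked)


def case_customer_vs_customer(leaker_raises_lp: bool) -> tuple:
    # Both ISP-A and ISP-B are customers (the lab topology). With equal LOCAL_PREF
    # the shorter legitimate path wins, unless the leaker tags its routes with 10:250.
    comms = frozenset({RAISE_COMMUNITY}) if leaker_raises_lp else frozenset()
    legit = Path("192.168.1.0/24", LEGIT_PATH, "Customer")
    leaked = Path("192.168.1.0/24", LEAKED_PATH, "Customer", comms)
    return winner(legit, leaked)


if __name__ == "__main__":
    print("peer vs customer     ->", case_peer_vs_customer())
    print("customer vs customer ->", case_customer_vs_customer(False))
    print("leaker raises LP     ->", case_customer_vs_customer(True))
```

The first case is the one the deck describes: the leaked path is longer, but because it arrives from a customer it wins on LOCAL_PREF before AS_PATH length is ever compared. The second case shows that even when both paths are customer routes, a leaker that raises its own LOCAL_PREF via the provider's community still pulls the traffic, which is why the fix has to be applied at the leaking network's egress rather than relied on from the transit's path selection.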
Solution Key: BGP Community
BGP Community is a very powerful attribute for effective route policy implementation
• It offers a wide variety of route tagging which subsequently can be used for route policy
• Route TAGs have a wide range of implications – ranging from simple to very complex deployment
Solution Benefits
• Route Leak Prevention
• Preventing “unwanted transit” situations (RFC7908: Types 1 – 4)
• Scalability & Operational Scopes:
• Gain more Granular Control on BGP Advertisement Policy (both iBGP & eBGP)
• Reduce Operational overhead for ASN/Prefix Add/Remove activities (time savings)
• Reduce Operational Risks for human errors
Solution Overview - Important Notes
The proposed solution is in addition to already implemented Routing Security Methods:
- RPKI/ROA validation
- INGRESS Filters
- EGRESS Filters
Solution Overview
INGRESS Policy
• TAG all received routes based on PEER Types
• Transit
• IX
• PNI
• Customer
EGRESS (Transit/IX/PNI) Policy
• Filter all TAGs matching Transit/IX/PNI
• Allow Customer ASNs/Prefixes based on organization business policy
Customer EGRESS Policy
• Advertise towards clients as per Agreement
Notes:
The proposed solution is a very simple approach to implement BGP community based filtering (in addition to existing route filters/validations) to prevent Route Leaks (Types 1 – 4). Extensive detailing is possible for larger and more complex network topologies.
LAB: Topology, Output Analysis, Configurations
LAB Topology
Configuration Logic
01 – BGP Table Analysis
As per configuration logic (without BGP community TAGs)
LAB Outputs
ASN: 1000
CE BGP Advertisement to ISP-A
• 192.168.0.0/24
• 192.168.0.0/23
CE BGP Advertisement to ISP-B
• 192.168.1.0/24
• 192.168.0.0/23
LAB Outputs – ISP-A
ASN: 100
BGP Advertisement output from ISP-A Router:
- Advertisement to ISP-01
- Advertisement to ISP-02
- Advertisement to IX-LAB
Analysis:
- Problematic prefix 192.168.1.0/24 is being learned from IX-LAB and not from the Client
- The same prefix is then advertised towards Transit (ISP-01 & ISP-02)
LAB Outputs – ISP-B
ASN: 200
BGP Advertisement output from ISP-A Router:
- Advertisement to ISP-01
- Advertisement to ISP-02
- Advertisement to IX-LAB
Analysis:
- Problematic prefix 192.168.0.0/24 is being learned from IX-LAB and not from the Client
- The same prefix is then advertised towards Transit (ISP-01 & ISP-02)
LAB Outputs – ISP-01
ASN: 10
BGP Table Output
192.168.0.0/24
- One of the entries shows a path via IX-LAB
192.168.1.0/24
- One of the entries shows a path via IX-LAB
LAB Outputs – ISP-01
ASN: 10
BGP Route Lookup
192.168.0.0/24
- One of the entries shows a path via IX-LAB
192.168.1.0/24
- One of the entries shows a path via IX-LAB
LAB Outputs – ISP-02
ASN: 20
BGP Table Output
192.168.0.0/24
- One of the entries shows a path via IX-LAB
192.168.1.0/24
- One of the entries shows a path via IX-LAB
LAB Outputs – ISP-02
ASN: 20
BGP Route Lookup
192.168.0.0/24
- One of the entries shows a path via IX-LAB
192.168.1.0/24
- One of the entries shows a path via IX-LAB
Solution
Adding BGP Community based Filters
Configuration Logic – ISP-A (ASN100)
INGRESS Policy:
• Apply BGP Community TAG 100:9
• Peering types: IX & Transit (ASN150, ASN10, ASN20)
EGRESS Policy:
• Apply Filter towards IX/Transit to discard all Prefixes with TAG 100:9
• Peering types: IX & Transit (ASN150, ASN10, ASN20)
• Also may remove existing AS-PATH filters (applicable for the LAB, may not be a viable option in a real-life scenario)
Configuration Logic – ISP-B (ASN200)
INGRESS Policy:
• Apply BGP Community TAG 200:9
• Peering types: IX & Transit (ASN150, ASN10, ASN20)
EGRESS Policy:
• Apply Filter towards IX/Transit to discard all Prefixes with TAG 200:9
• Peering types: IX & Transit (ASN150, ASN10, ASN20)
• Also may remove existing AS-PATH filters (applicable for the LAB, may not be a viable option in a real-life scenario)
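The INGRESS/EGRESS logic described in the Solution Overview and in the configuration logic for ISP-A above, modelled as an added Python example (not the deck's router configuration). ASNs, the TAG 100:9 and the prefixes are taken from the lab; the peer-type assignments and the AS_PATH of the route learned at IX-LAB are assumptions. Running it with and without the TAGs reproduces the "01" and "02" BGP table analyses: the prefix learned at the IX reaches Transit only when the tagging is off.

```python
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str
    as_path: tuple                      # leftmost ASN = neighbour that sent the route
    communities: set = field(default_factory=set)


LOCAL_AS = 100                          # ISP-A
LEAK_TAG = f"{LOCAL_AS}:9"              # the deck's TAG 100:9
NON_CUSTOMER = {"Transit", "IX", "PNI"}

# ISP-A's neighbours: ASNs from the deck, peer types assumed from its topology.
PEERS = {
    "CE":     {"asn": 1000, "type": "Customer"},
    "IX-LAB": {"asn": 150,  "type": "IX"},
    "ISP-01": {"asn": 10,   "type": "Transit"},
    "ISP-02": {"asn": 20,   "type": "Transit"},
}


def ingress(route: Route, peer: str, use_tags: bool) -> Route:
    """INGRESS policy: TAG every route learned from a Transit/IX/PNI neighbour."""
    comms = set(route.communities)
    if use_tags and PEERS[peer]["type"] in NON_CUSTOMER:
        comms.add(LEAK_TAG)
    return Route(route.prefix, route.as_path, comms)


def egress(rib: list, peer: str, use_tags: bool) -> list:
    """EGRESS policy towards Transit/IX/PNI: discard everything carrying the TAG.
    Customers receive all routes here (lab simplification; the deck says 'as per agreement')."""
    if not (use_tags and PEERS[peer]["type"] in NON_CUSTOMER):
        return list(rib)
    return [r for r in rib if LEAK_TAG not in r.communities]


# Routes ISP-A learns in the lab (constructed from the deck's LAB Outputs):
# the CE sends 192.168.0.0/24 and /23 directly, while 192.168.1.0/24 arrives only
# via IX-LAB from ISP-B (AS200). IX-LAB is an L2 fabric, so AS150 is absent from the path.
LEARNED = [
    ("CE",     Route("192.168.0.0/24", (1000,))),
    ("CE",     Route("192.168.0.0/23", (1000,))),
    ("IX-LAB", Route("192.168.1.0/24", (200, 1000))),
]


def announcements(use_tags: bool) -> dict:
    """Return {neighbour: set of prefixes ISP-A announces to it}."""
    rib = [ingress(r, peer, use_tags) for peer, r in LEARNED]
    return {p: {r.prefix for r in egress(rib, p, use_tags)} for p in PEERS if p != "CE"}


def leaked_prefixes(use_tags: bool) -> set:
    """Prefixes that reach a Transit neighbour although ISP-A learned them from a non-customer."""
    non_customer = {r.prefix for peer, r in LEARNED if PEERS[peer]["type"] in NON_CUSTOMER}
    out = announcements(use_tags)
    return {pfx for p in out if PEERS[p]["type"] == "Transit" for pfx in out[p] & non_customer}


if __name__ == "__main__":
    for use_tags in (False, True):
        print("with TAGs:" if use_tags else "without TAGs:", announcements(use_tags))
        print("  leaked towards Transit:", leaked_prefixes(use_tags) or "none")
```

The check in `leaked_prefixes` is the same one a practitioner would run against a real router's advertised-routes output: anything announced to a Transit or IX neighbour whose RIB source is not a customer session is a Type 1–4 leak. The TAG travels with whichever path the router selects, so if the same prefix is learned both from the CE and at the IX, the egress decision follows the best path, which is why the deck keeps the prefix/AS-PATH filters in place alongside the community policy.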
02 – BGP Table Analysis
As per configuration logic (with BGP community TAGs)
LAB Configs (ISP-A & ISP-B)
Pre vs. Post BGP Community implementation
Questions & Answers
Thank You