traffic engineering with bgp - kt.agh.edu.pl · traffic engineering with bgp inbound and outbound...
Post on 26-May-2020
Unauthorised copying or use is prohibited Sieci Komputerowe 2 Sieci IP
Traffic engineering
with BGP
Inbound and outbound traffic control
Piotr Pacyna Katarzyna Kosek-Szott
BGP protocol - review questions
Review questions
What is the BGP decision process used for? What is the result of the BGP decision process?
What happens to the results of the BGP decision process? How are they used?
What role do the so-called BGP attributes play? What types (kinds) of attributes are there?
What are the successive decision criteria of the BGP decision process?
What necessary conditions must a BGP prefix meet to be considered by the BGP decision process?
What are the LOCAL_PREFERENCE and MULTI_EXIT_DISCRIMINATOR attributes used for?
BGP protocol
BGP protocol characteristics (1)
Goal: select the best path towards a destination across several transit domains.
The best path has a different meaning for different ISPs, but it often means the cheapest path (cheapest for the service provider).
When selecting "the best path", BGP takes into account various information available about the path. The information is carried in BGP attributes.
BGP protocol characteristics (2)
BGP advertises network prefixes along with path attributes. The attributes include the AS path attribute, which determines the path to reach the network(s) named in the prefix.
AS path is a list of autonomous systems that need to be traversed to reach the network.
BGP path attributes convey additional information, which can be considered by the BGP decision process when selecting the best path.
BGP path attributes can include attributes such as LOC_PREF and MED.
The BGP decision process selects one path for each prefix. The best path is installed in the routing table.
The BGP decision process is effective when there are two or more paths to choose from for a given prefix.
Reachability of the BGP Next Hop is the precondition for a path to be considered by the BGP decision process.
The best path can be advertised to other domains, depending on export policy.
Every AS is autonomous: it has the right to advertise (or not to advertise) a path for some prefix.
If the prefix is advertised, the AS must be prepared to accept and forward traffic to the named network.
BGP Decision Process
1. Prefer the highest value of LOCAL_PREF
2. Prefer paths locally computed on the router
3. Prefer paths with the shortest AS_PATH length
4. Prefer paths with the lowest origin code (IGP < EGP < incomplete)
5. Prefer the lowest value of MULTI_EXIT_DISC
6. Prefer the lowest value of metric to the NEXT_HOP router
LAB overview
Objective of this exercise
The objective of this laboratory exercise is to show the propagation of prefixes between ISPs in a multi-homing scenario. We will see that an ISP can manipulate the prefix during propagation and processing to satisfy its own goals regarding path selection. By doing this an ISP can implement its own policies for inbound and outbound flows. Specifically, we will see that:
- an ISP can influence the path selection process carried out by its own BGP routers and thus can influence the path for outbound traffic,
- an ISP can attempt to influence the path selection process carried out by routers that belong to neighbor ISPs and thus try to influence the path for inbound traffic.
Exercise outline
The general idea is to insert additional information into BGP Update messages. This extra information will be propagated with the prefix and evaluated by BGP routers during the BGP decision process. The BGP decision process is known. As a result of the BGP decision process, appropriate routes will be installed in the routing tables of BGP routers. Inter-domain traffic will be routed following these routes. In the exercise we will first change the routes for outbound traffic. Next, we will try to influence the path along which traffic arrives into our local domain (inbound traffic). The exercise is organised into two parts.
Part I Outbound traffic control
with LocPref
Part I Outline
In Part I we will influence path selection for outbound traffic, i.e. for traffic originated in our local AS and destined to a network in another AS.
Idea: Path selection for outbound traffic is carried out in our local AS by BGP routers, which determine the egress router for the traffic.
Method: Normally, the selection of the best path, including selection of the egress router, is determined by the BGP decision process. The decision is based on path attributes.
The choice of the preferred egress router can be influenced by modifying path attributes for a prefix, while knowing how the decision is made, i.e. while knowing how BGP best path selection works.
Technically speaking, a prefix is manipulated and admitted (propagated) into the local AS to let routers decide. Local AS routers select the path which is "preferred" over any other path(s), in accordance with the BGP decision process.
AS2 view (customer view)
Import: from AS1 R1 at RX set localpref=200;
from AS1 R2 at RX set localpref=100;
accept ANY
Export: to AS1 R1 at RX announce AS2
to AS1 R2 at RX announce AS2
AS1 view (provider view)
Import: from AS2 RX at R1 set localpref=300;
from AS2 RX at R2 set localpref=100;
accept AS2
Export: to AS2 RX at R1 announce ANY
to AS2 RX at R2 announce ANY
[Figure: AS1 with routers R1 and R2, AS2 with router RX]
Example: the use of Local Preference attribute for controlling outbound traffic
Example for Local Preference
In the figure LocPref is set in AS2 on the received prefix 10.10.1.0/24 (the prefix is received from AS1 directly and from AS1 via AS3). The LocPref values indicate that BGP routers in AS2 "should prefer" the path via AS3 to network 10.10.1.0/24.
[Figure: AS1 (Net 10.10.1.0/24), AS3 and AS2; labels LocPref 70 and LocPref 200 in AS2]
Lab exercise - network topology AS2 (provider) perspective
zebra is 'up and running'
interfaces are up
networks are configured
note the networks: 10.10.1.0/24 in AS1, 10.10.3.0/24 in AS3
Q1: Which paths will be selected by R23 for networks 10.10.1.0/24 and 10.10.3.0/24 before LocPref is installed?
need to configure R21 and R22 with LocPref … but first check configuration of R31
[Figure: lab topology with AS 1, AS 2 and AS 3. Labels: routers R11, R12, R21, R22, R23, R31; PC; LocPref=200 and LocPref=70; networks 10.10.1.0/24 and 10.10.3.0/24, net. A 192.168.1.0/30, net. B 192.168.2.0/30, net. C 192.168.3.0/30, net. D 10.10.4.0/24, net. G 10.10.2.0/24, net. Z 10.10.5.0/24; interface labels e0, e1, e2 with host parts .1, .2, .3]
Check configuration of R31 (1)
Step 1. Check Zebra routing daemon (general config.)
view file: /etc/zebra/zebra.conf
hostname zebra
password zebra
interface eth0
 bandwidth 100000
log file /var/log/zebra/zebra.log
Check configuration of R31 (2)
Step 2. Check if routing daemon is properly configured in Zebra on R31
view file: /etc/zebra/daemons
zebra=yes
bgpd=yes
ospfd=no
ospf6d=no
ripd=no
ripngd=no
Check configuration of R31 (3)
Step 3. Verify if the BGP daemon is properly configured.
view file: /etc/zebra/bgpd.conf
hostname bgpd
password zebra
enable password zebra
[...]
debug bgp
debug bgp events
debug bgp filters
debug bgp fsm
debug bgp keepalives
debug bgp updates
Reachability over BGP
Run traceroute 10.10.3.1 on R23.
Q1: Which path is selected?
Q2: Why has this path been chosen and not the other?
Q3: Is there any method to make the router R23 choose the other path? What are the options to do so?
Router configuration:
In order to configure R21 and R22 do one of the following:
1. Edit the bgpd.conf file and restart zebra
or
2. Telnet to bgpd, configure it and then issue the clear ip bgp * command
Route map – command syntax
Route map – a template
Use the following example to configure R21 and R22:
router bgp xxx
network nn.nn.nn.nn/mm
neighbor aa.bb.cc.dd remote-as nnnn
neighbor aa.bb.cc.dd route-map myRouteMap in
!
route-map myRouteMap permit 10
set local-preference xx
!
Configuration of R21
Expected configuration on router R21
hostname bgpd
password zebra
enable password zebra
!
! LOCAL_PREF 200 for every prefix received through this route-map
route-map as1-in permit 10
 set local-preference 200
!
router bgp 2
! eBGP session to AS1; the route-map is applied to inbound updates
 neighbor 192.168.3.1 remote-as 1
 neighbor 192.168.3.1 description Router12
 neighbor 192.168.3.1 route-map as1-in in
! iBGP session inside AS2
 neighbor 10.10.4.3 remote-as 2
 neighbor 10.10.4.3 next-hop-self
!
log file /var/log/zebra/bgpd.log
Configuration of R22
Expected configuration on router R22
hostname bgpd
password zebra
enable password zebra
!
! LOCAL_PREF 70 for every prefix received through this route-map
route-map as3-in permit 10
 set local-preference 70
!
router bgp 2
 network 192.168.2.0/30
! eBGP session to AS3; the route-map is applied to inbound updates
 neighbor 192.168.2.1 remote-as 3
 neighbor 192.168.2.1 description Router31
 neighbor 192.168.2.1 route-map as3-in in
! iBGP session inside AS2
 neighbor 10.10.2.3 remote-as 2
 neighbor 10.10.2.3 next-hop-self
!
log file /var/log/zebra/bgpd.log
see http://www.getnetworking.net/bgp/bgp-next-hop-self to understand this
Testing routes from R23 to AS3
Execute traceroute again from R23 to 10.10.3.1/24
Execute ping -R from R23 to 10.10.3.1/24
Q1: Which is the route for data traffic to AS3 now ?
Part II Inbound traffic control
with MED
Part II Inbound traffic
In Part II we will try to influence the paths for inbound traffic, i.e. traffic arriving into our ISP domain.
Method: it can be done by modifying the path attributes in messages advertised by our BGP routers to neighbouring ASs. By modifying attributes prior to message advertisement we will try to influence decisions made by neighbouring BGP routers when selecting best routes to networks located in our AS.
Lab. Part II: Insertion of Multiple Exit Discriminator (MED)
[Figure: AS2, AS3 and network 'net.'; labels MED = 50 and MED = 100]
MED value is set on prefixes advertised by AS3 in order to "tell" AS2 routers that AS3 "would like" to receive traffic over the high bandwidth link.
Lab. Part II: Insertion of Multiple Exit Discriminator (MED)
[Figure: AS1, AS2, AS3 and network 'net.'; labels MED = 50 (three times) and MED = 100]
MED value is set on prefix 'net.' advertised by AS3 in order to "tell everybody" that AS3 "would like" to receive traffic for network 'net.' over high bandwidth links.
Note that MED values related to the same prefix but received in AS2 from different Autonomous Systems will not be compared!
Network topology with address plan for Part II MED. AS3 (customer) perspective
Pre-configured network topology:
zebra is 'up and running'
interfaces are up
networks are configured
Need to configure: R31 and R32
Testing routes from R23 to R31 before setting MED
Execute traceroute from R23 to 10.10.3.1/24
Execute ping -R from R23 to 10.10.3.1/24
Q1: which path is used to route traffic to network 10.10.3.1/24 ?
Changing the router configuration
In order to configure R31 and R32 do one of the following:
1. Edit the bgpd.conf file, add what is needed and restart zebra
or
2. Telnet to bgpd, configure what is needed and (on R22 and R24) issue the clear ip bgp * command
Route map – template
Use the following example to configure R31 and R32:
router bgp xxx
network nn.nn.nn.nn/mm
neighbor aa.bb.cc.dd remote-as nnnn
neighbor aa.bb.cc.dd route-map myRouteMap out
!
route-map myRouteMap permit 10
set metric xx
!
Configuration of R31
Expected configuration on router R31
hostname bgpd
password zebra
enable password zebra
!
! MED 100 on every prefix advertised through this route-map
route-map metricOut permit 10
 set metric 100
!
router bgp 3
 network 10.10.3.0/24
! eBGP session to AS2; the route-map is applied to outbound updates
 neighbor 192.168.2.2 remote-as 2
 neighbor 192.168.2.2 description Router22
 neighbor 192.168.2.2 route-map metricOut out
! iBGP session inside AS3
 neighbor 10.10.3.2 remote-as 3
 neighbor 10.10.3.2 description Router32
Configuration of R32
Expected configuration on router R32
hostname bgpd
password zebra
enable password zebra
!
! MED 70 on every prefix advertised through this route-map
route-map metricOut permit 10
 set metric 70
!
router bgp 3
 network 10.10.3.0/24
! eBGP session to AS2; the route-map is applied to outbound updates
 neighbor 192.168.4.1 remote-as 2
 neighbor 192.168.4.1 description Router24
 neighbor 192.168.4.1 route-map metricOut out
! iBGP session inside AS3
 neighbor 10.10.3.1 remote-as 3
 neighbor 10.10.3.1 description Router31
 neighbor 10.10.3.1 next-hop-self
Testing routes from R23 to R31 after setting MED
Execute traceroute from R23 to 10.10.3.1/24
Execute ping -R from R23 to 10.10.3.1/24
Note that traffic is routed over link R24-R32 (because of lower value of MED on that link)
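The six-step decision process from the "BGP Decision Process" slide, applied to the attribute values configured in Part I (LocPref 200 on R21, 70 on R22) and Part II (MED 100 from R31, 70 from R32), as an added Python example that is not part of the original slides. The Path field names, the default LOCAL_PREF of 100, the AS_PATH values and the IGP metrics are assumptions made for illustration; AS 9 is a constructed origin AS.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

@dataclass(frozen=True)
class Path:                       # field names are this example's own
    via: str                      # AS2 border router that learned the path
    as_path: tuple                # first element = neighbouring AS
    local_pref: int = 100         # assumed default when no route-map sets it
    med: int = 0
    origin: str = "igp"
    local: bool = False           # path originated on this router
    igp_metric: int = 0           # metric to the NEXT_HOP router
    next_hop_reachable: bool = True

def keep_best(paths, key):
    """Keep every path that ties for the lowest key value."""
    best = min(key(p) for p in paths)
    return [p for p in paths if key(p) == best]

def best_path(paths):
    # Precondition from the slides: the NEXT_HOP must be reachable.
    c = [p for p in paths if p.next_hop_reachable]
    if not c:
        return None
    c = keep_best(c, lambda p: -p.local_pref)           # 1. highest LOCAL_PREF
    c = keep_best(c, lambda p: not p.local)             # 2. locally computed
    c = keep_best(c, lambda p: len(p.as_path))          # 3. shortest AS_PATH
    c = keep_best(c, lambda p: ORIGIN_RANK[p.origin])   # 4. lowest origin code
    # 5. lowest MED, compared only between paths from the same neighbour AS
    c = [p for p in c if not any(
        q.as_path[:1] == p.as_path[:1] and q.med < p.med for q in c)]
    c = keep_best(c, lambda p: p.igp_metric)            # 6. metric to NEXT_HOP
    return c[0]

# Constructed inputs for 10.10.3.0/24 as seen inside AS2; the (1, 3) path
# assumes AS1 re-advertises the prefix it learned from AS3.
BEFORE = [Path("R22", (3,)), Path("R21", (1, 3))]
PART1 = [Path("R22", (3,), local_pref=70), Path("R21", (1, 3), local_pref=200)]
PART2 = [Path("R22", (3,), med=100), Path("R24", (3,), med=70)]
# Different neighbour ASes: MED is skipped and step 6 decides.
CROSS_AS = [Path("R21", (1, 9), med=50, igp_metric=20),
            Path("R22", (3, 9), med=100, igp_metric=10)]

if __name__ == "__main__":
    for name, paths in [("before", BEFORE), ("LocPref", PART1),
                        ("MED", PART2), ("cross-AS MED", CROSS_AS)]:
        print(name, "->", best_path(paths).via)
```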
BGP Decision Process with LOC_PREF and MED used
simultaneously in multi-provider scenario
[Figure: multi-provider scenario with AS1, AS2 and AS3; labels MED = 50 (three times), MED = 100, LocPref = 200, LocPref = 70 and Prefix]
Review questions:
Q1: Which path will be selected by routers in AS2 to reach AS1 in a scenario
a) without any LOC_PREF and MED attributes?
b) with LOC_PREF only?
c) with MED only?
d) with both LOC_PREF and MED?
Conclusions
The level of control over flows is different for inbound and outbound flows.
Specifically, the level of control over outbound traffic is strong, as it requires configuration of the ISP's own routers. An ISP can precisely influence local selection of routes leading to remote destinations, i.e. for the outbound traffic.
The control over inbound traffic is, however, weak. An ISP has limited ability to control choices that other ISPs make to direct traffic to local networks (inbound traffic).
One can conclude that the level of control is asymmetric.
Internet resources
Using BGP's local preference to influence outbound routing: http://evilrouters.net/2009/03/07/using-bgps-local-preference-to-influence-outbound-routing/
Using AS path prepending to influence inbound routing: http://evilrouters.net/2009/03/07/using-as-path-prepending-to-influence-inbound-routing/