routing policy specification language

1

Routing Policy Specification Language

Ambrose Magee

LM Ericsson Ltd.

<[email protected]>

Tuesday, 28th August, 2001 APNIC-12

Tuesday, 28 August, 2001 ESI/Network Services Solutions 2

Introduction

• Tutorial– not a substitute for reading the RFC documents

• Target Audience– knowledge of Internet Routing– familiar with APNIC Whois Database– no need to know Internet Routing Registry


Contents of this tutorial

• The Internet Routing Registry

• Routing Policy Specification Language

– RIPE Database Version 3

• Routing Policy System Security (RPSS)

– security for Internet Routing Registry (IRR)

• RAToolSet & RtConfig


The Internet Routing Registry

• Background• Structure• Why use it ?• BGP configuration from the Internet Routing Registry


The Internet Routing Registry (IRR)

• Established in 1995• http://www.irr.net/• Stability and consistency of routing

– network operators share information

• Both public and private databases• These databases are independent

– but some exchange data– only register your data in one database


Internet Routing Registry

RIPE

RADB CW

ANS Bell.db

ARIN, ArcStar, FGC, Verio, Bconnex,

Telstra, ...

Policy and contact information is shared.


Why use the Internet Routing Registry ?

• When peering– register your routes and filter your peers

• Some transit providers and big ISP’s ask for this• Useful for fixing problems

– contact information


Why use the Internet Routing Registry ?

• BGP->RIP->BGP injection• 128/7 leak• bogon 0/0, 10/8 leaks• Daily, someone is leaking somelse’s prefix.


BGP Configuration from Internet Routing Registry

• Routing Policy specification Language (RPSL)– abstract, high-level policies– policies for each Autonomous System (AS)

• Internet Routing Registry– policies, routes and contact informatiom– benefit from the data and delegation of others

• RtConfig– RAToolSet– generate router configuration files– automates details and tedious aspects



• Background• RPSL Objects• Contact Information• Specifying Policy• Set Objects• Inet-rtr object• Advanced Features



• Object-based language– route, autonomous system, router, contact and set objects

• Defines the syntax, semantics and format of data in IRR• Vendor independent• Extensible

• IETF Proposed Standard (RFC2622)• Based on RIPE-181 (RFC 1786) • Currently, no support for IPv6


Routing Policy Specification Language 2

• RIPE-181 – some policies cannot be specified

• Internet Routing Registry– needed a more powerful language

• RPSL– more expressive than RIPE-181– policies can be expressed at the AS level– policies can be detailed => router configurations

PRDB RIPE-81 RIPE-181 RPSL



• Background• RPSL Objects• Contact Information• Specifying Policy• Set Objects• inet-rtr object• Advanced Features


RPSL Objects


Objects in RPSL

• RPSL is based on objects• Format of RPSL similar to RIPE-181• Objects and Attributes• Attributes and Values• Object Names• Reserved Names


RPSL is based on Objects

• Each object describes an entity in the real world

• Object classes (= object types)

• 12 types of object

• RPS-Sec defines one more (as-block)


RIPE Database Version 3

• Includes most RPSL object classes

• Excludes dictionary object class

• Defines 4 other object classes


RPSL Object

person: Clare Lancers

address: Corrofin

phone: + 123 123 # day time

e-mail: [email protected]

nic-hdl: CL123-TEST

remarks: This is a

test object

changed: [email protected] 20010730

source: TEST

Attribute value

Comment

Attribute name

Continuation


RPSL Objects

• RPSL objects are similar to RIPE-181 objects• Objects

– set of attributes

• Attributes – mandatory or optional– values: single, list, multiple– see the object template


Template of person object

person: [mandatory] [single] [lookup key]address: [mandatory] [multiple] [ ]phone: [mandatory] [multiple] [ ]fax-no: [optional] [multiple] [ ]e-mail: [optional] [multiple] [lookup key]nic-hdl: [mandatory] [single] [primary/look-up key]remarks: [optional] [multiple] [ ]notify: [optional] [multiple] [inverse key]mnt-by: [optional] [multiple] [inverse key]changed: [mandatory] [multiple] [ ]source: [mandatory] [single] [ ]


RPSL Objects

• Class “key” – set of attributes– usually one attribute has the same name as the object’s class – uniquely identify each object

• Class “key” = primary key– must be specified first


Template of person object

person: [mandatory] [single] [lookup key]address: [mandatory] [multiple] [ ]phone: [mandatory] [multiple] [ ]fax-no: [optional] [multiple] [ ]e-mail: [optional] [multiple] [lookup key]nic-hdl: [mandatory] [single] [primary/look-up key]remarks: [optional] [multiple] [ ]notify: [optional] [multiple] [inverse key]mnt-by: [optional] [multiple] [inverse key]changed: [mandatory] [multiple] [ ]source: [mandatory] [single] [ ]


RPSL Object


address: Corrofin



nic-hdl: CL123-TEST

remarks: This is a

test object


source: TEST

Attribute value

Comment

Attribute name

Continuation


RPSL vs RIPE-181 objects

• Line continuation possible

– space, tab, ‘+’

• Comments

– begin with ‘#’

– can be anywhere inside an object

– but cannot start at beginning of a line (column 0)

• Objects ends at “\n\n” (blank line)

• The order of attribute-value pairs is significant


RPSL Object

person: Ambrose Mageesource: RIPE # Commentaddress: Ericsson Services Irelandaddress: Dun Laoghaire, Ireland.+phone: +353 1 236 2500e-mail: [email protected]: AM3206-RIPEremarks: This is a test object. And this is a test comment.notify: [email protected]: [email protected] 20010731


Attributes

• Case insensitive• ASCII• Value of an attribute has a type

– <object-name>– <as-number>– <ipv4-address>– <address-prefix>– etc.

• Complete list of attributes in RFC 2622 & RIPE-223


Object Names

• Objects names can have - or _ inside– e.g. RIPE-DBM-MNT

• Can have digits• Case-insensitive• First character: alphabetic • Last character: must be a letter or a digit• Reserved names• Reserved prefixes


Reserved Names

any as-any rs-any peeras

and or not

atomic

from to at action accept announce

except refine

networks into inbound outbound


Reserved Prefixes

Prefix Object type

as- as set

rs- route set

rtrs- router set

fltr- filter set

prng- peering set


Contact Information


Contact Information

• person• role• mntner


Person Object


address: Corrofin



nic-hdl: CL123-TEST

remarks: This is a

test object

mnt-by: TEST-MNT


source: TEST

Person object information

Auxiliary information


Person Object 2

• Information about technical or administrative contact• The value of the “person” attribute cannot be changed• The nic-handle is the primary key.• In RIPE-181, name && nic-handle was the primary key• The role object is very similar• Auxiliary information is in all object types


Mntner Object Template

mntner: [mandatory] [single] [primary/look-up key]descr: [mandatory] [multiple] [ ]admin-c: [mandatory] [multiple] [inverse key]tech-c: [optional] [multiple] [inverse key]upd-to: [mandatory] [multiple] [inverse key]mnt-nfy: [optional] [multiple] [inverse key]auth: [mandatory] [multiple] [ ]remarks: [optional] [multiple] [ ]notify: [optional] [multiple] [inverse key]mnt-by: [mandatory] [multiple] [inverse key]auth-override: [optional] [single] [ ]referral-by: [mandatory] [single] [inverse key]changed: [mandatory] [multiple] [ ]source: [mandatory] [single] [ ]


Mntner object

mntner: AMRM-TESTdescr: Ambrose's mntner.admin-c: RD132-RIPEtech-c: AMRM1-RIPEupd-to: [email protected]: [email protected]: [email protected]: CRYPT-PW 984rZ0K0mvMjUremarks: This is a test mntner.notify: [email protected]: AMRM-TESTreferral-by: RIPE-DBM-MNTchanged: [email protected] 19980916source: RIPE


Mntner object 2

• New attribute: referral-by– the mntner that created this mntner

• New attribute: auth-override– date after which the mntner can be modified– only the mntner in “referral-by” can do this


“auth” attribute

• NONE• MAIL-FROM

– e.g. MAIL-FROM [email protected]– e.g. MAIL-FROM .*apnic.net

• CRYPT-PW– produced by the UNIX crypt routine– e.g. CRYPT-PW lz1A7/JnfkTI


“auth” attribute 2

• PGPKEY-<PGP Key ID>– e.g. PGPKEY-1290F9D2– RFC 2726– key-cert object

• Be careful using many authentication methods in mntner– logical OR used– avoid using authentication NONE


Specifying Routing Policy


Specifying Policy

• Internet Routing

• aut-num object

• route-set object

• as-set object

• AS Path Regular Expression

• Composite Policy Filters

• Specifying Actions


Specifying Policy 2

• Community Based Policies

• Ambiguity Resolution


Internet Routing

Interior routing is metric basedInside ISP-2, shortest exit to ISP-3OSPF, IS-IS, …..

Exterior routing is policy basedCan A use ISP-3 to reach B ?BGP

A BISP-1 ISP-3

ISP-2


Inter-AS Topology

Backbone Providers

Regional ISP

Other ASes


AS Relationships

• Customer-Regional Provider– Provider forwards traffice– advertises customer routes

• Peer-Peer– mutual benefit

• Regional Provider-Backbone Provider– similar to Customer-Regional Provider

• Typical routing policies implement these


Inter-AS RoutingRegional ISP

AS1 AS2 128.9.0.0/16import

export

AS level peering

AS2 originates 128.9.0.0/16

AS2 exports 128.9.0.0/16 to AS1

AS1 imports 128.9.0.0/16 from AS2


BGP Routes: Path Attributes

• Destination address prefixes• AS path• Originator AS• List of communities (flags)• Metrices: med, pref


aut-num Object expresses routing policy

aut-num: AS4591 as-name: UNSPECIFIED descr: Syra.NET import: from AS4590

action pref=1;accept AS4590

export: to AS4590announce AS4591

default: to AS4590action pref=1networks {140.222.0.0/16}

Auxiliary information not shown


aut-num Object Template Attribute Value Type

aut-num <as-number> mandatory, single, class key

as-name <object-name> mandatory, single

member-of list of

<as-set-names> optional, multiple

import import policy optional, multiple

export export policy optional, multiple

default default policy optional, multiple


aut-num Object in RIPE-181 and RPSL

• as-out, interas-out => export• as-in, interas-in => import• default => default


Aut-num Object in RIPE DB Version 3

• It has all the attributes described in RFC 2622• Cross-mnt

– a mntner to be notified

• Cross-nfy– a person or role object to be notified


Policy in RPSL

• Prefix• AS Path• community• prefix-length• Future attributes through its dictionary• Structured Policy• Uses


Prefix based Policy128.9.0.0/16

128.8.0.0/16

aut-num: AS1

export: to AS2

announce {128.9.0.0/16, 128.8.0.0/16}

N.B. Filtering is based on Address-Prefix Set

AS2 AS1


Prefix based Policy 2128.9.0.0/16

128.8.0.0/16

aut-num: AS2

import: fromAS1

accept {128.9.0.0/16, 128.8.0.0/16}


AS2 AS1


import Attribute

• importfrom <peering-1> [action <action-1>]

…..

from <peering-N> [action <action-N>]

accept <filter>

• Set of routes matched by filter– imported from all peers in peerings

• While importing routes at <peering-M>– <action-M> is done


Choosing a Peering

1.1.1.2

aut-num: AS1

import: from AS2 at 2.2.2.2

action pref = 10;

accept AS2

AS1 AS2

2.2.2.2

1.1.1.1


Choosing a Peering 2

aut-num: AS1


action pref = 10;

accept AS2

import: from AS2 1.1.1.2 at 1.1.1.1

action pref =5;

accept AS2

N.B. In filter context, AS2 = routes originated by AS2


export Attribute

• exportto <peering-1> [action <action-1>]

…..

to <peering-N> [action <action-N>]

announce <filter>

• Set of routes matched by filter– exported to all peers in peerings

• While exporting routes at <peering-M>– <action-M> is done


default Attribute

• defaultto <peering> [action <action>] [networks <filter>]

• Local AS defaults to the AS in <peering>• <action> == attributes of defaulting• <filter> == policy filter• Router only uses the default policy

– if it received the routes matched by <filter> from this peer


Examples of default

AS1 defaults to AS2 and uses 128.9.0.0/16aut-num: AS1default: to AS2 networks {128.9.0.0/16}

AS1 defaults to AS2 and AS3, but prefers AS2 over AS3aut-num: AS1default: to AS2 action pref=1;default: to AS3 action pref=2;


Routing Protocols

• Default is Exterior Gateway Protocol– BGP

• Valid Protocols– in RPSL dictionary

• Injecting Routes between protocols• Multi-Protocol Routing Protocols


Prefix based Policy128.9.0.0/16

128.8.0.0/16

aut-num: AS1

export: to AS2

announce {128.9.0.0/16, 128.8.0.0/16}


AS2 AS1


Originate more routes ?128.9.0.0/16

128.8.0.0/16 aut-num: AS1 export: to AS2

announce {128.9.0.0/16, 128.8.0.0/16, 128.6.0.0/16}

AS2 AS1 128.6.0.0/16


route-set Objects

route-set: rs-red members: 128.6.0.0/16, 128.8.0.0/16,

128.9.0.0/16 desc: some address prefixes

route-set: rs-yellow members: 128.7.0.0/16, rs-red desc: A route-set that includes rs-red

128.6.0.0/16, 128.8.0.0/16, 128.9.0.0/16 are direct members ofrs-red.

The route-set object replaces the community object fromRIPE-181.


route-set Object Template Attribute Value Typeroute-set <object-name> mandatory, single, class keymembers list of optional, multi-valued

<address-prefix-range> or<route-set-name> or<route-set-name><range-operator> orrs-any

mbrs-by-ref list of optional, multiple-valued<mntner-names> or ANY


Range Operators

• Address-prefix-range– address prefix followed by a range operator

• ^+: inclusive more specifics– 5.0.0.0/8^+

• ^-: exclusive more specifics– 128.9.0.0/16^-

• ^n: length n more specifics– 30.0.0.0/^16

• ^n-m: length n-m more specifics– 30.0.0.0/^24-32


Indirect members of route-set

route-set: RS-ANS-IGP_ONLY desc: ANS IGP aggregates mbrs-by-ref: any

route: 207.25.17.0/24 origin: AS1675 member-of: RS-ANS-IGP_ONLY mnt-by: MNT-ANS



Restricted indirect members of route-set

route-set: RS-ANS-IGP_ONLY desc: ANS IGP aggregates mbrs-by-ref: MNT-ANS, MNT-CENGIZ


route: 192.157.69.0/24 origin: AS1675 member-of: RS-ANS-IGP_ONLY mnt-by: MNT-CURTIS


Direct & indirect members of route-set

route-set: RS-ANS-IGP_ONLY desc: ANS IGP aggregates members: 207.25.17.0/24, 207.25.16.0/24,

207.25.20.0/24 mbrs-by-ref: MNT-ANS




Direct Members

• The member-of attribute of the route object is an extra way to specify the members directly

• If an address-prefix is listed in the members attribute of a route-set, then it is a member of that route set

• The route object corresponding to this address-prefix does not need to contain a member-of attribute referring to this set name.

• Only use the member-of attribute of the route object when using the mbrs-by-ref attribute in the route-set object.


Members of sets in RIPE DB Version 3

• route, aut-num and inet-rtr objects have “member-of” attribute

• This is not enough !!!• The set object has “mbrs-by-ref” and “members”

– if “mbrs-by-ref” is absent, “members” is used

• Database software checks validity of membership– rejects invalid creation or update of object


Example of route-set128.9.0.0/16


announce {128.9.0.0/16, 128.8.0.0/16, 128.6.0.0/16}

AS2 AS1 128.6.0.0/16


Routing policy per route-set

route-set: rs-red members: 128.6.0.0/16, 128.8.0.0/16,

128.9.0.0/16

aut-num: AS1 export: to AS2 announce rs-red

aut-num: AS2 import: to AS1 accept rs-red


Example of route-set 2128.9.0.0/16


announce rs-red

aut-num: AS2import: from AS1

accept rs-red

AS2 AS1 128.6.0.0/16


Range operators and route-sets

route-set: rs-martians desc: most Ases do not import these routes members: 0.0.0.0/0^32, 127.0.0.0/8^+, 10.0.0.0/8^+, 172.16.0.0/20^+,

192.168.0.0/16^+, 192.0.2.0/24^+,128.0.0.0/16^+, 191.255.0.0/16^+,192.0.0.0/24^+, 223.255.255.0/24^+,224.0.0.0/3^+, 0.0.0.0/0^26-32


route Object Template Attribute Value Typeroute: <address-prefix> mandatory, single, class keyorigin: <as-numbers> mandatory, single, class keymember-of: list of optional, multiple

<route-set-names>inject: aggregation info optional, multiplecomponents: aggregation info optional, singleaggr-bndy: <as-expression> optional, singleaggr-mtd: aggregation info optional, singleexport-comps: <filter> optional, singleholes: list of optional, multiple

<address-prefix>


Route Object in RIPE DB Version 3

• Cross-mnt– mntner(s) to be notifed

• Cross-nfy– person or role to be notified

• No admin-c or tech-c in route object

• RFC-2622: admin-c and tech-c in route object


Route Object 1

• Subset of a route !• The route and origin attributes == class key

route: 128.8.0.0/16

origin: AS1

route: 128.8.0.0/16

origin: AS2

N.B. Two different routes


Route Object 2

route: 193.0.0.0/22

origin: AS3333

mnt-by: RIPE-NCC-MNT

Policy information

N.B. Auxiliary information is not shown

•Route 193.0.0.0/22 is originated by AS3333


Using AS numbers in Policy

route: 128.9.0.0/16 route: 128.8.0.0/16 origin: AS1 origin: AS1 aut-num: AS1 export: to AS2 announce AS1

aut-num: AS2import: from AS1 accept AS1

AS2 AS1


Cumbersome ?

aut-num: AS1 export: to AS2 announce AS1 OR AS3 … AS6

aut-num: AS2 import: from AS1 accept AS1 OR AS3 … AS6

AS2 AS1

AS3 AS4 AS5

AS6


Using as-set objects

as-set: AS1:AS-Customers members: AS1, AS3, AS4, AS5, AS6

aut-num: AS1 export: to AS2 announce AS1 OR AS3 … AS6

aut-num: AS2 import: from AS1 accept AS1 OR AS3 … AS6

AS2 AS1

AS3 AS4 AS5

AS6


as-set Object Template Attribute Value Typeas-set <object-name> mandatory, single, class keymembers list of optional, multiple-valued

<as-numbers> or<as-set-names> oras-any

mbrs-by-ref list of optional, multiple-valued<mntner-names> or ANY


Indirect members of as-set

as-set: as-alkmaar desc: IGP aggregates mbrs-by-ref: any

aut-num: AS3333 member-of: as-alkmaarmnt-by: RIPE-NCC-MNT

aut-num: AS1213 member-of: as-alkmaar mnt-by: AS1213-MNT


Using as-set objects 2

as-set: AS6:AS-Customers members: AS6, AS7, AS8

as-set: AS1:AS-Customers members: AS1, AS3, AS4, AS5, AS6:AS-Customers

AS2 AS1

AS3 AS4 AS5

AS6 AS7

AS8


Using as-set objects 3

aut-num: AS1 export: to AS2 announce AS1:AS-Customers

aut-num: AS2 import: from AS1 accept AS1:AS-Customers

AS2 AS1

AS3 AS4 AS5

AS6 AS7

AS8


More Customers ?

aut-num: AS2 import: from AS1 accept AS1:AS-Customers import: from AS3 accept AS3:AS-Customers import: from AS4 accept AS4:AS-Customers

AS3 AS1

AS4

AS2


PeerAS

as-set: AS2:AS-Customers members: AS1, AS3, AS4 aut-num: AS2 import: from AS2:AS-Customers accept PeerAS:AS-Customers

AS3 AS1

AS4

AS2


PeerAS 2

• Keywoord :PeerAS• Used in import attribute

– instead of the AS number of the peer AS

• Useful when using AS expression


Predefined Set Objects

• RS-ANY, rs-any• AS-ANY, as-any


Route-set context

• AS number: ASX == routes originated by ASX

• as-set: AS-X == routes originated by the AS’es in AS-X


Complex example

Solution ?

AS2 AS1

AS3 AS4 AS5

AS6

AS7

AS8 AS9


AS Path Based

AS paths that start in AS1 and end in AS8:

<^AS1 .* AS8$>

No prefix filters here !!!

AS2 AS1

AS3 AS4 AS5

AS6

AS7

AS8 AS9


AS Path Regular ExpressionsAS1 AS1

as-foo any AS in as-foo

X* 0 or more occurrences of X

X+ 1 or more occurrences of X

X? 0 or 1 occurrence of X

^ beginning of path

$ end of path

X|Y X or Y

XY X followed by Y


AS Path Regular Expressions

• Policy filter– only when the expression is between ‘<‘ and ‘>’

• Regular expressions– the alphabet of AS numbers

• Router can check– BGO: AS_PATH– IDRP: RD_PATH

• Regular Expression Operators


AS Path RE Example

<^AS1+ AS1:AS-Customers* $> matches:AS1AS1 AS3AS1 AS4AS1 AS5 AS6AS1 AS1 AS5 AS5 AS6

AS2 AS1

AS3 AS4 AS5

AS6

AS7

AS8 AS9


AS Path Based import/export

import: from AS1 accept <^AS1 .* AS8>

import: from AS1 accept <^AS1 AS1:AS-Customers*$>

No route prefixes here !!!

AS2 AS1

AS3 AS4 AS5

AS6

AS7

AS8 AS9


Composite Policy Filters

• NOT, AND, OR• AS1 == {128.8.00/16, 128.9.0.0/16}• rs-red == {128.6.0.0/16, 128.9.0.0/16}

• AS1 OR rs-red == {128.6.0.0/16, 128.8.0.0/16, 128.9.0.0/16}

• AS1 AND rs-red == {128.9.0.0/16}• AS1 AND NOT rs-red == {128.8.0.0/16}


Composite Policy Filters 2

• aut-num: AS1 import: from AS1

accept (AS1 OR rs-red) AND NOT {0.0.0.0/0}

• N.B. AS numbers & as-set names == routes


Filter Bad Routes

route-set: RS-MARTIANS desc: most Ases do not import these routes members: 0.0.0.0/0^32, 127.0.0.0/8^+, 10.0.0.0/8^+, 172.16.0.0/20^+,

192.168.0.0/16^+, 192.0.2.0/24^+,128.0.0.0/16^+, 191.255.0.0/16^+,192.0.0.0/24^+, 223.255.255.0/24^+,224.0.0.0/3^+, 0.0.0.0/0^26-32

aut-num: AS1 import: from AS-ANY

accept ANY AND NOT RS-MARTIANS


Prefix Length Based Policy

• aut-num: AS1 import: from any

accept ANY AND NOT {192.168.0.0/16^+}

• N.B. Filter == Address-Prefix Set; Composite Policy


Actions

• Preference & Cost• Community


Preference & Cost

aut-num: AS4 import: from AS1 action pref = 10; accept ANY import: from AS4 action pref = 15; accept ANY

Smaller the number, higher the preference !!!

AS2 AS4

AS1

AS3Slow link


Specifying Actions

• RPSL policy actions– set or modify route attributes– instruct routers to do special operations

• route flap dampening

• Which route attributes ?– RPSL dictionary– dictionary object not implemented in RIPE Database Version 3


Specifying Actions 2

• Syntax of a policy action – x.method(arguments)– x “operator” argument

• Terminated by semicolon ‘;’

• Composite policy actions possible– evaluated left-to-right



import: from … action XXX; accept …

export: to … action XXX; announce ...

med = 0;

med = igp_cost;

community.append(NO_EXPORT, 10250, 3561:90);

community.delete(NO_EXPORT);

aspath.prepend(AS1, AS1, AS1);



aut-num: AS4 export: to AS1 announce AS4 export: to AS3 action aspath.prepend(AS4);

announce AS4

Smaller the number, higher the preference !!!

AS2 AS4

AS1

AS3Slow link


Choosing a Peering

1.1.1.2

aut-num: AS1

import: from AS2 accept AS2

AS1 AS2

2.2.2.2

1.1.1.1


Choosing a Peering

1.1.1.2

aut-num: AS1


action pref = 10;

accept AS2

AS1 AS2

2.2.2.2

1.1.1.1


Choosing a Peering 2

aut-num: AS1


action pref = 10;

accept AS2

import: from AS2 1.1.1.2 at 1.1.1.1

action pref = 5;

accept AS2


Community Based Policy

• AS4 wants AS3561 to prefer AS1 path• AS3561 prefers routes with

– no community– with community 3561:90– with community 3561:80– with community 3561:70

AS2 AS4

AS1

AS3Slow link


AS3561’s Policies

aut-num: AS3561import: from AS-ANY

action pref = 30;accept community(3561:70)

import: from AS-ANYaction pref = 20;accept community(3561:80)

import: from AS-ANYaction pref = 10;accept community(3561:90)

import: from AS-ANYaction pref = 0;accept ANY


AS 4’s Policies

aut-num: AS4 export: to AS1 action community.={3561:90}; to AS3 action community.={3561:80};

announce AS4

AS3561 AS4

AS1

AS3Slow link


Ambiguity Resolution

• Two or more peering expressions– describe the same peering

• Which is used ?

• Specification-order rule– the first peering specification is always used


Ambiguity Resolution 2

aut-num: AS1

import: from AS2 action pref = 2; accept AS4

import from AS2 action pref = 1; accept AS4 OR AS5

AS2 accepts AS4’s routes with pref = 2

AS2 accepts AS5’s routes with pref = 1


Set Objects


Set Objects

• Sets of routes, autonomous systems, etc.– route-set– as-set– filter-set– peering-set– rtr-set

• Specify members– directly– indirectly


Set Names

• Example: as-customers• Example: rs-partner


Hierarchical Set Names

• Sequence of set names and AS numbers, separated by “:”

• At least one component must be an actual set name.

• All set name components must be of the same type.

• Authorization

• Mntner of AS1 controls AS1:AS-Customers

• AS1:RS-EXPORT controls AS1:RS-EXPORT:AS2


Filter-Set Objects

filter-set: fltr-red filter: {5.0.0.0/8, 6.0.0.0/8}

fltr-set: fltr-green filter: (AS1 or fltr-red) and <AS2>

<AS2> == AS path filter== matches any route whose AS-pathcontains AS2.

Filter set names: “fltr-“


“filter” attribute

• “filter” attribute defines a policy filter• A policy filter matches routes• Any BGP path attribute can be in the filter

– ANY– Address-Prefix Set– Route Set Name– AS Path Regular Expressions– Composite Policy Filters– Routing Policy Attributes– Filter Set Name


Peering Set Object

• Defines a set of peerings• Peering Set Name: prng-• The peering attribute defines a peering

– used to import or export routes

• No “members” attribute


Peering-Set Objects 2

peering-set: prng-red peering: AS3 at 9.9.9.1

peering-set: prng-green peering: prng-red peering: AS2 at 9.9.9.1

aut-num: AS1 import: from prng-green

accept {128.9.0.0/16}


Rtr-Set Objects

rtr-set: rtrs-red members: rtr1.isp.net, rtr2.isp.net mbrs-by-ref: RED-MNT

rtr-set: rtr-green members: rtr3.isp.net, rtrs-red mbrs-by-ref: ANY

Rtr set names: “rtrs-“

Same rules about “mbrs-by-ref” as before.


rtr-set Object Template

Attribute Value Typertr-set <object-name> mandatory, single, class keymembers list of optional, multi-valued

<inet-rtr-names> or<rtr-set-names> or<ipv4-addresses>

mbrs-by-ref list of optional, multi-valued<mntner-names> or ANY


Inet-rtr Object


Inet-rtr Object

inet-rtr: Amsterdam.ripe.net local-as: AS3333 ifaddr: 192.87.4.28 masklen 24 ifaddr: 193.0.0.222 masklen 27 ifaddr: 192.16.183.128 masklen 24 ifaddr: 193.0.15.130 masklen 24 peer: BGP4 192.87.4.19 asno(AS2121) peer: BGP4 192.16.183.64 asno(AS3317)

Auxiliary information omitted


Inet-Rtr Object Template

Attribute Value Typeinet-rtr <dns-name> mandatory, single, class keyalias <dns-name> optional, multi-valuedlocal-as <as-number> mandatory, singleifaddr interface address mandatory, multi-valuedpeer peering information optional, multi-valuedmember-of list of optional, multi-valued

<rtr-set-names>


Inet-rtr Object 2

ifaddr: <ipv4-address> masklen <integer> [action <action>]

The peer attribute:

<protocol><ipv4-address> <options>

|<protocol><inet-rtr-name> <options>

|<protocol><rtr-set-name> <options>

|<protocol><peering-set-name> <options>

<protocol> is usually BGP.


Routing Policy System Security


Routing Policy System Security (RPSS)

• Background• as-block• mnt-lower• mnt-routes• referral-by• auth-override


Routing Policy System Security (RPS-Auth)

• RFC-2725• Data integrity and security in the Internet Routing Registry• One new object

– as-block

• Four new attributes– mnt-lower– mnt-routes– referral-by– auth-override


New object in RPS-Auth; as-block

as-block: AS3154 - AS3353descr: RIPE NCC ASN blockremarks: These AS numbers are further assigned by RIPE NCCremarks: to LIRs and end-users in the RIPE NCC regionremarks: Please refer to RIPE Document ripe-185remarks: and RIPE Document ripe-147admin-c: NN32-RIPEtech-c: OPS4-RIPEmnt-by: RIPE-NCC-HM-MNTmnt-lower: RIPE-NCC-HM-MNTchanged: [email protected] 20010423source: RIPE


As-block Object

• Used by Regional Internet Registries• Shows the delegation of a range of AS numbers • Controls the creation of aut-num objects

– mnt-lower attribute

• Also controls creation of more specific as-block objects


New attributes in RPS-Auth

• New attributes increase security• mnt-lower• mnt-routes• referral-by• auth-override


Mnt-lower Attribute

• Used in as-block, aut-num, inetnum, route objects• Points to a mntner object• Controls creation of objects underneath root object• as-block object:

– more specific as-block objects– aut-num objects

• aut-num object– hierarchical name objects


Mnt-lower Attribute 2

• inetnum object– inetnum objects with more specific address prefixes

• route object– route objects with more specific address prefixes


As-block Object again

as-block: AS3154 - AS3353descr: RIPE NCC ASN blockremarks: These AS numbers are further assigned by RIPE NCCremarks: to LIRs and end-users in the RIPE NCC regionremarks: Please refer to RIPE Document ripe-185remarks: and RIPE Document ripe-147admin-c: NN32-RIPEtech-c: OPS4-RIPEmnt-by: RIPE-NCC-HM-MNTmnt-lower: RIPE-NCC-HM-MNTchanged: [email protected] 20010423source: RIPE


RPS-Auth; as-block & mnt-lower

as-block: AS3154 - AS3353descr: RIPE NCC ASN blockmnt-lower: RIPE-NCC-HM-MNT…..

aut-num: AS3333as-name: RIPE –NCC-ASmnt-by: RIPE-NCC-MNT…..

The aut-num object AS3333 can only be createdby RIPE-NCC-HM-MNT. If as-block object has no ‘mnt-lower’ attribute,=> ‘mnt-by’ is used.


Aut-num Object & mnt-lower

aut-num: AS1mnt-by: AS1-NOC-MNTmnt-lower: AS1-SALES-MNT…..

as-set: AS1:AS-Customersmnt-by: AS1-CUSTOMERS-MNT…..

The as-set object AS1:AS-Customers can only be createdby AS1-SALES-MNT. If aut-num object has no ‘mnt-lower’ attribute,=> ‘mnt-by’ of as-set object is used.


Inetnum Object & mnt-lower

inetnum: 193.0.2.0 - 193.0.3.255netname: RIPE-NCCdescr: RIPE Network Coordination Centreremarks: RIPE Meetings and other non-permanent usesmnt-by: RIPE-NCC-MNTmnt-lower: RIPE-NCC-MNT

inetnum: 193.0.3.0 - 193.0.3.255netname: RIPE-NCC

The inetnum object 193.0.3.0 - 193.0.3.255 can only be created bythe mntner in the ‘mnt-lower’ of 193.0.2.0 – 193.0.3.255, i.e.RIPE-NCC-MNT.


Route Object & mnt-lower

route: 193.0.0.0/21desc: RIPE-NCCorigin: AS3333mnt-by: RIPE-NCC-MNTmnt-lower: RIPE-NCC-MNT

route: 193.0.0.0/22desc: RIPE-NCCorigin: AS3333

The route object 193.0.0.0/22 can only be created by themntner RIPE-NCC-MNT. If the route object 193.0.0.0/21 hasno ‘mnt-lower’, then the mntner in ‘mnt-by’ is used. The‘mnt-routes’ or ‘mnt-by’ of AS3333 object is also checked.


Mnt-routes Attribute

• Used in aut-num, inetnum, route objects• Points to a mntner object• Does not allow changes to the object where it appears• Controls creation of route objects • <mnt-name> [ {list of <address-prefix-range>} | ANY • Default is ANY == all more specific routes


Mnt-routes; Summary

• Aut-num object– origin attribute of the route object– mnt-routes– mnt-by

• Route object– exact or less specific match– mnt-routes– mnt-lower– mnt-by


Mnt-routes; Summary 2

• Inetnum object– exact or less specific match– mnt-routes– mnt-lower– mnt-by


Aut-num Object & mnt-routes

aut-num: AS1mnt-by: AS1-OPS-MNTmnt-routes: AS1-ROUTES-MNT

route: 128.8.0.0./16origin: AS1mnt-by: NOC-MNT

A route object 128.8.0.0/16 with origin AS1 can only be created when theauthentication in AS1-ROUTES-MNT and the authentication in NOC-MNT is matched.

This is a new object. It doesnot exist in the database yet.


Inetnum Object & mnt-routes


inetnum: 128.8.0.0 – 128.8.255.255mnt-by: LIR-MNTmnt-routes: NOC-MNT

A route object 128.8.0.0/16 with origin AS1 can only be createdwhen the authentication in AS1-ROUTES-MNT and theauthentication in NOC-MNT is matched.

This is also true for more specific prefixes, e.g. 128.8.0.0/24.

This object exists already.


Route Object & mnt-routes


route: 128.8.0.0./16origin: AS1mnt-by: NOC-MNTmnt-routes: SALES-MNT

A route object 128.8.0.0/24 with origin AS1 can only be createdwhen the authentication in AS1-ROUTES-MNT and theauthentication in SALES-MNT is matched.

This object already exists.


Mnt-routes; Summary

• Aut-num object– origin attribute of the route object– mnt-routes– mnt-by

• Route object– exact or less specific match– mnt-routes– mnt-lower– mnt-by


Mnt-routes; Summary 2

• Inetnum object– exact or less specific match– mnt-routes– mnt-lower– mnt-by


Referral-by

• Refers to the mntner that created a mntner object• Is never changed after the mntner object is created• Usually points to database administrator


Auth-override

• Date after which a mntner can be modified• Only the mntner in “referral-by” can do this• Only the mntner in “referral-by” can modify the mntner• auth-override attribute only added if inactive for 60 days• Value must be >= 60 days from current date


Extra Object Types in RIPE Database Version 3


Extra Object Types in RIPE DB Version 3

• Domain– Top Level Domain (TLD) and Reverse Delegations– referral mechanism

• inet6num– IPv6 address space object

• key-cert object– database public key certificate

• limerick– humorous poem, five lines, with rhyming scheme “aabba”


Advanced Features


Advanced Features

• Aggregation• Static Routes• Structured Policy• RAToolSet

– RTConfig


Aggregation

route: 128.8.0.0/15 origin: AS1 components: {128.8.0.0/15^-} aggr-mtd: outbound AS-ANY inject: at 1.1.1.1 action dpa = 100; inject: at 1.1.1.2 action dpa = 110;


Static Routes

route: 128.7.0.0/16 origin: AS1 inject: at 7.7.7.1

action next-hop = 7.7.7.2; cost = 10;upon static

inject: at 7.7.7.1action next-hop = 7.7.7.3; cost = 20;upon static


Structured Policy

• Example: autonomous system, AS1• AS1 prefers routes with

– no community– community 1:20– community 1:10

• AS1 only accepts – AS2 routes from AS2– AS3 and AS4 routes from AS3– the routes of AS5’s customers from AS5


Structured Policy for AS1

import:{from AS-ANY

accept ANY and not RS-MARTIANS;} refine {

from AS-ANY action pref =10;accept community(1:10);

from AS-ANY action pref=20;accept community(1:20);

from AS-ANY action pref=0;accept any;

} refine {from AS2 accept AS2;from AS3 accept AS3 or AS4;from AS5 accept AS5:AS-Customers;

}


Structured Policy for AS3561

import:{from AS-ANY

accept ANY and not RS-MARTIANS;} refine {

from AS-ANY action pref =30;accept community(3561:70);

from AS-ANY action pref=20;accept community(1:20);

from AS-ANY action pref=0;accept any;

} refine {from AS2 accept AS2;from AS3 accept AS3 or AS4;from AS5 accept AS5:AS-Customers;

}


AS3561’s Policies

aut-num: AS3561import: {

from AS-ANY action pref = 30;accept community(3561:70)

from AS-ANY action pref = 20;accept community(3561:80);

} refine {from AS1 accept AS1:AS-Customers;} except {

from AS2 accept AS2;from AS3 accept AS3;

}

AS1:AS-Customers contains AS2 and AS3.


RAToolSet & RtConfig


RAToolSet & RtConfig

• RAToolSet– http://www.isi.edu/ra/RAToolSet/– a set of policy analysis tools– RIPE DB Version 3 supports the query types

• RtConfig– a tool that generates vendor specific router configurations – use the policy data stored in the Internet Routing Registry– supports several formats


Using RtConfig

• Register routing policy in the Internet Routing Regsitry• Create an RtConfig source file

– router configuration file– replace vendor-specific policy configuration commands with

RtConfig commands

• Run RtConfig– source file– Internet Routing Registry– % RtConfig < template > config-file

• Commands beginning with “@RtConfig” are instructions


RAToolSet 2

• Route Object Editor• Autonomous system Object Editor • Other tools

– prtraceroute


Route Object Editor

• Lists routes registered by a provider• Shows discrepancies• Shows holes• Can be used to correct these discrepancies


Route Object Editor (roe) Example


Autonomous system Object Editor (aoe)


Useful Links

• RPSL http://www.isi.edu/ra/rps/training/• IRR http://www.irr.net/• RIPE http://www.ripe.net/

– http://www.ripe.net/rpsl/– http://www.ripe.net/ripe/docs/databaseref-manual.html

• RAToolSet – http://www.isi.edu/ra/RAToolSet


Acknowledgements

• Cengiz Alaettinoglu– Packet Design Inc.– Provided the slides from which many of these slides are derived– But any errors are the responsibility of Ambrose Magee

• RIPE NCC– Joao Luis Silva Damas– Andrei Robachevsky– Engin Guenduez, Shane Kerr, Vesna Manojlovic– Engineering Group


Acknowledgements 2

• Ericsson Services Ireland– Network Services Solutions

routing policy specification language

Documents

format of data

router configurationsprdbripe

contact informatiombenefit

bgp injection1287 leakbogon

apnic whois databaseno

highlevel policiespolicies

informationboth public

standard rfc2622based