BGP Policy: Jennifer Rexford
Jennifer Rexford
Challenges of BGP
Trade-off of goals
Flexible policy
Convergence speed
Large scale
Policies in practice
Business relationships, traffic engineering,
scalability, security,
Outline
Business relationships
Distributing routes inside the AS
Traffic engineering
BGP security
Components of BGP
BGP protocol
Definition of how two BGP neighbors communicate
Message formats, state machine, route attributes, etc.
Standardized by the IETF
Policy specification
Flexible language for filtering and manipulating routes
Indirectly affects the selection of the best route
Varies across vendors, though constructs are similar
[Figure: data traffic toward 12.34.158.5; labels 1 and 3]
Update messages
Advertisement
New route for the prefix (e.g., 12.34.158.0/24)
Attributes such as the AS path (e.g., 2 1)
Withdrawal
Announcing that the route is no longer available
AS path
Next-hop IP address
Local preference
Multiple-Exit Discriminator
[Figure: BGP route processing. Apply Policy = filter routes & tweak attributes; Best Route Selection, based on attribute values; Best Route Table (best routes); Apply Export Policies; Transmit BGP Updates; install forwarding entries for best routes in the IP Forwarding Table]
11/23/16
Shortest AS path
Included in the route advertisement
[Figure: Sprint, AT&T, USLEC, Tier-2, Tier-3, Yale and Princeton (128.112.0.0/16); Local-pref = 100]
Examples
Don't announce routes from one peer to another
Don't announce routes for management hosts
[Figure: Sprint, UUNET, AT&T and Princeton (128.112.0.0/16); network operator]
Example: AS prepending
Artificially inflate AS path length seen by
others
Convince some ASes to send traffic another
way
[Figure: AT&T, USLEC, Sprint and Princeton (128.112.0.0/16); AS paths "88" and "88 88"]
Business Relationships
Common relationships
Customer-provider
Peer-peer
Backup, sibling,
Implementing in BGP
Import policy
Ranking customer routes over peer routes
Export policy
Export only customer routes to peers and
providers
Customer-Provider Relationship
Customer pays provider for access to Internet
Provider exports customer's routes to everybody
Customer exports provider's routes to customers
[Figure: AT&T and Princeton; advertisements and traffic]
Peer-Peer Relationship
Peers exchange traffic between customers
AS exports only customer routes to a peer
AS exports a peer's routes only to its customers
[Figure: Sprint, AT&T, Princeton and UBC; advertisements and traffic]
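The import and export rules from the two relationship slides above, written out as a small Python sketch. This is an added example, not code from the slides: the mapping of local-pref 100/90/80 to customer/peer/provider, the Route type, the function names and the sample routes are assumptions, and valley_free goes one step beyond the slides by checking the path shape these export rules imply (the "AS path policy" question under BGP Security).

```python
from dataclasses import dataclass

# Assumption: the slides show local-pref values 100, 90 and 80 without saying
# which neighbor gets which; customer > peer > provider is assumed here.
LOCAL_PREF = {"customer": 100, "peer": 90, "provider": 80}

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple      # nearest AS first, origin last
    learned_from: str   # our relationship to the announcing neighbor

def best_route(routes):
    """Import policy plus selection: highest local-pref, then shortest AS path."""
    return max(routes, key=lambda r: (LOCAL_PREF[r.learned_from], -len(r.as_path)))

def may_export(route, neighbor):
    """Export policy: customer routes go to everybody; routes learned from
    peers or providers go only to customers."""
    return route.learned_from == "customer" or neighbor == "customer"

def valley_free(hops):
    """hops[i] is what the next AS is to the current one, in the direction the
    announcement travels. If every AS applies may_export, a path climbs
    customer->provider links, crosses at most one peer link, then only descends."""
    descending = False
    for hop in hops:
        if hop in ("provider", "peer") and descending:
            return False        # some AS gave transit to a peer or provider
        if hop != "provider":
            descending = True
    return True

# Constructed sample: three routes to the slides' Princeton prefix as seen by a
# hypothetical AS; AS names stand in for AS numbers.
ROUTES = [
    Route("128.112.0.0/16", ("ProviderP", "Princeton"), "provider"),
    Route("128.112.0.0/16", ("PeerQ", "AT&T", "Princeton"), "peer"),
    Route("128.112.0.0/16", ("CustR", "CustS", "USLEC", "Princeton"), "customer"),
]

if __name__ == "__main__":
    best = best_route(ROUTES)
    print("best:", best.as_path)
    for n in ("customer", "peer", "provider"):
        print(f"export best to {n}: {may_export(best, n)}")
    print(valley_free(["provider", "peer", "customer"]))   # valid path
    print(valley_free(["customer", "provider"]))           # valley: invalid
```

The customer route wins even though its AS path is the longest of the three, because local-pref is compared before path length.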
Peer
Reduces upstream transit costs
Can increase end-to-end performance
May be the only way to connect your customers to some part of the Internet (Tier 1)
Don't Peer
You would rather have customers
Peers are usually your competition
Peering relationships may require periodic renegotiation
Backup Relationship
Backup provider
Only used if the primary link fails
Routes through other paths
[Figure: AT&T, USLEC and Princeton (128.112.0.0/16)]
Sibling Relationship
[Figure: AT&T and CerfNet]
Internal BGP
[Figure: AS1 and AS2; eBGP and iBGP]
[Figure: AS 100, AS 300 and AS 256; I-BGP; router B; 132.239.17.0/24; Local Pref = 90]
[Figure: FT, DT, UPMC and Wanadoo; router A; annotations: send to other iBGP neighbors; send to other eBGP neighbors]
Example: Peers
Suppose DT, FT, and BT are peers
[Figure: FT, DT, BT, UPMC and Wanadoo; routers B and C; 132.239.0.0/16; local pref = 90; annotations: select DT route; send to other iBGP routers; don't send; send to customers; select A's route]
Suppose:
DT is a customer of FT and BT
FT and BT are peers
[Figure: FT, DT, BT, UPMC and Wanadoo; router B; 132.239.0.0/16; annotations: select DT route; send to other iBGP and eBGP neighbors]
What will router D choose?
IGP distances
D-A: 10
D-B: 8
D-C: 7
[Figure: FT, DT, BT and UPMC; routers A, B, C and D; labels 1, 2, 1, 2, 5; local pref = 80 shown three times; annotations: select FT route, select FT route, select BT route; route to UPMC; traffic to UPMC]
Traffic Engineering
Load balancing
Making good use of network resources
Alleviating network congestion
End-to-end performance
Avoiding paths with downstream congestion
By moving traffic to alternate paths
Mechanisms
Preferring some paths over other paths
E.g., by setting local-preference attribute
Among routes within the same business
class
[Figure: AS paths (2, 1), (3, 4, 1) and (2, 1)]
BGP Security
No denial of service
Prevent overload, session reset, tampered messages?
AS path authentication
Is AS path the sequence of ASes the update traversed?
AS path policy
Does AS path adhere to the routing policies of each AS?
IP Address Ownership
[Figure: labels 4, 3, 5, 2; 12.34.0.0/16]
Consequences for the affected ASes
[Figure: labels 4, 3, 5, 2; 12.34.0.0/16 and 12.34.158.0/24]
Other techniques
Secure extensions to BGP (e.g., S-BGP, soBGP)
Anomaly detection of suspected hijacks
Main defense
Filtering routes based on prefixes and AS path
Main defense
Analyzing BGP updates or data traffic for signs of inconsistency
[Figure: Bad AS; BGP; data; src]
Conclusion
Discussion
Gao Paper
Inferring AS relationships
Customer-provider
Peer-peer
[Figure: labels Valid, Invalid, Invalid]
Characterizations of AS Topology