Benefits of Using RIPE Routing Registry and Related RIPE NCC Tools - - PowerPoint PPT Presentation

1

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Benefits of Using RIPE Routing Registry and Related RIPE NCC Tools

TELFOR, 24 November 2004 Vesna Manojlovic RIPE NCC Training Services

2

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Overview

• Intro: RIPE and RIPE NCC
• Why document routing policy
• RPSL
• IRRToolset
• Day-to-day Usage of the RR
• RIS

3

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Intro: RIPE and RIPE NCC

• Réseaux IP Européens (1989)

– Collaborative, open community of Internet operators and administrators – Working groups: DB, Routing; EOF (eqv. to NANOG), etc

• RIPE Network Coordination Centre (1992)

– Independent not-for-profit membership organisation – One of 4 Regional Internet Registries – Member services: distributing IP addresses, ASN, reverse DNS delegation, training courses – Public services: whois DB, K-root, ENUM, RIPE support etc

4

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Intro: RIPE whois Database & the IRR

• Public Network Management Database

– “whois” info about networks & contact data

• Routing Registry - a subset of the RIPE DB

– contains routing information, in RPSL

• RIPE RR is part of the Internet Routing Registry:

– http://www.irr.net/ – Distributed databases that mirror each other – IRR = RIPE DB + RADB + Savvis (ex C&W) + ARIN + …

5

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Intro: Why Document Routing Policy?

• Recreate your policy in case of loss of

hardware / administrators

– Less downtime

• Scaling
• Troubleshooting

6

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Intro: Why Document in RPSL?

• Abstract

– Not vendor specific

• Global AS view, not router specific
• Established standard
• Tools available

– router configuration – expertise built into tools

7

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Intro: Why Document in IRR?

• Required by some Transit Providers
• Required by some Exchange Points
• Allows peers to automatically update filters

– For your announcements – Consistent information between neighbours

• Good housekeeping

8

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Intro: Why Document in RIPE DB?

• Convenience

– inetnums already there – aut-num already there – maintainer already there – person objects already there

• Database most likely used by your peers

9

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RPSL

10

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Routing Policy Specification Language

• Object-oriented language

– Structured whois DB objects

• Describes things interesting for the routing policy

– Routes, AS numbers… – Relations between BGP peers – Management responsibility

• Established standard:

– Routing Policy Specification Language (RFC-2622) – Routing Policy System Security (RFC-2725) – Using RPSL in Practice (RFC-2650)

11

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

aut-num: AS2001 import: from AS3000 action pref=30; accept ANY import: from AS4000 action pref=40; accept ANY export: to AS4000 action aspath.prepend(AS2001,AS2001); announce AS2001 export: to AS3000 announce AS2001 as-name: RRTEST-AS2001 descr: Customer of AS3000 & AS4000 admin-c: JS2-RRTEST tech-c: JS2-RRTEST changed: john.smith@example.net 20040606 source: RIPE mnt-by: john-smith-MNT mnt-routes: third-MNT upd-to: john.smith@example.net mnt-nfy: rr-db-notifications@example.net

RPSL: Example aut-num Object

policy supportive & contact information authentication & notification

12

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RPSL: aut-num Attributes Syntax

• import:

– from <peering> [action <action>] accept <filter>

• export:

– to <peering> [action <action>] announce <filter>

• <peering> = ASN ; as-set ; “ASN IP1 at IP2”
• <filter> matches set of routes

– ASN, as-sets, route-sets; – {0.0.0.0/0}; {1.2.3.4/19, 193.0.0.0/23}

• Range operators: e.g. 192.0.2.0/24^+

– ANY ; PeerAS; AND, OR, NOT

• AS-path filters: regular expressions (i.e. <…>)

import: from AS4003 accept <^AS4003+AS4003:AS-customers*$>

13

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RPSL: Simple Animated Example

AS2000 aut-num: AS2000

export: to AS4000 announce AS2000 import: from AS2000 accept AS2000

AS4000 aut-num: AS4000

export: to as2000 announce AS4000 import: from AS4000 accept AS4000

14

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

AS4000 aut-num: AS4000

import: from AS4000 accept AS4000 export: to AS2001 announce AS4000

RPSL: 2nd Animated Example

AS2001 aut-num: AS2001

export: to AS4000 announce AS2001

Internet aut-num: AS3000

AS3000

export: to AS2001 announce ANY import: from AS2001 accept AS2001 import: from AS3000 accept ANY import: from AS2001 accept AS2001 export: to AS3000 announce AS2001 ANY import: from AS4000 accept ANY action pref=10; action pref=30; action pref=40;

action aspath.prepend (AS2001, AS2001);

15

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RPLS: Localpref / prepend

• Controlling the traffic flow:

– for outbound traffic set the value of local-pref

• “action pref=NN” in the “import” lines of aut-num object
• the lower the “pref”, the more preferred the route

– for inbound traffic, modify as-path length

• “action aspath.prepend(ASN)” in the “export” lines
• Longer the as-path, less preferred the route

– Note: the direction of traffic is reverse from accepting / announcing routes

16

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RPSL: Multiple Links / MED

• By setting the value of MED on export lines, the preferred

entry point into your AS can be controlled

export: to AS4044 at 10.3.0.1 action med=2000; announce AS3033 # less preferred, bigger MED export: to AS4044 at 10.3.0.2 action med=1000; announce AS3033 # more preferred, smaller MED

• The neighbour must agree to honour your MED values

– Instead of MED, it is possible to use as-path prepend on less preferred link

• Controlling outbound traffic:

import: from AS4 10.4.0.7 at 10.3.0.1 action pref=10; accept AS4 import: from AS4 10.4.0.8 at 10.3.0.1 action pref=20; accept AS4

17

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RPSL: BGP Communities

• Elegant solution for implementing policies
• RFC-1998: An application of the BGP Community Attribute

in Multi-home Routing

• ISPs publish values of communities in the RR

– E.g. to tell BT to prepend their ASN when announcing your routes to their peers:

export: to 5400 action community = {5400:2073}; announce MY_ASN

– E.g. to receive KPN NL routes on NL peering:

import: from AS268 <ip-NL> action pref=10; accept AS286 AND community.contains (286:3031)

18

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RPSL: Security / Bogon Filtering

• Problems:

– Bogon address space used as source for spamming, DDoS, probes… – Leaking “martians” & bogons due to mis-configuration – Leaking other people’s ranges => black-holing them

• Add “AND NOT fltr-bogons” to all your import and

export attribute filter rules

• Secure BGP Template

– www.cymru.com/Documents/secure-bgp-template.html

19

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Outdated “bogon” Filters

• Inverse problem:

– Bogon filters in place, but not kept up-to-date – Consequence: when new /8 block is allocated to RIR / LIR, it is unreachable from networks with stale filters

• Solution:

– Use fltr-bogons instead your own manually updated list – Or: follow the lists where RIRs announce new /8 blocks

• E.g. https://www.ripe.net/ripe/docs/smallest-alloc-sizes.html
• E.g. www.ripe.net/ripe/draft-documents/deboganising-draft.html

– Or: use bogon route server

• (AS65333, community 65333:888)(e.g. cymru.com)

=> Keep your bogon filters up-to-date!

20

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RPSL: as-set Object Syntax

• as-set objects for groups of aut-num-s
• previously known as AS-MACRO

– as-set: name starts with “AS-”;

• hierarchical, using “asn:” (e.g. AS4000:AS-CUSTOMERS)

– (direct) members: ASNs, or as-set-s – (indirect) mbrs-by-ref: <mntner-name> | ANY

• Aut-num should have “member-of” to include itself in the as-set
• In your aut-num point to as-set-s

– export/import: to/from ASN announce/accept as-set – export/import: to/from as-set announce/accept <filter>

• expression PeerAS loops through the list of members

21

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RPSL: as-set Objects Usage Example

as-set: AS4:AS-CUSTOMERS members: AS2, AS6, AS8 aut-num: AS4 import: from AS4:AS-CUSTOMERS accept PeerAS export: to AS4:AS-CUSTOMERS announce ANY

• PeerAS meaning:
• from AS2 accept AS2
• from AS6 accept AS6
• from AS8 accept AS8
• Without PeerAS – not correct / not intended!
• E.g. from AS4200 accept AS4200 OR AS4204 OR AS4208

22

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

IRRToolSet / RtConfig

23

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RtConfig: Router Configuration

• RtConfig reads policy from the IRR

– Receives commands from the standard input (or file)

• Generates parts of the router configuration file

– Vendor specific: Cisco, Bay’s BCC, Junos, Gated/RSd – Creates access list, route-map and AS path filters – You need to use other scripts (built around it)!

• Command-line tool

24

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RtConfig: RR Integration: The Big Picture

RPSL DB Objects Template /Input File

RtConfig

Flags, Env_Var

(Partial) Router Configuration

25

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RtConfig Template File Example

• Import / export pair for each link; syntax:

– @RtConfig [import/export] <yourASN> <yourRouterIP> <neighbourASN> <neighbourRouterIP>

! Setting max preference to 100 @RtConfig set cisco_max_preference = 100 ! @RtConfig set cisco_map_name = "AS%d-IMPORT-%d" @RtConfig import AS4 10.4.0.7 AS3 10.3.0.1 ! @RtConfig set cisco_map_name = "AS%d-EXPORT-%d" @RtConfig export AS4 10.4.0.7 AS3 10.3.0.1

26

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

IRRToolSet: The Rest of Tools

• Started as RAToolSet; moved to RIPE NCC;
• Now maintained by ISC:

– http://www.ripe.net/db/irrtoolset/ – Mailing list: <irrtoolset@ripe.net>

• Download: ftp://ftp.ripe.net/tools/IRRToolSet/
• Both source code & precompiled versions available
• Installation needs: lex, yacc and C++ compiler

27

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

IRRToolSet: aoe (Aut-num Object Editor)

• Displays the aut-num object for the ASN as in RR

– GUI (graphical tool) (C++/Tcl/Tk)

• Helps creation / editing import / export attributes

– from IRR, BGP-dump, peer’s ASN – multiple pre-determined templates; or define your own

• Translates BGP dump into RPSL
• Command line options:
• aoe –h <host> -p 43 –s <source> -protocol ripe <ASN>

28

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

IRRToolSet: AOE Screen-dump

29

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Day-to-day Usage of the RR

How to put into daily practice all the things learned by now

30

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Usage: Preliminary Work for Your AS

1. Create person and maintainer objects 2. Describe policy in your aut-num object 3. Create route objects in the database 4. Create various as-set objects, to group different categories of neighbours 5. Create RtConfig template file(s) & additional scripts 6. Run RtConfig / scripts periodically to produce (parts of) router configuration file

31

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Usage: Adding a New Neighbour

• Your neighbour needs to:

– Obtain and register an ASN – Create route objects for the new AS

• Automating the process:

– Add the new AS to (one of) your as-set object(s)

• Or import/export pair to your aut-num

– Add a set of commands to your master RtConfig template file

• {IP-address,AS-num,Description}-tuple

– Run again your scripts / programs

• E.g. Use Make to rebuild RtConfig template file(s)

32

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Usage: Simulating Policy Change

• To avoid the impact of the policy change, can do the

simulation before publishing your aut-num

• 1) Copy the aut-num object into a txt file
• 2) Modify the aut-num and save in the new file
• 3) Run RtConfig with the flag “-f”
• E.g. “rt –f my_new_asn.txt < rt-template > new_router_config”

– Other values will be read from the RR (peer aut-nums etc)

• 4) Compare new router config output with the old

– or check if the result describes desired behaviour

33

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Routing Information Service (RIS)

34

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RIS: Giant Looking-glass w/ History Info

• Goal: integrated DB that provides info about routes

and their development over time, for the entire Internet

• Method: collecting & storing time-stamped BGP

announcements, from the default-free core

– “Remote Route Collectors” at several major IXes

• Aimed at: NOC and ISP engineers, research

community http://www.ripe.net/ris/ , <ris@ripe.net>

35

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RIS: Applications

• Debugging

– e.g. Checking why customer route was not available – in the past (hence – history information) – Verify local policies vs router setup => correct errors – Prefix distribution: aggregation, correct filters

• Analysis

– Routing table convergence times; routing flaps – IP space reachable, ASNs in use, ASN types – Comparing RR policies with actual announcements – More: http://www.ripe.net/ris/analysis.html

36

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RIS: Existing Tools & Services

• ASInUse / PrefixInUse
• Search by AS / prefix
• Looking Glass (also for IPv6)
• RISreport (graphs)
• Statistics: (BGP Traffic Hot Spots, RIS Martians)
• RISwhois
• myASN - notification system

– Monitors route propagation of user-specified address ranges and ASNs – Generates alerts in cases of unexpected routing behavior (conflict with a user’s configuration)

37

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

Routing Registry Consistency Check

• Goal: making RR more accurate, by
• Comparing “real” routing data (via RIS) with the RR
• Spotting inconsistencies & suggest corrections

– e.g. prefixes not announced; not registered; unregistered peerings

• Data output

– Web interface for interactive lookups – Reports per mntner (requests to <auto-rrcc@ripe.net>) – Published on the web, reported to the routing-wg

• Use generated suggestions to update RR!

http://www.ripe.net/rrcc/ , <rrcc@ripe.net>

38

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RIPE Routing Registry & Tools: Summary

• Routing Registry & additional tools enable easier

routers configuration in complex networks

– routing policy published in RR provides for consistency and automation of tasks

• The quality of data provided by tools strongly

depends on the data you/others have in the RR!

– Crucial to maintain RR objects up-to-date

• "In theory, there is no difference between theory

and practice. But, in practice, there is."

39

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RIPE Routing Registry & Tools: Homework

• Tasks to do at home:

– Subscribe to the mailing list (db-wg, routing-wg, irrtoools) – Create route object(s) for all your allocations – Create as-set objects to group your neighbors

• Use PeerAS expression

– Update your aut-num with the latest policy – Use RRCC to find incorrect DB objects wrt routing policy – Register for the training course and RIPE meeting

• Promote IRR to your customers, peers & providers!

40

TELFOR, November 2004, Belgrade . RIPE Routing Registry

.

http://www.ripe.net/

RR Courses Coming-up

• Amsterdam, the Netherlands
• 17 December 2004
• Berlin, Germany
• 14 January 2005
• Barcelona, Spain
• 18 March 2005
• Amsterdam, the Netherlands
• 15 April 2005
• St. Petersburg, Russian Federation
• 22 April 2005
• http://www.ripe.net/training/rr/
• Questions?