Mitigation of BGP Route Leaks - - PowerPoint PPT Presentation


Methods for Prevention, Detection and Mitigation of BGP Route Leaks ietf-idr-route-leak-detection-mitigation-06 (Route leak definition: RFC 7908) K. Sriram, D. Montgomery, B. Dickson, K. Patel, and A. Robachevsky IDR Working Group Meeting,


SLIDE 1

Methods for Prevention, Detection and Mitigation of BGP Route Leaks

ietf-idr-route-leak-detection-mitigation-06

(Route leak definition: RFC 7908)

  • K. Sriram, D. Montgomery, B. Dickson, K. Patel, and A. Robachevsky

IDR Working Group Meeting, IETF-98 March 2018

Acknowledgements: The authors are grateful to many folks in various IETF WGs for commenting, critiquing, and offering very helpful suggestions (see acknowledgements section in the draft.)

SLIDE 2

Route Leak: The Tale of Two Culprits

[Figure: ISP1 (AS1), ISP2 (AS2) and Customer (AS3). Labels: peer; prefix (P); prefix (P) update; route-leak (P); route-leak propagated (P).]

  • Intra-AS and Inter-AS solutions are necessary.

SLIDE 3

Building Blocks

OOB communication between operators: Peering relation, ASN, interface IP

Intra-AS route leak prevention (iBGP messaging)

  • COMMUNITY, or
  • Attribute

Inter-AS route leak detection/mitigation

  • Optional transitive attribute (RLP fields)

ietf-idr-route-leak-detection-mitigation-06

Configure peering relation for each peer (per prefix)

Secure RLP fields with BGPsec

OOB = Out of Band

RLP = Route Leak Protection fields (in Optional transitive attribute)

SLIDE 4

Configuration Process Flow

[Flow diagram labels: OOB communication; Provider, Customer, Lat. Peer, Complex (OOB: Prefix sets with different relations); Configure.]

SLIDE 5

Inter-AS Solution: RLP Attribute

[Figure: Optional Transitive Attribute holding a sequence of "ASN: N, RLP: N" fields, ordered from Most Recently Added to Least Recently Added.]

SLIDE 6

No Single Point of Failure & Large ISPs’ Ring of Security

[Figure: customer cones of AS1, AS2, AS3, AS4, AS5, AS7, AS8, AS9 and AS15; legend: Major ISP, Small ISP / Customer; prefix p; RLP(1) = 1, RLP(5) = 1; label "Leak" (twice).]

Leak Stopped at AS2

More robust in partial deployment (AS7, AS8, AS9 not upgraded)
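An added example (not from the slides or the draft authors) of a receiver-side check of the kind that lets AS2 stop the leak on slide 6. It assumes the RLP semantics of the cited draft as understood here (0 = nothing specified, 1 = do not propagate up or lateral, set by a sender toward customers and lateral peers); the function names, role strings and sample paths are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed field values, taken from the cited draft rather than the slides.
RLP_DEFAULT = 0            # nothing specified
RLP_NO_UP_OR_LATERAL = 1   # "do not propagate up or lateral"

@dataclass(frozen=True)
class RlpEntry:
    asn: int   # AS that added this entry
    rlp: int   # RLP value that AS set when it sent the update

def rlp_to_set(neighbor_role: str) -> int:
    """RLP value an upgraded sender adds, given the receiving neighbor's role."""
    return RLP_DEFAULT if neighbor_role == "provider" else RLP_NO_UP_OR_LATERAL

def leak_markers(neighbor_asn: int, neighbor_role: str, entries: list) -> list:
    """ASNs whose RLP=1 marking was violated; an empty list means no leak seen.

    neighbor_role is the configured relation of the sending neighbor to us:
    "customer", "lateral_peer" or "provider". entries are ordered most
    recently added first, as in the attribute layout on slide 5.
    """
    if neighbor_role not in ("customer", "lateral_peer", "provider"):
        raise ValueError(f"unknown role: {neighbor_role}")
    if neighbor_role == "provider":
        return []  # an update coming down from a provider is not "up or lateral"
    # The neighbor's own entry is skipped: a lateral peer legitimately sets 1
    # toward us. Any earlier hop with RLP=1 means the route already went down
    # or sideways once and has now come back up or sideways.
    return [e.asn for e in entries
            if e.asn != neighbor_asn and e.rlp == RLP_NO_UP_OR_LATERAL]

# Constructed sample paths (AS numbers borrowed from slide 6, topology assumed).
# AS1 -> customer AS5 -> customer AS8, which leaks to its other provider AS2.
# AS8 is not upgraded, so it forwards the attribute without adding an entry.
LEAK_VIA_AS8 = [RlpEntry(5, 1), RlpEntry(1, 1)]
# Same leak when AS5 is not upgraded either: AS1's marking alone is enough.
LEAK_ONLY_AS1_MARKED = [RlpEntry(1, 1)]
# Legitimate: AS5 announced up to provider AS1 (0), AS1 sent to lateral peer AS2 (1).
VALID_FROM_PEER_AS1 = [RlpEntry(1, 1), RlpEntry(5, 0)]

if __name__ == "__main__":
    print(leak_markers(8, "customer", LEAK_VIA_AS8))
    print(leak_markers(8, "customer", LEAK_ONLY_AS1_MARKED))
    print(leak_markers(1, "lateral_peer", VALID_FROM_PEER_AS1))
```

The second sample is the partial-deployment case: one upstream marking that survives transit through non-upgraded ASes is enough for the receiving ISP to flag the update.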

SLIDE 7

Building Blocks (with BGP Role negotiation)

OOB communication between operators: Peering relation, ASN, interface IP

BGP OPEN / BGP Role Capability negotiations – re-confirming the role stated in OOB communication

ymbk-idr-bgp-open-policy

Configure peering relation for each peer (per prefix)

Intra-AS route leak prevention (iBGP messaging)

  • COMMUNITY, or
  • Attribute

Inter-AS route leak detection/mitigation

  • Optional transitive attribute

Secure RLP fields with BGPsec

SLIDE 8

Configuration Process Flow (with BGP Role negotiation)

[Flow diagram labels: OOB communication; BGP Role Capability negotiations (re-confirming the role stated in OOB communication); Provider, Customer, Lat. Peer, Complex (OOB: Prefix sets with different relations); Mismatch; Configuration Re-confirmed; Neighbor does not send Role; Configure.]

Actions? Set RLP per ISP’s own knowledge?

SLIDE 9

Merging of the Efforts

  • Option A: Two drafts that complement each other
      • Separate draft exclusively dealing with BGP Open Policy / Role capability
          • Has other applications (e.g. draft-ymbk-idr-isp-border)
          • Keyur and Sriram have offered good feedback and very happy to continue working with the authors
      • ietf-idr-route-leak-detection-mitigation describes the other building blocks (intra-AS, inter-AS)
          • Captures nicely the distilled/refined ideas that reflect five years of WG efforts in SIDR, GROW, and IDR
  • Option B: Merge BGP Open Policy / Role capability into ietf-idr-route-leak-detection-mitigation (sort out authorship issues amicably)