BGP Best Practices - RIPE Network Coordination Centre

Transcription

Slide 1: BGP Best Practices
Philip Smith, pfs@cisco.com
RIPE NCC Regional Meeting, Manama, Bahrain, 14-15 November 2006
2006 Cisco Systems, Inc. All rights reserved.

Slide 2: Presentation Slides
- Are available … rain-BGP-BCP.pdf
- And on the RIPE NCC Bahrain meeting website

Slide 3: BGP Best Practices: How to use BGP on the Internet

Slide 4: BGP versus OSPF/ISIS
- Separation of IGP and BGP
- Internal Routing Protocols (IGPs)
  - Examples are ISIS and OSPF
  - Used for carrying infrastructure addresses (infrastructure reachability)
  - NOT used for carrying Internet prefixes or customer prefixes
  - Design goal is to minimise the number of prefixes in the IGP, to aid scalability and speed convergence

Slide 5: eBGP & iBGP
- BGP is used internally (iBGP) and externally (eBGP)
- iBGP is used to carry
  - some/all Internet prefixes across the ISP backbone
  - the ISP's customer prefixes
  - BGP session is run between router loopback interfaces
- eBGP is used to
  - exchange prefixes with other ASes
  - implement routing policy
  - BGP session is run on inter-AS point-to-point links

Slide 6: BGP/IGP model used in ISP networks
[Diagram: model representation, with eBGP sessions at the AS edge, iBGP sessions between the ISP's routers, and the IGP underneath]

Slide 7: BGP Scaling Techniques
- Route Refresh
  - To implement BGP policy changes without hard resetting the BGP peering session
- Route Reflectors
  - Scaling the iBGP mesh
  - A few iBGP speakers can be fully meshed
  - Large networks have redundant per-PoP route-reflectors
- Route Flap Damping
  - Is NOT a scaling technique and is now considered HARMFUL
  - www.ripe.net/ripe/docs/ripe-378.html

Slide 8: BGP Communities
- Another ISP "scaling technique"
- Prefixes are grouped into different "classes" or communities within the ISP network
- Each community can represent a different policy, and has a different result in the ISP network
- ISP-defined communities can be made available to customers
  - Allows them to manipulate BGP policies as applied to their originated prefixes

Slide 9: Aggregation
- Aggregation means announcing the address block received from the Regional Internet Registry to the other ASes connected to your network
  - Aggregate should be generated internally, not on network borders
- Subprefixes of this aggregate may be:
  - Used internally in the ISP network
  - Announced to other ASes to aid with multihoming
- Unfortunately too many people are still thinking about class Cs, resulting in a proliferation of /24s in the Internet routing table

Slide 10: Announcing an Aggregate
- ISPs who don't and won't aggregate are held in poor regard by the community
- The RIRs publish their minimum allocation size
  - Anything from a /20 to a /22 depending on the RIR
- No real reason to see anything longer than a /22 prefix in the Internet
  - BUT there are currently 108000 /24s!

Slide 11: The Internet Today (November 2006)
Current Internet Routing Table Statistics, from my Routing Report: http://thyme.apnic.net

  BGP Routing Table Entries                 202457
  Prefixes after maximum aggregation        109985
  Unique prefixes in Internet                98204
  Prefixes smaller than registry alloc      102061
  /24s announced                            108212
    only 5754 /24s are from 192.0.0.0/8
  ASes in use                                23532

Slide 12: BGP Report (bgp.potaroo.net)
- 199336 total announcements in October 2006
- 129795 prefixes after aggregating including full AS PATH info
  - i.e. including each ASN's traffic engineering
  - 35% saving possible
- 109034 prefixes after aggregating by Origin AS
  - i.e. ignoring each ASN's traffic engineering
  - 10% saving possible
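As an added illustration (not from the slides or the BGP Report itself), the two aggregation views the slide describes, computed over a small constructed table; every prefix and ASN below is made up:

```python
import ipaddress
from collections import defaultdict

# Constructed sample table: (prefix, AS_PATH); the origin AS is the last element.
TABLE = [
    ("10.0.0.0/22", (100, 200)),
    ("10.0.0.0/24", (100, 200)),       # more-specific of the /22, same path: pure deaggregation
    ("10.0.1.0/24", (100, 200)),
    ("10.0.2.0/24", (100, 300, 200)),  # same origin AS, different path: traffic engineering
    ("10.0.3.0/24", (100, 300, 200)),
    ("192.0.2.0/24", (100, 400)),
    ("192.0.3.0/24", (100, 400)),
]

def aggregate(table, key):
    """Group prefixes by key(as_path), collapse each group into the fewest
    covering CIDR blocks, and return how many prefixes remain."""
    groups = defaultdict(list)
    for prefix, as_path in table:
        groups[key(as_path)].append(ipaddress.ip_network(prefix))
    return sum(len(list(ipaddress.collapse_addresses(nets)))
               for nets in groups.values())

def report(table):
    """The two views from the slide: aggregating only prefixes with an identical
    AS_PATH (keeps traffic engineering) versus by origin AS (ignores it)."""
    total = len(table)
    by_path = aggregate(table, key=lambda p: p)          # identical full paths only
    by_origin = aggregate(table, key=lambda p: p[-1])    # same origin AS
    return {
        "announcements": total,
        "after_full_path_aggregation": by_path,
        "after_origin_as_aggregation": by_origin,
        # savings expressed as a share of the original announcements
        "saving_full_path_pct": round(100 * (total - by_path) / total),
        "saving_origin_pct": round(100 * (by_path - by_origin) / total),
    }

if __name__ == "__main__":
    for name, value in report(TABLE).items():
        print(f"{name:30} {value}")
```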

Slide 13: Efforts to improve aggregation
- The CIDR Report
  - Initiated and operated for many years by Tony Bates
  - Now combined with Geoff Huston's routing analysis
  - http://www.cidr-report.org
  - Results e-mailed on a weekly basis to most operations lists around the world
  - Lists the top 30 service providers who could do better at aggregating
  - Website allows searches and computations of aggregation to be made on a per-AS basis

Slide 14: Receiving Prefixes
- There are three scenarios for receiving prefixes from other ASNs
  - Customer talking BGP
  - Peer talking BGP
  - Upstream/Transit talking BGP
- Each has different filtering requirements and needs to be considered separately

Slide 15: Receiving Prefixes: From Customers
- ISPs should only accept prefixes which have been assigned or allocated to their downstream customer
- If the ISP has assigned address space to its customer, then the customer IS entitled to announce it back to its ISP
- If the ISP has NOT assigned address space to its customer, then:
  - Check in the five RIR databases to see if this address space really has been assigned to the customer
  - The tool: whois -h whois.apnic.net x.x.x.0/24

Slide 16: Receiving Prefixes: From Peers
- A peer is an ISP with whom you agree to exchange prefixes you originate into the Internet routing table
  - Prefixes you accept from a peer are only those they have indicated they will announce
  - Prefixes you announce to your peer are only those you have indicated you will announce
- Agreeing what each will announce to the other:
  - Exchange of e-mail documentation as part of the peering agreement, and then ongoing updates
  - OR
  - Use of the Internet Routing Registry and configuration tools such as the IRRToolSet, www.isc.org/sw/IRRToolSet/

Slide 17: Receiving Prefixes: From Upstream/Transit Provider
- Upstream/Transit Provider is an ISP who you pay to give you transit to the WHOLE Internet
- Receiving prefixes from them is not desirable unless required for multihoming/traffic engineering
- Ask upstream/transit provider to either:
  - originate a default-route
  - OR
  - announce one prefix you can use as default

Slide 18: Receiving Prefixes: From Upstream/Transit Provider
- If necessary to receive prefixes from any provider, care is required
  - don't accept RFC1918 etc (… txt)
  - don't accept your own prefixes
  - don't accept default (unless you need it)
- Check Rob Thomas' list of … ist.html
- Or get a BGP feed from the Bogon Route Server: http://www.cymru.com/BGP/bogon-rs.html
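An added example, not from the slides or any vendor, of the filtering rules of slides 15 to 18 applied as one inbound check per session type; the own allocation, the registered customer/peer prefixes, the ASNs and the short bogon list are all constructed:

```python
import ipaddress

# Constructed values: our own allocation, and what each customer/peer has registered with us.
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/22")]
REGISTERED = {
    ("customer", 65001): [ipaddress.ip_network("203.0.113.0/24")],
    ("peer", 65010): [ipaddress.ip_network("192.0.2.0/24")],
}
# RFC1918 and a few other martians; a live bogon feed (e.g. the Bogon Route Server) is longer.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
MAX_PREFIXLEN = 24  # RIR minimum allocations are /20 to /22; nothing longer than /24 is needed

def accept(prefix, origin_as, session, want_default=False):
    """Decide whether to accept one prefix from a 'customer', 'peer' or
    'upstream' session. Returns (accepted, reason)."""
    net = ipaddress.ip_network(prefix)
    if net == DEFAULT:
        ok = session == "upstream" and want_default   # only from transit, only if asked for
        return ok, "default route" if ok else "default not wanted"
    if any(net.subnet_of(b) for b in BOGONS):
        return False, "bogon / RFC1918"
    if any(net.subnet_of(o) for o in OWN_PREFIXES):
        return False, "our own address space"
    if net.prefixlen > MAX_PREFIXLEN:
        return False, f"longer than /{MAX_PREFIXLEN}"
    if session in ("customer", "peer"):
        # prefix filter backed by an origin-AS check: the prefix must be one this
        # neighbour has registered (assigned/allocated, or agreed in the peering)
        allowed = REGISTERED.get((session, origin_as), [])
        if not any(net.subnet_of(a) for a in allowed):
            return False, "not registered for this neighbour (check RIR whois / IRR)"
    return True, "ok"

def filter_feed(updates, session, want_default=False):
    """Apply accept() to (prefix, origin_as) pairs; returns (accepted, dropped)."""
    accepted, dropped = [], {}
    for prefix, origin_as in updates:
        ok, why = accept(prefix, origin_as, session, want_default)
        if ok:
            accepted.append(prefix)
        else:
            dropped[prefix] = why
    return accepted, dropped

# Constructed upstream feed: default, an RFC1918 leak, our own block, a /25 and a clean /24.
UPSTREAM_FEED = [("0.0.0.0/0", 65100), ("10.1.0.0/16", 65100), ("198.51.100.0/24", 65100),
                 ("192.0.2.128/25", 65100), ("192.0.2.0/24", 65100)]
```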

Slide 19: Configuration Tips: Of templates, passwords, tricks, and more templates

Slide 20: iBGP and IGPs
Reminder!
- Make sure loopback is configured on the router
  - iBGP between loopbacks, NOT real interfaces
- Make sure IGP carries the loopback /32 address
- Keep the IGP routing table small
- Consider the DMZ nets:
  - Use unnumbered interfaces?
  - Use next-hop-self on iBGP neighbours
  - Or carry the DMZ /30s in the iBGP
  - Basically keep the DMZ nets out of the IGP!

Slide 21: Next-hop-self
- Used by many ISPs on edge routers
  - Preferable to carrying DMZ /30 addresses in the IGP
  - Reduces size of IGP to just core infrastructure
  - Alternative to using unnumbered interfaces
  - Helps scale network
- BGP speaker announces external network using local address (loopback) as next-hop

Slide 22: Templates
- Good practice to configure templates for everything
  - Vendor defaults tend not to be optimal or even very useful for ISPs
  - ISPs create their own defaults by using configuration templates
- eBGP and iBGP examples follow
- Also see Project Cymru's BGP templates: http://www.cymru.com/Documents

Slide 23: iBGP Template Example
- iBGP between loopbacks!
- Next-hop-self
  - Keep DMZ and external point-to-point out of IGP
- Always send communities in iBGP
  - Otherwise accidents will happen
- Hardwire BGP to version 4
  - Yes, this is being paranoid!
- Use passwords on iBGP session
  - Not being paranoid, VERY necessary

Slide 24: eBGP Template Example
- BGP damping
  - Do NOT use it unless you understand the impact
  - Do NOT use the vendor defaults without thinking
- Remove private ASes from announcements
  - Common omission today
- Use extensive filters, with "backup"
  - Use as-path filters to back up prefix filters
  - Keep policy language for implementing policy, rather than basic filtering
(cont…)

Slide 25: eBGP Template Example (continued)
- Use password agreed between you and your peer on eBGP session
- Use intelligent maximum-prefix tracking
  - Router will warn you if there are sudden increases in BGP table size, bringing down eBGP if desired
- Log changes of neighbour state and monitor those logs!
- Make BGP admin distance higher than that of any IGP
  - Otherwise prefixes heard from outside your network could override your IGP!!

Slide 26: Limiting AS Path Length
- Some BGP implementations have problems with long AS PATHs
  - Memory corruption
  - Memory fragmentation
- Even using AS PATH prepends, it is not normal to see more than 20 ASes in a typical AS PATH in the Internet today
  - The Internet is around 5 ASes deep on average
  - Largest AS PATH is usually 16-20 ASNs
- If your implementation supports it, consider limiting the maximum AS-path length you will accept

Slide 27: BGP TTL "hack"
- Implement RFC3682 on BGP peerings
  - Neighbour sets TTL to 255
  - Local router expects TTL of incoming BGP packets to be 254
  - No one apart from directly attached devices can send BGP packets which arrive with TTL of 254, so any possible attack by a remote miscreant is dropped due to TTL mismatch
- See http://www.nanog.org/mtg-0302/hack.html for more details
[Diagram: ISP router R1 directly connected to R2 in AS 100; packets from R2 arrive at R1 with TTL 254, while packets from a remote attacker arrive with TTL 253 and are dropped]
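An added example (not from the slides) that combines the per-neighbour eBGP guards of slides 25 to 27 in one checker: the RFC3682 TTL check, an AS-path length limit and maximum-prefix tracking with a warning threshold and optional teardown; the neighbour address, limits and sample updates are constructed:

```python
from dataclasses import dataclass, field

@dataclass
class EbgpSession:
    """Per-neighbour guards from the eBGP template slides; thresholds are constructed."""
    neighbour: str
    max_prefix: int               # maximum-prefix limit for this neighbour
    warn_pct: int = 80            # log a warning at this share of the limit
    shutdown: bool = True         # bring the session down at the limit (else warning-only)
    maxas_limit: int = 20         # longest AS_PATH accepted; >20 ASes is abnormal today
    ttl_hops: int = 1             # RFC3682: the neighbour is directly attached
    received: set = field(default_factory=set)
    state: str = "Established"
    log: list = field(default_factory=list)

    def accept_packet(self, ttl):
        """TTL 'hack': the neighbour sends with TTL 255, so a directly attached
        device arrives with 254; anything lower crossed extra hops and is dropped."""
        ok = ttl >= 255 - self.ttl_hops
        if not ok:
            self.log.append(f"{self.neighbour}: dropped BGP packet with TTL {ttl}")
        return ok

    def accept_update(self, prefix, as_path):
        """Apply the AS_PATH length limit and maximum-prefix tracking to one update."""
        if self.state != "Established":
            return False
        if len(as_path) > self.maxas_limit:
            self.log.append(f"{self.neighbour}: AS_PATH of {len(as_path)} ASes exceeds "
                            f"{self.maxas_limit}, update rejected")
            return False
        self.received.add(prefix)
        count = len(self.received)
        if count > self.max_prefix:
            self.log.append(f"{self.neighbour}: {count} prefixes exceeds limit {self.max_prefix}"
                            + (", session torn down" if self.shutdown else ""))
            if self.shutdown:
                self.state = "Idle (maximum-prefix exceeded)"
                self.received.clear()
                return False
        elif count == self.max_prefix * self.warn_pct // 100:
            self.log.append(f"{self.neighbour}: {count} prefixes, {self.warn_pct}% of limit")
        return True
```

Every log line is the kind of neighbour-state event slide 25 says to monitor; a real router would additionally emit the neighbour state change itself.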

Slide 28: BGP Futures: What is around the corner?

Slide 29: No-Peer Community
[Diagram: A originates 170.10.0.0/16 towards its upstreams (B and D); sub-prefixes 170.10.X.X are marked no-peer; C, D and E are peers, e.g. Tier-1s]
- Sub-prefixes marked with the no-peer community are not sent to bilateral peers
- They are only sent to upstream providers
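An added example, not the slides' own code, of an outbound policy that honours the no-peer community (slide 29), ISP-defined communities that customers may set (slide 8) and remove-private-as (slide 24); the ASN, the ISP community values and the routes are constructed, while NOPEER is the well-known value from RFC 3765:

```python
MY_AS = 64496                       # constructed: our ASN (documentation range)
NOPEER = 0xFFFFFF04                 # well-known NOPEER community, RFC 3765
PRIVATE_AS = range(64512, 65535)    # private ASNs 64512-65534, never leaked to eBGP

def community(asn, value):
    """Encode an 'ASN:value' community as its 32-bit wire value."""
    return (asn << 16) | value

# Constructed ISP-defined communities that customers may attach to their own prefixes:
#   MY_AS:100      do not announce to peers (same effect as NOPEER)
#   MY_AS:101-103  prepend MY_AS 1-3 extra times towards upstreams
NO_TO_PEERS = community(MY_AS, 100)
PREPEND = {community(MY_AS, 100 + n): n for n in (1, 2, 3)}

def announcements(routes, neighbour_type):
    """Build the (prefix, AS_PATH) announcements for one eBGP neighbour type:
    'upstream', 'peer' or 'customer'."""
    out = []
    for route in routes:
        comms = set(route["communities"])
        if neighbour_type == "peer" and comms & {NOPEER, NO_TO_PEERS}:
            continue                                   # these sub-prefixes go only to upstreams
        # remove-private-as: strip private ASNs (e.g. a customer running a private AS)
        path = tuple(asn for asn in route["as_path"] if asn not in PRIVATE_AS)
        extra = max((n for c, n in PREPEND.items() if c in comms), default=0)
        if neighbour_type != "upstream":
            extra = 0                                  # customer-requested prepends apply upstream only
        out.append((route["prefix"], (MY_AS,) * (1 + extra) + path))
    return out

# Constructed routes: our aggregate (generated internally), a traffic-engineering
# sub-prefix meant for upstreams only, and a customer route learned from a private AS.
ROUTES = [
    {"prefix": "198.51.100.0/22", "as_path": (), "communities": ()},
    {"prefix": "198.51.100.0/24", "as_path": (), "communities": (NOPEER,)},
    {"prefix": "203.0.113.0/24", "as_path": (65001,), "communities": (community(MY_AS, 102),)},
]
```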

Slide 30: 32-bit Autonomous System Number (ASN)
- 32 bit ASNs are coming soon
  - 16 bit ASN space is running out; will be exhausted by October 2010
- Represented as "65.4321", i.e. two 16-bit integers
- With AS 23456 reserved for the … /prop-032-v002.html
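An added example (not from the slides) of the "65.4321" notation alongside the plain 32-bit value, and of the AS 23456 substitution (AS_TRANS, RFC 4893) made when a path containing 32-bit ASNs is sent to a neighbour that only understands 16-bit ones; the sample ASNs are constructed:

```python
AS_TRANS = 23456   # the 16-bit placeholder used on behalf of any 32-bit ASN

def from_asdot(text):
    """Parse '65.4321' (two 16-bit halves) to 65*65536 + 4321; a plain
    decimal such as '64496' is returned unchanged."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"not a valid asdot ASN: {text!r}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of 32-bit range: {text!r}")
    return asn

def to_asdot(asn):
    """Inverse of from_asdot: 16-bit ASNs print as-is, larger ones as 'high.low'."""
    return str(asn) if asn < 0x10000 else f"{asn >> 16}.{asn & 0xFFFF}"

def path_for_old_speaker(as_path):
    """AS_PATH as sent to a neighbour without 32-bit ASN support: every 32-bit
    ASN is replaced by AS_TRANS (the full path travels separately in AS4_PATH)."""
    return tuple(AS_TRANS if asn > 0xFFFF else asn for asn in as_path)
```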

Slide 31: Concern 1: De-aggregation
- RIR space shows creeping deaggregation
  - It seems that an RIR /8 block averages around 6000 prefixes once fully allocated
  - So their existing 74 /8s will eventually cause 444000 prefix announcements
- Food for thought:
  - Remaining 59 unallocated /8s and the 74 RIR /8s combined will cause:
    - 798000 prefixes with 6000 prefixes per /8 density
    - Plus 12% due to "non RIR space deaggregation"
  - Routing Table size of 893760 prefixes

Slide 32: Concern 2: BGP Updates
- BGP Flapping was the "bad guy" of the mid-90s
- BGP Updates is the "bad guy" of today & tomorrow
  - Work by Geoff Huston: bgpupdates.potaroo.net
- 10 providers cause 10% of all the BGP updates on the Internet today
  - All causing more than 2600 updates per day
  - (Connexion by Boeing produces 1450 updates per day)
- Seeing total of 700k updates per day
  - In 5 years time this will be 2.8M updates per day
- What will this mean for the routers?
