IETF Logo Mail Archive

Re: [GROW] [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard

"Jakob Heitz (jheitz)" <jheitz@cisco.com> Wed, 10 May 2017 00:46 UTC

Return-Path: <jheitz@cisco.com>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF94512EB78 for <grow@ietfa.amsl.com>; Tue, 9 May 2017 17:46:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c50MRS1GiOs9 for <grow@ietfa.amsl.com>; Tue, 9 May 2017 17:46:20 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53EB31200FC for <grow@ietf.org>; Tue, 9 May 2017 17:46:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6932; q=dns/txt; s=iport; t=1494377180; x=1495586780; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=zsbhJPOPp6Vce8Ficsk4ydiX5p1Ft35Jxo8xlst/b5U=; b=bKM76ue5kcM1HHHFDTexxkPoNMFk76UKDFy+IN9i931z515RJhSsqfOc rHwAsas3kCufLO1tX1vUMdrqe2YA01IYHoYA2kTWiNyJIWNPcFTVCMx0r yC19S2zpXhvTpdlUFf8J3PIk6pMFo51FgSukKpxxRBlBQPEnKU3QjySXG U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CZAACjYRJZ/4oNJK1dGQEBAQEBAQEBAQEBBwEBAQEBg1VigQwHjXqRVZVygg8ohXwChG8/GAECAQEBAQEBAWsohRUBAQEBAzpLBAIBCBEEAQEBHgUEBzIUCQgCBAESCAyKDbR9inABAQEBAQEBAQEBAQEBAQEBAQEghl+BXoIPgQyEQIVtHwWeBQGTEJF0i1OIbgEfOIEKcBVGhHYcGYFJAXaGOIEvgQ0BAQE
X-IronPort-AV: E=Sophos;i="5.38,316,1491264000"; d="scan'208";a="422391400"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 10 May 2017 00:46:19 +0000
Received: from xch-rcd-011.cisco.com (xch-rcd-011.cisco.com [173.37.102.21]) by alln-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id v4A0kI7Q019988 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 10 May 2017 00:46:18 GMT
Received: from xch-aln-014.cisco.com (173.36.7.24) by XCH-RCD-011.cisco.com (173.37.102.21) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 9 May 2017 19:46:18 -0500
Received: from xch-aln-014.cisco.com ([173.36.7.24]) by XCH-ALN-014.cisco.com ([173.36.7.24]) with mapi id 15.00.1210.000; Tue, 9 May 2017 19:46:18 -0500
From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: Richard A Steenbergen <ras@e-gerbil.net>, "grow@ietf.org" <grow@ietf.org>
Thread-Topic: [GROW] [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard
Thread-Index: AQHSuS0M5jIx7MGdxkC4vGLrHY5gKKHNfK+AgAAERQCAAALDgIAAEt4AgAACugCAB6DegIAF+msAgAAJeICAAIr0gIAAEDgAgAAGkwCAAANTAIAAQPsAgABRBYCACezjQIAAXOgA//+sfACAAcGVAIAEjsaQ
Date: Wed, 10 May 2017 00:46:17 +0000
Message-ID: <35b61038ba054a9480c3ef6a35f9057d@XCH-ALN-014.cisco.com>
References: <CAL9jLaZXqA8-LnAdNOfhCQA+pq1fh1site_shSH+-gH0hCNeqQ@mail.gmail.com> <m2o9vg6snc.wl-randy@psg.com> <CAH1iCirW2qnmXyGQb5Db0UYjKhODhbeRxdZEGCWfiQRjWnkn5w@mail.gmail.com> <m27f246ovd.wl-randy@psg.com> <CA+b+ER=Dj=F6rCmZVtOuYmGQyO5fBZx0=18MdbuOhj3fB=XVKA@mail.gmail.com> <m24lx76djx.wl-randy@psg.com> <CA+b+ERm6LuJv+psrE9+DJSgfMSnSHO1LXsFt274J+Btz3WH_1A@mail.gmail.com> <0b84d588d67e420d9286f56ee45d49c2@XCH-ALN-014.cisco.com> <CA+b+ERnkxUfWeg4sUTdzqX322qUfVgLODhieJ5EieXRsNTfaDA@mail.gmail.com> <fc7e3a818b3347e0be0fadace9c3c3ab@XCH-ALN-014.cisco.com> <20170506201719.GJ94714@gerbil.cluepon.net>
In-Reply-To: <20170506201719.GJ94714@gerbil.cluepon.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.19.135]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/m--hucqc5nZT7_Pf90ZZFI_u0lA>
Subject: Re: [GROW] [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 May 2017 00:46:23 -0000

My program to create filters does not care about customer/peer/transit.
It does not care about tier-1 or tier-2.
It looks at your BGP table and finds your largest neighbors,
sized by the number of routes it sends you.
Then for each of those neighbors, it examines as-paths in all other routes
to find all other ASNs between you and adjacent to that neigbor.
Then it builds an as-path filter that allows only those ASNs as upstreams
from that neighbor.

For example, AS-2914 and AS-209 are both tier-1 ISPs.
AS-2914 receives some routes from AS-17676 that passed through AS-209. (routeviews)
The simple rule "no peer routes from customers" would drop those routes.

All the filters are collected together into a single route-policy or route-map.
Then you apply the policy to all your ebgp sessions.

Here is an example of how to apply the policy:
route-policy your_neighbor_in
  if apply allow_as then
    pass
  else
    set community (65000:666)
    set local-preference 0
  endif
end-policy

You may list all the routes that were disallowed like this:
show bgp community 65000:666


Thanks,
Jakob.


> -----Original Message-----
> From: Richard A Steenbergen [mailto:ras@e-gerbil.net]
> Sent: Saturday, May 06, 2017 1:17 PM
> To: Jakob Heitz (jheitz) <jheitz@cisco.com>
> Cc: Robert Raszuk <robert@raszuk.net>; grow@ietf.org
> Subject: Re: [GROW] [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route
> Propagation Behavior Without Policies) to Proposed Standard
> 
> On Fri, May 05, 2017 at 10:51:41PM +0000, Jakob Heitz (jheitz) wrote:
> > Thanks Robert.
> >
> > I did it without using ios-regex or other time consuming string conversion stuff.
> > Still, this method cannot scale to cover every one of several thousand AS neighbors that some ISPs have.
> > IOS cannot handle that many as-path access-lists.
> > I can see that the simple rule of "do not allow peer routes from a customer"
> > doesn't cut it, because some tier-1's have a lot of customers with over 10000 routes each.
> > My filters will certainly cover all the major peers as well as major customers of ISPs.
> > I included a limit on the number of policies to write:
> > so that it will just get the major ones.
> > Also, if a routing table includes leaks, then the resulting policies will
> > continue to allow the leaks.
> > Also, some of the filters may need to add some upstreams that are not in the table of the day.
> > Basically, it is a start that may require a bit of tweaking.
> > I have a better idea of what to commit to the IOS.
> > It will be far more efficient, but I want to gauge interest first.
> 
> I built something very similar using Juniper commit scripts many years
> ago, and used it at GTT, a very large Tier 1 network.
> 
> It was fairly straight forward, all you had to do was feed it an ASN
> list of your "tier 1" peers (ASNs which should never be heard behind
> anyone other than ^asn.*), and "tier 2" peers (ASNs which can be heard
> as ^asn.* as well as ^(tier1|list|here) asn.*). It would then
> automatically create custom as-path filters for each BGP peer, based on
> the individual session and where it found the neighbor asn on the list.
> For customer sessions, it was also easy to incorporate simple as-path
> filters for the most common leaks, e.g. you should never here anything
> on the tier 1 list from any of your customers under any circumstances.
> I'd be happy to release the code if anyone is interested.
> 
> For a well-connected well-peered network, this was absurdly effective at
> preventing huge numbers of the most common routing leaks. In my
> experience, the VAST majority of leaks are caused by simple human typos,
> and/or mistakes caused by things like the (IMHO incredibly poor) default
> behavior to announce everything on a new BGP session with no configured
> policy.
> 
> That said, I have great difficulty imagining how you would successfully
> create any kind of 100% automated as-path filter system based on
> observed behavior in the routing table, based on my many years of
> experience running some of the largest Tier 1 networks on the planet.
> It's simply not practical in the real world. I WOULD highly encourage
> you to pursue building better as-path filtering tools similar to the
> scenario I described above though. It would be great if you could easily
> feed your router some as-path-lists, and configure your policy to build
> the filters described above without needing a script to create a per-as
> as-path filter expression. I wouldn't recommend trying to turn it on
> automatically, but you'd probably help a large number of ISPs by giving
> them the ability to build these filters without requiring complex
> scripting, of offline config automation tooling.
> 
> But the one thing I think every vendor COULD do to vastly improve the
> accidental route leak situation is precisely what this draft suggests,
> default to reject for EBGP neighbors with no configured policy. That's
> one of the very first things I've baked into every one of my configs, a
> default DENY-ALL policy for all BGP neighbors (which was easy to do at
> the top level "protocols bgp" with Juniper), and I have no doubt that it
> saved ME from making countless mistakes over the years. To err is human
> (just look at our routing protocols :P), and a default policy of
> "announce everything, and hope the other side is doing perfect
> filtering" simply has no place in THE global routing protocol.
> 
> I certainly understand the need for caution when making such a major
> change in default behaviors, and would absolutely suggest a multi-year
> phased approach with large numbers of warnings for neighbors which lack
> configured policies leading up to the default knob switch. I'd also
> suggest that every router vendor start by adding a simple knob which can
> change the default behavior globally, and then encourage everyone to
> turn that on as a best practice starting immediately. But I'd also argue
> that none of this should get in the way of trying. Yes it will take many
> many years, and it won't solve anything, but the sooner we start the
> sooner the change can happen.
> 
> I'd also argue that this change will be vastly more beneficial than many
> of the other more dubious efforts we've collectively wasted FAR more
> time and energy, such as RPKI. Accidental origination almost NEVER
> happens in the real world, but accidental leaks due to default allow
> policies happen every day. That makes this one of the most practical and
> sensible changes I've seen proposed to BGP in a long, long time.
> 
> --
> Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

v2.23.0 | Report a Bug | By Email