Overview
- Border Gateway Protocol
- Basic building block of the Internet
- Allows two routers to exchange routing information (prefixes)
History
- Currently in version 4 (BGP-4)
- All routers on the internet must "speak" it
- Used as the exterior gateway protocol (compare with OSPF, which is used internally)
Model
- Application level - TCP based (port 179)
  - Connection between neighbors must be configured manually first
  - Neighbor IP addresses are defined (point-to-point)
    - Public
    - Private (can be a link-local IP address, e.g. 169.254/16, or IPv6)
- BGP announcement
  - prefix
  - path attributes
    - next hop, AS_PATH, local preference, multi-exit discriminator
- BGP neighbors exchange routing information (prefixes)
  - iBGP - peering between devices with the same ASN (internal)
  - eBGP - peering between devices with different ASNs (external)
- Local preference - weighting of identical prefixes
  - Decided on the customer's end
- Distance vector routing protocol (AS_PATH)
  - Looks at the number of hops to the destination
Autonomous System
- Autonomous System - identifies a network environment
  - Basic unit of hierarchy in the Internet
  - IANA assigns blocks to Regional Internet Registries (RIRs)
    - RIRs (e.g. ARIN) assign to customers
  - Not individual devices
    - Amazon has one single large number that covers its whole network
- Autonomous System Number (ASN)
  - Identifies the AS
  - Public - assigned by ARIN
  - Private (>=65000) - can be self-assigned
- Decomposes the Internet into smaller pieces
  - Without it, routers would be flooded with "route update" information
- Uses the Exterior Gateway Protocol (BGP) to exchange information between ASes
  - Internally the "owner" is free to use whatever routing protocol it wants (e.g. OSPF)
- Types
  - Single exit ("stub")
  - Multi exit ("transit")
BGP Messages
- Open - establishes a BGP session
- Keepalive - exchanged at regular intervals to confirm the session is still up
- Notification - shuts down a peering session
- Update
  - Announce a new route
  - Withdraw a previously announced route
How it works
- Uses Path Vector (AS_PATH)
  - Network distance
  - Example advertisement: network 171.64/16 can be reached via {AS1, AS5, AS13}
  - Paths with loops are detected locally and rejected (just look for a repeated AS in the AS_PATH)
- Local policies (private to the AS) can pick the preferred path
  - If a number of neighboring ASes advertise a path to the same prefix, I can pick whichever I want
  - You can enforce a certain path even if it is longer (e.g. you have more bandwidth on it)
- When a link/router fails the path is withdrawn
- More specific prefixes are preferred
  - Can be exploited to "hijack" routes (see the 2008 YouTube outage)
BGP Community
- Attribute (label) on a route
  - 32-bit value
  - e.g. 7224:9100
- Examples
  - NO_EXPORT (propagate internally (iBGP) only)
  - NO_ADVERTISE (no propagation at all)
- Use case
  - Control how other routers treat your route advertisement
Peering relationship
- Two ASes can peer with each other
  - Often they exchange packets without paying each other (settlement free)
- Peers provide transit between their respective customers
- Peers do not provide transit between other peers
  - again because the peer exchange is settlement free
Route priority
- Enforce relationships
  - Highest local preference (local policy)
    - e.g. Customer route over Peer route
- Traffic engineering
  - Shortest AS_PATH
  - Lowest Multi-Exit Discriminator (MED)
- In case of a tie
  - Use lowest router ID
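Putting the "How it works" and "Route priority" sections together: an added Python example (not from the original notes) that applies loop detection, the local preference / AS_PATH / MED / router ID decision steps and a longest-prefix forwarding lookup to a constructed Adj-RIB-In, plus a monitoring check that flags a more-specific prefix originated by a different AS than its covering prefix (the pattern of the 2008 YouTube outage). The Route fields, the next-hop addresses and the AS numbers (the notes' AS1/AS5/AS13 plus documentation-range ASNs) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str        # e.g. "171.64.0.0/16"
    as_path: list      # AS numbers, nearest neighbour first, origin AS last
    next_hop: str
    local_pref: int = 100       # higher wins: local policy, e.g. customer > peer > provider
    med: int = 0                # lower wins (real routers only compare MEDs from the same neighbour AS)
    router_id: str = "0.0.0.0"  # lowest wins as the final tie-break

def accepts(route, local_asn):
    """Loop detection: reject any path in which our own AS already appears."""
    return local_asn not in route.as_path

def best_path(candidates, local_asn):
    """Decision steps from the notes, in order, for routes to one prefix."""
    usable = [r for r in candidates if accepts(r, local_asn)]
    key = lambda r: (-r.local_pref, len(r.as_path), r.med, int(ipaddress.ip_address(r.router_id)))
    return min(usable, key=key) if usable else None

def build_loc_rib(adj_rib_in, local_asn):
    """Adj-RIB-In -> Loc-RIB: keep one best route per prefix."""
    by_prefix = {}
    for r in adj_rib_in:
        by_prefix.setdefault(r.prefix, []).append(r)
    chosen = {p: best_path(rs, local_asn) for p, rs in by_prefix.items()}
    return {p: r for p, r in chosen.items() if r is not None}

def lookup(loc_rib, dst):
    """Forwarding lookup: the most specific (longest) matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    matches = [p for p in loc_rib if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen, default=None)

def suspicious_more_specifics(loc_rib):
    """Flag more-specific prefixes whose origin AS differs from the covering prefix's origin."""
    nets = {p: ipaddress.ip_network(p) for p in loc_rib}
    return [(p, q) for p, n in nets.items() for q, m in nets.items()
            if n.subnet_of(m) and n != m and loc_rib[p].as_path[-1] != loc_rib[q].as_path[-1]]

# Constructed sample Adj-RIB-In for a router in AS64496 (documentation-range ASN)
LOCAL_ASN = 64496
ADJ_RIB_IN = [
    Route("171.64.0.0/16", [1, 5, 13], "10.0.0.1", local_pref=200, router_id="192.0.2.1"),     # customer
    Route("171.64.0.0/16", [2, 13], "10.0.0.2", local_pref=100, router_id="192.0.2.2"),        # peer, shorter path
    Route("171.64.0.0/16", [3, 64496, 13], "10.0.0.3", local_pref=300, router_id="192.0.2.3"), # loop: rejected
    Route("171.64.153.0/24", [4, 64511], "10.0.0.4", router_id="192.0.2.4"),                  # more specific, other origin
]
```

Running `build_loc_rib(ADJ_RIB_IN, LOCAL_ASN)` keeps the customer route for 171.64.0.0/16 despite the peer's shorter AS_PATH, and `lookup` on 171.64.153.10 returns the /24, which `suspicious_more_specifics` flags against the /16.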
Routing Information Base
- Information about routes, e.g. in a Juniper router
  - Adj-RIB-In (information received)
  - Local RIB (routes used locally)
  - Adj-RIB-Out (information to advertise)
MD5 authentication
- 18-20 bytes added to the TCP header (options field)
- Calculated over the TCP pseudo-header, TCP header, TCP segment data, and the secret key
Billing
- Customer pays the ISP for carrying its packets
- Common policy to decide a route (economic incentive)
  - Customer > Peer > Provider
Security
- No security built in
- Can be exploited to "hijack" IP ranges
  - e.g. government shutdown
- Examples
  - 2008 YouTube traffic blackholed
  - 2012 CloudFlare traffic sent to a data center in maintenance