| draft-ietf-grow-filtering-threats-02.txt | draft-ietf-grow-filtering-threats-03.txt | |||
|---|---|---|---|---|
| Network Working Group Camilo Cardona | Network Working Group Camilo Cardona | |||
| Internet-Draft IMDEA Networks/UC3M | Internet-Draft IMDEA Networks/UC3M | |||
| Intended status: Informational Pierre Francois | Intended status: Informational Pierre Francois | |||
| Expires: August 17, 2014 IMDEA Networks | Expires: February 5, 2015 IMDEA Networks | |||
| Paolo Lucente | Paolo Lucente | |||
| Cisco Systems | Cisco Systems | |||
| February 13, 2014 | August 4, 2014 | |||
| Making BGP filtering a habit: Impact on policies | Making BGP filtering a habit: Impact on policies | |||
| draft-ietf-grow-filtering-threats-02 | draft-ietf-grow-filtering-threats-03 | |||
| Abstract | Abstract | |||
| Network operators define their BGP policies based on the business | This document describes how unexpected traffic flows can emerge | |||
| relationships that they maintain with their peers. By limiting the | across an autonomous system, as the result of other autonomous | |||
| propagation of BGP prefixes, an autonomous system avoids the | systems filtering, or restricting the propagation of overlapping | |||
| existence of flows between BGP peers that do not provide any | prefixes. We provide a review of the techniques to detect the | |||
| economical gain. This draft describes how unexpected traffic flows | occurrence of this issue and defend against it. | |||
| can emerge in autonomous systems due to the filtering of overlapping | ||||
| BGP prefixes by neighboring domains. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 17, 2014. | This Internet-Draft will expire on February 5, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Filtering overlapping prefixes . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. Local filtering . . . . . . . . . . . . . . . . . . . . . 3 | 2. Unexpected Traffic Flows . . . . . . . . . . . . . . . . . . 4 | |||
| 2.2. Remotely triggered filtering . . . . . . . . . . . . . . 6 | 2.1. Local filtering . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Uses of overlapping prefix filtering that create unexpected | 2.1.1. Unexpected traffic flows caused by local filtering of | |||
| traffic flows . . . . . . . . . . . . . . . . . . . . . . . . 6 | overlapping prefixes . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Unexpected traffic Flows . . . . . . . . . . . . . . . . 7 | 2.2. Remote filtering . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.1.1. Unexpected traffic flows caused by local filtering of | 2.2.1. Unexpected traffic flows caused by remotely triggered | |||
| overlapping prefixes . . . . . . . . . . . . . . . . 8 | filtering of overlapping prefixes . . . . . . . . . . 7 | |||
| 3.1.2. Unexpected traffic flows caused by remotely triggered | 3. Techniques to detect unexpected traffic flows caused by | |||
| filtering of overlapping prefixes . . . . . . . . . . 12 | filtering of overlapping prefixes . . . . . . . . . . . . . . 8 | |||
| 4. Techniques to detect unexpected traffic flows caused by | 3.1. Existence of unexpected traffic flows within an AS . . . 8 | |||
| filtering of overlapping prefixes . . . . . . . . . . . . . . 15 | 3.2. Contribution to the existence of unexpected traffic flows | |||
| 4.1. Being the 'victim' of unexpected traffic flows . . . . . 15 | in another AS . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.2. Being a contributor to the existence of unexpected | 4. Techniques to counter unexpected traffic flows . . . . . . . 10 | |||
| traffic flows in other networks . . . . . . . . . . . . . 15 | 4.1. Reactive counter-measures . . . . . . . . . . . . . . . . 11 | |||
| 5. Techniques to counter unexpected traffic flows due to the | 4.2. Anticipant counter-measures . . . . . . . . . . . . . . . 12 | |||
| filtering of overlapping prefixes . . . . . . . . . . . . . . 16 | 4.2.1. Access lists . . . . . . . . . . . . . . . . . . . . 12 | |||
| 5.1. Reactive counter-measures . . . . . . . . . . . . . . . . 17 | 4.2.2. Neighbor-specific forwarding . . . . . . . . . . . . 13 | |||
| 5.2. Anticipant counter-measures . . . . . . . . . . . . . . . 18 | 5. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 5.2.1. Access lists . . . . . . . . . . . . . . . . . . . . 18 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | |||
| 5.2.2. Automatic overlapping prefix filtering . . . . . . . 19 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 5.2.3. Neighbor-specific forwarding . . . . . . . . . . . . 19 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 6. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 | 9.1. References . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.1. References . . . . . . . . . . . . . . . . . . . . . . . 0 | 9.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 20 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 | ||||
| 1. Introduction | 1. Introduction | |||
| It is common practice for network operators to propagate overlapping | It is common practice for network operators to propagate a more | |||
| prefixes along with the prefixes that they originate. It is also | specific (overlapping) prefix in the BGP routing system, along with | |||
| possible for some Autonomous Systems (ASes) to apply different | the covering prefix that they originate. It is also possible for | |||
| policies to the overlapping (more specific) and the covering (less | some Autonomous Systems (ASes) to apply different policies to the | |||
| specific) prefix. Some ASes can even benefit from filtering the | overlapping and the covering prefix. | |||
| overlapping prefixes. | ||||
| BGP makes independent, policy driven decisions for the selection of | While BGP makes independent, policy driven decisions for the | |||
| the best path to be used for a given IP prefix. However, routers | selection of the best path to be used for a given IP prefix, routers | |||
| must forward packets using the longest-prefix-match rule, which | must forward packets using the longest-prefix-match rule, which | |||
| "precedes" any BGP policy (RFC1812 [1]). Indeed, the existence of a | "precedes" any BGP policy (RFC1812 [1]). The existence of a prefix p | |||
| prefix p that is more specific than a prefix p' in the Forwarding | that is more specific than a prefix p' in the Forwarding Information | |||
| Information Base (FIB) will let packets whose destination matches p | Base (FIB) will let packets whose destination matches p be forwarded | |||
| be forwarded according to the next hop selected as best for p (the | according to the next hop selected as best for p (the overlapping | |||
| overlapping prefix). This process takes place by disregarding the | prefix). This process takes place by disregarding the policies | |||
| policies applied in the control plane for the selection of the best | applied in the control plane for the selection of the best next-hop | |||
| next-hop for p' (the covering prefix). When an Autonomous System | for p'. When an Autonomous System filters overlapping prefixes and | |||
| filters overlapping prefixes and forwards packets according to the | forwards packets according to the covering prefix, the discrepancy in | |||
| covering prefix, the discrepancy in the routing policies applied to | the routing policies applied to covering and overlapping prefixes can | |||
| covering and overlapping prefixes can create unexpected traffic flows | create unexpected traffic flows that infringe the policies of other | |||
| that infringe the policies of other ASes still holding a path towards | ASes, still holding a path towards the overlapping prefix. | |||
| the overlapping prefix. | ||||
| This document presents examples of such cases and discusses solutions | ||||
| to the problem. The objective of this draft is to shed light on the | ||||
| use of prefix filtering by making the routing community aware of the | ||||
| cases where the effects of filtering might turn to be negative for | ||||
| the business of Internet Service Providers (ISPs). | ||||
| The rest of the document is organized as follows: Section 2 | ||||
| illustrates the motivation to filter overlapping prefixes. In | ||||
| Section 3, we provide some scenarios in which the filtering of | ||||
| overlapping prefixes lead to the creation of unexpected traffic flows | ||||
| on other ASes. Section 4 and Section 5 discuss some techniques that | ||||
| ASes can use for, respectively, detect and react to unexpected | ||||
| traffic flows. | ||||
| 2. Filtering overlapping prefixes | ||||
| There are several scenarios where filtering an overlapping prefix is | ||||
| relevant to the operations of an AS. In this section, we provide | ||||
| examples of these scenarios. We differentiate cases in which the | ||||
| filtering is performed locally from those where the filtering is | ||||
| triggered remotely. These scenarios will be used as a base in | ||||
| Section 3 for describing side effects bound with such practices. | ||||
| 2.1. Local filtering | ||||
| Let us first analyze the scenario depicted in Figure 1. AS1 and AS2 | ||||
| are two autonomous systems spanning a large geographical area and | ||||
| peering in 3 different physical locations. Let AS1 announce prefix | ||||
| 10.0.0.0/22 over all peering links with AS1. Additionally, let us | ||||
| define that there is part of AS1's network which exclusively uses | ||||
| prefix 10.0.0.0/24 and which is closer to a peering point than to | ||||
| others. | ||||
| To receive the traffic destined to prefix 10.0.0.0/24 on the link | ||||
| closer to this subnet, AS1 could announce the overlapping prefix only | ||||
| over this specific session. At the time of the establishment of the | ||||
| peering, it can be defined by both ASes that hot potato routing would | ||||
| happen in both directions of traffic. In other words, it was agreed | ||||
| that each AS will deliver the traffic to the other AS on the nearest | ||||
| peering link. In this scenario, it becomes relevant to AS2 to | ||||
| enforce such practice by detecting the described situations and | ||||
| automatically issuing the appropriate filtering. In this case, by | ||||
| implementing these automatic procedures, AS2 would legitimately | ||||
| detect and filter prefix 10.0.0.0/24. | ||||
| ___....-----------....___ | ||||
| ,.--' AS2 `--.. | ||||
| ,' `. | ||||
| | | | ||||
| `._ _.' | ||||
| `--..__ _,,.--' | ||||
| . `'''-----------'''' | | ||||
| | | | | ||||
| | | | | ||||
| 10.0.0.0/22| 10.0.0.0/22| |10.0.0.0/22 | ||||
| | ___....-----------....___ |10.0.0.0/24 | ||||
| ,.--'AS1 `--.. | ||||
| ,' ...........`. | ||||
| | |10.0.0.0/24 | | ||||
| `._ |........._.' | ||||
| `--..__ _,,.--' | ||||
| `'''-----------'''' | ||||
| Figure 1: Basic scenario of local filtering | ||||
| Local filtering could be required in other cases. For example, a | ||||
| dual homed AS receiving an overlapping prefix from only one of its | ||||
| providers. Figure 2 depicts a simple example of this case. | ||||
| _..._ | The objective of this draft is to shed light on possible side effects | |||
| ,' `. | associated with overlapping prefix filtering. This document presents | |||
| / AS4 \ | examples of such side effects and discusses approaches towards | |||
| | | | solutions to the problem. | |||
| \ / | ||||
| ,`-...-'. | ||||
| / '. | ||||
| 10.0.0.0/22 ,' \ | ||||
| 10.0.0.0/24 / \ 10.0.0.0/22 | ||||
| ..:_ >..._ | ||||
| ,' `. ,' `. | ||||
| / AS2 \ / AS3 \ | ||||
| | | | | | ||||
| \ / \ / | ||||
| `-...-', `-...-' | ||||
| \ / | ||||
| \ / | ||||
| 10.0.0.0/22 \_..._ '10.0.0.0/22 | ||||
| 10.0.0.0/24,' `. | ||||
| / AS1 \ | ||||
| | | | ||||
| \ / | ||||
| `-...-' | ||||
| Figure 2: Basic scenario of local filtering | The rest of the document is organized as follows: In Section 2 we | |||
| provide some scenarios in which the filtering of overlapping prefixes | ||||
| leads to the creation of unexpected traffic flows. Section 3 and | ||||
| Section 4 discuss some techniques that ASes can use for, | ||||
| respectively, detect and react to unexpected traffic flows. We | ||||
| conclude in Section 5. | ||||
| In this scenario, prefix 10.0.0.0/22 is advertised by AS1 to AS2 and | 1.1. Terminology | |||
| AS3. Both ASes propagate the prefix to AS4. Additionally, AS1 | ||||
| advertises prefix 10.0.0.0/24 to AS2, which subsequently propagates | ||||
| the prefix to AS4. | ||||
| It is possible that AS4 resolves to filter the more specific prefix | Overlapping prefix: A prefix in the routing table with an address | |||
| 10.0.0.0/24. One potential motivation could be the economical | range that is covered by another prefix present in the routing table. | |||
| preference of the path via AS2 over AS3. Another feasible reason is | ||||
| the existence of a technical policy by AS4 of aggregating incoming | ||||
| prefixes longer than /23. | ||||
| The above examples illustrate two of the many motivations to | Covering prefix: A prefix in the routing table with an address range | |||
| configure routing within an AS with the aim of ignoring more specific | partially covered by other prefixes. | |||
| prefixes. Operators have reported applying these filters in a manual | ||||
| fashion [3]. The relevance of such practice led to investigate | ||||
| automated filtering procedures in I-D.WHITE [2]. | ||||
| 2.2. Remotely triggered filtering | We re-use the definitions of customer-transit peering and settlement- | |||
| free peering of RFC4384 [2]. | ||||
| ISPs can tag the BGP paths that they propagate to neighboring ASes | Selective advertisement: The behavior of only advertising a self | |||
| with communities, in order to tweak the propagation behavior of the | originated BGP path for a prefix over a strict subset of the eBGP | |||
| ASes that handle these paths [1]. | sessions of the AS. | |||
| Some ISPs allow their direct and indirect customers to use such | Selective propagation: The behavior of only propagating a BGP path | |||
| communities to let the receiving AS not export the path to some | for a prefix over a strict subset of the eBGP sessions of an AS. | |||
| selected neighboring AS. By combining communities, the prefix could | ||||
| be advertised only to a given peer of the AS providing this feature. | ||||
| Figure 3 illustrates an example of this case. | ||||
| 10.0.0.0/22 ,' \ | Local filtering: The behavior of explicitly ignoring a BGP path | |||
| 10.0.0.0/24 / \ 10.0.0.0/22 | received over an eBGP session. | |||
| ..:_ >..._ | ||||
| ,' `. ,' `. | ||||
| / AS2 \________ / AS3 \ | ||||
| | |/22 /22| | | ||||
| \ / \ / | ||||
| `-...-', `-...-' | ||||
| \ / | ||||
| \ / | ||||
| 10.0.0.0/22 \_..._ '10.0.0.0/22 | ||||
| 10.0.0.0/24,' `. | ||||
| / AS1 \ | ||||
| | | | ||||
| \ / | ||||
| `-...-' | ||||
| Figure 3: Remote triggered filtering | Remote filtering: The behavior of triggering selective propagation of | |||
| a BGP path at a distant AS. Note that this is typically achieved by | ||||
| tagging a self-originated path with BGP communities defined by the | ||||
| distant AS. | ||||
| AS2 and AS3 are peers. Both ASes are providers of AS1. For traffic | Unexpected traffic flow: Traffic flowing between two neighboring ASes | |||
| engineering purposes, AS1 could use communities to prevent AS2 from | of an AS, although the transit policy of that AS is to not provide | |||
| announcing prefix 10.0.0.0/24 to AS3. | connectivity between these two neighbors. A traffic flow across an | |||
| AS, between two of its transit providers, or between a transit | ||||
| provider and one of its settlement-free peers, are classical examples | ||||
| of unexpected traffic flows. | ||||
| Such technique is useful for operators to tweak routing decisions in | 2. Unexpected Traffic Flows | |||
| order to align with complex transit policies. We will see in later | ||||
| sections that by producing the same effect as filtering, they can | ||||
| also lead to unexpected traffic flows at other, distant, ASes. | ||||
| 3. Uses of overlapping prefix filtering that create unexpected traffic | In this section, we describe how overlapping prefix filtering can | |||
| flows | lead to unexpected traffic flows in other, remote, ASes. We | |||
| differentiate cases in which the filtering is performed locally from | ||||
| those where the filtering is triggered remotely. | ||||
| In this section, we define the concept of unexpected traffic flows | 2.1. Local filtering | |||
| and describe three configuration scenarios that lead to their | ||||
| creation. Note that these examples do not capture all the cases | ||||
| where such issues can take place. | ||||
| 3.1. Unexpected traffic Flows | Local filtering can be motivated by different reasons, such as: (1) | |||
| Traffic engineering, where an AS wants to control their local | ||||
| outbound traffic distribution using only the policy applied to the | ||||
| covering prefix. (2) Enforcing contract compliance, where, for | ||||
| instance, an AS avoids a settlement-free peer to attract traffic to | ||||
| one link by using selective advertisement, when this is not allowed | ||||
| by their peering agreement. | ||||
| The BGP policy of an Internet Service provider includes all actions | Figure 1 illustrates a scenario in which one AS is motivated to | |||
| performed over its originated routes and the routes received | perform local filtering due to outbound traffic engineering. The | |||
| externally. One important part of the BGP policy is the selection of | figure depicts AS64504, and two of its neighboring ASes, AS64502 and | |||
| the routes that are propagated to each neighboring AS. One of the | AS64505. AS 64504 has a settlement-free peering with AS64502 and is | |||
| goals of these policies is to allow ISPs to avoid transporting | a customer of AS64505. AS64504 receives from AS64505 prefixes | |||
| traffic between two ASes without economical gain. For instance, ISPs | 2001:DB8::/32 and 2001:DB8::/34, covering and overlapping prefixes, | |||
| typically propagate to their peers only routes coming from its | respectively. AS64504 receives only the covering prefix | |||
| customers (RFC4384 [3]). We briefly illustrate this operation in | 2001:DB8::/32 from AS64502. | |||
| Figure 4. In the figure, AS2 is establishing a settlement free | ||||
| peering with AS1 and AS3. AS2 receives prefix P3/p3, from AS3. AS2, | ||||
| however, is not interested in transporting traffic from AS1 to AS3, | ||||
| therefore it does not propagate the prefix to AS1. In the figure, we | ||||
| also show a customer of AS2, AS4, which is announcing prefix P4/p4. | ||||
| AS2 propagates this prefix to AS1. | ||||
| ,-----. ,-----. ,-----. | ,-----. | |||
| ,' `. ,' `. ,' `. | / \ | |||
| / AS1 \ / AS2 \ / AS3 \ | ( AS64505 ) | |||
| ( )-----( )-----( ) | \ / | |||
| \ / P4/p4 \ / \ P3/p3 / | `--+--' | |||
| `. ,' `. ,' `. ,' | 2001:DB8::/32 | | | |||
| '-----' '-----' '-----' | 2001:DB8::/34 v | | |||
| | | | | |||
| | | ,--+--. 2001:DB8::/32 ,-----. | |||
| | | / \ <-- / \ | |||
| ,-----. | ( AS64504 )-------------( AS64502 ) | |||
| ,' `. | \ / \ / | |||
| / AS4 \ | `-----' `-----' | |||
| ( ) | ||||
| \ P4/p4 / | ||||
| `. ,' | ||||
| '-----' | ||||
| Figure 4: Prefix exchange among four autonomous systems | Figure 1: Local Filtering | |||
| Although ISPs usually implement the aforementioned policies, | Due to economical reasons, AS64504 might prefer to send traffic to | |||
| unexpected traffic flows may still appear. In Figure 4, unexpected | AS64502 instead of AS64505. However, even if paths received from | |||
| traffic flows are created, when, despite AS2's policy, traffic | AS64502 are given a large local preference, routers in AS64504 will | |||
| arriving from peer AS1 is received and transported to AS3 by AS2. | still send traffic to prefix 2001:DB8::/34 via neighbor AS64505. | |||
| These types of traffic flows can arise due to a number of reasons. | This situation may push AS64504 to apply an inbound filter for the | |||
| Specifically, in this document we explain how the filtering of | overlapping prefix, 2001:DB8::/34, on the session with AS64505. | |||
| overlapping prefixes might cause unexpected traffic flows on ASes. | After the filter is applied, traffic to the overlapping prefix will | |||
| We provide examples of these cases in the next sections. | be sent to AS64502 | |||
| 3.1.1. Unexpected traffic flows caused by local filtering of | 2.1.1. Unexpected traffic flows caused by local filtering of | |||
| overlapping prefixes | overlapping prefixes | |||
| In this section, we describe cases in which an AS locally filters an | In this section, we show how the decision of AS64504 to perform local | |||
| overlapping prefix. We show that, depending on the BGP policies | filtering creates unexpected traffic flows in AS64502. Figure 2 | |||
| applied by surrounding ASes, this decision can lead to unexpected | shows the whole picture of the scenario; where AS64501 is a customer | |||
| traffic flows. | of AS64503 and AS64502. AS64503 is a settlement-free peer with | |||
| AS64502. AS64503 and AS64502 are customers of AS64505. The AS | ||||
| 3.1.1.1. Initial setup | originating the two prefixes, AS64501, performs selective | |||
| advertisement with the overlapping prefix and only announces it to | ||||
| We start by describing the basic scenario of this case in Figure 5. | AS64503. | |||
| ____,,................______ | ||||
| _,.---'''' `''---..._ | ||||
| ,-'' AS5 `-. | ||||
| [ / | ||||
| -.._ __.-' | ||||
| . `'---....______ ______...---'' | ||||
| |/22 `''''''''''''''' | | ||||
| |/24 |/22 | | ||||
| | |/24 | | ||||
| | | | | ||||
| | |/22 |/22 | ||||
| | |/24 |/24 | ||||
| _,,---.:_ _,,---.._ _,,---.._ | ||||
| ,' `. ,' `. ,' `. | ||||
| / AS4 \ / AS2 \ / AS3 \ | ||||
| | |_________| |________| | | ||||
| | | /22 | |/22 /22| | | ||||
| '. ,' /24 . ,'/24 /24 . ,' | ||||
| `. ,' `. ,' `. ,' | ||||
| ``---'' ``---'' ``---'' | ||||
| | | | ||||
| |10.0.0.0/24 |10.0.0.0/24 | ||||
| |10.0.0.0/22 |10.0.0.0/22 | ||||
| | _....---------...._| | ||||
| ,-'AS1 ``-. | ||||
| /' `. | ||||
| `. _, | ||||
| `-.._ _,,,' | ||||
| `''---------''' | ||||
| Figure 5: Initial Setup Local | ||||
| AS1 is a customer of AS2 and AS3. AS2, AS3, and AS4 are customers of | ||||
| AS5. AS2 is establishing a peering with AS3 and AS4. AS1 is | ||||
| announcing a covering prefix, 10.0.0.0/22, and an overlapping prefix | ||||
| 10.0.0.0/24 to its providers. In the initial setup, AS2 and AS3 | ||||
| announce the two prefixes to their peers and transit providers. AS4 | ||||
| receives both prefixes from its peer (AS2) and transit provider | ||||
| (AS5). We will consider that AS5 chooses as best path to AS1 the one | ||||
| received from AS3. | ||||
| 3.1.1.2. Unexpected traffic flows by local filtering - Case 1 | ||||
| In the next scenarios, we show that if AS4 filters the incoming | After AS64504 locally filters the overlapping prefix, traffic from | |||
| overlapping prefix from AS5, there is a situation in which unexpected | AS64504 to prefix 2001:DB8::/34 is forwarded towards AS64502. | |||
| traffic flows are created on other ASes. | Because AS64502 receives the more specific prefix from AS64503, | |||
| traffic from AS64504 to 2001:DB8::/34 follows the path | ||||
| AS64504-AS64502-AS64503-AS64501. AS64502's BGP policies are | ||||
| implemented to avoid transporting traffic between AS64504 and | ||||
| AS64503. However, due to the discrepancies of routes from the | ||||
| overlapping and covering prefixes, unexpected traffic flows between | ||||
| AS64504 and AS64503 exist in AS64502's network. | ||||
| ____,,................______ | ____,,................______ | |||
| _,.---'''' `''---..._ | _,.---'''' `''---..._ | |||
| ,-'' AS5 `-. | ,-'' AS64505 `-. | |||
| [ / | [ / | |||
| -.._ __.-' | -.._ __.-' | |||
| . `'---....______ ______...---'' | . `'---....______ ______...---'' | |||
| |/22 `''''''''''''''' | | + |/32 `''''''''''''''' | | |||
| |/24 |/22 | | | |/34 + |/32 | | |||
| | |/24 | | v | v |/34 | | |||
| | | | | | | ^ | | |||
| | |/22 |/22 | | ^ |/32 | |/32 | |||
| | | |/24 | | + | + |/34 | |||
| _,,---.:_ _,,---.._ _,,---.._ | _,,---.:_ _,,---.._ _,,---.._ | |||
| ,' `. ,' `. ,' `. | ,' `. ,' `. ,' `. | |||
| / AS4 \ / AS2 \ / AS3 \ | / AS64504 \ <-+ / AS64502 \ / AS64503 \ | |||
| | |_________| |________| | | | |_________| |________| | | |||
| | | /22 | |/22 /22| | | | | /32 | |/32 /32| | | |||
| '. ,' . ,' /24 . ,' | '. ,' . ,' /34 . ,' | |||
| `. ,' `. ,' `. ,' | `. ,' `. ,' +-> <-+ `. ,' | |||
| ``---'' ``---'' ``---'' | ``---'' ``---'' ``---'' | |||
| | | | | ^ | | |||
| | |10.0.0.0/24 | ^ |2001:DB8::/32 | |2001:DB8::/32 | |||
| |10.0.0.0/22 |10.0.0.0/22 | | | + |2001:DB8::/34 | |||
| | _,,..---------...._| | + | _....---------...._| | |||
| ,-'AS1 ``-. | ,-'AS64501 ``-. | |||
| /' `. | /' `. | |||
| `. _, | `. _, | |||
| `-.._ _,,,' | `-.._ _,,,' | |||
| `''---------''' | `''---------''' | |||
| Figure 6: Unexpected traffic flows by local filtering - Case 1 | Figure 2: Unexpected traffic flows due to local filtering | |||
| Let us assume the scenario illustrated in Figure 6. For this case, | 2.2. Remote filtering | |||
| AS1 only propagates the overlapping prefix to AS3. AS4 receives the | ||||
| overlapping prefix only from its transit provider, AS5. | ||||
| AS4 now is in a situation in which it would be favorable for it to | ISPs can tag the BGP paths that they propagate to neighboring ASes | |||
| filter the announcement of prefix 10.0.0.0/24 from AS5. | with communities, in order to tweak the propagation behavior of the | |||
| Subsequently, traffic from AS4 to prefix 10.0.0.0/24 is forwarded | ASes that handle these paths [1]. Some ISPs allow their customers to | |||
| towards AS2. Because AS2 receives the more specific prefix from AS3, | use such communities to let the receiving AS not export the path to | |||
| traffic from AS4 to prefix 10.0.0.0/24 follows the path | some selected neighboring ASes. By combining communities, the prefix | |||
| AS4-AS2-AS3-AS1. AS2's BGP policies are implemented to avoid using | could be advertised only to a given peer of the AS providing this | |||
| itself to exchange traffic between AS4 and AS3. However, due to the | feature. Remote filtering can be leveraged by an AS to, for | |||
| discrepancies of routes from the overlapping and covering prefixes, | instance, limit the scope of prefixes and hence perform a more | |||
| unexpected traffic flows between AS4 and AS3 still exist on AS2's | granular inbound traffic engineering. | |||
| network. This situation is economically detrimental for AS2, since | ||||
| it forwards traffic from a peer to a non-customer neighbor. | ||||
| 3.1.1.3. Unexpected traffic flows by local filtering - Case 2 | Figure 3 illustrates a scenario in which an AS uses BGP communities | |||
| ____,,................______ | to command its provider to selectively propagate an overlapping | |||
| _,.---'''' `''---..._ | prefix. Let AS64501 be a customer of AS64502 and AS64503. AS64501 | |||
| ,-'' AS5 `-. | originates prefix 2001:DB8::/32, which it advertises through AS64502 | |||
| [ / | and AS64503. AS64502 and AS64503 are settlement-free peers. Let | |||
| -.._ __.-' | AS64501 do selective advertisement and only propagate 2001:DB8::/34 | |||
| . `'---....______ ______...---'' | over AS64503. AS64503 would normally propagate this prefix to its | |||
| |/22 `''''''''''''''' | | customers, providers, and peers, including AS64502. | |||
| |/24 |/22 | | ||||
| | |/24 | | ||||
| | | | | ||||
| | |/22 |/22 | ||||
| | | |/24 | ||||
| _,,---.:_ _,,---.._ _,,---.._ | ||||
| ,' `. ,' `. ,' `. | ||||
| / AS4 \ / AS2 \ / AS3 \ | ||||
| | |_________| | | | | ||||
| | | /22 | | | | | ||||
| '. ,' . ,' . ,' | ||||
| `. ,' `. ,' `. ,' | ||||
| ``---'' ``---'' ``---'' | ||||
| | | | ||||
| | |10.0.0.0/24 | ||||
| |10.0.0.0/22 |10.0.0.0/22 | ||||
| _;,..---------...._| | ||||
| ,-'AS1 ``-. | ||||
| /' `. | ||||
| `. _, | ||||
| `-.._ _,,,' | ||||
| `''---------''' | ||||
| Figure 7: Unexpected traffic flows after local filtering - Case 2 | Let us consider that AS64501 decides to limit the scope of the | |||
| overlapping prefix. AS64501 can make this decision based on its | ||||
| traffic engineering strategy. To achieve this, AS64501 can tag the | ||||
| overlapping prefix with a set of communities that leads AS64503 to | ||||
| only propagate the path to AS64502. | ||||
| Let us assume a second case where AS2 and AS3 are not peering and AS1 | ^ \ / ^ ^ \ / ^ | |||
| only propagates the overlapping prefix to AS3. AS4 receives the | | /32 \ / /32 | | /32 \ / /32 | | |||
| overlapping prefix only from its transit provider, AS5. This case is | ,-----. ,-----. | |||
| illustrated in Figure 7. | ,' `. ,' `. | |||
| / AS64502 \ / AS64503 \ | ||||
| ( )-------------( ) | ||||
| \ / /32 /32 \ / | ||||
| `. ,' -> /34 `. ,' | ||||
| '-----; <- / '-----' | ||||
| \ / | ||||
| ^ \ / ^ | ||||
| | \ / | | ||||
| | \ / | | ||||
| | \ ,-----.' | 2001:DB8::/32 | ||||
| | ,' `. | 2001:DB8::/34 | ||||
| 2001:DB8::/32 +-- / AS64501 \ --+ | ||||
| ( ) | ||||
| \ / | ||||
| `. ,' | ||||
| '-----' | ||||
| Similar to the scenario described in Section 3.1.1.2, AS4 is in a | Figure 3: Remote triggered filtering | |||
| situation in which it would be favorable to filter the announcement | ||||
| of prefix 10.0.0.0/24 from AS5. Subsequently, traffic from AS4 to | ||||
| prefix 10.0.0.0/24 would be forwarded towards AS2. Due to the | ||||
| existence of a route to prefix 10.0.0.0/24, AS2 receives the traffic | ||||
| heading to this prefix from AS4 and sends it to AS5. This situation | ||||
| creates unexpected traffic flows that contradict AS2's BGP policy, | ||||
| since the AS ends up forwarding traffic from a peer to a transit | ||||
| network. | ||||
| 3.1.2. Unexpected traffic flows caused by remotely triggered filtering | 2.2.1. Unexpected traffic flows caused by remotely triggered filtering | |||
| of overlapping prefixes | of overlapping prefixes | |||
| We present a configuration scenario in which an AS, using the | Figure 4 expands the scenario from Figure 3 and includes other AS | |||
| mechanism described in Section 2.2, informs its provider to | peering with ASes 64502 and 64503. Due to the limitation on the | |||
| selectively propagate an overlapping prefix, leading to the creation | scope performed on the overlapping prefix, ASes that are not | |||
| of unexpected traffic flows in another AS. | customers of AS64502 will not receive a path for 2001:DB8::/34. | |||
| These ASes will forward packets destined to 2001:DB8::/34 according | ||||
| 3.1.2.1. Initial setup | to their routing state for 2001:DB8::/32. Let us assume that AS64505 | |||
| is such an AS, and that its best path towards 2001:DB8::/32 is | ||||
| Let AS1 be a customer of AS2 and AS3. AS1 owns 10.0.0.0/22, which it | through AS64502. Packets sent towards 2001:DB8::1 by AS64505 will | |||
| advertises through AS2 and AS3. Additionally, AS2 and AS3 are peers. | reach AS64502. However, in the data-plane of the nodes of AS64502, | |||
| the longest prefix match for 2001:DB8::1 is 2001:DB8::/34, which is | ||||
| Both AS2 and AS3 select A1's path as best, and propagate it to their | reached through AS64503, a settlement-free peer of AS64502. Since | |||
| customers, providers, and peers. Some remote ASes will route traffic | AS64505 is not in the customer branch of AS64502, we are in a | |||
| destined to 10.0.0.1 through AS2 while others will route traffic | situation in which traffic flows between non-customer ASes take place | |||
| through AS3. | in AS64502. | |||
| \ / \ / | ||||
| /22 \ / /22 /22 \ / /22 | ||||
| ,-----. ,-----. | ||||
| ,' `. ,' `. | ||||
| / AS2 \ /22 / AS3 \ | ||||
| ( )-------------( ) | ||||
| \ / /22 \ / | ||||
| `. ,' `. ,' | ||||
| '-----; / '-----' | ||||
| \ / | ||||
| \ / | ||||
| 10.0.0.0/22\ /10.0.0.0/22 | ||||
| \ / | ||||
| \ ,-----.' | ||||
| ,' `. | ||||
| / AS1 \ | ||||
| ( ) | ||||
| \ / | ||||
| `. ,' | ||||
| '-----' | ||||
| Figure 8: Example scenario | ||||
| 3.1.2.2. Injection of an overlapping prefix | ||||
| Let AS1 advertise 10.0.0.0/24 over AS3 only. AS3 would propagate | ||||
| this prefix to its customers, providers, and peers, including AS2. | ||||
| From AS2's point of view, the path towards 10.0.0.0/24 is a "peer | ||||
| path" and AS2 will only advertise it to its customers. ASes in the | ||||
| customer branch of AS2 will receive a path to the /24 that contains | ||||
| AS3 and AS2. Some multi-homed customers of AS2 may also receive a | ||||
| path through AS3, but not through AS2, from other peering or provider | ||||
| links. Any remote AS that is not lying in the customer branch of | ||||
| AS2, will receive a path for 10.0.0.0/24 through AS3 and not through | ||||
| AS2. | ||||
| \ / /22\ / /22 | ||||
| /22 \ / /22 /24 \ / /24 | ||||
| ,-----. ,-----. | ||||
| ,' `. /22 ,' `. | ||||
| / AS2 \ /24 / AS3 \ | ||||
| ( /22:AS1 )-------------( /22:AS1 ) | ||||
| \ /24:AS3 / /22 \ /24:AS1 / | ||||
| /22 /`. ,' `. ,' | ||||
| /24/ '-----; / '-----' | ||||
| / \ / | ||||
| ,---./ \ / | ||||
| / \ 10.0.0.0/22\ /10.0.0.0/22 | ||||
| | AS4 ) \ / 10.0.0.0/24 | ||||
| \ / \ ,-----.' | ||||
| `---' ,' `. | ||||
| / AS1 \ | ||||
| ( ) | ||||
| \ / | ||||
| `. ,' | ||||
| '-----' | ||||
| Figure 9: Injection of overlapping prefix | ||||
| AS2 only receives traffic destined to 10.0.0.0/24 from its customers, | ||||
| which it forwards to its peer AS3. Routing is consistent with usual | ||||
| Internet Routing Policies in this case. AS3 could receive traffic | ||||
| destined to 10.0.0.0/24 from its customers, providers, and peers, | ||||
| which it directly forwards to its customer AS1. | ||||
| 3.1.2.3. Creation of unexpected traffic flows by limiting the scope of | ||||
| the overlapping prefix | ||||
| Now, let us assume that 10.0.0.0/24, which is propagated by AS1 to | ||||
| AS3, is tagged to have AS3 only propagate that path to AS2, using the | ||||
| techniques described in Section 2.2. | ||||
| ,-------. | ||||
| ,' `. | ||||
| / AS5 \ | ||||
| ( /22:AS2 ) | ||||
| \ / | ||||
| `. ,' | ||||
| '-------' \ / \ / | ||||
| /22 \ //22 /22 \ //22 | ||||
| ,-----. ,-----. | ||||
| ,' `. /22 ,' `. | ||||
| / AS2 \ /24 / AS3 \ | ||||
| ( /22:AS1 )-------------( /22:AS1 ) | ||||
| \ /24:AS3 / /22 \ /24:AS1 / | ||||
| /22 /`. ,' `. ,' | ||||
| /24/ '-----; / '-----' | ||||
| / \ / | ||||
| ,---./ \ / | ||||
| / \ 10.0.0.0/22\ /10.0.0.0/22 | ||||
| ( AS4 ) \ / 10.0.0.0/24 | ||||
| \ / \ ,-----.' | ||||
| `---' ,' `. | ||||
| / AS1 \ | ||||
| ( ) | ||||
| \ / | ||||
| `. ,' | ||||
| '-----' | ||||
| Figure 10: More Specific Injection | ||||
| From AS2's point of view, such a path is a "peer path" and will only | ,-----. | |||
| be advertised by AS2 to its customers. | ,' `. | |||
| / AS64505 \ | ||||
| ( ) | ||||
| \ / | ||||
| `. ,' | ||||
| '-----' | ||||
| ^ \ / ^ ^ \ / ^ | ||||
| | /32 \ / /32 | | /32 \ / /32 | | ||||
| + ,-----. + + ,-----. + | ||||
| ,' `. ,' `. | ||||
| / AS64502 \ / AS64503 \ | ||||
| ( )-------------( ) | ||||
| ,-----. \ / /32 /32 \ / | ||||
| ,' `.---------`. ,' +-> /34 `. ,' | ||||
| / AS64504 \ /32 '-----; <-+ / '-----' | ||||
| ( ) /34 \ / | ||||
| \ / <-+ ^ \ / ^ | ||||
| `. ,' | \ / | | ||||
| '-----; | \ / | | ||||
| | \ ,-----.' | 2001:DB8::/32 | ||||
| | ,' `. | 2001:DB8::/34 | ||||
| 2001:DB8::/32 +--+ / AS64501 \ +--+ | ||||
| ( ) | ||||
| \ / | ||||
| `. ,' | ||||
| '-----' | ||||
| ASes that are not customers of AS2 will not receive a path for | Figure 4: Unexpected traffic flows due to remote triggered filtering | |||
| 10.0.0.0/24. These ASes will forward packets destined to 10.0.0.0/24 | ||||
| according to their routing state for 10.0.0.0/22. Let us assume that | ||||
| AS5 is such an AS, and that its best path towards 10.0.0.0/22 is | ||||
| through AS2. Then, packets sent towards 10.0.0.1 by AS5 will | ||||
| eventually reach AS2. However, in the data-plane of the nodes of | ||||
| AS2, the longest prefix match for 10.0.0.1 is 10.0.0.0/24, which is | ||||
| reached through AS3, a peer of AS2. Since AS5 is not in the customer | ||||
| branch of AS2, we are in a situation in which traffic flows between | ||||
| non-customer ASes take place in AS2. | ||||
| 4. Techniques to detect unexpected traffic flows caused by filtering of | 3. Techniques to detect unexpected traffic flows caused by filtering of | |||
| overlapping prefixes | overlapping prefixes | |||
| We differentiate the techniques available for detecting unexpected | 3.1. Existence of unexpected traffic flows within an AS | |||
| traffic flows caused by the described scenarios from the cases in | ||||
| which the interested AS is the victim or contributor of such | ||||
| operations. | ||||
| 4.1. Being the 'victim' of unexpected traffic flows | ||||
| To detect if unexpected traffic flows are taking place in its | To detect if unexpected traffic flows are taking place in its | |||
| network, an ISP can monitor its traffic data and validate if any flow | network, an ISP can monitor its traffic data to check if it is | |||
| entering the ISP network through a non-customer link is forwarded to | providing transit between two of its peers, although his policy is | |||
| a non-customer next-hop. | configured to not provide such transit. IPFIX (RFC7011 [3]) is an | |||
| example of a technology that can be used to export information | ||||
| regarding traffic flows across the network. Traffic information must | ||||
| be analyzed under the perspective of the business relationships with | ||||
| neighboring ASes. Open source tools such as [4] can be used to this | ||||
| end. | ||||
| As mentioned in Section 3.1, unexpected traffic flows might appear | Note that the AS detecting the unexpected traffic flow may simply | |||
| due to different situations. To discover if the problem arose after | realize that his policy configuration is broken. The first | |||
| the filtering of prefixes by neighboring ASes, an operator can | recommended action upon detection of an unexpected traffic flow is to | |||
| analyze available BGP data. For instance, an ISP can seek for | verify the correctness of the BGP configuration. | |||
| overlapping prefixes for which the next-hop is through a provider (or | ||||
| peer), while the next-hop for their covering prefix(es) is through a | ||||
| client. Direct communication or looking glasses can be used to check | ||||
| whether non-customer neighboring ASes are propagating a path towards | ||||
| the covering prefix and not the path towards the overlapping prefix. | ||||
| This situation should trigger a warning, as this would mean that ASes | ||||
| in the surrounding area of the current AS are forwarding packets | ||||
| based on the routing entry for the less specific prefix only. | ||||
| 4.2. Being a contributor to the existence of unexpected traffic flows | Once it has been assessed that the local configuration is correct, | |||
| in other networks | the operator should check if the problem detected in the data-plane | |||
| arose due to filtering of BGP paths by neighboring ASes. The | ||||
| operator should check if the destination address of the unexpected | ||||
| traffic flow is locally routed as per an overlapping prefix only | ||||
| received from non-customer peers. The operator should also checks if | ||||
| there are paths to a covering prefix received from a customer, and | ||||
| hence propagated to peers. If these two situations happen at the | ||||
| same time, the neighboring AS at the entry point of the unexpected | ||||
| flow is routing the traffic based on the covering prefix, although | ||||
| the ISP is actually forwarding the traffic via non-customer links. | ||||
| To detect the origin of the problem, human interaction or looking | ||||
| glasses can be used in order to find out whether local filtering, | ||||
| remote filtering, or selective propagation was performed on the | ||||
| overlapping prefix. Due to the distributed nature and restricted | ||||
| visibility of the steering of BGP policies, such analysis is deemed | ||||
| to not identify the origin of the problem with guaranteed accuracy. | ||||
| We are not aware, at the time of this writing, of any openly | ||||
| available tool that can automatically perform this operation. | ||||
| 3.2. Contribution to the existence of unexpected traffic flows in | ||||
| another AS | ||||
| It can be considered problematic to be causing unexpected traffic | It can be considered problematic to be causing unexpected traffic | |||
| flows on other ASes. This situation may appear as an abuse to the | flows in other ASes. This situation may appear as an abuse to the | |||
| network resources of other ISPs. | network resources of other ISPs. | |||
| There may be justifiable reasons for one ISP to perform filtering, | There may be justifiable reasons for one ISP to perform filtering; | |||
| either to enforce established policies or to provide prefix | either to enforce established policies or to provide prefix | |||
| advertisement scoping features to its customers. These can vary from | advertisement scoping features to its customers. These can vary from | |||
| trouble-shooting purposes to business relationships implementations. | trouble-shooting purposes to business relationship implementations. | |||
| Restricting such features for the sake of avoiding the creation of | Restricting the use of these features for the sake of avoiding the | |||
| unexpected traffic flows is not a practical option. | creation of unexpected traffic flows is not a practical option. | |||
| Traffic data does not help an ISP detect that it is acting as a | ||||
| contributor of the creation of the unexpected traffic flow. It is | ||||
| thus advisable to obtain as much information as possible about the | ||||
| Internet environment of the AS and assess the risks of filtering | ||||
| overlapping prefixes before implementing them. | ||||
| Monitoring the manipulation of the communities that implement the | It is advisable for an AS to assess the risks of filtering | |||
| scoping of prefixes is recommended to the ISPs that provide these | overlapping prefixes before implementing them by obtaining as much | |||
| features. The monitored behavior should then be compared with their | data information as possible about its surrounding routing | |||
| terms of use. | environment. The AS would need information of the routing policies | |||
| and the relationships among external ASes to detect if its actions | ||||
| could trigger the appearance of unexpected traffic flows. With this | ||||
| information, the operator could detect other ASes receiving the | ||||
| overlapping prefix from non-customer ASes, while announcing the | ||||
| covering prefix to other non-customer ASes. If the filtering of the | ||||
| overlapping prefix leads other ASes to send traffic for the | ||||
| overlapping prefix to these ASes, an unexpected traffic flow can | ||||
| arise. However, the information required for this operation is | ||||
| difficult to obtain, due to the distributed nature of BGP policies. | ||||
| We are not aware, at the time of this writing, of any openly | ||||
| available tool that can automatically perform this procedure. | ||||
| 5. Techniques to counter unexpected traffic flows due to the filtering | 4. Techniques to counter unexpected traffic flows | |||
| of overlapping prefixes | ||||
| Network Operators can adopt different approaches with respect to | Network Operators can adopt different approaches with respect to | |||
| unexpected traffic flows. We classify these actions according to | unexpected traffic flows. Note that due the complexity of inter- | |||
| whether they are anticipant or reactive. | domain routing policies, there is not a single solution that can be | |||
| applied to all situations. We provide potential solutions that ISPs | ||||
| must evaluate against each particular case. We classify these | ||||
| actions according to whether they are anticipant or reactive. | ||||
| Reactive approaches are those in which the operator tries to detect | Reactive approaches are those in which the operator tries to detect | |||
| the situations via monitoring and solve unexpected traffic flows, | the situations via monitoring and solve unexpected traffic flows, | |||
| manually, on a case-by-case basis. | manually, on a case-by-case basis. | |||
| Anticipant or preventive approaches are those in which the routing | Anticipant or preventive approaches are those in which the routing | |||
| system will not let the unexpected traffic flows actually take place | system will not let the unexpected traffic flows actually take place | |||
| when the configuration scenario is set up. | when the scenario arises. | |||
| We use the scenario depicted in Figure 11 to describe these two kinds | We use the scenario depicted in Figure 5 to describe these two kinds | |||
| of approaches. Based on our analysis, we observe that anticipant | of approaches. Based on our analysis, we observe that anticipant | |||
| approaches can be complex to implement and can lead to undesired | approaches can be complex to implement and can lead to undesired | |||
| repercussions. Therefore, we conclude that the reactive approach is | effects. Therefore, we conclude that the reactive approach is the | |||
| the more reasonable recommendation to deal with unexpected flows. | more reasonable recommendation to deal with unexpected flows. | |||
| ____,,................______ | ____,,................______ | |||
| _,.---'''' `''---..._ | _,.---'''' `''---..._ | |||
| ,-'' AS5 `-. | ,-'' AS64505 `-. | |||
| [ / | [ / | |||
| -.._ __.-' | -.._ __.-' | |||
| . `'---....______ ______...---'' | . `'---....______ ______...---'' | |||
| |/22 `''''''''''''''' | | + |/32 `''''''''''''''' | | |||
| |/24 |/22 | | | |/34 + |/32 | | |||
| | |/24 | | v | v |/34 | | |||
| | | | | | | ^ | | |||
| | |/22 |/22 | | ^ |/32 | |/32 | |||
| | | |/24 | | + | + |/34 | |||
| _,,---.:_ _,,---.._ _,,---.._ | _,,---.:_ _,,---.._ _,,---.._ | |||
| ,' `. ,' `. ,' `. | ,' `. ,' `. ,' `. | |||
| / AS4 \ / AS2 \ / AS3 \ | / AS64504 \ <-+ / AS64502 \ / AS64503 \ | |||
| | |_________| | | | | | |_________| | | | | |||
| | | /22 | | | | | | | /32 | | | | | |||
| '. ,' . ,' . ,' | '. ,' . ,' . ,' | |||
| `. ,' `. ,' `. ,' | `. ,' `. ,' `. ,' | |||
| ``---'' ``---'' ``---'' | ``---'' ``---'' ``---'' | |||
| | | | | ^ | | |||
| | |10.0.0.0/24 | ^ |2001:DB8::/32 | |2001:DB8::/32 | |||
| |10.0.0.0/22 |10.0.0.0/22 | | | + |2001:DB8::/34 | |||
| _;,..---------...._| | + | _....---------...._| | |||
| ,-'AS1 ``-. | ,-'AS64501 ``-. | |||
| /' `. | /' `. | |||
| `. _, | `. _, | |||
| `-.._ _,,,' | `-.._ _,,,' | |||
| `''---------''' | `''---------''' | |||
| Figure 11: Anticipant counter-measures - Base example | Figure 5: Counter-measures for unexpected traffic flows - Base | |||
| example | ||||
| 5.1. Reactive counter-measures | 4.1. Reactive counter-measures | |||
| An operator who detects unexpected traffic flows originated by any of | An operator who detects unexpected traffic flows originated by any of | |||
| the cases described in Section 3 can contact the ASes that are likely | the cases described in Section 2 can contact the ASes that are likely | |||
| to have performed the propagation tweaks, inform them of the | to have performed the propagation tweaks, inform them of the | |||
| situation, and persuade them to change their behavior. | situation, and persuade them to change their behavior. | |||
| If the situation remains, the operator can implement prefix filtering | If the situation remains, the operator can implement prefix filtering | |||
| in order to stop the unexpected flows. The operator can decide to | in order to stop the unexpected flows. The operator can decide to | |||
| perform this action over the session with the operator announcing the | perform this action over the session with the operator announcing the | |||
| overlapping prefix or over the session with the neighboring AS from | overlapping prefix or over the session with the neighboring AS from | |||
| which it is receiving the traffic. Each of these options carry a | which it is receiving the traffic. Each of these options carry a | |||
| different repercussion for the affected AS. We describe briefly the | different repercussion for the affected AS. We describe briefly the | |||
| two alternatives. | two alternatives. | |||
| o An operator can decide to stop announcing the covering prefix at | o An operator can decide to stop announcing the covering prefix at | |||
| the peering session with the neighboring AS from which it is | the peering session with the neighboring AS from which it is | |||
| receiving traffic to the overlapping prefix. In the example of | receiving traffic to the overlapping prefix. In the example of | |||
| Figure 11, AS2 would filter out the prefix 10.0.0.0/22 from the | Figure 5, AS64502 would filter out the prefix 2001:DB8::/32 from | |||
| eBGP session with AS4. In this case, all the traffic heading to | the eBGP session with AS64504. In this case, not all traffic | |||
| the prefix 10.0.0.0/22 from AS1 would not longer traverse AS2. | heading to the prefix 2001:DB8::/32 from AS64501 would no longer | |||
| AS2 should evaluate if solving the inconvenient originated by the | traverse AS64502. AS64502 should evaluate if solving the issues | |||
| unexpected traffic flows are worth the loss of this traffic share. | originated by the unexpected traffic flows are worth the loss of | |||
| this traffic share. | ||||
| o An operator can decide to filter-out the concerned overlapping | o An operator can decide to filter out the overlapping prefix at the | |||
| prefix at the peering session over which it was received. In the | peering session over which it was received. In the example of | |||
| example of Figure 11, AS2 would filter out the incoming prefix | Figure 5, AS64502 would filter out the incoming prefix | |||
| 10.0.0.0/24 from the eBGP session with AS5. As a result, the | 2001:DB8::/34 from the eBGP session with AS64505. As a result, | |||
| traffic destined to that /24 would be forwarded by AS2 along its | the traffic destined to that /32 would be forwarded by AS64502 | |||
| link with AS1, despite the actions performed by AS1 to have this | along its link with AS64501, despite the actions performed by | |||
| traffic coming in through its link with AS3. However, as AS2 will | AS64501 to have this traffic coming in through its link with | |||
| no longer possess a route to the overlapping prefix, it risks | AS64503. However, as AS64502 will no longer know a route to the | |||
| losing the traffic share from customers different from AS1 to that | overlapping prefix, it risks losing the traffic share from | |||
| prefix. Furthermore, this action can generate conflicts between | customers different from AS64501 to that prefix. Furthermore, | |||
| AS2 and AS1, since AS2 does not follow the policy expressed by AS1 | this action can generate conflicts between AS64502 and AS64501, | |||
| in its BGP announcements. | since AS64502 does not follow the routing information expressed by | |||
| AS64501 in its BGP announcements. | ||||
| It is possible that the behavior from the neighboring AS that is | It is possible that the behavior of the neighboring AS causing the | |||
| causing the unexpected traffic flows opposes the peering agreement. | unexpected traffic flows opposes the peering agreement. In this | |||
| In this case, an operator can account the amount of traffic that has | case, an operator could account the amount of traffic that has been | |||
| been subject to the unexpected flows and charge the peer for that | subject to the unexpected flows, using traffic measurement protocols | |||
| traffic. That is, the operator can claim that it has been a provider | such as IPFIX, and charge the peer for that traffic. That is, the | |||
| of that peer for the traffic that transited between the two ASes. | operator can claim that it has been a provider of that peer for the | |||
| traffic that transited between the two ASes. | ||||
| 5.2. Anticipant counter-measures | 4.2. Anticipant counter-measures | |||
| 5.2.1. Access lists | 4.2.1. Access lists | |||
| An operator can configure its routers to install dynamically an | An operator can configure its routers to install dynamically an | |||
| access-list made of the prefixes towards which the forwarding of | access-list made of the prefixes towards which the forwarding of | |||
| traffic from that interface would lead to unexpected traffic flows. | traffic from that interface would lead to unexpected traffic flows. | |||
| In the example of Figure 11, AS2 would install an access-list denying | In the example of Figure 5, AS64502 would install an access-list | |||
| packets matching 10.0.0.0/24 associated with the interface connecting | denying packets matching 2001:DB8::/34 associated with the interface | |||
| to AS4. As a result, traffic destined to that prefix would be | connecting to AS64504. As a result, traffic destined to that prefix | |||
| dropped, despite the existence of a valid route towards 10.0.0.0/22. | would be dropped, despite the existence of a valid route towards | |||
| 2001:DB8::/32. | ||||
| Note that this technique actually lets packets destined to a valid | ||||
| prefix be dropped while they are sent from a neighboring AS that | ||||
| cannot know about policy conflicts and hence had no means to avoid | ||||
| the creation of unexpected traffic flows. | ||||
| 5.2.2. Automatic overlapping prefix filtering | ||||
| As described in Section 3, filtering of overlapping prefixes can in | This technique actually lets packets destined to a valid prefix be | |||
| some scenarios lead to unexpected traffic flows. Nevertheless, | dropped while they are sent from a neighboring AS that may not know | |||
| depending on the autonomous system implementing such practice, this | about the policy conflict and hence had no means to avoid the | |||
| operation can prevent these cases. This can be illustrated using the | creation of unexpected traffic flows. For this reason, this | |||
| example described in Figure 11: if AS2 or AS3 filter prefix 10.0.0.0/ | technique can be considered harmful and is thus not recommended for | |||
| 24, there would be no unexpected traffic flow in AS2. Nevertheless, | implementation. | |||
| as described in Section 5.1, the filtering of overlapping prefixes | ||||
| can generate conflicts between AS1 and AS2, since AS2 would not | ||||
| forward traffic according to AS1's policy. Additionally, AS2 can | ||||
| lose traffic share for the overlapping prefix from customers | ||||
| different from AS1. | ||||
| 5.2.3. Neighbor-specific forwarding | 4.2.2. Neighbor-specific forwarding | |||
| An operator can technically ensure that traffic destined to a given | An operator can technically ensure that traffic destined to a given | |||
| prefix will be forwarded from an entry point of the network based | prefix will be forwarded from an entry point of the network based | |||
| only on the set of paths that have been advertised over that entry | only on the set of paths that have been advertised over that entry | |||
| point. | point. | |||
| As an example, let us analyze the scenario of Figure 11 from the | As an example, let us analyze the scenario of Figure 5 from the point | |||
| point of view of AS2. The edge router connecting to the AS4 forward | of view of AS64502. The edge router connecting to the AS64504 | |||
| packets destined to prefix 10.0.0.0/24 towards AS5. Likewise, it | forwards packets destined to prefix 2001:DB8::/34 towards AS64505. | |||
| will forward packets destined to prefix 10.0.0.0/22 towards AS1. The | Likewise, it forwards packets destined to prefix 2001:DB8::/32 | |||
| router, however, only propagates the path of the covering prefix | towards AS64501. The router, however, only propagates the path of | |||
| (10.0.0.0/22) to AS4. An operator could implement the necessary | the covering prefix (2001:DB8::/32) to AS64504. An operator could | |||
| techniques to force the edge router to forward packets coming from | implement the necessary techniques to force the edge router to | |||
| AS4 based only on the paths propagated to AS4. Thus, the edge router | forward packets coming from AS64504 based only on the paths | |||
| would forward packets destined to 10.0.0.0/24 towards AS1 in which | propagated to AS64504. Thus, the edge router would forward packets | |||
| case no unexpected traffic flow would occur. | destined to 2001:DB8::/34 towards AS64501 in which case no unexpected | |||
| traffic flow would occur. | ||||
| Different techniques could provide the functionality just described; | Different techniques could provide this functionality; however, their | |||
| however, their technical implementation can be complex to design and | technical implementation can be complex to design and operate. An | |||
| operate. [2] describes an approach to implement this behavior. | operator could, for instance, employ Virtual Routing Forwarding (VRF) | |||
| Similar to the solution described in Section 5.2.2, this approach | tables RFC4364 [4] to store the routes announced to a neighbor and | |||
| could create conflicts between AS2 and AS1, since the traffic | forward traffic exclusively based on those routes. [2] describes this | |||
| forwarding performed by A2 goes against the policy of AS1. | solution and provides a description of its limitations. In the | |||
| future, new network protocols and architectures could provide this | ||||
| functionality with less overhead for management and device resources. | ||||
| 6. Conclusions | Note that similarly to the solution described in Section 4.1, this | |||
| approach could create conflicts between AS64502 and AS64501, since | ||||
| the traffic forwarding performed by AS64502 goes against the policy | ||||
| of AS64501. | ||||
| In this document, we described threats to policies of autonomous | 5. Conclusions | |||
| systems caused by the filtering of overlapping prefixes performed by | ||||
| external networks. We provide examples of scenarios in which | In this document, we described how the filtering of overlapping | |||
| unexpected traffic flows are caused by these practices and introduce | prefixes can potentially create unexpected traffic flows in remote | |||
| some techniques for their detection and prevention. Analyzing the | ASes. We provided examples of scenarios in which unexpected traffic | |||
| different options for dealing with this kind of problems, we | flows are caused by these practices and introduce some techniques for | |||
| recommend potential victims to implement monitoring systems that can | their detection and prevention. Analyzing the different options for | |||
| dealing with this kind of problems, we recommend ASes affected by | ||||
| unexpected traffic flows to implement monitoring systems that can | ||||
| detect them and react to them according to the specific situation. | detect them and react to them according to the specific situation. | |||
| Although we observe that there are reasonable situations in which | Although we observe that there are reasonable situations in which | |||
| ASes could filter overlapping prefixes, we encourage that network | ASes could filter overlapping prefixes, we encourage network | |||
| operators implement this type of filters only after considering the | operators to implement this type of filters considering the cases | |||
| cases described in this document. | described in this document. | |||
| 7. References | 6. Security Considerations | |||
| It is possible for an AS to use any of the methods described in this | ||||
| document to deliberately reroute traffic flowing through another AS. | ||||
| The objective of this document is to inform on this potential routing | ||||
| security issue. | ||||
| 7. IANA Considerations | ||||
| This document has no IANA actions. | ||||
| 8. Acknowledgments | ||||
| The authors would like to thank Wes George, Jon Mitchell, and Bruno | ||||
| Decraene for their useful suggestions and comments. | ||||
| 9. References | ||||
| 9.1. References | ||||
| [1] Donnet, B. and O. Bonaventure, "On BGP Communities", ACM | [1] Donnet, B. and O. Bonaventure, "On BGP Communities", ACM | |||
| SIGCOMM Computer Communication Review vol. 38, no. 2, pp. | SIGCOMM Computer Communication Review vol. 38, no. 2, pp. | |||
| 55-59, April 2008. | 55-59, April 2008. | |||
| [2] Vanbever, L., Francois, P., Bonaventure, O., and J. | [2] Vanbever, L., Francois, P., Bonaventure, O., and J. | |||
| Rexford, "Customized BGP Route Selection Using BGP/MPLS | Rexford, "Customized BGP Route Selection Using BGP/MPLS | |||
| VPNs", Cisco Systems, Routing Symposium | VPNs", Cisco Systems, Routing Symposium | |||
| http://www.cs.princeton.edu/~jrex/talks/cisconag09.pdf, | http://www.cs.princeton.edu/~jrex/talks/cisconag09.pdf, | |||
| October 2009. | October 2009. | |||
| [3] "INIT7-RIPE63", <http://ripe63.ripe.net/presentations/48 | [3] "INIT7-RIPE63", <http://ripe63.ripe.net/presentations/48- | |||
| -How-more-specifics-increase-your-transit-bill-v0.2.pdf>. | How-more-specifics-increase-your-transit-bill-v0.2.pdf>. | |||
| 7.2. URIs | [4] "pmacct project: IP accounting iconoclasm", | |||
| <http://www.pmacct.net>. | ||||
| 9.2. URIs | ||||
| [1] http://www.ietf.org/rfc/rfc1812.txt | [1] http://www.ietf.org/rfc/rfc1812.txt | |||
| [2] http://tools.ietf.org/html/draft-white-grow-overlapping-routes-02 | [2] http://www.ietf.org/rfc/rfc4384.txt | |||
| [3] http://www.ietf.org/rfc/rfc4384.txt | [3] http://www.ietf.org/rfc/rfc7011.txt | |||
| [4] http://www.ietf.org/rfc/rfc4364.txt | ||||
| Authors' Addresses | Authors' Addresses | |||
| Camilo Cardona | Camilo Cardona | |||
| IMDEA Networks/UC3M | IMDEA Networks/UC3M | |||
| Avenida del Mar Mediterraneo, 22 | Avenida del Mar Mediterraneo, 22 | |||
| Leganes 28919 | Leganes 28919 | |||
| Spain | Spain | |||
| Email: juancamilo.cardona@imdea.org | Email: juancamilo.cardona@imdea.org | |||
| End of changes. 83 change blocks. | ||||
| 664 lines changed or deleted | 456 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||