Download presentation: RPSL: Police'ing' the Net, Anwar M. Haneef, Electrical and Computer Engineering


  • Number of slides: 63

RPSL: Police'ing' the Net
Anwar M. Haneef
Electrical and Computer Engineering, University of Massachusetts, Amherst

RFC-2622: Not the most fun thing to read on a Friday night

Aim of my talk
- Not to make you expert network managers
- I want all of you to go back home knowing that you have learnt the BASICS of a new language
- Prepare you all for the next talk on the practical applications of RPSL

Agenda
- What is Routing Policy?
- Why define Routing Policy?
- BGP Configuration
- IRR Configuration
- RPSL: Introduction
- RPSL: Objects
- What's next


What is Routing Policy?
- Public description of the relationships between external BGP peers
- Can also describe internal BGP peer relationships

Routing Policy
(Unfortunately, Chun gets to do all the really COOL stuff...)
- Who the peers are
- What routes are:
  - originated by a peer
  - imported from each peer
  - exported to each peer
  - preferred when multiple routes exist
- What to do if no route exists

Routing Policy Example
- AS1 originates route "d"
- AS1 exports "d" to AS2, AS2 imports it
- AS2 exports "d" to AS3, AS3 imports it
- AS3 exports "d" to AS5, AS5 imports it

Routing Policy Example
- AS5 also imports "d" from AS4
- Which route does it prefer?


Why define a Routing Policy?
- Documentation (no one ever does anything for documentation, but it's good to have)
- Allows automatic generation of router configurations
- Provides routing security:
  - Can the peer originate the route?
  - Can the peer act as transit for the route?
- Provides a debugging aid: compare policy versus reality


BGP Configuration ?!?!?!
- Too many routers
- Too detailed, large & tedious
- Consistency
- Heavy consequences of mistakes


IRR: What is it?
- Database of:
  - IP networks
  - DNS domains, contact persons
  - IP routing policies
- Data from the IRR may be used by anyone worldwide to help debug, configure, and engineer Internet routing and addressing.
- Currently, the IRR provides the only mechanism for validating the contents of a BGP session or mapping an AS number to a list of networks.

Internet Routing Registry
- APNIC, ALTDB, BELLCA, TELSTRA etc.
- Policy and contact information

Internet Routing Registry: a route object
route:    128.9.0.0/16
descr:    ISI-NET
origin:   AS226
notify:   [email protected]
mnt-by:   LN-MAINT-MCI
changed:  [email protected] 990420
source:   CW

Internet Routing Registry: a person object
person:   Walt Prue
address:  USC/Information Sciences Institute
          4676 Admiralty Way Suite 1000
          Marina del Rey, California USA
phone:    +1 310 822 1511 x89191
fax-no:   +1 310 823 6714
e-mail:   [email protected]
nic-hdl:  WP8
notify:   [email protected]
mnt-by:   LN-MAINT-MCI
changed:  [email protected] 20000222
source:   CW

BGP Configuration from the IRR
RPSL -> IRR -> RtConfig
- RPSL: abstract, high-level, per-AS policies
- IRR: benefit from others' data & delegation
- RtConfig: the detailed/tedious aspects are automated


Meet Mr. RPSL: An Introduction
- RPSL allows a network operator to specify routing policies at various levels in the Internet hierarchy, for example at the Autonomous System (AS) level
- At the same time, policies can be specified in RPSL in sufficient detail that low-level router configurations can be generated from them
- RPSL is extensible; new routing protocols and new protocol features can be introduced at any time

Meet Mr. RPSL: An Introduction
- Object-oriented language
- RPSL is based on RIPE-181, a language used to register routing policies and configurations in the IRR
- Operational use of RIPE-181 has shown that it is sometimes difficult (or impossible) to express a routing policy that is used in practice
- RPSL has been developed to address these shortcomings and to provide a language that can be further extended as the need arises
- RPSL obsoletes RIPE-181

Meet Mr. RPSL: An Introduction
- RPSL was designed so that a view of the global routing policy can be contained in a single, cooperatively maintained, distributed database, to improve the integrity of the Internet's routing
- RPSL is not designed to be a router configuration language
- RPSL is designed so that router configurations can be generated from the description of the policy for one autonomous system (aut-num class), combined with the description of a router (inet-rtr class), which mainly provides the router ID, the router's autonomous system number, and its interfaces and peers, and combined with the global database's mappings from AS sets to ASes (as-set class) and from origin ASes and route sets to route prefixes (route and route-set classes)
- Accurate population of the RPSL database can help contribute toward goals such as router configurations that protect against accidental (or malicious) distribution of inaccurate routing information, verification of the Internet's routing, and aggregation boundaries beyond a single AS

RPSL: Getting to know it
- RPSL constructs are expressed in one or more database "objects", which are registered in one of the registries
- Each database object contains some routing policy information and some necessary administrative data
- When objects are registered in the IRR, they become available for others to query using a whois service
- Uses RIPE database style (whois) objects

RPSL: Object Representation
person:   Randy Bush
address:  RGnet NOC
          5147 Crystal Springs Drive NE
          10361 NE Sasquatch
          Bainbridge Island, WA 98110 USA
phone:    +1 206 780 0431 # day time
fax-no:   +1 206 780 0653
e-mail:   [email protected]
nic-hdl:  RB366
remarks:  This object is automatically converted from RIPE 181
mnt-by:   RGNET-MAINT-MCI
changed:  [email protected] 19970614
source:   MCI

Anatomy of the object above:
- Attribute name: the word before the colon (person, address, ...)
- Attribute value: everything after the colon
- Comment: text following "#" (here "# day time" on the phone line)
- Continuation: a value spread over several lines (the address)

Common attributes for all classes
- descr: short free-text description of the object
- remarks: free-text comment attribute
- tech-c: technical contact NIC handles
- admin-c: administrative contact NIC handles
- notify: e-mail addresses to send notification of changes to
- mnt-by: maintainer authorized to make changes
- changed: who made the last change (e-mail) and when (date)
- source: registry


RPSL Classes
- Person, Role, Maintainer
- Route
- Set classes: as-set, route-set
- Autonomous System

RPSL Classes
- Person, Role, Maintainer
  - Person and Role objects are for contact information
  - Maintainer objects are for authentication
- Route
- Set classes: as-set, route-set
- Autonomous System

Person Class (the same object, grouped by the kind of attribute)
Person class attributes:
person:   Randy Bush
address:  RGnet NOC
          5147 Crystal Springs Drive NE
          10361 NE Sasquatch
          Bainbridge Island, WA 98110 USA
phone:    +1 206 780 0431 # day time
fax-no:   +1 206 780 0653
e-mail:   [email protected]
nic-hdl:  RB366
Common attributes:
remarks:  This object is automatically converted from RIPE 181
Maintenance:
mnt-by:   RGNET-MAINT-MCI
changed:  [email protected] 19970614
source:   MCI

Role Class
The nic-hdl attributes of the person and role classes share the same name space.
role:     RIPE NCC Operations
address:  Singel 258
          1016 AB Amsterdam
          The Netherlands
phone:    +31 20 535 4444
fax-no:   +31 20 545 4445
e-mail:   [email protected]
admin-c:  CO19-RIPE
tech-c:   RW488-RIPE
tech-c:   JLSD1-RIPE
nic-hdl:  OPS4-RIPE
notify:   [email protected]
changed:  [email protected] 19970926
source:   RIPE

Maintainer Class
It defines access control for other objects in the database.
mntner:   MAINT-RGNET
descr:    RGnet RADB maintainer
admin-c:  RB366
tech-c:   RB366
upd-to:   [email protected]
mnt-nfy:  [email protected]
auth:     PGPKEY-23F5CE3
mnt-by:   MAINT-RGNET
changed:  [email protected] 19970804
source:   RADB

Auth Attribute: the authentication schemes a maintainer can use
auth:     PGPKEY-23F5CE3
auth:     CRYPT-PW lz1A7/JnfkTI
auth:     MAIL-FROM [email protected]
auth:     MAIL-FROM .*@canet.ca
auth:     NONE

RPSL Classes
- Person, Role, Maintainer
- Route
  - Specifies the origin AS for a route
  - Can indicate membership of a route set
- Set classes: as-set, route-set
- Autonomous System

Route Class
route:    156.36.0.0/16    <- policy information
origin:   AS2914           <- policy information
descr:    my routes
mnt-by:   MAINT-RGNET
tech-c:   RB366
changed:  [email protected] 19960829
source:   RADB
Route 156.36.0.0/16 is originated by AS2914.

Hmm... looks familiar, doesn't it? Inter-AS Routing
- AS1 originates route "d"
- AS1 exports "d" to AS2, AS2 imports it
- AS2 exports "d" to AS3, AS3 imports it
- AS3 exports "d" to AS5, AS5 imports it


Some Notations
- AS numbers: AS2914
- Address prefixes: 156.36.0.0/16
- Set names: RS-VERIO (route-set), AS-VERIO (as-set)

Rules for Words
- Can have - or _ in the middle: RGNET-MAINT-MCI
- Can have digits: RGNET-MAINT-MCI_1
- Case insensitive: rgnet-MaInT-MCI

RPSL Classes
- Person, Role, Maintainer
- Route
- Set classes: route-set, as-set
- Autonomous System

RPSL Classes
- Person, Role, Maintainer
- Route
- Set classes: route-set
  - Collects together routes with similar properties
- Autonomous System

Route-Set
route-set:  rs-foo
members:    128.9.0.0/16, 128.9.0.0/24, 128.8.0.0/16
descr:      some address prefixes
mnt-by:     MAINT-RGNET
tech-c:     RB366
changed:    [email protected] 19960829
source:     RADB

A set may include another set by name:
route-set:  rs-bar
members:    128.7.0.0/16, rs-foo

Route Set
route-set:  RS-BCMI2
descr:      routes via BCM to be announced to I2
members:    128.249.0.0/16, 192.31.88.0/24, 192.147.26.0/24
admin-c:    JCY
tech-c:     SM346
mnt-by:     MAINT-AS302
changed:    [email protected] 20000213
source:     demo

Indirect Members
route-set:    RS-ANS-IGP_ONLY
descr:        ANS IGP aggregates
mbrs-by-ref:  ANY

route:        207.25.17.0/24
origin:       AS1675
member-of:    RS-ANS-IGP_ONLY
mnt-by:       MNT-ANS

route:        192.157.69.0/24
origin:       AS1675
member-of:    RS-ANS-IGP_ONLY
mnt-by:       MNT-ANS

Restricted Indirect Members
route:        RS-ANS-IGP_ONLY
descr:        ANS IGP aggregates
mbrs-by-ref:  MNT-ANS, MNT-CENGIZ

route:        207.25.17.0/24
origin:       AS1675
member-of:    RS-ANS-IGP_ONLY
mnt-by:       MNT-ANS

route:        192.157.69.0/24
origin:       AS1675
member-of:    RS-ANS-IGP_ONLY
mnt-by:       MNT-ANS

Direct and Indirect Members
route-set:    RS-ANS-IGP_ONLY
descr:        ANS IGP aggregates
members:      207.25.17.0/24, 207.25.16.0/24, 207.25.20.0/24
mbrs-by-ref:  MNT-ANS

route:        207.25.17.0/24
origin:       AS1675
member-of:    RS-ANS-IGP_ONLY
mnt-by:       MNT-ANS

route:        192.157.69.0/24
origin:       AS1675
member-of:    RS-ANS-IGP_ONLY
mnt-by:       MNT-ANS
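Two checks the deck motivates, as an added example rather than the deck's or any registry's code: the "can the peer originate the route?" question from the route class slide, and the route-set membership rules from the three slides above (direct members:, plus member-of: claims accepted only when mbrs-by-ref: is ANY or names one of the route's mnt-by: maintainers). The objects in SAMPLE are the deck's RS-ANS-IGP_ONLY examples plus one constructed route (203.0.113.0/24, AS64500, MNT-OTHER) whose maintainer is not authorised, so its member-of: claim must be ignored.

```python
# Added example. The third route in SAMPLE (203.0.113.0/24 / AS64500 /
# MNT-OTHER) is constructed to show an unauthorised member-of: claim.

def parse_objects(text):
    """Split whois-style RPSL text into objects: dicts of attr -> [values]."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():                    # a blank line ends an object
            if current:
                objects.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        value = value.split("#", 1)[0].strip()  # drop "# comment" text
        current.setdefault(attr.strip().lower(), []).append(value)
    return objects + ([current] if current else [])

def list_values(obj, attr):
    """Comma-separated list attribute (members:, mbrs-by-ref:, ...), upper-cased."""
    return [x.strip().upper() for v in obj.get(attr, []) for x in v.split(",") if x.strip()]

def origin_is_registered(objects, prefix, origin_as):
    """Does a route object register exactly this prefix with this origin AS?
    False means the announcement does not match the registered policy."""
    return any(o.get("route", [""])[0] == prefix
               and o.get("origin", [""])[0].upper() == origin_as.upper()
               for o in objects)

def route_set_members(objects, name):
    """Direct members: plus member-of: claims from routes whose mnt-by: is
    listed in the set's mbrs-by-ref: (or when mbrs-by-ref: is ANY)."""
    rs = next(o for o in objects if list_values(o, "route-set") == [name.upper()])
    members = set(list_values(rs, "members"))
    allowed = set(list_values(rs, "mbrs-by-ref"))
    for o in objects:
        if "route" in o and name.upper() in list_values(o, "member-of"):
            if "ANY" in allowed or allowed & set(list_values(o, "mnt-by")):
                members.add(o["route"][0])
    return members

SAMPLE = """\
route-set:   RS-ANS-IGP_ONLY
members:     207.25.17.0/24, 207.25.16.0/24, 207.25.20.0/24
mbrs-by-ref: MNT-ANS, MNT-CENGIZ

route:       207.25.17.0/24
origin:      AS1675
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-ANS

route:       192.157.69.0/24
origin:      AS1675
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-ANS

route:       203.0.113.0/24
origin:      AS64500
member-of:   RS-ANS-IGP_ONLY
mnt-by:      MNT-OTHER
"""

OBJECTS = parse_objects(SAMPLE)
# The same registry with an unrestricted set: every member-of: claim is honoured.
OBJECTS_ANY = parse_objects(SAMPLE.replace("MNT-ANS, MNT-CENGIZ", "ANY"))
```

With the restricted set only the four ANS-maintained prefixes come back; switching mbrs-by-ref: to ANY lets the constructed third-party route into the set, which is why a set used as a filter should name its maintainers.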

Confusing, isn't it? More Specific Operators
route-set:  rs-martians
descr:      most ASes do not import these routes
members:    0.0.0.0/0^32, 127.0.0.0/8^+, 10.0.0.0/8^+, 172.16.0.0/20^+, 192.168.0.0/16^+, 192.0.2.0/24^+, 128.0.0.0/16^+, 191.255.0.0/16^+, 192.0.0.0/24^+, 223.255.255.0/24^+, 224.0.0.0/3^+, 0.0.0.0/0^26-32
- Inclusive more specifics: ^+
- Exclusive more specifics: ^-
- Length-n more specifics: ^n
- Length n-m more specifics: ^n-m
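The four operators applied as a prefix filter, as an added example (not the deck's own code): each members: entry of rs-martians is parsed into a base prefix plus an optional ^ operator, and a candidate prefix matches when it lies inside the base and its length satisfies the operator. Only the standard library is used; the prefixes under test are constructed.

```python
# Added example: RPSL prefix range operators (^+, ^-, ^n, ^n-m) from RFC 2622,
# applied to the rs-martians set from the slide.
import ipaddress
import re

# <prefix>[^op]  where op is "+", "-", "n" or "n-m"
_MEMBER = re.compile(r"^(?P<prefix>[0-9.]+/[0-9]+)(?:\^(?P<op>\+|-|[0-9]+(?:-[0-9]+)?))?$")

def member_matches(member, prefix):
    """True if `prefix` is covered by one members: entry such as '10.0.0.0/8^+'."""
    m = _MEMBER.match(member.strip())
    if not m:
        raise ValueError("unparseable route-set member: %r" % member)
    base = ipaddress.ip_network(m["prefix"], strict=False)
    cand = ipaddress.ip_network(prefix, strict=False)
    if cand.version != base.version or not cand.subnet_of(base):
        return False                       # neither the base prefix nor a more specific
    op = m["op"]
    if op is None:                         # bare prefix: exact match only
        return cand.prefixlen == base.prefixlen
    if op == "+":                          # ^+  inclusive: base and every more specific
        return True
    if op == "-":                          # ^-  exclusive: more specifics only, not base
        return cand.prefixlen > base.prefixlen
    lo, _, hi = op.partition("-")          # ^n or ^n-m: only lengths n..m
    lo, hi = int(lo), (int(hi) if hi else int(lo))
    if lo < base.prefixlen or hi < lo:
        raise ValueError("illegal length range in %r" % member)
    return lo <= cand.prefixlen <= hi

def in_route_set(members, prefix):
    """True if any member entry of the set covers `prefix`."""
    return any(member_matches(m, prefix) for m in members)

# The members: line of rs-martians from the slide, split into a list.
RS_MARTIANS = [
    "0.0.0.0/0^32", "127.0.0.0/8^+", "10.0.0.0/8^+", "172.16.0.0/20^+",
    "192.168.0.0/16^+", "192.0.2.0/24^+", "128.0.0.0/16^+", "191.255.0.0/16^+",
    "192.0.0.0/24^+", "223.255.255.0/24^+", "224.0.0.0/3^+", "0.0.0.0/0^26-32",
]

if __name__ == "__main__":
    # Constructed test prefixes: a private /16, a normal /24, a too-long /27, and
    # 172.16.0.0/12, which the slide's /20^+ entry does not cover.
    for p in ["10.1.0.0/16", "198.51.100.0/24", "198.51.100.0/27", "172.16.0.0/12"]:
        print(p, "martian" if in_route_set(RS_MARTIANS, p) else "ok")
```

Note that 0.0.0.0/0^26-32 rejects any prefix longer than /25 wherever it lies, and that the slide's 172.16.0.0/20^+ leaves the rest of 172.16.0.0/12 unfiltered.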

Sorry about that!! Route-Set Name Spaces
route-set:  AS4763:RS-ROUTES:AS681
descr:      prefix filter for AS681
members:    130.216.0.0/16, 130.217.0.0/16, 132.181.0.0/16, 138.75.0.0/16, 139.80.0.0/16, 140.200.0.0/16, 156.62.0.0/16, 192.73.21.0/24
tech-c:     JA39
mnt-by:     MAINT-TELSTRA-NZ
changed:    [email protected] 19991118
source:     RADB

RPSL Classes
- Person, Role, Maintainer
- Route
- Set classes: as-set
  - Collects together Autonomous Systems with shared properties
  - Can be used in policy in place of an AS
  - RPSL has hierarchical names
- Autonomous System

AS-Set Class (same flexibility as the route-set class)
as-set:   AS-SESQUI-STUB
descr:    Single Homed Sesquinet Customer ASs
members:  AS1832, AS2712, AS302, AS3526, AS8
tech-c:   SB98
mnt-by:   MAINT-AS114
source:   RADB

AS Set
as-set:   AS2764:AS_DOMESTIC
descr:    connect.com.au AS set
members:  AS4860, AS7469, AS7489, AS7543, AS7569, AS7592, AS7611, AS7701, AS9262, AS9298
tech-c:   MP151
admin-c:  CC89
remarks:  Customers with domestic connectivity only
mnt-by:   MAINT-AS2764
changed:  [email protected] 19980607
source:   RADB

Indirect AS-Sets
as-set:       as-aads-mlpa
descr:        MLPA participants at the AADS NAP
mbrs-by-ref:  ANY
admin-c:      Andrew Schmidt
tech-c:       Mark Cnota
notify:       [email protected]
mnt-by:       MAINT-RSPEER
changed:      [email protected] 19971123
source:       RADB

aut-num:      AS4550
member-of:    as-aads-mlpa

aut-num:      AS683
member-of:    as-aads-mlpa

Even more AS-Sets
as-set:   AS-YETANOTHERNET
descr:    ASs routed through YetAnotherNet
members:  AS5696, AS1808, AS1932, AS2900, AS3111, AS3365, AS3393, AS3844, AS3901, AS4314, ..., AS-ACESRESEARCH, AS-ALPHA, AS-GST, AS-DERU, AS-INQUO
admin-c:  IP Admin DW970
tech-c:   IP Admin DW970
notify:   [email protected]
mnt-by:   MAINT-AS5696
changed:  [email protected] 20000731
source:   demo

To be continued...
- As per the SLA (Seminar Level Agreement) between myself and Chun, I HAVE to stop here
- Hey, wanna sneak peek into the next lecture?

A Sneak Peek
- How import/export policies are defined
- Autonomous System objects
- How to announce your customers (diagram: Major Backbone Provider, Regional, Customers)

More slimy gossip...
- Setting preferences based on cost and other factors (diagram: A, B, slow link, peering)
- Registering policies, and more

So tune in, boys and girls, next class, same room, same time, for more exciting things to do with RPSL!

Thank You!!!!
person:   Anwar M. Haneef
address:  Multimedia Networks Laboratory
          312 Knowles Engineering
          Dept. of Electrical and Computer Engg.
          University of Massachusetts, Amherst
phone:    +1 413 545 4847
fax-no:   +1 413 545 1993
e-mail:   [email protected]
nic-hdl:  AMH1
changed:  [email protected] 20001030
source:   UMASS