Efficient Technique for Enforcing Internet Peering Policies
PLNOG#4 - Warsaw, March 5th, 2010
2010-02-10
Klaudiusz Staniek
Network Consulting Engineer, Cisco
kstanie@cisco.com
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Internet Peering Policy Overview
[Figure: ISP topology with core P routers and edge routers PE1, PE2, PE3; Peer-1 and Peer-2 attach at PE1, Customer-1 and Customer-2 attach via PE2 and PE3]
Peers should only have IP reachability to and from the ISP's customer prefixes
–  For example, traffic between Peer-1 and Customer-1 is permitted within the ISP and Peer-1 peering policy
Peers should not use the ISP as transit to one another
–  For example, traffic between Peer-1 and Peer-2 is in violation of the ISP and Peer-1 peering policy (as well as the ISP and Peer-2 peering policy)
Policy Enforcement Using Only BGP
[Figure: same ISP topology (P routers, PE1, PE2, PE3, Peer-1, Peer-2, Customer-1, Customer-2). PE1 eBGP advertisements to Peer-1: Customer-1 prefixes, NH = PE1; Customer-2 prefixes, NH = PE1. Peer-1 IP routing table: 0.0.0.0/0, NH = PE1]
BGP control plane techniques only filter prefix advertisements
If a peer uses IP routing tricks (e.g., default routing), it may bypass BGP policies and steal bandwidth from the ISP peer
–  For example, using the peer as transit to another peer
This is possible because BGP policies are only enforced within the IP control plane and not within the IP data forwarding plane
Challenges with Alternate Options
[Figure: ISP topology as before, now with Peer-3 also attached at PE1. PE1 BGP table: Customer-1 prefixes, NH = PE2; Customer-2 prefixes, NH = PE3; Peer-1 prefixes, NH = Peer-1; Peer-3 prefixes, NH = Peer-3]
1. Carry a partial Internet routing table on peering routers
–  For example, filter Peer-2 prefixes from being carried on PE1
–  Does not prevent IP reachability between peers connected to the same local peering router (e.g., Peer-1 and Peer-3)
2. Interface ACLs – not scalable or operationally efficient
–  Adds, moves or changes to ISP customer and downstream provider address ranges force updates to static ACL policies
Proposed Technique
1. ISP tags peer prefixes uniquely within its BGP and FIB tables
–  Peer prefixes are set with community attribute (X) and tag (X') in the BGP and FIB tables, respectively
–  Customer prefixes are set with community attribute (Y) and tag (Y') in the BGP and FIB tables, respectively
2. ISP tags external packets that ingress peering interconnects based upon the longest prefix match within the FIB
–  Tag (X') for packets received from a peer and destined to a prefix in the FIB with tag (X')
–  Tag (Y') for packets received from a peer and destined to a prefix in the FIB with tag (Y')
3. ISP forwards or discards packets that ingress peering interconnects based upon the associated packet tag value
–  Packets with tag (X') are discarded, since they are destined to a peer prefix
–  Packets with tag (Y') are forwarded, since they are destined to a customer prefix
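The three steps above, simulated in Python as an added example (not code from the presentation or from Cisco): community values (X, Y), FIB tags (X', Y') and the PE1 BGP table are constructed for illustration. It also covers the default-route case from the earlier slide: a packet from a peer toward another peer's prefix still arrives at PE1, but the FIB lookup tags it X' and it is discarded in the forwarding plane instead of being carried as transit.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values standing in for community X / Y and FIB tag X' / Y'.
PEER_COMMUNITY, CUSTOMER_COMMUNITY = "65000:200", "65000:100"   # X, Y
TAG_PEER, TAG_CUSTOMER = 2, 1                                    # X', Y'
COMMUNITY_TO_TAG = {PEER_COMMUNITY: TAG_PEER, CUSTOMER_COMMUNITY: TAG_CUSTOMER}


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str
    community: str


# Constructed PE1 BGP table (documentation / private ranges, not real allocations).
SAMPLE_BGP_TABLE = [
    BgpRoute("198.51.100.0/24", "PE2", CUSTOMER_COMMUNITY),   # Customer-1
    BgpRoute("198.51.100.0/25", "PE3", CUSTOMER_COMMUNITY),   # Customer-1 more-specific via PE3
    BgpRoute("203.0.113.0/24", "PE3", CUSTOMER_COMMUNITY),    # Customer-2
    BgpRoute("192.0.2.0/24", "Peer-1", PEER_COMMUNITY),       # Peer-1
    BgpRoute("10.10.0.0/16", "Peer-2", PEER_COMMUNITY),       # Peer-2
]


def build_fib(bgp_table):
    """Step 1: install each prefix in the FIB with a tag derived from its BGP community."""
    return {ipaddress.IPv4Network(r.prefix): (r.next_hop, COMMUNITY_TO_TAG[r.community])
            for r in bgp_table}


def lookup(fib, dst):
    """Longest-prefix match in the FIB; returns (prefix, next_hop, tag) or None."""
    addr = ipaddress.IPv4Address(dst)
    matches = [(p, nh, tag) for p, (nh, tag) in fib.items() if addr in p]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def ingress_decision(fib, dst):
    """Steps 2-3: tag a packet arriving on a peering interconnect from its FIB entry,
    then forward it only when the tag marks a customer prefix (Y')."""
    hit = lookup(fib, dst)
    if hit is None:
        return ("discard", None)            # no route at all: nothing to forward to
    _, next_hop, tag = hit
    if tag == TAG_CUSTOMER:
        return ("forward", next_hop)        # Y': peer -> customer, permitted by policy
    return ("discard", None)                # X': peer -> peer, dropped in the data plane


if __name__ == "__main__":
    fib = build_fib(SAMPLE_BGP_TABLE)
    for dst in ("198.51.100.10", "198.51.100.200", "10.10.3.4", "172.16.0.1"):
        print(dst, ingress_decision(fib, dst))
```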