Routing Policy Specification Language
Ambrose Magee, LM Ericsson Ltd. <ambrose.magee@eei.ericsson.se>
Tuesday, 28th August, 2001, APNIC-12
Introduction
• Tutorial
  – not a substitute for reading the RFC documents
• Target audience
  – knowledge of Internet routing
  – familiar with the APNIC Whois Database
  – no need to know the Internet Routing Registry
Tuesday, 28 August, 2001 ESI/Network Services Solutions
Contents of this tutorial
• The Internet Routing Registry
• Routing Policy Specification Language
  – RIPE Database Version 3
• Routing Policy System Security (RPSS)
  – security for the Internet Routing Registry (IRR)
• RAToolSet & RtConfig

The Internet Routing Registry
• Background
• Structure
• Why use it?
• BGP configuration from the Internet Routing Registry

The Internet Routing Registry (IRR)
• Established in 1995
• http://www.irr.net/
• Stability and consistency of routing
  – network operators share information
• Both public and private databases
• These databases are independent
  – but some exchange data
  – only register your data in one database

Internet Routing Registry
(Diagram of registries: RIPE, CW, RADB, ANS, Bell.db, ARIN, ArcStar, FGC, Verio, Bconnex, Telstra, ...)
Policy and contact information is shared.

Why use the Internet Routing Registry?
• When peering
  – register your routes and filter your peers
• Some transit providers and big ISPs ask for this
• Useful for fixing problems
  – contact information

Why use the Internet Routing Registry? 2
• BGP->RIP->BGP injection
• 128/7 leak
• bogon 0/0, 10/8 leaks
Daily, someone is leaking someone else's prefix.

BGP Configuration from the Internet Routing Registry
• Routing Policy Specification Language (RPSL)
  – abstract, high-level policies
  – policies for each Autonomous System (AS)
• Internet Routing Registry
  – policies, routes and contact information
  – benefit from the data and delegation of others
• RtConfig (part of RAToolSet)
  – generates router configuration files
  – automates details and tedious aspects
Routing Policy Specification Language

Routing Policy Specification Language (overview)
• Background
• RPSL Objects
• Contact Information
• Specifying Policy
• Set Objects
• inet-rtr object
• Advanced Features

Routing Policy Specification Language
• Object-based language
  – route, autonomous system, router, contact and set objects
• Defines the syntax, semantics and format of data in the IRR
• Vendor independent
• Extensible
• IETF Proposed Standard (RFC 2622)
• Based on RIPE-181 (RFC 1786)
• Currently, no support for IPv6

Routing Policy Specification Language 2
• RIPE-181
  – some policies cannot be specified
• Internet Routing Registry
  – needed a more powerful language
• RPSL
  – more expressive than RIPE-181
  – policies can be expressed at the AS level
  – policies can be detailed => router configurations
(Diagram of the language lineage: PRDB, RIPE-81, RIPE-181, RPSL)
RPSL Objects

Objects in RPSL
• RPSL is based on objects
• The format of RPSL is similar to RIPE-181
• Objects, attributes and values
• Object names
• Reserved names

RPSL is based on Objects
• Each object describes an entity in the real world
• Object classes (= object types)
• 12 types of object
• RPS-Sec defines one more (as-block)

RIPE Database Version 3
• Includes most RPSL object classes
• Excludes the dictionary object class
• Defines 4 other object classes

RPSL Object (attribute name, attribute value, annotations)
  person:   Clare Lancers
  address:  Corrofin
  phone:    +123            # day time          <- comment
  e-mail:   clancers@apnic.net
  nic-hdl:  CL123-TEST
  remarks:  This is a
  +         test object                         <- continuation line
  changed:  clancers@apnic.net 20010730
  source:   TEST

RPSL Objects
• RPSL objects are similar to RIPE-181 objects
• Objects
  – set of attributes
• Attributes
  – mandatory or optional
  – values: single, list, multiple
  – see the object template

Template of person object

RPSL Objects (class key)
• Class "key"
  – set of attributes
  – usually one attribute has the same name as the object's class
  – uniquely identifies each object
• Class "key" = primary key
  – must be specified first
RPSL vs RIPE-181 objects
• Line continuation possible
  – a line beginning with a space, a tab or '+' continues the previous value
• Comments
  – begin with '#'
  – can be anywhere inside an object
  – but cannot start at the beginning of a line (column 0)
• An object ends at a blank line
• The order of attribute-value pairs is significant
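The object rules on the last few slides (attribute: value pairs, continuation lines, '#' comments that may not begin in column 0, a blank line ending the object, the first attribute naming the class) are enough to write a small parser. The following is an added example, not code from the tutorial or from any registry software; the sample text is constructed from the slides' person object plus a second, mntner object, and the class-key rules for person/role and route follow the slides.

```python
"""Minimal RPSL object parser (added example, constructed input)."""
from typing import List, Tuple

RPSLObject = List[Tuple[str, str]]   # ordered (attribute, value) pairs

# Constructed sample: the slides' person object with a continuation line and
# an end-of-line comment, followed by a second object.
SAMPLE = """\
person:  Clare Lancers
address: Corrofin
phone:   +123            # day time
e-mail:  clancers@apnic.net
nic-hdl: CL123-TEST
remarks: This is a
+        test object
changed: clancers@apnic.net 20010730
source:  TEST

mntner:  TEST-MNT
auth:    MAIL-FROM .*apnic.net
source:  TEST
"""

def strip_comment(line: str) -> str:
    """Drop a '#' comment; a '#' in column 0 is not allowed by the slides' rules."""
    if line.startswith("#"):
        raise ValueError("comment may not start in column 0: %r" % line)
    return line.split("#", 1)[0].rstrip()

def parse_objects(text: str) -> List[RPSLObject]:
    """Split text into objects; attribute order is preserved because it matters."""
    objects: List[RPSLObject] = []
    current: RPSLObject = []
    for raw in text.splitlines():
        if raw.strip() == "":              # a blank line terminates the object
            if current:
                objects.append(current)
                current = []
            continue
        line = strip_comment(raw)
        if line == "":                     # comment-only line, ignore it
            continue
        if raw[0] in " \t+":               # continuation of the previous value
            if not current:
                raise ValueError("continuation line before any attribute")
            attr, value = current[-1]
            current[-1] = (attr, (value + " " + line[1:].strip()).strip())
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("missing ':' in %r" % raw)
        current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def object_class(obj: RPSLObject) -> str:
    """The first attribute names the object's class."""
    return obj[0][0]

def primary_key(obj: RPSLObject) -> str:
    """Class key: nic-hdl for person/role, route+origin for route objects,
    otherwise the value of the class attribute itself."""
    attrs = dict(obj)
    cls = object_class(obj)
    if cls in ("person", "role"):
        return attrs["nic-hdl"]
    if cls == "route":
        return attrs["route"] + " " + attrs["origin"]
    return obj[0][1]
```

The parser keeps multiple-valued attributes as repeated pairs; `primary_key` uses a dict only to look up the single-valued key attributes.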
RPSL Object

Attributes
• Case insensitive
• ASCII
• The value of an attribute has a type
  – <object-name>
  – <as-number>
  – <ipv4-address>
  – <address-prefix>
  – etc.
• Complete list of attributes in RFC 2622 & RIPE-223

Object Names
• Object names can have '-' or '_' inside
  – e.g. RIPE-DBM-MNT
• Can have digits
• Case-insensitive
• First character: alphabetic
• Last character: must be a letter or a digit
• Reserved names
• Reserved prefixes

Reserved Names
any, as-any, rs-any, peeras, and, or, not, atomic, from, to, at, action, accept, announce, except, refine, networks, into, inbound, outbound

Reserved Prefixes
  Prefix   Object type
  as-      as-set
  rs-      route-set
  rtrs-    rtr-set (router set)
  fltr-    filter-set
  prng-    peering-set
Contact Information

Contact Information
• person
• role
• mntner

Person Object
  person:   Clare Lancers
  address:  Corrofin
  phone:    +123            # day time
  e-mail:   clancers@apnic.net
  nic-hdl:  CL123-TEST
  remarks:  This is a test object
  (the attributes above are the person object information)
  mnt-by:   TEST-MNT
  changed:  clancers@apnic.net 20010730
  source:   TEST
  (the attributes above are auxiliary information)

Person Object 2
• Information about a technical or administrative contact
• The value of the "person" attribute cannot be changed
• The nic-handle is the primary key
  – in RIPE-181, name and nic-handle together were the primary key
• The role object is very similar
• Auxiliary information is in all object types

Mntner Object Template

Mntner object

Mntner object 2
• New attribute: referral-by
  – the mntner that created this mntner
• New attribute: auth-override
  – date after which the mntner can be modified
  – only the mntner in "referral-by" can do this

“auth” attribute
• NONE
• MAIL-FROM
  – e.g. MAIL-FROM webmaster@apnic.net
  – e.g. MAIL-FROM .*apnic.net
• CRYPT-PW
  – produced by the UNIX crypt routine
  – e.g. CRYPT-PW lz1A7/Jnfk.TI

“auth” attribute 2
• PGPKEY-<PGP Key ID>
  – e.g. PGPKEY-1290F9D2
  – RFC 2726
  – key-cert object
• Be careful using many authentication methods in a mntner
  – logical OR is used
  – avoid using authentication NONE
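Because the "auth" lines of a mntner are combined with logical OR, an update only has to satisfy the weakest listed method; a registry operator reviewing maintainers wants that weakest method surfaced. The code below is an added example, not from the tutorial: it ranks the methods in the order the slides present them (NONE, MAIL-FROM, CRYPT-PW, PGPKEY), reports the weakest one, checks a MAIL-FROM pattern against a sender address (the example anchors the pattern at both ends, an assumption about the registry's matching rule), and checks the 60-day rule the auth-override slide states. The mntner text and the YYYYMMDD date format for auth-override are constructed/assumed.

```python
"""Audit the auth methods of a mntner object (added example, constructed data)."""
import re
from datetime import date, timedelta
from typing import List, Tuple

# Strength ranking, weakest first, following the order of methods on the slides.
RANK = {"NONE": 0, "MAIL-FROM": 1, "CRYPT-PW": 2, "PGPKEY": 3}

# Constructed mntner built from the slides' example values.
SAMPLE_MNTNER = """\
mntner:      TEST-MNT
auth:        CRYPT-PW lz1A7/Jnfk.TI
auth:        MAIL-FROM .*apnic.net
auth:        PGPKEY-1290F9D2
referral-by: TEST-MNT
source:      TEST
"""

def auth_lines(mntner_text: str) -> List[str]:
    """Values of every 'auth:' attribute, in order."""
    return [line.split(":", 1)[1].strip()
            for line in mntner_text.splitlines()
            if line.lower().startswith("auth:")]

def method_of(auth_value: str) -> str:
    """'PGPKEY-1290F9D2' -> 'PGPKEY'; 'CRYPT-PW xyz' -> 'CRYPT-PW'; 'NONE' -> 'NONE'."""
    head = auth_value.split()[0].upper()
    return "PGPKEY" if head.startswith("PGPKEY-") else head

def weakest_method(mntner_text: str) -> Tuple[str, List[str]]:
    """Return (weakest method, all methods). Methods are ORed, so an update
    only needs to pass the weakest one; NONE means no authentication at all."""
    methods = [method_of(v) for v in auth_lines(mntner_text)]
    if not methods:
        raise ValueError("mntner without an auth attribute")
    return min(methods, key=lambda m: RANK.get(m, -1)), methods

def mail_from_matches(auth_value: str, sender: str) -> bool:
    """MAIL-FROM carries a regular expression compared with the From: address.
    Assumption of this example: the whole address must match the pattern."""
    pattern = auth_value.split(None, 1)[1]
    return re.fullmatch(pattern, sender) is not None

def auth_override_ok(value: str, today: date) -> bool:
    """auth-override must be at least 60 days after the current date (slides);
    the YYYYMMDD value format is an assumption of this example."""
    override = date(int(value[:4]), int(value[4:6]), int(value[6:8]))
    return override - today >= timedelta(days=60)
```

Run `weakest_method` over every mntner in a dump to find objects that still list NONE, or whose only protection is a MAIL-FROM pattern.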
Specifying Routing Policy

Specifying Policy
• Internet Routing
• aut-num object
• route-set object
• as-set object
• AS Path Regular Expressions
• Composite Policy Filters
• Specifying Actions

Specifying Policy 2
• Community Based Policies
• Ambiguity Resolution

Internet Routing
(Diagram: A at ISP-2, B at ISP-3)

Inter-AS Topology
(Diagram: Regional ISP, Backbone Providers, Other ASes)

AS Relationships
• Customer-Regional Provider
  – provider forwards traffic
  – advertises customer routes
• Peer-Peer
  – mutual benefit
• Regional Provider-Backbone Provider
  – similar to Customer-Regional Provider
• Typical routing policies implement these

Inter-AS Routing
(Diagram: AS level peering between AS1 and AS2 at a Regional ISP; AS2 exports, AS1 imports)
• AS2 originates 128.9.0.0/16
• AS2 exports 128.9.0.0/16 to AS1
• AS1 imports 128.9.0.0/16 from AS2

BGP Routes: Path Attributes
• Destination address prefixes
• AS path
• Originator AS
• List of communities (flags)
• Metrics: med, pref

aut-num Object expresses routing policy
(Auxiliary information not shown)

aut-num Object Template
  Attribute   Value                    Type
  aut-num     <as-number>              mandatory, single, class key
  as-name     <object-name>            mandatory, single
  member-of   list of <as-set-names>   optional, multiple
  import      policy                   optional, multiple
  export      policy                   optional, multiple
  default     policy                   optional, multiple

aut-num Object in RIPE-181 and RPSL
• as-out, interas-out => export
• as-in, interas-in => import
• default => default

Aut-num Object in RIPE DB Version 3
• It has all the attributes described in RFC 2622
• cross-mnt
  – a mntner to be notified
• cross-nfy
  – a person or role object to be notified

Policy in RPSL
• Structured policy uses
  – prefix
  – AS path
  – community
  – prefix-length
  – future attributes through its dictionary

Prefix based Policy
(Diagram: AS1 with 128.9.0.0/16 and 128.8.0.0/16, peering with AS2)
  aut-num: AS1
  export:  to AS2 announce {128.9.0.0/16, 128.8.0.0/16}
N.B. Filtering is based on an Address-Prefix Set

Prefix based Policy 2
(Diagram: AS1 with 128.9.0.0/16 and 128.8.0.0/16, peering with AS2)
  aut-num: AS2
  import:  from AS1 accept {128.9.0.0/16, 128.8.0.0/16}
N.B. Filtering is based on an Address-Prefix Set

import Attribute
• import: from <peering-1> [action <action-1>]
          ...
          from <peering-N> [action <action-N>]
          accept <filter>
• Set of routes matched by the filter
  – imported from all peers in the peerings
• While importing routes at <peering-M>
  – <action-M> is done

Choosing a Peering
(Diagram: AS1 has routers 1.1 and 2.2; AS2's router 1.1.1.2 peers with 1.1)
  aut-num: AS1
  import:  from AS2 at 2.2 action pref = 10; accept AS2

Choosing a Peering 2
  aut-num: AS1
  import:  from AS2 at 2.2 action pref = 10; accept AS2
  import:  from AS2 1.1.1.2 at 1.1 action pref = 5; accept AS2
N.B. In filter context, AS2 = routes originated by AS2

export Attribute
• export: to <peering-1> [action <action-1>]
          ...
          to <peering-N> [action <action-N>]
          announce <filter>
• Set of routes matched by the filter
  – exported to all peers in the peerings
• While exporting routes at <peering-M>
  – <action-M> is done

default Attribute
• default: to <peering> [action <action>] [networks <filter>]
• The local AS defaults to the AS in <peering>
• <action> == attributes of defaulting
• <filter> == policy filter
• The router only uses the default policy
  – if it received the routes matched by <filter> from this peer

Examples of default
AS1 defaults to AS2 and uses 128.9.0.0/16:
  aut-num: AS1
  default: to AS2 networks {128.9.0.0/16}
AS1 defaults to AS2 and AS3, but prefers AS2 over AS3:
  aut-num: AS1
  default: to AS2 action pref=1;
  default: to AS3 action pref=2;

Routing Protocols
• Default is the Exterior Gateway Protocol
  – BGP
• Valid protocols
  – in the RPSL dictionary
• Injecting routes between protocols
• Multi-protocol routing protocols
Originate more routes?
(Diagram: AS1 with 128.9.0.0/16, 128.6.0.0/16 and 128.8.0.0/16, peering with AS2)
  aut-num: AS1
  export:  to AS2 announce {128.9.0.0/16, 128.8.0.0/16, 128.6.0.0/16}

route-set Objects

route-set Object Template
  Attribute    Value                                              Type
  route-set    <object-name>                                      mandatory, single, class key
  members      list of <address-prefix-range> or                  optional, multi-valued
               <route-set-name><range-operator> or rs-any
  mbrs-by-ref  list of <mntner-names> or ANY                      optional, multi-valued

Range Operators
• Address-prefix-range
  – an address prefix followed by a range operator
• ^+: inclusive more specifics
  – 5.0.0.0/8^+
• ^-: exclusive more specifics
  – 128.9.0.0/16^-
• ^n: more specifics of length n
  – 30.0.0.0/8^16
• ^n-m: more specifics of length n to m
  – 30.0.0.0/8^24-32

Indirect members of route-set

Restricted indirect members of route-set

Direct & indirect members of route-set

Direct Members
• The member-of attribute of the route object is an extra way to specify the members directly
• If an address-prefix is listed in the members attribute of a route-set, then it is a member of that route-set
• The route object corresponding to this address-prefix does not need to contain a member-of attribute referring to this set name
• Only use the member-of attribute of the route object when using the mbrs-by-ref attribute in the route-set object

Members of sets in RIPE DB Version 3
• route, aut-num and inet-rtr objects have a "member-of" attribute
• This is not enough!
• The set object has "mbrs-by-ref" and "members"
  – if "mbrs-by-ref" is absent, only "members" is used
• The database software checks the validity of membership
  – it rejects an invalid creation or update of an object
Routing policy per route-set

Example of route-set 2
(Diagram: AS1 with 128.9.0.0/16, 128.6.0.0/16 and 128.8.0.0/16, peering with AS2)
  aut-num: AS1
  export:  to AS2 announce rs-red

  aut-num: AS2
  import:  from AS1 accept rs-red

Range operators and route-sets

route Object Template
  Attribute      Value                      Type
  route:         <address-prefix>           mandatory, single, class key
  origin:        <as-number>                mandatory, single, class key
  member-of:     list of <route-set-names>  optional, multiple
  inject:        aggregation info           optional, multiple
  components:    aggregation info           optional, single
  aggr-bndy:     <as-expression>            optional, single
  aggr-mtd:      aggregation info           optional, single
  export-comps:  <filter>                   optional, single
  holes:         list of <address-prefix>   optional, multiple

Route Object in RIPE DB Version 3
• cross-mnt
  – mntner(s) to be notified
• cross-nfy
  – person or role to be notified
• No admin-c or tech-c in the route object
• RFC 2622: admin-c and tech-c in the route object

Route Object 1
• Subset of a route!
• The route and origin attributes together == class key
  route:  128.8.0.0/16
  origin: AS1

  route:  128.8.0.0/16
  origin: AS2
N.B. Two different routes

Route Object 2
  route:  193.0.0.0/22
  origin: AS3333
  mnt-by: RIPE-NCC-MNT
• Policy information: route 193.0.0.0/22 is originated by AS3333
N.B. Auxiliary information is not shown

Using AS numbers in Policy
(Diagram: AS1 peering with AS2)
  route:  128.9.0.0/16
  origin: AS1

  route:  128.8.0.0/16
  origin: AS1

  aut-num: AS1
  export:  to AS2 announce AS1

  aut-num: AS2
  import:  from AS1 accept AS1

Cumbersome?
(Diagram: AS1 peers with AS2; AS3, AS4, AS5 and AS6 are customers of AS1)
  aut-num: AS1
  export:  to AS2 announce AS1 OR AS3 ... AS6

  aut-num: AS2
  import:  from AS1 accept AS1 OR AS3 ... AS6

Using as-set objects
  as-set:  AS1:AS-Customers
  members: AS1, AS3, AS4, AS5, AS6

  aut-num: AS1
  export:  to AS2 announce AS1 OR AS3 ... AS6

  aut-num: AS2
  import:  from AS1 accept AS1 OR AS3 ... AS6

as-set Object Template
  Attribute    Value                                              Type
  as-set       <object-name>                                      mandatory, single, class key
  members      list of <as-numbers> or <as-set-names> or as-any   optional, multi-valued
  mbrs-by-ref  list of <mntner-names> or ANY                      optional, multi-valued

Indirect members of as-set

Using as-set objects 2
(Diagram: AS7 and AS8 are customers of AS6; AS3, AS4, AS5 and AS6 are customers of AS1; AS1 peers with AS2)
  as-set:  AS6:AS-Customers
  members: AS6, AS7, AS8

  as-set:  AS1:AS-Customers
  members: AS1, AS3, AS4, AS5, AS6:AS-Customers

Using as-set objects 3
  aut-num: AS1
  export:  to AS2 announce AS1:AS-Customers

  aut-num: AS2
  import:  from AS1 accept AS1:AS-Customers
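The last few slides use two kinds of set membership: an as-set whose members include another as-set (AS1:AS-Customers containing AS6:AS-Customers), and a route-set whose members come partly from "members:" and partly from route objects that name the set in "member-of:" and whose mnt-by is listed in the set's "mbrs-by-ref:". Below is an added example, not code from the tutorial or from any registry, that resolves both; the registry snapshot is constructed from the slides' values (the TEST-MNT/OTHER-MNT maintainers on the route objects are invented to show the mbrs-by-ref check).

```python
"""Resolve as-set and route-set membership (added example, constructed registry)."""
from typing import Dict, List, Optional, Set

# Constructed as-set objects, mirroring the slides.
AS_SETS: Dict[str, List[str]] = {
    "AS6:AS-Customers": ["AS6", "AS7", "AS8"],
    "AS1:AS-Customers": ["AS1", "AS3", "AS4", "AS5", "AS6:AS-Customers"],
}
# Constructed route-set: one direct member, indirect members via mbrs-by-ref.
ROUTE_SETS: Dict[str, Dict[str, List[str]]] = {
    "rs-red": {"members": ["128.6.0.0/16"], "mbrs-by-ref": ["TEST-MNT"]},
}
# Constructed route objects: prefix, origin, mnt-by and member-of.
ROUTES: List[Dict[str, str]] = [
    {"route": "128.9.0.0/16", "origin": "AS1", "mnt-by": "TEST-MNT",  "member-of": "rs-red"},
    {"route": "128.8.0.0/16", "origin": "AS1", "mnt-by": "OTHER-MNT", "member-of": "rs-red"},
    {"route": "128.6.0.0/16", "origin": "AS1", "mnt-by": "TEST-MNT",  "member-of": ""},
]

def is_as_number(token: str) -> bool:
    return token.upper().startswith("AS") and token[2:].isdigit()

def resolve_as_set(name: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Expand an as-set to AS numbers. Nested as-sets are expanded recursively;
    a set referenced twice (or a cycle) is only expanded once."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    result: Set[str] = set()
    for member in AS_SETS.get(name, []):
        if member.lower() == "as-any":        # reserved name: every AS
            result.add("as-any")
        elif is_as_number(member):
            result.add(member.upper())
        else:
            result |= resolve_as_set(member, seen)
    return result

def resolve_route_set(name: str) -> Set[str]:
    """Direct members from 'members:' plus indirect members: route objects whose
    member-of names this set and whose mnt-by is authorised by mbrs-by-ref
    (or mbrs-by-ref is ANY). Without mbrs-by-ref only direct members count."""
    rs = ROUTE_SETS[name]
    members = set(rs.get("members", []))
    allowed = set(rs.get("mbrs-by-ref", []))
    for route in ROUTES:
        if route["member-of"] != name:
            continue
        if "ANY" in allowed or route["mnt-by"] in allowed:
            members.add(route["route"])
    return members
```

With this data rs-red resolves to {128.6.0.0/16, 128.9.0.0/16}, the value the composite-filter slides use: 128.8.0.0/16 claims membership but its maintainer is not in mbrs-by-ref, so the claim is ignored, which is the check the RIPE database performs on creation or update.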
More Customers?
(Diagram: AS1, AS3 and AS4 are customers of AS2)
  aut-num: AS2
  import:  from AS1 accept AS1:AS-Customers
  import:  from AS3 accept AS3:AS-Customers
  import:  from AS4 accept AS4:AS-Customers

PeerAS
(Diagram: AS1, AS3 and AS4 are customers of AS2)
  as-set:  AS2:AS-Customers
  members: AS1, AS3, AS4

  aut-num: AS2
  import:  from AS2:AS-Customers accept PeerAS:AS-Customers

PeerAS 2
• Keyword: PeerAS
• Used in the import attribute
  – instead of the AS number of the peer AS
• Useful when using an AS expression

Predefined Set Objects
• RS-ANY, rs-any
• AS-ANY, as-any

Route-set context
• AS number: ASX == routes originated by ASX
• as-set: AS-X == routes originated by the ASes in AS-X

Complex example
(Diagram: AS1 through AS9)
Solution?

AS Path Based
(Diagram: AS1 through AS9)
AS paths that start in AS1 and end in AS8: <^AS1 .* AS8$>
No prefix filters here!

AS Path Regular Expressions
  AS1      the AS AS1
  as-foo   any AS in as-foo
  X*       0 or more occurrences of X
  X+       1 or more occurrences of X
  X?       0 or 1 occurrence of X
  ^        beginning of path
  $        end of path
  X|Y      X or Y
  XY       X followed by Y

AS Path Regular Expressions 2
• Policy filter
  – only when the expression is between '<' and '>'
• Regular expressions
  – over the alphabet of AS numbers
• The router can check
  – BGP: AS_PATH
  – IDRP: RD_PATH
• Regular expression operators

AS Path RE Example
(Diagram: AS1 through AS9)
<^AS1+ AS1:AS-Customers* $> matches:
  AS1 AS3
  AS1 AS4
  AS1 AS5 AS6

AS Path Based import/export
(Diagram: AS1 through AS9)
  import: from AS1 accept <^AS1 .* AS8>
  import: from AS1 accept <^AS1:AS-Customers*$>
No route prefixes here!
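An RPSL AS-path regular expression is a regular expression over the alphabet of AS numbers, with as-set names standing for any of their members; translating it to an ordinary regex over a space-delimited path is how a configuration generator would check it. The following is an added example, not from the tutorial or from RAToolSet: each AS token becomes a group "(?:ASn )" so that AS1 cannot match inside AS13 and quantifiers apply to whole ASes, "." becomes any single AS, and as-set names are expanded from a constructed table holding the slides' AS1:AS-Customers.

```python
"""Translate RPSL AS-path regular expressions to Python regexes (added example)."""
import re
from typing import Dict, List

# Constructed as-set table, from the slides' first definition of AS1:AS-Customers.
AS_SETS: Dict[str, List[str]] = {
    "AS1:AS-Customers": ["AS1", "AS3", "AS4", "AS5", "AS6"],
}

TOKEN = re.compile(r"\s+|[\^$.*+?|()]|[A-Za-z][A-Za-z0-9:_-]*")
OPERATORS = set("^$*+?|()")      # pass through unchanged, same meaning in Python

def to_python_regex(rpsl: str) -> str:
    """Translate an RPSL AS-path expression (with or without the enclosing
    '<' '>') into a Python regex over a path written as 'AS1 AS2 AS8 '."""
    body = rpsl.strip()
    if body.startswith("<") and body.endswith(">"):
        body = body[1:-1]
    out: List[str] = []
    pos = 0
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if m is None:
            raise ValueError("bad token at %r" % body[pos:])
        tok = m.group(0)
        pos = m.end()
        if tok.isspace():
            continue                                  # whitespace only separates ASes
        if tok in OPERATORS:
            out.append(tok)
        elif tok == ".":
            out.append(r"(?:AS\d+ )")                 # any single AS
        elif re.fullmatch(r"AS\d+", tok, re.IGNORECASE):
            out.append("(?:%s )" % tok.upper())
        else:
            members = AS_SETS.get(tok)                # as-set name: any member AS
            if members is None:
                raise KeyError("unknown as-set %s" % tok)
            out.append("(?:%s)" % "|".join(member + " " for member in members))
    return "".join(out)

def path_matches(rpsl: str, as_path: List[str]) -> bool:
    """True if the AS_PATH (nearest AS first) matches the RPSL expression."""
    text = "".join(asn.upper() + " " for asn in as_path)
    return re.search(to_python_regex(rpsl), text) is not None
```

The trailing space after every AS in the path text is what makes "$" land after a complete AS number, so "<^AS1 .* AS8$>" accepts "AS1 AS2 AS8" but not "AS1 AS2 AS81".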
Composite Policy Filters
• NOT, AND, OR
• AS1 == {128.8.0.0/16, 128.9.0.0/16}
• rs-red == {128.6.0.0/16, 128.9.0.0/16}
• AS1 OR rs-red == {128.6.0.0/16, 128.8.0.0/16, 128.9.0.0/16}
• AS1 AND rs-red == {128.9.0.0/16}
• AS1 AND NOT rs-red == {128.8.0.0/16}

Composite Policy Filters 2
  aut-num: AS1
  import:  from AS1 accept (AS1 OR rs-red) AND NOT {0.0.0.0/0}
N.B. AS numbers & as-set names == routes

Filter Bad Routes

Prefix Length Based Policy
  aut-num: AS1
  import:  from any accept ANY AND NOT {192.168.0.0/16^+}
N.B. Filter == Address-Prefix Set; Composite Policy
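The range operators from the route-set slides and the composite filters on the last three slides together make up the filter language a router-configuration generator has to evaluate. The following is an added example, not code from the tutorial or from RtConfig: a small evaluator for address-prefix-range matching (^+, ^-, ^n, ^n-m) and for filter expressions with NOT, AND, OR, parentheses, ANY and {prefix sets}. Names such as AS1 and rs-red are looked up in a constructed symbol table that holds the slides' sets (in filter context an AS number stands for the routes it originates), and the candidate routes are constructed too.

```python
"""RPSL filter evaluation: range operators and composite filters (added example)."""
import ipaddress
import re
from typing import Callable, Dict, List, Set

Pred = Callable[[str], bool]     # predicate over a route prefix such as "128.9.0.0/16"

# Constructed symbol table, values from the slides.
SYMBOLS: Dict[str, Set[str]] = {
    "AS1":    {"128.8.0.0/16", "128.9.0.0/16"},
    "rs-red": {"128.6.0.0/16", "128.9.0.0/16"},
}
# Constructed candidate routes a router might receive, including two it should drop.
CANDIDATES: List[str] = ["128.6.0.0/16", "128.8.0.0/16", "128.9.0.0/16",
                         "192.168.10.0/24", "0.0.0.0/0"]

RANGE = re.compile(r"^(\S+?)(?:\^(\+|-|\d+(?:-\d+)?))?$")

def matches_range(prefix: str, spec: str) -> bool:
    """Does `prefix` fall in the address-prefix-range `spec`? A bare prefix
    matches exactly; ^+, ^-, ^n and ^n-m select more specifics as on the slides."""
    m = RANGE.match(spec)
    if m is None:
        raise ValueError("bad address-prefix-range %r" % spec)
    base = ipaddress.ip_network(m.group(1))
    net = ipaddress.ip_network(prefix)
    op = m.group(2)
    if op is None:
        return net == base
    if not net.subnet_of(base):          # range operators only select within base
        return False
    if op == "+":                        # inclusive more specifics
        return True
    if op == "-":                        # exclusive more specifics
        return net != base
    lo, _, hi = op.partition("-")        # ^n or ^n-m: constrain the prefix length
    return int(lo) <= net.prefixlen <= int(hi or lo)

TOKEN = re.compile(r"\s+|[()]|\{[^}]*\}|[A-Za-z0-9:._^+/-]+")

def tokenize(text: str) -> List[str]:
    toks, pos = [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise ValueError("bad filter syntax at %r" % text[pos:])
        pos = m.end()
        if not m.group(0).isspace():
            toks.append(m.group(0))
    return toks

class FilterParser:
    """Recursive descent: OR binds loosest, then AND, then NOT; '(' ')' group."""
    def __init__(self, text: str):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i].upper() if self.i < len(self.toks) else None

    def take(self) -> str:
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self) -> Pred:
        pred = self.expr()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens %r" % self.toks[self.i:])
        return pred

    def expr(self) -> Pred:
        left = self.term()
        while self.peek() == "OR":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.term())
        return left

    def term(self) -> Pred:
        left = self.factor()
        while self.peek() == "AND":
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.factor())
        return left

    def factor(self) -> Pred:
        tok = self.take()
        if tok.upper() == "NOT":
            inner = self.factor()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok.startswith("{"):          # address-prefix set; items may carry range operators
            specs = [s.strip() for s in tok[1:-1].split(",") if s.strip()]
            return lambda p: any(matches_range(p, s) for s in specs)
        if tok.upper() == "ANY":
            return lambda p: True
        members = SYMBOLS[tok]           # AS number, as-set or route-set name
        return lambda p: p in members

def filter_routes(filter_text: str, routes: List[str] = CANDIDATES) -> List[str]:
    """Return, sorted, the candidate routes an RPSL filter accepts."""
    accept = FilterParser(filter_text).parse()
    return sorted(r for r in routes if accept(r))
```

The "Filter Bad Routes" policy on the slide, ANY AND NOT {192.168.0.0/16^+}, drops 192.168.10.0/24 because ^+ also matches the more specifics, which a bare {192.168.0.0/16} would let through.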
Actions
• Preference & Cost
• Community

Preference & Cost
(Diagram: AS4 connects to AS1 and, over a slow link, to AS3; AS1 and AS3 connect to AS2)
  aut-num: AS4
  import:  from AS1 action pref = 10; accept ANY
  import:  from AS4 action pref = 15; accept ANY
The smaller the number, the higher the preference!

Specifying Actions
• RPSL policy actions
  – set or modify route attributes
  – instruct routers to do special operations
    • route flap dampening
• Which route attributes?
  – RPSL dictionary
  – the dictionary object is not implemented in RIPE Database Version 3

Specifying Actions 2
• Syntax of a policy action
  – x.method(arguments)
  – x "operator" argument
• Terminated by a semicolon ';'
• Composite policy actions possible
  – evaluated left-to-right

Specifying Actions 3
  import: from ... action XXX; accept ...
  export: to ... action XXX; announce ...
Examples of actions:
  med = 0;
  med = igp_cost;
  community.append(NO_EXPORT, 10250, 3561:90);
  community.delete(NO_EXPORT);
  aspath.prepend(AS1, AS1);

Specifying Actions 4
(Diagram: AS4 connects to AS1 and, over a slow link, to AS3; AS1 and AS3 connect to AS2)
  aut-num: AS4
  export:  to AS1 announce AS4
  export:  to AS3 action aspath.prepend(AS4); announce AS4
The smaller the number, the higher the preference!
Choosing a Peering (revisited)
(Diagram: AS1 has routers 1.1 and 2.2; AS2's router 1.1.1.2 peers with 1.1)
  aut-num: AS1
  import:  from AS2 accept AS2
Community Based Policy
(Diagram: AS4 connects to AS1 and, over a slow link, to AS3; AS1 and AS3 connect to AS2)
• AS4 wants AS3561 to prefer the AS1 path
• AS3561 prefers routes in this order:
  – no community
  – with community 3561:90
  – with community 3561:80
  – with community 3561:70

AS3561's Policies

AS4's Policies
(Diagram: AS4 connects to AS1 and, over a slow link, to AS3; AS1 and AS3 connect to AS3561)
  aut-num: AS4
  export:  to AS1 action community.={3561:90};
           to AS3 action community.={3561:80};
           announce AS4

Ambiguity Resolution
• Two or more peering expressions
  – describe the same peering
• Which is used?
• Specification-order rule
  – the first peering specification is always used

Ambiguity Resolution 2
(Diagram: AS1, AS2, AS4, AS5)
  aut-num: AS1
  import:  from AS2 action pref = 2; accept AS4
           from AS2 action pref = 1; accept AS4 OR AS5
• AS2 accepts AS4's routes with pref = 2
• AS2 accepts AS5's routes with pref = 1
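Three of the preceding slides describe behaviour a policy evaluator must reproduce: actions are ';'-separated and evaluated left to right (pref and med assignment, community.append/delete/=, aspath.prepend), AS4 tags its exports with different communities per peer so that AS3561 ranks them, and when two clauses name the same peering the first one whose filter accepts the route decides. The code below is an added example, not from the tutorial or from any router-configuration tool. Filters are modelled as sets of originating ASes (a simplification of the filter language), the prefixes are constructed, and the numeric rank for AS3561's stated preference order is chosen by this example.

```python
"""Apply RPSL actions and the specification-order rule (added example, constructed data)."""
import copy
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Route:
    prefix: str
    origin: str
    as_path: List[str]
    communities: Set[str] = field(default_factory=set)
    pref: Optional[int] = None
    med: Optional[int] = None

@dataclass
class Clause:
    """One 'from|to <peer> action <action> accept|announce <filter>' clause."""
    peer_as: str
    action: str             # e.g. "pref = 2;" or "community.={3561:90};"
    origins: Set[str]       # filter, simplified: routes originated by these ASes

ASSIGN = re.compile(r"^(pref|med)\s*=\s*(\d+)$")
METHOD = re.compile(r"^(community|aspath)\.(append|delete|prepend|=)\s*[({]\s*([^)}]*)[)}]$")

def apply_actions(route: Route, action: str) -> Route:
    """Evaluate ';'-separated actions left to right on a copy of the route.
    Symbolic values such as 'med = igp_cost;' are rejected here."""
    r = copy.deepcopy(route)
    for stmt in (s.strip() for s in action.split(";")):
        if not stmt:
            continue
        m = ASSIGN.match(stmt)
        if m:
            setattr(r, m.group(1), int(m.group(2)))
            continue
        m = METHOD.match(stmt)
        if m is None:
            raise ValueError("unsupported action %r" % stmt)
        obj, op, arglist = m.groups()
        args = [a.strip() for a in arglist.split(",") if a.strip()]
        if obj == "community" and op == "append":
            r.communities |= set(args)
        elif obj == "community" and op == "delete":
            r.communities -= set(args)
        elif obj == "community" and op == "=":
            r.communities = set(args)
        elif obj == "aspath" and op == "prepend":
            r.as_path = args + r.as_path
        else:
            raise ValueError("unsupported action %r" % stmt)
    return r

def evaluate(clauses: List[Clause], peer_as: str, route: Route) -> Optional[Route]:
    """Specification-order rule: the first clause for this peering whose
    filter accepts the route is used; later clauses are not consulted."""
    for clause in clauses:
        if clause.peer_as == peer_as and route.origin in clause.origins:
            return apply_actions(route, clause.action)
    return None                         # no clause accepts the route

# Constructed policies, transcribed from the slides.
AS1_IMPORT = [   # import: from AS2 action pref = 2; accept AS4
                 #         from AS2 action pref = 1; accept AS4 OR AS5
    Clause("AS2", "pref = 2;", {"AS4"}),
    Clause("AS2", "pref = 1;", {"AS4", "AS5"}),
]
AS4_EXPORT = [   # export: to AS1 action community.={3561:90};
                 #         to AS3 action community.={3561:80}; announce AS4
    Clause("AS1", "community.={3561:90};", {"AS4"}),
    Clause("AS3", "community.={3561:80};", {"AS4"}),
]
# AS3561's stated order: no community, then 3561:90, then 3561:80, then 3561:70.
AS3561_ORDER = ["3561:90", "3561:80", "3561:70"]

def as3561_rank(route: Route) -> int:
    """0 is most preferred; the numeric rank is this example's choice."""
    for rank, community in enumerate(AS3561_ORDER, start=1):
        if community in route.communities:
            return rank
    return 0
```

Evaluating AS1_IMPORT shows the rule from the slide: a route from AS4 stops at the first clause (pref = 2) even though the second clause would also accept it, while a route from AS5 falls through to the second clause (pref = 1).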
Set Objects

Set Objects
• Sets of routes, autonomous systems, etc.
  – route-set
  – as-set
  – filter-set
  – peering-set
  – rtr-set
• Specify members
  – directly
  – indirectly

Set Names
• Example: as-customers
• Example: rs-partner

Hierarchical Set Names
• Sequence of set names and AS numbers, separated by ":"
• At least one component must be an actual set name
• All set name components must be of the same type
• Authorization
  – the mntner of AS1 controls AS1:AS-Customers
  – AS1:RS-EXPORT controls AS1:RS-EXPORT:AS2
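The naming rules on this slide, together with the object-name rules, reserved names and reserved prefixes from the RPSL Objects section, can be checked mechanically before an object is submitted. The following is an added example, not from the tutorial or from the RIPE database software: it validates a plain object name, classifies a possibly hierarchical set name by its reserved prefix (rejecting names with no set component or with mixed set types), and returns the parent object whose mntner controls a hierarchical name, as the slide's two authorization examples describe.

```python
"""Validate RPSL object and hierarchical set names (added example)."""
import re
from typing import Optional

# Reserved names and reserved prefixes, as listed on the slides.
RESERVED_NAMES = {
    "any", "as-any", "rs-any", "peeras", "and", "or", "not", "atomic", "from",
    "to", "at", "action", "accept", "announce", "except", "refine", "networks",
    "into", "inbound", "outbound",
}
PREFIX_TYPE = {"as-": "as-set", "rs-": "route-set", "rtrs-": "rtr-set",
               "fltr-": "filter-set", "prng-": "peering-set"}

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")
ASN_RE = re.compile(r"^AS\d+$", re.IGNORECASE)

def valid_object_name(name: str) -> bool:
    """First character alphabetic, '-' or '_' allowed inside, last character a
    letter or digit, and not one of the reserved names (case-insensitive)."""
    return (NAME_RE.match(name) is not None
            and name[-1].isalnum()
            and name.lower() not in RESERVED_NAMES)

def set_type(component: str) -> Optional[str]:
    """Object type implied by a reserved prefix, or None if there is none."""
    lowered = component.lower()
    for prefix, kind in PREFIX_TYPE.items():
        if lowered.startswith(prefix):
            return kind
    return None

def classify_set_name(name: str) -> str:
    """Return the set type of a (possibly hierarchical) set name; raise
    ValueError if the name breaks any rule on the slides."""
    types = set()
    for component in name.split(":"):
        if ASN_RE.match(component):
            continue                                  # AS numbers may be components
        if not valid_object_name(component):
            raise ValueError("invalid component %r in %r" % (component, name))
        kind = set_type(component)
        if kind is None:
            raise ValueError("%r has no reserved set prefix" % component)
        types.add(kind)
    if not types:
        raise ValueError("at least one component of %r must be a set name" % name)
    if len(types) > 1:
        raise ValueError("mixed set types in %r: %s" % (name, sorted(types)))
    return types.pop()

def parent_of(name: str) -> str:
    """The object whose mntner authorises creation of a hierarchical set:
    everything before the last ':' (AS1 for AS1:AS-Customers)."""
    head, sep, _ = name.rpartition(":")
    if not sep:
        raise ValueError("%r is not hierarchical" % name)
    return head
```

Note that as-any and rs-any are both reserved names and would-be set names; the reserved-name check rejects them before the prefix check can accept them.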
Filter-Set Objects

“filter” attribute
• The "filter" attribute defines a policy filter
• A policy filter matches routes
• Any BGP path attribute can be in the filter
  – ANY
  – Address-Prefix Set
  – Route Set Name
  – AS Path Regular Expressions
  – Composite Policy Filters
  – Routing Policy Attributes
  – Filter Set Name

Peering Set Object
• Defines a set of peerings
• Peering set name prefix: prng-
• The peering attribute defines a peering
  – used to import or export routes
• No "members" attribute

Peering-Set Objects 2

Rtr-Set Objects

rtr-set Object Template
  Attribute    Value                                                            Type
  rtr-set      <object-name>                                                    mandatory, single, class key
  members      list of <inet-rtr-names> or <rtr-set-names> or <ipv4-addresses>  optional, multi-valued
  mbrs-by-ref  list of <mntner-names> or ANY                                    optional, multi-valued
Inet-rtr Object

Inet-Rtr Object Template
  Attribute   Value                      Type
  inet-rtr    <dns-name>                 mandatory, single, class key
  alias       <dns-name>                 optional, multi-valued
  local-as    <as-number>                mandatory, single
  ifaddr      interface address          mandatory, multi-valued
  peer        peering information        optional, multi-valued
  member-of   list of <rtr-set-names>    optional, multi-valued

Inet-rtr Object 2
• ifaddr: <ipv4-address> masklen <integer> [action <action>]
• The peer attribute:
    <protocol> <ipv4-address> <options>
  | <protocol> <inet-rtr-name> <options>
  | <protocol> <rtr-set-name> <options>
  | <protocol> <peering-set-name> <options>
• <protocol> is usually BGP
Routing Policy System Security Tuesday, 28 August, 2001 ESI/Network Services Solutions 135
Routing Policy System Security (RPSS) • • • Background as-block mnt-lower mnt-routes referral-by auth-override Tuesday, 28 August, 2001 ESI/Network Services Solutions 136
Routing Policy System Security (RPS-Auth) • RFC-2725 • Data integrity and security in the Internet Routing Registry • One new object – as-block • Four new attributes – – mnt-lower mnt-routes referral-by auth-override Tuesday, 28 August, 2001 ESI/Network Services Solutions 137
New object in RPS-Auth; as-block Tuesday, 28 August, 2001 ESI/Network Services Solutions 138
As-block Object • Used by Regional Internet Registries • Shows the delegation of a range of AS numbers • Controls the creation of aut-num objects – mnt-lower attribute • Also controls creation of more specific as-block objects Tuesday, 28 August, 2001 ESI/Network Services Solutions 139
New attributes in RPS-Auth • • • New attributes increase security mnt-lower mnt-routes referral-by auth-override Tuesday, 28 August, 2001 ESI/Network Services Solutions 140
Mnt-lower Attribute • • Used in as-block, aut-num, inetnum, route objects Points to a mntner object Controls creation of objects underneath root object as-block object: – more specific as-block objects – aut-num objects • aut-num object – hierarchical name objects Tuesday, 28 August, 2001 ESI/Network Services Solutions 141
Mnt-lower Attribute 2 • inetnum object – inetnum objects with more specific address prefixes • route object – route objects with more specific address prefixes Tuesday, 28 August, 2001 ESI/Network Services Solutions 142
As-block Object again Tuesday, 28 August, 2001 ESI/Network Services Solutions 143
RPS-Auth; as-block & mnt-lower Tuesday, 28 August, 2001 ESI/Network Services Solutions 144
Aut-num Object & mnt-lower Tuesday, 28 August, 2001 ESI/Network Services Solutions 145
Inetnum Object & mnt-lower Tuesday, 28 August, 2001 ESI/Network Services Solutions 146
Route Object & mnt-lower Tuesday, 28 August, 2001 ESI/Network Services Solutions 147
Mnt-routes Attribute • • • Used in aut-num, inetnum, route objects Points to a mntner object Does not allow changes to the object where it appears Controls creation of route objects <mnt-name> [ {list of <address-prefix-range>} | ANY Default is ANY == all more specific routes Tuesday, 28 August, 2001 ESI/Network Services Solutions 148
Mnt-routes; Summary
• Aut-num object
  – origin attribute of the route object
  – mnt-routes
  – mnt-by
• Route object
  – exact or less specific match
  – mnt-routes
  – mnt-lower
  – mnt-by
Mnt-routes; Summary 2
• Inetnum object
  – exact or less specific match
  – mnt-routes
  – mnt-lower
  – mnt-by
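To make the mnt-lower and mnt-routes rules of the two summary slides concrete, here is an added Python model of the RPS-Auth check for adding a route object (example code written for this tutorial page, not RIPE or ISI software). The registry objects, maintainer names and the fallthrough when a mnt-routes range list does not cover the new prefix are this example's assumptions.

```python
import ipaddress

# Constructed registry snapshot (not from the slides): RPSL attribute -> list of values.
REGISTRY = [
    {"aut-num": ["AS64500"], "mnt-by": ["MAINT-AS64500"],
     "mnt-routes": ["MAINT-RT-AS64500 {192.0.2.0/24^+, 198.51.100.0/24}"]},
    {"inetnum": ["192.0.2.0 - 192.0.2.255"], "mnt-by": ["MAINT-NIR"], "mnt-lower": ["MAINT-NIR-LOWER"]},
    {"route": ["198.51.100.0/24"], "origin": ["AS64500"], "mnt-by": ["MAINT-AS64500"],
     "mnt-routes": ["MAINT-CUST {198.51.100.128/25^+}"]},
]

def _bounds(obj):
    """(first, last) address of a route (prefix) or inetnum (range) object's primary key."""
    if "inetnum" in obj:
        return tuple(ipaddress.ip_address(x.strip()) for x in obj["inetnum"][0].split("-"))
    net = ipaddress.ip_network(obj["route"][0])
    return net[0], net[-1]

def _closest(registry, key, net):
    """Exact match or closest less specific object of type key covering net, else None."""
    hits = [o for o in registry if key in o and _bounds(o)[0] <= net[0] <= net[-1] <= _bounds(o)[1]]
    return min(hits, key=lambda o: int(_bounds(o)[1]) - int(_bounds(o)[0]), default=None)

def _range_covers(spec, net):
    """RPSL address-prefix-range: bare prefix = exact, ^+ = inclusive, ^- = exclusive more specifics."""
    base, _, op = spec.strip().partition("^")
    parent = ipaddress.ip_network(base)
    return net == parent if not op else net.subnet_of(parent) and (op == "+" or net != parent)

def authorising_mntners(obj, net, use_lower=True):
    """Maintainers that may add a route under obj, in the slides' order: mnt-routes (ANY, the
    default, or a range covering net), else mnt-lower, else mnt-by (fallthrough is an assumption)."""
    applicable = []
    for value in obj.get("mnt-routes", []):
        name, _, ranges = value.partition(" ")
        ranges = ranges.strip()
        if ranges in ("", "ANY") or any(_range_covers(r, net) for r in ranges.strip("{}").split(",")):
            applicable.append(name)
    return applicable or (obj.get("mnt-lower", []) if use_lower else []) or obj.get("mnt-by", [])

def authorize_route_add(registry, prefix, origin, submitter_mntners):
    """RPS-Auth check for adding 'route: prefix' / 'origin: origin': the submitter must pass the
    origin aut-num's check AND that of the covering route object, else the covering inetnum."""
    net = ipaddress.ip_network(prefix)
    autnum = next((o for o in registry if o.get("aut-num") == [origin]), None)
    parent = _closest(registry, "route", net) or _closest(registry, "inetnum", net)
    if autnum is None or parent is None:   # no origin or no covering object: refused (assumption)
        return False
    held = set(submitter_mntners)           # mnt-lower never applies to the aut-num side
    return all(held & set(authorising_mntners(o, net, use_lower=o is parent)) for o in (autnum, parent))
```

Note that holding the aut-num's mnt-by is not enough once a mnt-routes entry applies, which is exactly what lets an AS delegate route registration without giving away control of the aut-num itself.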
Aut-num Object & mnt-routes
Inetnum Object & mnt-routes
This object exists already.
Route Object & mnt-routes
Referral-by
• Refers to the mntner that created a mntner object
• Is never changed after the mntner object is created
• Usually points to the database administrator
Auth-override
• Date after which a mntner can be modified
• Only the mntner in “referral-by” can do this
• Only the mntner in “referral-by” can modify the mntner
• The auth-override attribute is only added if the mntner has been inactive for 60 days
• Value must be >= 60 days from the current date
Extra Object Types in RIPE Database Version 3
Extra Object Types in RIPE DB Version 3
• domain
  – Top Level Domain (TLD) and reverse delegations
  – referral mechanism
• inet6num
  – IPv6 address space object
• key-cert object
  – database public key certificate
• limerick
  – humorous poem, five lines, with rhyming scheme “aabba”
Advanced Features
Advanced Features
• Aggregation
• Static Routes
• Structured Policy
• RAToolSet – RtConfig
Aggregation
Static Routes
Structured Policy
• Example: autonomous system AS1
• AS1 prefers routes with
  – no community
  – community 1:20
  – community 1:10
• AS1 only accepts
  – AS2 routes from AS2
  – AS3 and AS4 routes from AS3
  – the routes of AS5’s customers from AS5
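As an added example (not from the slides), the following Python evaluator models an RPSL structured import policy, where an outer policy is refined by an inner one, instantiated with the AS1 policy just described. The members of AS5's customer set and the rejection of routes carrying only other communities are this example's assumptions.

```python
# A route is a dict {"origin": AS, "communities": set}; a policy is a list of terms
# (peers, route_filter, action) tried in order, like the terms of an RPSL policy expression.

AS5_CUSTOMERS = {"AS6", "AS7"}   # assumed members of AS5's customer as-set

def evaluate(policy, peer, route):
    """Action of the first term that accepts the route from this peer, else None (rejected)."""
    for peers, route_filter, action in policy:
        if (peers == "ANY" or peer in peers) and route_filter(route):
            return dict(action)
    return None

def refine(outer, inner):
    """Evaluator for 'outer refine inner': the route must be accepted at both levels,
    and the inner term's action is applied after (and so overrides) the outer term's."""
    def evaluate_refined(peer, route):
        first, second = evaluate(outer, peer, route), evaluate(inner, peer, route)
        if first is None or second is None:
            return None
        return {**first, **second}
    return evaluate_refined

def has_community(value):
    return lambda route: value in route["communities"]

def origin_in(*ases):
    return lambda route: route["origin"] in ases

# Outer level: preference by community, in the slide's order (RPSL pref: lower value wins).
# A route carrying only other communities matches no term and is rejected; the slide does
# not say what AS1 does with such routes, so that is this example's choice.
PREFERENCE = [
    ("ANY", lambda route: not route["communities"], {"pref": 1}),
    ("ANY", has_community("1:20"), {"pref": 2}),
    ("ANY", has_community("1:10"), {"pref": 3}),
]
# Inner level: which origins AS1 accepts from which peer.
ACCEPTANCE = [
    ({"AS2"}, origin_in("AS2"), {}),
    ({"AS3"}, origin_in("AS3", "AS4"), {}),
    ({"AS5"}, origin_in(*AS5_CUSTOMERS), {}),
]
AS1_IMPORT = refine(PREFERENCE, ACCEPTANCE)
```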
Structured Policy for AS1
Structured Policy for AS3561
AS3561’s Policies
RAToolSet & RtConfig
RAToolSet & RtConfig
• RAToolSet
  – http://www.isi.edu/ra/RAToolSet/
  – a set of policy analysis tools
  – RIPE DB Version 3 supports the query types
• RtConfig
  – a tool that generates vendor-specific router configurations
  – uses the policy data stored in the Internet Routing Registry
  – supports several formats
Using RtConfig
• Register routing policy in the Internet Routing Registry
• Create an RtConfig source file
  – router configuration file
  – replace vendor-specific policy configuration commands with RtConfig commands
• Run RtConfig
  – source file
  – Internet Routing Registry
  – % RtConfig < template > config-file
• Commands beginning with “@RtConfig” are instructions
RAToolSet 2
• Route Object Editor
• Autonomous System Object Editor
• Other tools
  – prtraceroute
Route Object Editor
• Lists routes registered by a provider
• Shows discrepancies
• Shows holes
• Can be used to correct these discrepancies
Route Object Editor (roe) Example
Autonomous System Object Editor (aoe)
Useful Links
• RPSL: http://www.isi.edu/ra/rps/training/
• IRR: http://www.irr.net/
• RIPE: http://www.ripe.net/
  – http://www.ripe.net/rpsl/
  – http://www.ripe.net/ripe/docs/databaseref-manual.html
• RAToolSet
  – http://www.isi.edu/ra/RAToolSet
Acknowledgements
• Cengiz Alaettinoglu – Packet Design Inc.
  – provided the slides from which many of these slides are derived
  – but any errors are the responsibility of Ambrose Magee
• RIPE NCC
  – Joao Luis Silva Damas
  – Andrei Robachevsky
  – Engin Guenduez, Shane Kerr, Vesna Manojlovic
  – Engineering Group
Acknowledgements 2
• Ericsson Services Ireland
  – Network Services Solutions