
RPSL: Police’ing’ the Net



Presentation Transcript


  1. RPSL: Police’ing’ the Net
     Anwar M. Haneef
     Electrical and Computer Engineering, University of Massachusetts, Amherst

  2. RFC-2622: Not the most fun thing to read on a Friday night

  3. Aim of my talk
     • Not to make you expert network managers
     • I want all of you to go back home knowing that you have learnt the BASICS of a new language
     • Prepare you all for the next talk on the practical applications of RPSL

  4. Agenda
     • What is Routing Policy?
     • Why define Routing Policy?
     • BGP Configuration
     • IRR Configuration
     • RPSL – Introduction
     • RPSL – Objects
     • What’s next


  6. What is Routing Policy?
     • Public description of the relationships between external BGP peers
     • Can describe internal BGP peer relationships

  7. Routing Policy
     Unfortunately, Chun gets to do all the really COOL stuff…..
     • Who are the peers
     • What routes are
       • Originated by a peer
       • Imported from each peer
       • Exported to each peer
       • Preferred when multiple routes exist
     • What to do if no route exists

  8. Routing Policy Example
     • AS1 originates route “d”
     • AS1 exports “d” to AS2, AS2 imports
     • AS2 exports “d” to AS3, AS3 imports
     • AS3 exports “d” to AS5, AS5 imports

  9. Routing Policy Example
     • AS5 also imports “d” from AS4
     • Which route does it prefer?

  10. Agenda
      • What is Routing Policy?
      • Why define Routing Policy?
      • BGP Configuration
      • IRR Configuration
      • RPSL – Introduction
      • RPSL – Objects
      • What’s next

  11. Why define a Routing Policy?
      • Documentation
      • Allows automatic generation of router configurations
      • Provides routing security
        • Can the peer originate the route?
        • Can the peer act as transit for the route?
      • Provides a debugging aid
        • Compare policy versus reality
      No one ever does anything for documentation, but it’s good to have it.

  12. Agenda
      • What is Routing Policy?
      • Why define Routing Policy?
      • BGP Configuration
      • IRR Configuration
      • RPSL – Introduction
      • RPSL – Objects
      • What’s next

  13. BGP Configuration
      • Too many routers
      • Too detailed, large & tedious
      • Consistency
      • Heavy consequences of mistakes ?!?!?!

  14. Agenda
      • What is Routing Policy?
      • Why define Routing Policy?
      • BGP Configuration
      • The Internet Routing Registry
      • RPSL – Introduction
      • RPSL – Objects
      • What’s next

  15. IRR – What is it?
      • Database of
        • IP networks,
        • DNS domains,
        • DNS domain contact persons and
        • IP routing policies
      • Data from the IRR may be used by anyone worldwide to help debug, configure, and engineer Internet routing and addressing.
      • Currently, the IRR provides the only mechanism for validating the contents of a BGP session or mapping an AS number to a list of networks.

  16. Internet Routing Registry
      • APNIC, ALTDB, BELLCA, TELSTRA etc.
      • Policy and contact information

  17. Internet Routing Registry
      route:    128.9.0.0/16
      descr:    ISI-NET
      origin:   AS226
      notify:   Prue@isi.edu
      mnt-by:   LN-MAINT-MCI
      changed:  Prue@isi.edu 990420
      source:   CW

  18. Internet Routing Registry
      person:   Walt Prue
      address:  USC/Information Sciences Institute
                4676 Admiralty Way Suite 1000
                Marina del Rey, California
                USA
      phone:    +1 310 822 1511 x89191
      fax-no:   +1 310 823 6714
      e-mail:   Prue@isi.edu
      nic-hdl:  WP8
      notify:   Prue@isi.edu
      mnt-by:   LN-MAINT-MCI
      changed:  Prue@isi.edu 20000222
      source:   CW

  19. BGP Configuration from IRR
      (diagram labels: IRR, RPSL, RtConfig)
      • RPSL: abstract, high-level, per-AS policies
      • IRR: benefit from others’ data & delegation
      • RtConfig: details / tedious aspects automated

  20. Agenda
      • What is Routing Policy?
      • Why define Routing Policy?
      • BGP Configuration
      • IRR Configuration
      • RPSL – Introduction
      • RPSL – Objects
      • What’s next

  21. Meet Mr. RPSL – An Introduction
      • RPSL allows a network operator to specify routing policies at various levels in the Internet hierarchy; for example at the Autonomous System (AS) level
      • At the same time, policies can be specified with sufficient detail in RPSL so that low-level router configurations can be generated from them
      • RPSL is extensible; new routing protocols and new protocol features can be introduced at any time

  22. Meet Mr. RPSL – An Introduction
      • Object-oriented language
      • RPSL is based on RIPE-181, a language used to register routing policies and configurations in the IRR
      • Operational use of RIPE-181 has shown that it is sometimes difficult (or impossible) to express a routing policy which is used in practice
      • RPSL has been developed to address these shortcomings and to provide a language which can be further extended as the need arises
      • RPSL obsoletes RIPE-181

  23. Meet Mr. RPSL – An Introduction
      • RPSL was designed so that a view of the global routing policy can be contained in a single cooperatively maintained distributed database, to improve the integrity of the Internet’s routing
      • RPSL is not designed to be a router configuration language
      • RPSL is designed so that router configurations can be generated from the description of the policy for one autonomous system (aut-num class), combined with the description of a router (inet-rtr class), mainly providing router ID, autonomous system number of the router, interfaces and peers of the router, and combined with a global database of mappings from AS sets to ASes (as-set class), and from origin ASes and route sets to route prefixes (route and route-set classes)
      • The accurate population of the RPSL database can help contribute toward such goals as router configurations that protect against accidental (or malicious) distribution of inaccurate routing information, verification of the Internet’s routing, and aggregation boundaries beyond a single AS

  24. RPSL: Getting to know it
      • RPSL constructs are expressed in one or more database "objects" which are registered in one of the registries
      • Each database object contains some routing policy information and some necessary administrative data
      • When objects are registered in the IRR, they become available for others to query using a whois service
      • Uses RIPE database style (whois) objects

  25. RPSL: Object Representation
      person:   Randy Bush
      address:  RGnet NOC
                5147 Crystal Springs Drive NE
                10361 NE Sasquatch
                Bainbridge Island, WE 98110
                USA
      phone:    +1 206 780 0431 # day time
      fax-no:   +1 206 780 0653
      e-mail:   randy@psg.com
      nic-hdl:  RB366
      remarks:  This object is automatically converted from RIPE181
      mnt-by:   RGNET-MAINT-MCI
      changed:  randy@psg.com 19970614
      source:   MCI

  26. RPSL: Object Representation (annotated)
      The same person object as on the previous slide, with the parts of a line called out: the attribute name (e.g. "phone"), the attribute value ("+1 206 780 0431"), a comment introduced by "#" ("# day time"), and a continuation, where a long value such as the address carries on over the following lines.

  27. Common Attributes for all classes
      descr:    Short free-text description of the object
      remarks:  Free-text comment attribute
      tech-c:   Technical contact nic handles
      admin-c:  Administrative contact nic handles
      notify:   Emails to send notification of changes
      mnt-by:   Maintainer authorized to make changes
      changed:  <email> <date>
      source:   Registry

  28. Agenda
      • What is Routing Policy?
      • Why define Routing Policy?
      • BGP Configuration
      • IRR Configuration
      • RPSL – Introduction
      • RPSL – Objects
      • What’s next

  29. RPSL Classes
      • Person, Role, Maintainer
      • Route
      • Set classes: as-set, route-set
      • Autonomous System

  30. RPSL Classes
      • Person, Role, Maintainer
        • Person and Role objects are for contact information
        • Maintainer objects are for authentication
      • Route
      • Set classes: as-set, route-set
      • Autonomous System

  31. Person Class
      person:   Randy Bush
      address:  RGnet NOC
                5147 Crystal Springs Drive NE
                10361 NE Sasquatch
                Bainbridge Island, WE 98110
                USA
      phone:    +1 206 780 0431 # day time
      fax-no:   +1 206 780 0653
      e-mail:   randy@psg.com
      nic-hdl:  RB366
      remarks:  This object is automatically converted from RIPE181
      mnt-by:   RGNET-MAINT-MCI
      changed:  randy@psg.com 19970614
      source:   MCI
      (Callouts on the slide mark three groups of lines: person class attributes, common attributes, and maintenance.)

  32. Role Class
      role:     RIPE NCC Operations
      address:  Singel 258
                1016 AB Amsterdam
                The Netherlands
      phone:    +31 20 535 4444
      fax-no:   +31 20 545 4445
      e-mail:   ops@ripe.net
      admin-c:  CO19-RIPE
      tech-c:   RW488-RIPE
      tech-c:   JLSD1-RIPE
      nic-hdl:  OPS4-RIPE
      notify:   ops@ripe.net
      changed:  roderik@ripe.net 19970926
      source:   RIPE
      The nic-hdl attributes of the person and role classes share the same name space.

  33. Maintainer Class
      mntner:   MAINT-RGNET
      descr:    RGnet RADB maintainer
      admin-c:  RB366
      tech-c:   RB366
      upd-to:   rw@rg.net
      mnt-nfy:  randy@psg.com
      auth:     PGPKEY-23F5CE3
      mnt-by:   MAINT-RGNET
      changed:  randy@psg.com 19970804
      source:   RADB


  37. Maintainer Class
      The maintainer object defines access control for other objects in the database: an object’s mnt-by attribute names the maintainer whose auth credentials must be presented to change it.
      mntner:   MAINT-RGNET
      descr:    RGnet RADB maintainer
      admin-c:  RB366
      tech-c:   RB366
      upd-to:   rw@rg.net
      mnt-nfy:  randy@psg.com
      auth:     PGPKEY-23F5CE3
      mnt-by:   MAINT-RGNET
      changed:  randy@psg.com 19970804
      source:   RADB

  38. Auth Attribute
      auth: PGPKEY-23F5CE3
      auth: CRYPT-PW lz1A7/JnfkTI
      auth: MAIL-FROM cengiz@isi.edu
      auth: MAIL-FROM .*@canet.ca
      auth: NONE
      (PGPKEY: the update must be PGP-signed with the referenced key; CRYPT-PW: a crypt(3)-hashed password is supplied with the update; MAIL-FROM: the sender address of the update mail must match the regular expression; NONE: no authentication is required.)

  39. RPSL Classes
      • Person, Role, Maintainer
      • Route
        • Specifies the origin AS for a route
        • Can indicate membership of a route set
      • Set classes: as-set, route-set
      • Autonomous System

  40. Route Class
      route:    156.36.0.0/16
      origin:   AS2914
      descr:    my routes
      mnt-by:   MAINT-RGNET
      tech-c:   RB366
      changed:  randy@psg.com 19960829
      source:   RADB
      Policy information: route 156.36.0.0/16 is originated by AS2914.

  41. Inter-AS Routing
      Hmm… looks familiar, doesn’t it?
      • AS1 originates route “d”
      • AS1 exports “d” to AS2, AS2 imports
      • AS2 exports “d” to AS3, AS3 imports
      • AS3 exports “d” to AS5, AS5 imports


  43. Some Notations
      AS Numbers:        AS2914
      Address Prefixes:  156.36.0.0/16
      Route-set Names:   RS-VERIO
      AS-set Names:      AS-VERIO

  44. Rules for Words
      • Words can have - or _ in the middle: RGNET-MAINT-MCI
      • Can have digits: RGNET-MAINT-MCI_1
      • Case insensitive: rgnet-MaInT-MCI

  45. RPSL Classes
      • Person, Role, Maintainer
      • Route
      • Set classes: route-set, as-set
      • Autonomous System

  46. RPSL Classes
      • Person, Role, Maintainer
      • Route
      • Set classes: route-set
        • Collects routes together with similar properties
      • Autonomous System

  47. Route-Set
      route-set:  rs-foo
      members:    128.9.0.0/16, 128.9.0.0/24, 128.8.0.0/16
      descr:      some address prefixes
      mnt-by:     MAINT-RGNET
      tech-c:     RB366
      changed:    randy@psg.com 19960829
      source:     RADB

      route-set:  rs-bar
      members:    128.7.0.0/16, rs-foo

  48. Route Set
      route-set:  RS-BCMI2
      descr:      routes via BCM to be announced to I2
      members:    128.249.0.0/16, 192.31.88.0/24, 192.147.26.0/24
      admin-c:    JCY
      tech-c:     SM346
      mnt-by:     MAINT-AS302
      changed:    smace@intt.org 20000213
      source:     demo

  49. Indirect Members
      route-set:    RS-ANS-IGP_ONLY
      descr:        ANS IGP aggregates
      mbrs-by-ref:  ANY

      route:        207.25.17.0/24
      origin:       AS1675
      member-of:    RS-ANS-IGP_ONLY
      mnt-by:       MNT-ANS

      route:        192.157.69.0/24
      origin:       AS1675
      member-of:    RS-ANS-IGP_ONLY
      mnt-by:       MNT-ANS

  50. Restricted Indirect Members
      route-set:    RS-ANS-IGP_ONLY
      descr:        ANS IGP aggregates
      mbrs-by-ref:  MNT-ANS, MNT-CENGIZ

      route:        207.25.17.0/24
      origin:       AS1675
      member-of:    RS-ANS-IGP_ONLY
      mnt-by:       MNT-ANS

      route:        192.157.69.0/24
      origin:       AS1675
      member-of:    RS-ANS-IGP_ONLY
      mnt-by:       MNT-ANS
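As an added example (not code from the talk, from RFC 2622 or from RtConfig), the following Python resolves a route-set the way slides 44, 47, 49 and 50 describe it: explicit members, nested set names (rs-bar pulling in rs-foo), case-insensitive names, and routes that claim membership through member-of, which count only when mbrs-by-ref is ANY or lists the route's own mnt-by. The mini-registry SAMPLE_DB is constructed from the slides' objects; the maintainer MNT-OTHER on the last route is a hypothetical name chosen so that one claim is rejected.

```python
# Constructed sample modelled on slides 47, 49 and 50 (not a registry dump); the last route's mnt-by is not in mbrs-by-ref.
SAMPLE_DB = """\
route-set: rs-foo
members: 128.9.0.0/16, 128.9.0.0/24, 128.8.0.0/16

route-set: rs-bar
members: 128.7.0.0/16, rs-foo

route-set: RS-ANS-IGP_ONLY
mbrs-by-ref: MNT-ANS, MNT-CENGIZ

route: 207.25.17.0/24
member-of: RS-ANS-IGP_ONLY
mnt-by: MNT-ANS

route: 192.157.69.0/24
member-of: RS-ANS-IGP_ONLY
mnt-by: MNT-OTHER
"""

def parse_rpsl(text):
    """One dict per blank-line-separated object; values are lists because attributes may repeat."""
    objects, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            key, _, value = line.partition(":")
            # '#' starts a comment, as in "phone: ... # day time" on the slides
            cur.setdefault(key.strip().lower(), []).append(value.split("#")[0].strip())
        elif cur:
            objects.append(cur)
            cur = {}
    return objects

def values(obj, attr):
    """Comma-separated RPSL list as a set of upper-cased names (RPSL words are case-insensitive)."""
    return {v.strip().upper() for val in obj.get(attr, []) for v in val.split(",") if v.strip()}

def resolve_route_set(name, objects, seen=frozenset()):
    """Prefixes of a route-set: explicit members, nested sets, and member-of routes authorised by mbrs-by-ref."""
    name, prefixes = name.upper(), set()
    rset = next((o for o in objects if values(o, "route-set") == {name}), None)
    if rset is None or name in seen:      # unknown set, or a reference cycle
        return prefixes
    for item in values(rset, "members"):
        prefixes |= resolve_route_set(item, objects, seen | {name}) if item.startswith("RS-") else {item}
    allowed = values(rset, "mbrs-by-ref")
    for route in (o for o in objects if "route" in o):
        if name in values(route, "member-of") and ("ANY" in allowed or allowed & values(route, "mnt-by")):
            prefixes |= values(route, "route")
    return prefixes
```

With the sample above, RS-ANS-IGP_ONLY resolves to 207.25.17.0/24 only: the second route's member-of claim is ignored because MNT-OTHER is not an authorised maintainer, which is exactly the control that the restricted form of mbrs-by-ref adds over ANY.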
