1 / 89

Sofía Silva Berenguer sofia @ lacnic.net

Sofía Silva Berenguer sofia @ lacnic.net. Internet Exchange Points Workshop. Paramaribo - Surinam. AGENDA. How the Internet Works Intro to BGP IPv4 Exhaustion and IPv6 Deployment Internet Exchange Points How to request Internet Resources Advanced topics Route Hijacking Leaks

borka
Download Presentation

Sofía Silva Berenguer sofia @ lacnic.net

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sofía Silva Berenguersofia@ lacnic.net Internet Exchange Points Workshop Paramaribo - Surinam

  2. AGENDA • How the Internet Works • IntrotoBGP • IPv4ExhaustionandIPv6Deployment • Internet Exchange Points • How torequest Internet Resources • Advancedtopics • RouteHijacking • Leaks • Attacksagainstthepath • Wellknownincidents • SecuringtheRoutingSystem

  3. How the Internet Works

  4. Interconnection of Networks http://prezi.com/agzxt0exlfpk/network-interconnection/

  5. Internet Routing ASN 6057 announces 200.40.0.0/16 The prefix 200.40.0.0/16 is propagated with BGP to the Internet ASN 8158 receives 200.40.0.0/16 Atributos: 200.40.0.0/16 AS_PATH ASN1 ASN3 ASN6057

  6. Transit and Peering • Transit • Traffic and prefixes originating from one AS are carried across an intermediate AS to reach their destination AS • Usually for a fee • Peering • Private interconnect between two ASNs • Usually for no fee

  7. Transit and Peering ASN 65538 ASN 64511 Transit ASN 65536 ASN 65537 Peering

  8. Peering in an Internet Exchange Point (IXP) • Internet Exchange Point • Common interconnect location where several ASNs exchange routing information and traffic ASN 65538 ASN 65536 ASN 65537 ASN 65539

  9. IP address, where they come from? End user Standards Central Registry Distribution * Regional Internet Registries (RIRs) distribute IPv4, IPv6 and Autonomous System Numbers Distribution * Sometimesthedistributionis done throughNational Internet Registries (NIRs) Allocations and Assignments

  10. Regional Internet Registries

  11. Intro to BGP

  12. Border Gateway Protocol • A Routing Protocol used to exchange routing information between different networks • Exterior gateway protocol • Described in RFC4271 • RFC4276 gives an implementation report on BGP • RFC4277 describes operational experiences using BGP • Works on TCP port 179

  13. More about BGP • Learns multiple paths via internal and external BGP speakers – Initial exchange of entire table • Incremental Updates • Picks THE bestpathand installs it in the IP forwarding table – Policies applied by influencing the bestpathselection • Keepalive messages exchanged • Many options for policy enforcement • Classless Inter Domain Routing (CIDR) • Widely used for Internet backbone

  14. Neighbors • BGP speakers • Internal (iBGP) if they are in the same ASN • External (eBGP) if they are in different ASN eBGP iBGP ASN 65538 ASN 65536

  15. Where to use BGP: Stub Network ASN 65536, Transit Provider • Only one exit for customer • Not really need to add BGP ASN 65538, Customer

  16. Multihomed Network Transit Providers ASN 65538 ASN 65539 • Different situations possible • Multiple links to same ISP • Secondary for only backup • Load share between primary and secondary • Selectively use different ISPs • Peering at IXP ASN 65536 ASN 65537 Peering in IXP

  17. Internet Exchange Points

  18. Why peer? • Consider a region with one ISP • It provides internet connectivity to it’s customers • It has one or two international connections • Internet grows, another ISP sets up in competition • They provide internet connectivity to their customers • They have one or two international connections • How does traffic from customer of one ISP get to customer of the other ISP? • Via the international connections

  19. Why peer? (Cont.) Internet ASN 65538 ASN 65536

  20. Why peer? (Cont.) • Yes, international connections… • If satellite, RTT is around 550ms per hop • So local traffic takes over 1s round trip • International bandwidth… • Is much more expensive than domestic bandwidth • Becomes congested with local traffic • Wastes money, harms performance

  21. Why peer? (Cont.) • Solution: • Two competing ISPs peer with each other • Result: • Both save money • Local traffic stays local • Better network performance • More international bandwidth for international traffic

  22. Why peer? (Cont.) Internet ASN 65538 ASN 65536

  23. Why peer? (Cont.) • A third ISP enters the equation • Becomes a significant player in the region • Local and international traffic goes over their international connections • They agree to peer with the two other ISPs • To save money • To keep local traffic local • To improve network performance

  24. Why peer? (Cont.) • Peering means that the three ISPs have to buy circuits between each other • Works for three ISPs, but adding a fourth or a fifth means this does not scale • Solution: • Internet Exchange Point

  25. Why peer? – Non-financial Motivations • Low latency • Control over routing • Redundancy • Aggregation benefits w/peering and Transit at IXP • ISP relationships – be one of the cool kids • Marketing benefits • Network reliability

  26. Internet Exchange Point • Every participant has to buy just one whole circuit • From their premises to the IXP • Rather than N-1 half circuits to connect to the N-1 other ISPs • 5 ISPs have to buy 4 half circuits = 2 whole circuits -> already twice the cost of the IXP connection

  27. Simple Topology • Layer 2 fabric • N^N BGP relations

  28. IXP Design • Each ISP participating in the IXP brings a router to the IXP location • Router needs: • One Ethernet port to connect to IXP switch • One WAN port to connect to the WAN media leading back to the ISP backbone • To be able to run BGP

  29. IXP Design (Cont.) • IXP switch located in one equipment rack dedicated to IXP • Also includes other IXP operational equipment (Management network, TLD DNS, Routing Registry, Looking Glass, etc.) • Optional: Second switch for redundancy • Routers from participant ISPs located in neighbouring/adjacent rack(s) • Copper (UTP) connections made for 10Mbps, 100Mbps or 1Gbps connections • Fibre used for 10Gbs and higher speeds

  30. Peering at an IXP • Each participant need to run BGP • They need their own AS number • Public ASN, NOT private ASN • Each participant configures external BGP with the other participants in the IXP • Peering with all participants Or • Peering with a subset of participants

  31. IXP - Routing • ISP border routers at the IXP generally should NOT be configured with a default route or carry the full Internet routing table • Carrying default or full table means that this router and the ISP network is open to abuse by non-peering IXP members • ISP border routers at the IXP should not be configured to carry the IXP LAN network within the IGP or iBGP • Set BGP next-hop to local router (Cisco IOS next-hop-self)

  32. IP Address Space • Some IXPs use private addresses for the IXP LAN • Public address space means the IXP network can be leaked to the Internet, which could be undesirable • Filtering RFC1918 address space by ISPs is Best Practice; this avoids leakage • Some IXPs use public addresses for the IXP LAN • Address space is available from LACNIC • IXP terms of participation usually forbid carrying the IXP LAN addressing in the ISP backbone

  33. Hardware • The IXP Core is an Ethernet Switch (Mandatory) • Therefore invest in the best and most expandable equipment that its financial circumstances allow • Having 2 switches is good for redundancy if the funds can allow • Route Server (Optional) • Provides ease of configuration for new members • Direct peering between the IXP members can be implemented in the absence of the Route Server

  34. Hardware (Cont.) • Other optional equipment • Web Server (website, monitoring, etc.) • Mail Server (email, mailing list, etc.) • Transit Router (to provide Internet access to the IXP website, email and staff Internet access) • Route Collector (Looking glass which assists IXP members with troubleshooting. It can also be used to collect routes for statistics measurements)

  35. Hardware - Suggestions • Try not to mix port speeds • If 10Mbps and 100Mbps connections available, terminate on different switches • Insist that IXP participants bring their own router • Moves buffering problem off the IXP • Ensures integrity of the IXP • Security is responsibility of the ISP, not the IXP

  36. Location • The location of the IXP is very important. • The IXP location should be neutral and low cost. • In considering the IXP location the following factors should be considered: • Space • Environment Control • Security • Power • Access to terrestrial Infrastructure • Cabling • Support

  37. Recommendations and Best Practices • Only announce your aggregates and your customer aggregates at IXPs • Only accept the aggregates which your peer is entitled to originate • Never carry a default route on an IXP (or private) peering router • Failing to do so leads to route-hijacks and leaks

  38. General Info about IXPs Source:https://prefix.pch.net/applications/ixpdir/summary/ . . . . . .

  39. General Info about IXPs Source: https://prefix.pch.net/applications/ixpdir/?show_active_only=0&sort=traffic&order=desc . . .

  40. General Info about IXPs Source: https://prefix.pch.net/applications/ixpdir/summary/ipv6/

  41. How to request internet resources

  42. Go to https://solicitudes.lacnic.net/ • Or fill out a form and send it in the body of a message to hostmaster@lacnic.net • You can find templates at: http://lacnic.net/templates/ • Once the online request or the form has been processed by the system, the requestor will receive a confirmation email with a ticket number. • After that the hostmasters will analyze the request. • If the request is approved, it may be necessary to pay a fee and to sign the Registration Service Agreement.

  43. Who can request resources? • The person allowed to request resources for an organization is the Administrative POC. • To request resources through the new Requests System you will have to log in using the Administrative POC handle.

  44. Requesting an ASN • In ordertoqualifyforan ASN allocationtheorganizationshouldhave: • A uniqueroutingpolicy, meaning a policythatdiffersfromthatapplied by theupstreamprovider. • Or, a networkwith more thanoneindependentconnectiontothe Internet. (Multi-homedsite) • FromJanuary 1, 2007 toDecember 31, 2010 Lacnicassigned ASN of 16 and 32bits uponrequest. However, sinceJanuary 1, 2011 Lacnicstoppedmakingdistinctionsbetweentheassignmentof 16- and 32-bitAutonomous Systems Numbers (ASNs) andwillonlyassignASNsfrom a general 32-bit pool. Thischangewill be introducedtocomplywiththe Global Policy "Internet AssignedNumbersAuthority (IANA) PolicyforAllocationof ASN Blocksto Regional Internet Registries" adopted in September 2010.

  45. Micro-assignments to Critical Infrastructure • Micro-assignment -> prefixesbetween /24 and /20. • Forprojectsandnetworkinfrastructurethat are keyorcriticalfortheregion, such as IXPs (Internet Exchange Points), NAPs (Network Access Points), RIRs, ccTLDs, amongothers. • IXPsorNAPsmustmeetthefollowingrequirements: • Dulydocumentthefollowingaspects: • Prove by meansoftheirbylawstheir IXP or NAP capacity. Theorganizationshallhave at leastthreemembersandan open policyfortheassociationofnewmembers. • Submit a diagramoftheorganization'snetworkstructure. • Documentthenumbering plan to be implemented. • Provide a utilization plan forthefollowingthreeandsixmonths. • IftheapplicantdoesnotalreadyhaveanIPv6blockassigned by LACNIC, simultaneouslyrequestanIPv6block in accordancewiththecorrespondingapplicablepolicy. • Therestoftheapplicationsshall be studiedbasedontheanalysisofthedocumentationjustifyingthecriticaland/orkeyaspectsoftheproject. • Organizationsreceiving micro-assignmentsshallnotsub-assigntheseIPv4addresses.

  46. Requesting an IPv4 block for ISPs • Toqualifyfortheallocationof a /22 blocktheorgmust: • Proveusageorimmediatenecessityof a /24 • Submit a detailedone-yearusage plan for a /23 • Agreetorenumberfrompreviouslyallocatedspaceandreturnthose IP addressestotheirISPswithin 12 months • IftheapplicantdoesnotalreadyhaveanIPv6blockassigned by LACNIC, simultaneouslyrequestanIPv6block in accordancewiththecorrespondingapplicablepolicy. • For a largerblockadditionalrequirementsapply

  47. Requesting an IPv6 block for ISPs • Toqualifyforaninitialallocationof a /32 blocktheorganizationshould: • Be a LIR (Local Internet Registry), whichmeansbeinganorganizationthatassignsaddressspacesforitsnetworkservicescustomers • Not be anendsite (enduser) • Document a detailed plan fortheservicesandIPv6connectivityto be offeredtootherorganizations (clients) • Announcetheallocatedblock in the Internet inter-domainroutingsystem, withtheminimumpossiblelevelofdisaggregationtotheonethatispublishingthe IP blocks, within a period no longerthan 12 months. • OfferIPv6servicestoclientsphysicallylocatedwithintheregioncovered by LACNIC within a periodnotlongerthan 24 months

  48. More info • Policy Manual • http://www.lacnic.net/web/lacnic/manual • Registration Services • http://www.lacnic.net/web/lacnic/servicios-registro

  49. Advanced topics

  50. Route Hijacking • This occurs when a participant in the Internet Routing announces a prefix for which it has no authority • Malicious or by operational errors • More know cases: • Pakistan Telecom vs. You Tube (2008) • China Telecom (2010) • Google in Eastern Europe (various AS, 2010) • Latin American cases (beginning 2011)

More Related