Thursday, May 30, 2013

Understanding BGP TTL Security

Understanding BGP TTL Security

By stretch | Monday, November 23, 2009 at 8:08 a.m. UTC
By default, IOS sends BGP messages to EBGP neighbors with an IP time-to-live (TTL) of 1. (This can be adjusted with ebgp-multihop attached to the desired neighbor or peer group under BGP configuration.) Sending BGP messages with a TTL of one requires that the peer be directly connected, or the packets will expire in transit. Likewise, a BGP router will only accept incoming BGP messages with a TTL of 1 (or whatever value is specified by ebgp-multihop), which can help mitigate spoofing attacks.
However, there is an inherent vulnerability to this approach: it is trivial for a remote attacker to adjust the TTL of sent packets so that they appear to originating from a directly-connected peer.
ttl-security1.png
By spoofing legitimate-looking packets toward a BGP router at high volume, a denial of service (DoS) attack may be accomplished.
A very simple solution to this, as discussed in RFC 5082, is to invert the direction in which the TTL is counted. The maximum value of the 8-bit TTL field in an IP packet is 255; instead of accepting only packets with a TTL set to 1, we can accept only packets with a TTL of 255 to ensure the originator really is exactly one hop away. This is accomplished on IOS with the TTL security feature, by appending ttl-security hops <count> to the BGP peer statement.
ttl-security2.png
Only BGP messages with an IP TTL greater than or equal to 255 minus the specified hop count will be accepted. TTL security and EBGP multihop are mutually exclusive; ebgp-multihop is no longer needed when TTL security is in use.
Posted by TOF at 12:53 AM
Labels:

Wednesday, May 29, 2013

Sample Configuration for Removing Private AS Numbers in BGP

Introduction

This document shows sample configurations for the removal of private Autonomous System (AS) numbers from outgoing eBGP updates. AS numbers fall under two categories named private and public. Just like private and public IP addresses, you cannot leak the private AS numbers into the internet. Public AS numbers range between 1 and 64511 and the private AS numbers between 64512 and 65535. You can use private AS numbers to divide large ASs into multiple small ASs connected via eBGP. In addition, if you are connected to a single ISP, the ISP can assign private AS numbers in order to conserve public AS numbers. However, you must remove these private AS numbers before you send the updates to the global BGP mesh (Internet).
Note: The assignment of private AS numbers is not recommended if you connect to multiple ISPs. Private AS numbers can be used if the customer network connects to a single ISP (either single homed or dual homed).
Refer to Removing Private Autonomous System Numbers in BGP for more information on private AS numbers.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document applies to these software and hardware versions:
  • Cisco IOS® Software Release 12.2(27)
  • Cisco 2501 and Cisco 2503 routers
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document.

Network Diagram

This document uses a network setup in which Router 3 uses private AS number 65000, and Router 1 and Router 2 use Public AS numbers AS 1 and AS 5 respectively.
Router 2 is in the Service Provider Cloud with Router 1 (running AS 1) and Router 3 (running AS 65000) as its clients.
36-1.gif

Send and Receive Updates

This procedure explains the sequence of events that occur when Router 3 advertises a network (10.0.0.0/24 in this case).
  1. Router 3 advertises the network 10.0.0.0/24 with the AS path attribute 65000 to Router 2.
  2. Router 2 receives the update from Router 3 and makes an entry for the network 10.0.0.0 /24 in its routing table with the next hop as 172.16.0.1 (serial interface S0 on Router 3).
  3. Router 2 (Service Provider Device), when configured with the neighbor 192.168.0.2 remove-private-AS command, strips off the private AS number and constructs a new update packet with its own AS number as the AS path attribute for the 10.0.0.0/24 network and sends the same to Router 1 which is in AS1.
  4. Router 1 receives the eBGP update for the network 10.0.0.0/24 and makes an entry in its routing table with the next hop as 192.168.0.1 (serial interface S1 on Router 2). The AS path attribute for this network as seen on Router 1 is AS 5 (Router 2). Thus, the private AS numbers are prevented from entering the BGP tables of the Internet.

Configurations

This document uses these configurations:
Router 3
Current configuration :
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
!
interface Serial0
 ip address 172.16.0.1 255.255.255.0
!
router bgp 65000
 network 10.0.0.0 mask 255.255.255.0
 neighbor 172.16.0.2 remote-as 5
!--- Configures Router 2 as an eBGP neighbor in public AS 5. 
!
end

Router 2
Current configuration :
!
!
interface Ethernet0
 ip address 172.30.1.1 255.255.0.0
!
interface Serial0
 ip address 172.16.0.2 255.255.255.0
!
interface Serial1
 ip address 192.168.0.1 255.255.255.0
!
router bgp 5
 network 172.30.0.0
 network 192.168.0.0
 neighbor 172.16.0.1 remote-as 65000
!--- Configures Router 3 as an eBGP neighbor in private AS 65000.
 neighbor 192.168.0.2 remote-as 1
!--- Configures Router 1 as an eBGP neighbor in public AS 1. 
 neighbor 192.168.0.2 remove-private-AS
!--- Removes the private AS numbers from outgoing eBGP updates.
!
!
end

Router 1
Current configuration :
!
version 12.2
!
!
interface Serial0
 ip address 192.168.0.2 255.255.255.0
 !
router bgp 1
 neighbor 192.168.0.1 remote-as 5
!--- Configures Router 2 as an eBGP neighbor in public AS 5.
!
end

Autonomous System DOT Format

This example explains how to convert the AS number greater than 65535 to 4-Byte Autonomous System (ASDOT format).
Before ASDOT configuration
Router#show run | beg router 
router bgp 131280
no synchronization 
bgp log-neighbor-changes 
no auto-summary
ASDOT Configuration
Router(config-router)#bgp asnotation dot 
Router(config-router)#end
After configuration
Router#show run | beg router bgp 
router bgp 2.208  <== 
no synchronization 
bgp asnotation dot 
bgp log-neighbor-changes 
no auto-summary !

Verify

This section provides information you can use to confirm your configuration properly works.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
The debug messages taken with the debug ip bgp updates command on Router 1 show that the update for the network 10.0.0.0/24 received from Router 2 (192.68.0.1) has an AS path attribute 5 which is the AS number of Router 2. The show ip bgpcommand on Router 2 and Router 1 also illustrate the same.
Router1#
1w1d: %BGP-5-ADJCHANGE: neighbor 192.168.0.1 Up
1w1d: BGP(0): 192.168.0.1 computing updates, afi 0, 
       neighbor version 0, table version 1, starting at 0.0.0.0
1w1d: BGP(0): 192.168.0.1 update run completed, afi 0, 
       ran for 0ms, neighbor version 0, start version 1, throttled to 1
1w1d: BGP: 192.168.0.1 initial update completed
1w1d: BGP(0): 192.168.0.1 rcvd UPDATE w/ attr: nexthop 
       192.168.0.1, origin i, path 5
1w1d: BGP(0): 192.168.0.1 rcvd 10.0.0.0/24
1w1d: BGP(0): Revise route installing 10.0.0.0/24 -> 192.168.0.1 
      to main IP table
1w1d: BGP(0): 192.168.0.1 computing updates, afi 0, neighbor 
      version 1, table version 2, starting at 0.0.0.0
1w1d: BGP(0): 192.168.0.1 update run completed, afi 0, ran for 0ms,
      neighbor version 1, start version 2, throttled to 2

Router2#show ip bgp
BGP table version is 3, local router ID is 192.168.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network         Next Hop      Metric  LocPrf Weight   Path
 *> 10.0.0.0/24     172.16.0.2         0              0   65000 i
 *> 172.30.0.0      0.0.0.0            0         32768    i
 

Router1#show ip bgp
BGP table version is 19, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network          Next Hop      Metric  LocPrf  Weight  Path
 *> 10.0.0.0/24      192.168.0.1                        0  5 i
 *> 172.30.0.0       192.168.0.1        0               0  5 i
The BGP table of Router 2 shows that network 10.0.0.0 originates from AS 65000. The BGP table of Router 1 shows the same network originates from AS 5. This is because of the neighbor 192.168.0.2 remove-private-as command on Router 2, which strips off the private AS number and prevents private AS numbers from reaching the Internet. For this reason, AS 1 (Router 1) has a consistent view of AS 5 as being the originator of network 10.0.0.0/24.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information

Posted by TOF at 11:25 PM
Labels:

Configuring the BGP Local-AS Feature

Introduction

This document explains the Border Gateway Protocol (BGP) local-AS feature, which was first available in Cisco IOS® Software Release 12.0(5)S.
The local-AS feature allows a router to appear to be a member of a second autonomous system (AS), in addition to its real AS. This feature can only be used for true eBGP peers. You cannot use this feature for two peers that are members of different confederation sub-ASs.

Prerequisites

Requirements

This document requires an understanding of the BGP routing protocol and its operations. Refer to the BGP Case Studies.

Components Used

The information in this document applies to these software and hardware versions.
  • Cisco IOS Software Release 12.2(28)
  • Cisco 2500 Series Routers
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Command Syntax

This list shows the syntax of the commands that the configurations in this document use.
Local-AS cannot be customized for individual peers in a peer group.
Local-AS cannot have the local BGP protocol AS number or the AS number of the remote peer.
The local-as command is valid only if the peer is a true eBGP peer. It does not work for two peers in different sub-ASs in a confederation.
Refer to the BGP Command Reference Guide for additional information on BGP commands.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Background Information

The local-AS feature is useful if ISP-A purchases ISP-B, but ISP-B's customers do not want to modify any peering arrangements or configurations. The local-AS feature allows routers in ISP-B to become members of ISP-A's AS. At the same time, these routers appear to their customers to retain their ISP-B AS number.
In Figure 1, ISP-A has not yet purchased ISP-B. In Figure 2, ISP-A has purchased ISP-B, and ISP-B uses the local-AS feature.
In Figure 2, ISP-B belongs to AS 100, and ISP-C to AS 300. When peering with ISP-C, ISP-B uses AS 200 as its AS number with the use of the neighbor ISP-C local-as 200 command. In updates sent from ISP-B to ISP-C, the AS_SEQUENCE in the AS_PATH attribute contains "200 100". The "200" is prepended by ISP-B due to the local-as 200 command configured for ISP-C.
Normally a combined ISP-A/B renumbers the routers in ISP-B to be part of AS 100. What if ISP-C is unable to change its eBGP configurations with ISP-B? Prior to the local-AS feature, the combined ISP-A/B has to maintain two AS numbers. The local-ascommand allows ISP-A/B to physically be one AS while it appears to be two ASs to ISP-C.

Configure

This section presents you with the information to configure the features this document describes.
Note: In order to find additional information on the commands this document uses, use the Command Lookup Tool (registeredcustomers only) .

Network Diagrams

This document uses these network setups.
Figure 1
39a.gif
Figure 2
39b.gif

Configurations

This document uses these configurations.
ISP-B (AS 100, local-as 200)
hostname ISP-B
! 
interface serial 0 
ip address 192.168.1.1 255.255.255.252 
! 
interface ethernet 0 
ip address 192.168.4.1 255.255.255.0 
! 
router bgp 100 
!--- Note the AS number 100. This is the AS number of ISP-A, which is now
!--- used by all routers in ISP-B after its acquisition by ISP-A.
 neighbor 192.168.1.2 remote-as 300 
!--- Defines the e-BGP connection to ISP-C.
 neighbor 192.168.1.2 local-as 200 
!--- This command makes the remote router in ISP-C to see this
!--- router as belonging to AS 200 instead of AS 100. 
!--- This also make this router to prepend AS 200 in 
!--- all updates to ISP-C.
network 192.168.4.0
! 
!

ISP-C (AS 300)
hostname ISP-C
! 
interface serial 1 
ip address 192.168.1.2 255.255.255.252 
! 
interface ethernet 0 
ip address 192.168.9.1 255.255.255.0 
! 
router bgp 300 
 neighbor 192.168.1.1 remote-as 200
!--- Defines the e-BGP connection to ISP-B.!--- Note AS is 200 and not AS 100. 
 network 192.168.9.0 
! 
!

Verify

This section provides information you can use to confirm your configuration properly works.
Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.
Refer to the BGP Command Reference Guide in order to learn more about the show commands used in this section.
View the BGP routing table to see how the local-as command changed the AS_PATH. What you observe is that ISP-B prepends AS 200 to updates that are sent to and received from ISP-C. In addition, note that ISP-B is in AS number 100.
ISP-B# show ip bgp summary
  BGP router identifier 192.168.4.1, local AS number 100 
  BGP table version is 3, main routing table version 3 
  2 network entries and 2 paths using 266 bytes of memory 
  2 BGP path attribute entries using 104 bytes of memory 
  1 BGP AS-PATH entries using 24 bytes of memory 
  0 BGP route-map cache entries using 0 bytes of memory 
  0 BGP filter-list cache entries using 0 bytes of memory 
  BGP activity 2/6 prefixes, 2/0 paths, scan interval 15  secs 

  Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd 
  192.168.1.2     4   300      29      29        3    0    0 00:25:19       1
In this output, note that ISP-C sees ISP-B as part of AS 200.
ISP-C# show ip bgp summary 
  BGP table version is 3, main routing table version 3 
  2 network entries (2/6 paths) using 480 bytes of memory 
  2 BGP path attribute entries using 192 bytes of memory 
  0 BGP route-map cache entries using 0 bytes of memory 
  0 BGP filter-list cache entries using 0 bytes of memory 

  Neighbor        V    AS MsgRcvd MsgSent  TblVer InQ OutQ   Up/Down  State/PfxRcd 
  192.168.1.1     4   200      34      34       3   0    0  00:30:19   1
Note in this output that ISP-B prepends "200" to the routes learned from ISP-C.
ISP-B# show ip bgp
  BGP table version is 3, local router ID is 192.168.4.1 
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal 
  Origin codes: i - IGP, e - EGP, ? - incomplete 

  Network          Next Hop            Metric LocPrf  Weight   Path 
  *> 192.168.4.0      0.0.0.0               0          32768   i 
  *> 192.168.9.0      192.168.1.2           0              0   200 300 i
Note that ISP-C sees routes from ISP-B with an AS_PATH of "200 100".
ISP-C# show ip bgp 
  BGP table version is 3, local router ID is 192.168.1.2 
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal 
  Origin codes: i - IGP, e - EGP, ? - incomplete 

  Network          Next Hop          Metric LocPrf  Weight Path 
  *> 192.168.4.0      192.168.1.1         0              0 200 100 i 
  *> 192.168.9.0      0.0.0.0             0          32768 i
These commands show the configured local-as values in their output:
ISP-B# show ip bgp neighbors 192.168.1.2
BGP neighbor is 192.168.1.2,  remote AS 300,  local AS 200, external link
  BGP version 4, remote router ID 192.168.9.1
  BGP state = Established, up for 00:22:42
  Last read 00:00:42, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                2          1
    Keepalives:            25         25
    Route Refresh:          0          1
    Total:                 28         28
  Default minimum time between advertisement runs is 30 seconds

! Output Suppressed

Troubleshoot

The debug ip bgp updates command displays the received prefixes with its attributes from the neighbor. This output shows that the prefix 192.168.4.0/24 is received with AS PATH 200, 100.
ISP-C#
*May 10 12:45:14.947: BGP(0): 192.168.1.1 computing updates, afi 0, neighbor ver
sion 0, table version 5, starting at 0.0.0.0
*May 10 12:45:14.947: BGP(0): 192.168.1.1 send UPDATE (format) 192.168.9.0/24, n
ext 192.168.1.2, metric 0, path
*May 10 12:45:14.947: BGP(0): 192.168.1.1 1 updates enqueued (average=52, maximu
m=52)
*May 10 12:45:14.947: BGP(0): 192.168.1.1 update run completed, afi 0, ran for 0
ms, neighbor version 0, start version 5, throttled to 5
*May 10 12:45:14.947: BGP: 192.168.1.1 initial update completed
*May 10 12:45:15.259: BGP(0): 192.168.1.1 rcvd UPDATE w/ attr: nexthop 192.168.1
.1, origin i, metric 0, path 200 100
ISP-C#
*May 10 12:45:15.259: BGP(0): 192.168.1.1 rcvd 192.168.4.0/24
*May 10 12:45:15.279: BGP(0): Revise route installing 192.168.4.0/24 -> 192.168.
1.1 to main IP table
ISP-C#
Posted by TOF at 9:26 PM
Labels:

Sunday, May 26, 2013

OSPF – Understanding the Forwarding Address (FA)

Here I come with the solution for quiz-12, that I consider to be one of the most difficult quiz published on this blog, until now.
The difficultly is given by fact that some LSAs will contain a non-zero FA (Forwarding Address) while others have it set to 0.0.0.0

In the beginning, let’s see why FA (Forwarding Address) exists in the first place. We all know that packets destined to external destinations are routed through the advertising ASBR. According to RFC 2328 (see page 141), there might be situations when this behaviour is not desirable and they introduced the concept of FA in order to avoid extra hops in the path.
Consider the diagram below, where both RT-A and RT-B are connected to RT-X (a partner company), but only RT-A speaks eBGP with partner company (let’s say that RT-B does not have enough memory to run BGP). RT-A redistributes the BGP routes (ex:172.16.10.0/24) into the OSPF domain, thus becoming an ASBR.

Common_problem_without_FA
Without the concept of FA, traffic from RT-B towards those external destinations will go via the ASBR (RT-A), as shown in the traceroute output.
If RT-A set FA = 192.168.1.3, then RT-B would route directly to FA instead of ASBR, as you can see below:

traceroutes_with_and_without_FA

Now, let’s see what are the conditions required to have a non-zero FA. According to Cisco documentation, all of these conditions need to be true:
  • 1. OSPF is enabled on the ASBR’s next hop interface AND
  • 2. ASBR’s next hop interface is non-passive under OSPF AND
  • 3. ASBR’s next hop interface is not point-to-point AND
  • 4. ASBR’s next hop interface is not point-to-multipoint AND
  • 5. ASBR’s next hop interface address falls under the network range specified in the router ospf command
Note the AND logical operator between each condition. An easier way to remember this: next-hop interface must be a broadcast interface that is natively advertised in OSPF. 


Going back to the quiz, we see that both R1 and R2 are ASBR for external destinations (static routes for 172.16.10.0/24 and 172.16.11.0/24). Each of them injects Type-5 LSAs but with different information:
- R1 sets the FA address to R5′s address (192.168.1.5) because all of the above conditions are true !
- R2 sets the FA address to zero (0.0.0.0) because the connection to R6 is a point-to-point interface !

quiz-12
R3 (and all other OSPF routers) receives two external LSAs for same destinations and it choose the best path based on theforwarding metric with the following comparison:
  • for the Type-5 LSA generated by ASBR R1 – with FA = 192.168.1.5 – it looks for the metric to reach the FA (in this case: 3)
  • for the Type-5 LSA generated by ASBR R2 – with FA = 0.0.0.0 – it looks for the metric to reach the ASBR (in this case: 2)
thus, it considers that best path is via ASBR R2. 

Solutions

There are several solutions to this quiz, each with different result, and you may have to consider what do you want to achieve: load balancing on both exit links (R1 and R2) or use only Fast Ethernet exit on R1.
Basically, the idea is to have same behavior on both ASBRs: either both will set a non-zero FA or both set it to 0.0.0.0 

  • on R1, replace the “network 0.0.0.0” under the ospf process with more specific statements (only for internal interfaces)
    This may or may not be useful in certain scenarios when you want to passively advertise connected interfaces. 
    This will break the 1st condition of setting a non-zero FA as mentioned above, so both ASBRs will set 0.0.0.0 as Forwarding Address.
    FA-specific-networkWith this solution you achieve load-balancing over both exit points from router equally far to both R1 and R2 (for example, R3 is equally far from exit points R1 and R2).

  • on R1, make the interface connected to partner router as passive under the ospf process
    This will break the 2nd condition of setting a non-zero FA, so both ASBRs will set 0.0.0.0 as Forwarding Address.
    FA-passive-interfaceYou get the same load-balancing effect from R3.

  • on R2, configure the interface connected to partner router as broadcast OSPF type
    This will make all conditions TRUE, on R2, for setting a non-zero FA.
    FA-serial-as-broadcast
    In this solution, both Type-5 LSAs have a non-zero FA so the best path is chosen based on the forward metric:
    - LSA Type-5 from R1 (FA = 192.168.1.5) has a forward metric of 3
    - LSA Type-5 from R2 (FA = 192.168.2.6) has a forward metric of 66

In case the primary link between R1 and R5 fails, the external destinations are reachable via serial between R2 and R6 – notice the forward metric:
FA-primary-link-down

Of course, there is much more to discuss about Forwarding Address, but this is one of the first article on this subject – more quizzes to follow :-) 

Thank you for your comments and interest in the quiz!
Posted by TOF at 10:53 PM
Labels:
Subscribe to: Posts (Atom)
Related Posts Plugin for WordPress, Blogger...