The number of IPv4 prefixes in the global BGP table is approaching the limit of many Cisco products, such as 7600/6500 RSP720/Sup720 and some ASR1000, which may hold a maximum of ~500K routes in their FIB (the Forwarding Information Base, where only best paths are stored).
These routers can usually handle a bigger load of prefixes, they can also be used to receive the full BGP table from many upstream providers concurrently, but they can’t manage more than 500/512K entries in their RIB or FIB.
I just want to share here a note-to-myself about route-maps and IPv4/IPv6 BGP prefixes matching.
R1 and R2 were BGP speakers, R1 was announcing both IPv4 and IPv6 prefixes to R2 and I wanted to set, let’s say, different weights on those prefixes: weight = 4 to the IPv4 prefix and weight = 6 to the IPv6 prefix. It’s stupid, of course, but it’s just to simplify the real task I had to face. 🙂
In the recent past I have been tasked to block traffic from a LAN segment toward some public websites by blackholing their subnets.
While this approach may be not fully convincing, it is easy to implement and with few impacts on the infrastructure. The real problem is the management overhead it introduces, since websites may change the IP subnet they are run on.
In order to ease this task I wrote a little script which, given a hosts list, resolves IP addresses and gets the most specific subnet they fall on. Public whois databases are used to acquire subnet information: RIPE RIS, TeamCymru IP to ASN Mapping, RIRs databases. Some of them (RIPE RIS and TeamCymru IP-to-ASN) are based on BGP feeds collected around the world, others (RIRs databases) are based on LIRs allocations and assignments; the configuration section of the script allows to set which databases have to be used and how.
The script is written in Linux Bash and uses some basic programs and an optional (but really recommended) Perl addition (implemented in the hsm-utils.pl file).
The programs used by the script are dig (to resolve hostnames in IP addresses), whois (the improved Whois client by Marco D’Itri, to get data from whois databases) and sendmail, alias of exim4 (to send email notifications when subnets change).
The hsm-utils.pl script needs the NetAddr::IP::Lite module, which can be installed using the CPAN installer:
LINUX:~#perl -MCPAN -e shell cpan>install NetAddr::IP::Lite
To be used it just needs the “hosts” file in the working directory (/var/local/hsm by default) containing a list of hosts to be monitored:
LINUX:/var/local/hsm#cat hosts www.facebook.com www.blogspot.com www.youtube.com www.twitter.com
In order to receive email notifications the EMAIL_TO parameter has to be set with a working email address.
Following is an excerpt from the script, I suggest you to read it since it contains some (I think) useful notes and configuration options; in the bottom of this post you may find the link to download it.
##################################################################################
# HOW DOES IT WORK?
# --------------------------------------------------------------------------------
#
# Everything is done in the DATA_DIR directory (default to /var/local/hsm); HSM
# reads a list of hosts to monitor from the 'hosts' file and, for each of them, it
# resolves the IP address and gets its subnet.
#
# In order to identify the subnet, it queries public databases using the whois
# client: it may be configured to use the following sources (see CONFIGURATION):
#
# - RIPE RIS database: http://www.ripe.net/ris/
# - TeamCymru IP to ASN Mapping: http://www.team-cymru.org/Services/ip-to-asn.html
# - general RIRs databases
#
# Subnets are stored in the 'subnets' file; at the end of the execution, if there
# are new subnets HSM notifies them in the output. It also notifies expired
# subnets, that is subnets appeared in the past which seem to be not binded to
# hosts anymore.
#
# Output is written to the 'output' file; you may let HSM to send the output by
# email too.
#
# The script may be scheduled to be run periodically through the crontab file.
##################################################################################
# REQUIREMENTS AND DEPENDENCIES
# --------------------------------------------------------------------------------
#
# dig Used to resolve hostnames
#
# whois I used the improved Whois client by Marco D'Itri:
# http://www.linux.it/~md/software/
#
# sendmail Used as alias of exim4; optional, only if EMAIL_TO is set
#
# awk, grep, Some basic utilities
# tail, sed
#
# Highly Recommended:
#
# Perl with NetAddr::IP::Lite module, in order to execute the hsm-utils.pl script.
# Please see CHANGE LOG & KNOWN ISSUES and USEHSMUTILS in the CONFIGURATION
# section for more details about it.
#
# Developed and tested under Debian GNU/Linux 4.0 (Etch).
##################################################################################
# CHANGE LOG & KNOWN ISSUES
# --------------------------------------------------------------------------------
#
# Date Ver. Note
# 2010-11-15 0.1 First release
#
# If you configure HSM to not use the hsm-utils.pl script (see CONFIGURATION for
# more details) you have to consider the following issues:
#
# - subnets are stored as they appear on the whois output; that is
# "192.168.0.0/24" is different from "192.168.0.0 - 192.168.0.255". This may lead
# to a wrong behaviour when the same IP address is queried against a whois
# database which returns information in a format different from the previous one.
#
# - when GENERAL whois is used, or when GETLONGESTMATCH = 1, there are no
# guarantees that the more specific subnet is choosen among those returned.
##################################################################################
# CONFIGURATION
# --------------------------------------------------------------------------------
# USEHSMUTILS
# ------------------------------------
# If USEHSMUTILS = 1 then HSM uses the hsm-utils.pl file.
# It is a Perl script which implements some functions
# performing subnets normalization and selection. It is
# needed to solve some issues reported in the CHANGE LOG
# & KNOWN ISSUES section. If you can't run a Perl script
# or you prefer to avoid it you may set USEHSMUTILS to 0.
USEHSMUTILS=1
HSMUTILSPATH=`dirname $0`/hsm-utils.pl
# DATA_DIR
# ------------------------------------
# Where files are stored:
# - the file containing the input hosts list ('hosts')
# - one file for each IP address resolved by hostnames
# - the subnets file ('subnets'), where subnets information are stored
# - the output file ('output')
# - temporary files
# No trailing slash.
DATA_DIR=/var/local/hsm
# USECACHE and CACHE_TIME
# ------------------------------------
# If USECACHE = 1 then IP addresses resolved by hostnames
# are checked against whois databases only if they were
# checked before CACHE_TIME days ago.
USECACHE=1
CACHE_TIME=3
# DNS_QUERIES
# ------------------------------------
# HSM sends this number of DNS queries in order to resolve
# hostnames IP addresses. It may be useful to discover IP
# address of hostnames with round-robin records.
DNS_QUERIES=3
# SUBNET_EXPIRY
# ------------------------------------
# When a subnet is not seen for more than SUBNET_EXPIRY days
# it is removed from the subnets file and a notification
# is written in the output.
SUBNET_EXPIRY=15
# WHOIS_LIST and GETLONGESTMATCH
# ------------------------------------
# WHOIS_LIST contains a list of sources to be used to get
# subnets information from IP addresses.
# The following sources are allowed:
# TEAMCYMRU, RIPERIS, GENERAL.
# Sources are used in the order they appear in the list.
# If GETLONGESTMATCH = 0, as soon as HSM succeds to obtain
# the subnet it stops searching.
# If a source is not working properly it uses the next one.
# If GETLONGESTMATCH = 1 HSM grabs results from all the
# listed sources, then uses the most specific one.
WHOIS_LIST="RIPERIS TEAMCYMRU GENERAL"
GETLONGESTMATCH=1
# EMAIL
# ------------------------------------
# Set EMAIL_TO with your email address if you want the output
# to be sent by email. The other parameters are optional.
EMAIL_TO=
EMAIL_FROM=
EMAIL_SUBJECT=
Here you can download the script – Licensed under the terms of the GNU General Public License.
To run it:
LINUX:/usr/local/bin#tar -xf hsm.tar # extract it LINUX:/usr/local/bin#nano hsm # do your configuration LINUX:/usr/local/bin#nano /var/local/hsm/hosts # edit hosts you want to monitor LINUX:/usr/local/bin#./hsm # run it
You may also schedule it using crontab:
LINUX:/usr/local/bin#cat /etc/crontab # /etc/crontab: system-wide crontab SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 53 22 * * * root /usr/local/bin/hsm #
Any feedback, comment or suggestion is appreciated! 🙂
Such as IPv4 addresses, 2-byte pool of Autonomous System (AS) Numbers is going to be exhausted soon. By the time I’m writing, it seems Internet will run out of 16-bit AS Number on 26-Sep-2012. To prevent this situation, IANA extended the AS Number field to 32 bits and, on 2007, RIRs started assigning them… or, at least, to offer them!
Of course, in order to let 4-byte ASN to work properly, a little adjustement was needed in the BGP protocol. Enter RFC 4893, BGP Support for Four-octet AS Number Space.
In this post I don’t want to cover the mechanisms of this protocol extension, if you want to understand them I please you to follow some links in the References section; I prefer to show some interactions between OLD 2-byte ASN and NEW 4-byte ASN BGP speakers. I built a little GNS3/Dynamips lab using a couple of 7200s with IOS 12.2(33)SRE as NEW speakers, and a couple of 3640s as OLD peers.
In the topology every router announces any subnet to the others; BGP peering sessions follow the physical topology. Green ASs support 4-byte AS, while gray do not.
For the sake of readibility I’ll use asdot notation in this post, with the exception of some configuration blocks where I’ll use asplain just to show both notation usage.
I also uploaded two packet captures on PacketLife.net: they show BGP UPDATES with and without the NEW_AS_PATH attributes. They are 4-byte_AS_numbers_Full_Support.cap and 4-byte_AS_numbers_Mixed_Scenario.cap.
Router A is on AS 10.1 / 655361 (asdot / asplain notation):
A#sh run | sec bgp router bgp 655361 no synchronization bgp log-neighbor-changes network 10.0.0.0 neighbor 172.16.3.2 remote-as 2 no auto-summary B#sh run | sec bgp router bgp 2 no synchronization bgp log-neighbor-changes network 20.0.0.0 neighbor 172.16.3.1 remote-as 23456 no auto-summary
As you can see, on router B neighbor statement we can’t use the real ASN to peer with A, so we have to use the AS_TRANS (23456). Let’s wait until our sessions come up, then show BGP neighbors and tables:
A#sh ip bgp neighbors 172.16.3.2
BGP neighbor is 172.16.3.2, remote AS 2, external link
BGP version 4, remote router ID 20.0.0.1
BGP state = Established, up for 00:00:27
Last read 00:00:27, last write 00:00:27, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised
Address family IPv4 Unicast: advertised and received
Multisession Capability: advertised
...
Please note the Four-octets ASN Capability: advertised line: A advertised this capability but did not receive it back from B.
A#sh ip bgp | beg Network Network Next Hop Metric LocPrf Weight Path *> 10.0.0.0 0.0.0.0 0 32768 i *> 20.0.0.0 172.16.3.2 0 0 2 i
As expected, A receives the B‘s route but…
B#sh ip bgp | beg Network Network Next Hop Metric LocPrf Weight Path *> 10.0.0.0 172.16.3.1 0 0 23456 i *> 20.0.0.0 0.0.0.0 0 32768 i
… B only sees A‘s subnet as from AS_TRANS (23456).
This is because B does not support 4-byte ASN, and router A knows this (capabilities exchange during session setup), so it just sends AS_PATH attributes containing the 16-bit AS_TRANS in place of the real 32-bit AS number.
You can find a similar UPDATE on the first capture I sent on PacketLife.net (4-byte_AS_numbers_Mixed_Scenario.cap), packet number 2.
Let’s setup the BGP session between routers A and D; they both support 4-byte ASN.
A#sh run | sec bgp router bgp 655361 no synchronization bgp log-neighbor-changes network 10.0.0.0 neighbor 172.16.1.2 remote-as 2621441 neighbor 172.16.3.2 remote-as 2 no auto-summary D#sh run | sec bgp router bgp 2621441 no synchronization bgp log-neighbor-changes network 40.0.0.0 neighbor 172.16.1.1 remote-as 655361 no auto-summary
When sessions come up…
A#sh ip bgp neighbors 172.16.1.2
BGP neighbor is 172.16.1.2, remote AS 40.1, external link
BGP version 4, remote router ID 40.0.0.1
BGP state = Established, up for 00:04:04
Last read 00:00:46, last write 00:00:53, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is multisession capable
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Multisession Capability: advertised and received
...
Here A both sent and received the 4-byte ASN capability to/by B, because it supports this feature.
A#sh ip bgp | beg Network Network Next Hop Metric LocPrf Weight Path *> 10.0.0.0 0.0.0.0 0 32768 i *> 20.0.0.0 172.16.3.2 0 0 2 i *> 40.0.0.0 172.16.1.2 0 0 2621441 i D#sh ip bgp | beg Network Network Next Hop Metric LocPrf Weight Path *> 10.0.0.0 172.16.1.1 0 0 655361 i *> 20.0.0.0 172.16.1.1 0 655361 2 i *> 40.0.0.0 0.0.0.0 0 32768 i
Both A and D have subnets with the full 32-bit AS number.
You can see the capture on the file 4-byte_AS_numbers_Full_Support.cap on PacketLife.net.
As I already said, let’s switch to asdot notation now, just to improve readibility:
D#conf t Enter configuration commands, one per line. End with CNTL/Z. D(config)#router bgp 40.1 D(config-router)#bgp asnotation dot D(config-router)#do show ip bgp | beg Network Network Next Hop Metric LocPrf Weight Path *> 10.0.0.0 172.16.1.1 0 0 10.1 i *> 20.0.0.0 172.16.1.1 0 10.1 2 i *> 40.0.0.0 0.0.0.0 0 32768 i A#conf t Enter configuration commands, one per line. End with CNTL/Z. A(config)#router bgp 10.1 A(config-router)#bgp asnotation dot
Ok, 10.1 is better than 655361, and 40.1 than 2621441!! 🙂
Let’s have more fun now and bring D-B session up!
D(config-router)#neighbor 172.16.2.1 remote-as 2 B(config-router)#neighbor 172.16.2.2 remote-as 23456
As we already saw, B doesn’t support 4-byte ASN, so we have to use AS_TRANS to peer with D.
D#show ip bgp | beg Network Network Next Hop Metric LocPrf Weight Path * 10.0.0.0 172.16.2.1 0 2 10.1 i *> 172.16.1.1 0 0 10.1 i *> 20.0.0.0 172.16.2.1 0 0 2 i * 172.16.1.1 0 10.1 2 i *> 40.0.0.0 0.0.0.0 0 32768 i
The interesting thing we can see now on D is the presence of A‘s subnet (10.0.0.0) advertised by B: even if B does not support 4-octect ASN, D receives it with the real 32-bit path. When A advertises the subnet to B it makes the AS_PATH attribute up using AS_TRANS, but it also adds the transitive attribute NEW_AS_PATH, containing the full 32-bit AS numbers; when B advertises the subnet to D it adds this attribute and so D can rebuild the real 32-bit path.
As before, you can find a similar UPDATE on the capture I sent on PacketLife.net; the file is 4-byte_AS_numbers_Mixed_Scenario.cap, packet number 3.
Another interesting aspect of 4-byte AS lack of support can be seen in the following table:
B#sh ip bgp | beg Network Network Next Hop Metric LocPrf Weight Path * 10.0.0.0 172.16.2.2 0 23456 23456 i *> 172.16.3.1 0 0 23456 i *> 20.0.0.0 0.0.0.0 0 32768 i *> 40.0.0.0 172.16.2.2 0 0 23456 i * 172.16.3.1 0 23456 23456 i
Here B has two entries for the 10.0.0.0 subnet: they both seem to be originated from the same AS, but that’s not true: the first comes from D (AS 40.1), while the second (the selected one) comes directly from A.
Similar behaviour is for the 40.0.0.0 subnet. Of course, this is not a really big problem, but may lead to false assumptions and compromise traffic patterns analysis.
Just to complete all the possible scenarios, here is C configuration:
B#conf t Enter configuration commands, one per line. End with CNTL/Z. B(config)#router bgp 2 B(config-router)#neighbor 172.16.4.2 remote-as 3 C#sh run | sec bgp router bgp 3 no synchronization bgp log-neighbor-changes network 30.0.0.0 neighbor 172.16.4.1 remote-as 2 no auto-summary C#sh ip bgp | beg Network Network Next Hop Metric LocPrf Weight Path *> 10.0.0.0 172.16.4.1 0 2 23456 i *> 20.0.0.0 172.16.4.1 0 0 2 i *> 30.0.0.0 0.0.0.0 0 32768 i *> 40.0.0.0 172.16.4.1 0 2 23456 i
It has no idea of what 4-byte ASN are, so it sees both 10.0.0.0 and 40.0.0.0 subnets as originated from the same AS.
I have to say thanks to Marco Rizzi for his kind support on helping me to build this lab! 😉 And, of course, I suggest you to visit his blog: Marco Rizzi Blog – networking with passion!!!
To download the lab and configuration files click here.
Report on consumption of AS Numbers: http://www.potaroo.net/tools/asns/
BGP Support for Four-octet AS Number Space: RFC 4893
APRICOT 2007: 4-Byte AS Numbers (PDF)
Cisco.com: Migration Guide for Explaining 4-Byte Autonomous System
Cisco.com: Cisco IOS BGP 4-Byte ASN Support
Cisco.com: Explaining 4-Byte Autonomous System (AS) ASPLAIN and ASDOT Notation for Cisco IOS
What do you do if someone knocks at your door, you see him through the peephole, and you notice he has a black cowl, a crowbar and a big bag? I’m quite sure: you do not open that door! Why? Because, sometimes, the gown does make the friar! And, actually, he’s really not a friar!
Same thing should happen in a network! If you know a packet is a bad packet, why should you let it go through?
In this (stupid) example bad packets are those coming from or going toward bogon IP addresses, that is, addresses picked up from unallocated or private (so, not routable) address spaces. As you know, there are many subnets used only for private addressing (RFC 1918), other are reserved (RFC 3330), and few subnets are still not allocated by IANA… so, if your router is sending or receiving a packet to/from one of these addresses, there is something you should be concerned about (of course, some restrictions may apply!)