summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7948.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc7948.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc7948.txt')
-rw-r--r--doc/rfc/rfc7948.txt843
1 files changed, 843 insertions, 0 deletions
diff --git a/doc/rfc/rfc7948.txt b/doc/rfc/rfc7948.txt
new file mode 100644
index 0000000..1c7ac20
--- /dev/null
+++ b/doc/rfc/rfc7948.txt
@@ -0,0 +1,843 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) N. Hilliard
+Request for Comments: 7948 INEX
+Category: Informational E. Jasinska
+ISSN: 2070-1721 BigWave IT
+ R. Raszuk
+ Bloomberg LP
+ N. Bakker
+ Akamai Technologies B.V.
+ September 2016
+
+
+ Internet Exchange BGP Route Server Operations
+
+Abstract
+
+ The popularity of Internet Exchange Points (IXPs) brings new
+ challenges to interconnecting networks. While bilateral External BGP
+ (EBGP) sessions between exchange participants were historically the
+ most common means of exchanging reachability information over an IXP,
+ the overhead associated with this interconnection method causes
+ serious operational and administrative scaling problems for IXP
+ participants.
+
+ Multilateral interconnection using Internet route servers can
+ dramatically reduce the administrative and operational overhead
+ associated with connecting to IXPs; in some cases, route servers are
+ used by IXP participants as their preferred means of exchanging
+ routing information.
+
+ This document describes operational considerations for multilateral
+ interconnections at IXPs.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7948.
+
+
+
+
+Hilliard, et al. Informational [Page 1]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+Copyright Notice
+
+ Copyright (c) 2016 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3
+ 2. Bilateral BGP Sessions . . . . . . . . . . . . . . . . . . . 3
+ 3. Multilateral Interconnection . . . . . . . . . . . . . . . . 4
+ 4. Operational Considerations for Route Server Installations . . 6
+ 4.1. Path Hiding . . . . . . . . . . . . . . . . . . . . . . . 6
+ 4.2. Route Server Scaling . . . . . . . . . . . . . . . . . . 6
+ 4.2.1. Tackling Scaling Issues . . . . . . . . . . . . . . . 7
+ 4.2.1.1. View Merging and Decomposition . . . . . . . . . 7
+ 4.2.1.2. Destination Splitting . . . . . . . . . . . . . . 8
+ 4.2.1.3. NEXT_HOP Resolution . . . . . . . . . . . . . . . 8
+ 4.3. Prefix Leakage Mitigation . . . . . . . . . . . . . . . . 8
+ 4.4. Route Server Redundancy . . . . . . . . . . . . . . . . . 9
+ 4.5. AS_PATH Consistency Check . . . . . . . . . . . . . . . . 9
+ 4.6. Export Routing Policies . . . . . . . . . . . . . . . . . 10
+ 4.6.1. BGP Communities . . . . . . . . . . . . . . . . . . . 10
+ 4.6.2. Internet Routing Registries . . . . . . . . . . . . . 10
+ 4.6.3. Client-Accessible Databases . . . . . . . . . . . . . 10
+ 4.7. Layer 2 Reachability Problems . . . . . . . . . . . . . . 11
+ 4.8. BGP NEXT_HOP Hijacking . . . . . . . . . . . . . . . . . 11
+ 4.9. BGP Operations and Security . . . . . . . . . . . . . . . 13
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13
+ 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 6.1. Normative References . . . . . . . . . . . . . . . . . . 13
+ 6.2. Informative References . . . . . . . . . . . . . . . . . 14
+ Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 15
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
+
+
+
+
+
+
+
+Hilliard, et al. Informational [Page 2]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+1. Introduction
+
+ Internet Exchange Points (IXPs) provide IP data interconnection
+ facilities for their participants, using data link-layer protocols
+ such as Ethernet. The Border Gateway Protocol (BGP) [RFC4271] is
+ normally used to facilitate exchange of network reachability
+ information over these media.
+
+ As bilateral interconnection between IXP participants requires
+ operational and administrative overhead, BGP route servers [RFC7947]
+ are often deployed by IXP operators to provide a simple and
+ convenient means of interconnecting IXP participants with each other.
+ A route server redistributes BGP routes received from its BGP clients
+ to other clients according to a prespecified policy, and it can be
+ viewed as similar to an EBGP equivalent of an Internal BGP (IBGP)
+ [RFC4456] route reflector.
+
+ Route servers at IXPs require careful management, and it is important
+ for route server operators to thoroughly understand both how they
+ work and what their limitations are. In this document, we discuss
+ several issues of operational relevance to route server operators and
+ provide recommendations to help route server operators provision a
+ reliable interconnection service.
+
+1.1. Notational Conventions
+
+ The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ [RFC2119].
+
+ The phrase "BGP route" in this document should be interpreted as the
+ term "Route" described in [RFC4271].
+
+2. Bilateral BGP Sessions
+
+ Bilateral interconnection is a method of interconnecting routers
+ using individual BGP sessions between each pair of participant
+ routers on an IXP, in order to exchange reachability information. If
+ an IXP participant wishes to implement an open interconnection policy
+ -- i.e., a policy of interconnecting with as many other IXP
+ participants as possible -- it is necessary for the participant to
+ liaise with each of their intended interconnection partners.
+ Interconnection can then be implemented bilaterally by configuring a
+ BGP session on both participants' routers to exchange network
+ reachability information. If each exchange participant interconnects
+ with each other participant, a full mesh of BGP sessions is needed,
+ as shown in Figure 1.
+
+
+
+Hilliard, et al. Informational [Page 3]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+ ___ ___
+ / \ / \
+ ..| AS1 |..| AS2 |..
+ : \___/____\___/ :
+ : | \ / | :
+ : | \ / | :
+ : IXP | \/ | :
+ : | /\ | :
+ : | / \ | :
+ : _|_/____\_|_ :
+ : / \ / \ :
+ ..| AS3 |..| AS4 |..
+ \___/ \___/
+
+ Figure 1: Full-Mesh Interconnection at an IXP
+
+ Figure 1 depicts an IXP platform with four connected routers,
+ administered by four separate exchange participants, each of them
+ with a locally unique Autonomous System (AS) number: AS1, AS2, AS3,
+ and AS4. The lines between the routers depict BGP sessions; the
+ dotted edge represents the IXP border. Each of these four
+ participants wishes to exchange traffic with all other participants;
+ this is accomplished by configuring a full mesh of BGP sessions on
+ each router connected to the exchange, resulting in six BGP sessions
+ across the IXP fabric.
+
+ The number of BGP sessions at an exchange has an upper bound of
+ n*(n-1)/2, where n is the number of routers at the exchange. As many
+ exchanges have large numbers of participating networks, the amount of
+ administrative and operation overhead required to implement an open
+ interconnection scales quadratically. New participants to an IXP
+ require significant initial resourcing in order to gain value from
+ their IXP connection, while existing exchange participants need to
+ commit ongoing resources in order to benefit from interconnecting
+ with these new participants.
+
+3. Multilateral Interconnection
+
+ Multilateral interconnection is implemented using a route server
+ configured to distribute BGP routes among client routers. The route
+ server preserves the BGP NEXT_HOP attribute from all received BGP
+ routes and passes them with unchanged NEXT_HOP to its route server
+ clients according to its configured routing policy, as described in
+ [RFC7947]. Using this method of exchanging BGP routes, an IXP
+ participant router can receive an aggregated list of BGP routes from
+ all other route server clients using a single BGP session to the
+ route server instead of depending on BGP sessions with each router at
+ the exchange. This reduces the overall number of BGP sessions at an
+
+
+
+Hilliard, et al. Informational [Page 4]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+ Internet exchange from n*(n-1)/2 to n, where n is the number of
+ routers at the exchange.
+
+ Although a route server uses BGP to exchange reachability information
+ with each of its clients, it does not forward traffic itself and is
+ therefore not a router.
+
+ In practical terms, this allows dense interconnection between IXP
+ participants with low administrative overhead and significantly
+ simpler and smaller router configurations. In particular, new IXP
+ participants benefit from immediate and extensive interconnection,
+ while existing route server participants receive reachability
+ information from these new participants without necessarily having to
+ modify their configurations.
+
+ ___ ___
+ / \ / \
+ ..| AS1 |..| AS2 |..
+ : \___/ \___/ :
+ : \ / :
+ : \ / :
+ : \__/ :
+ : IXP / \ :
+ : | RS | :
+ : \____/ :
+ : / \ :
+ : / \ :
+ : __/ \__ :
+ : / \ / \ :
+ ..| AS3 |..| AS4 |..
+ \___/ \___/
+
+ Figure 2: IXP-Based Interconnection with Route Server
+
+ As illustrated in Figure 2, each router on the IXP fabric requires
+ only a single BGP session to the route server, from which it can
+ receive reachability information for all other routers on the IXP
+ that also connect to the route server.
+
+ Multilateral and bilateral interconnections between different
+ autonomous systems are not exclusive to each other, and it is not
+ unusual to have both sorts of sessions configured in parallel at an
+ IXP. This configuration will lead to additional paths being
+ available to the BGP Decision Process, which will calculate a best
+ path as normal.
+
+
+
+
+
+
+Hilliard, et al. Informational [Page 5]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+4. Operational Considerations for Route Server Installations
+
+4.1. Path Hiding
+
+ "Path hiding" is a term used in [RFC7947] to describe the process
+ whereby a route server may mask individual paths by applying
+ conflicting routing policies to its Loc-RIB. When this happens,
+ route server clients receive incomplete information from the route
+ server about network reachability.
+
+ There are several approaches that may be used to mitigate against the
+ effect of path hiding; these are described in [RFC7947]. However,
+ the only method that does not require explicit support from the route
+ server client is for the route server itself to maintain an
+ individual Loc-RIB for each client that is the subject of conflicting
+ routing policies.
+
+4.2. Route Server Scaling
+
+ While deployment of multiple Loc-RIBs on the route server presents a
+ simple way to avoid the path-hiding problem noted in Section 4.1,
+ this approach requires significantly more computing resources on the
+ route server than where a single Loc-RIB is deployed for all clients.
+ As the BGP Decision Process [RFC4271] must be applied to all Loc-RIBs
+ deployed on the route server, both CPU and memory requirements on the
+ host computer scale approximately according to O(P * N), where P is
+ the total number of unique paths received by the route server, and N
+ is the number of route server clients that require a unique Loc-RIB.
+ As this is a super-linear scaling relationship, large route servers
+ may derive benefit from deploying per-client Loc-RIBs only where they
+ are required.
+
+ Regardless of whether any Loc-RIB optimization technique is
+ implemented, the route server's theoretical upper-bound network
+ bandwidth requirements will scale according to O(P_tot * N), where
+ P_tot is the total number of unique paths received by the route
+ server, and N is the total number of route server clients. In the
+ case where P_avg (the arithmetic mean number of unique paths received
+ per route server client) remains roughly constant even as the number
+ of connected clients increases, the total number of prefixes will
+ equal the average number of prefixes multiplied by the number of
+ clients. Symbolically, this can be written as P_tot = P_avg * N. If
+ we assume that in the worst case, each prefix is associated with a
+ different set of BGP path attributes, so must be transmitted
+ individually, the network bandwidth scaling function can be rewritten
+ as O((P_avg * N) * N) or O(N^2). This quadratic upper bound on the
+ network traffic requirements indicates that the route server model
+ may not scale well for larger numbers of clients.
+
+
+
+Hilliard, et al. Informational [Page 6]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+ In practice, most prefixes will be associated with a limited number
+ of BGP path attribute sets, allowing more efficient transmission of
+ BGP routes from the route server than the theoretical analysis
+ suggests. In the analysis above, P_tot will increase monotonically
+ according to the number of clients, but it will have an upper limit
+ of the size of the full default-free routing table of the network in
+ which the IXP is located. Observations from production route servers
+ have shown that most route server clients generally avoid using
+ custom routing policies, and consequently, the route server may not
+ need to deploy per-client Loc-RIBs. These practical bounds reduce
+ the theoretical worst-case scaling scenario to the point where route
+ server deployments are manageable even on larger IXPs.
+
+4.2.1. Tackling Scaling Issues
+
+ The problem of scaling route servers still presents serious practical
+ challenges and requires careful attention. Scaling analysis
+ indicates problems in three key areas: route processor CPU overhead
+ associated with BGP Decision Process calculations, the memory
+ requirements for handling many different BGP path entries, and the
+ network traffic bandwidth required to distribute these BGP routes
+ from the route server to each route server client.
+
+4.2.1.1. View Merging and Decomposition
+
+ View merging and decomposition, outlined in [RS-ARCH], describes a
+ method of optimizing memory and CPU requirements where multiple route
+ server clients are subject to exactly the same routing policies. In
+ this situation, multiple Loc-RIB views can be merged into a single
+ view.
+
+ There are several variations of this approach. If the route server
+ operator has prior knowledge of interconnection relationships between
+ route server clients, then the operator may configure separate
+ Loc-RIBs only for route server clients with unique routing policies.
+ As this approach requires prior knowledge of interconnection
+ relationships, the route server operator must depend on each client
+ sharing their interconnection policies either in an internal
+ provisioning database controlled by the operator or in an external
+ data store such as an Internet Routing Registry Database.
+
+ Conversely, the route server implementation itself may implement
+ internal view decomposition by creating virtual Loc-RIBs based on a
+ single in-memory master Loc-RIB, with delta differences for each
+ prefix subject to different routing policies. This allows a more
+ fine-grained and flexible approach to the problem of Loc-RIB scaling,
+ at the expense of requiring a more complex in-memory Loc-RIB
+ structure.
+
+
+
+Hilliard, et al. Informational [Page 7]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+ Whatever method of view merging and decomposition is chosen on a
+ route server, pathological edge cases can be created whereby they
+ will scale no better than fully non-optimized per-client Loc-RIBs.
+ However, as most route server clients connect to a route server for
+ the purposes of reducing overhead, rather than implementing complex
+ per-client routing policies, edge cases tend not to arise in
+ practice.
+
+4.2.1.2. Destination Splitting
+
+ Destination splitting, also described in [RS-ARCH], describes a
+ method for route server clients to connect to multiple route servers
+ and to send non-overlapping sets of prefixes to each route server.
+ As each route server computes the best path for its own set of
+ prefixes, the quadratic scaling requirement operates on multiple
+ smaller sets of prefixes. This reduces the overall computational and
+ memory requirements for managing multiple Loc-RIBs and performing the
+ best-path calculation on each.
+
+ In practice, the route server operator would need all route server
+ clients to send a full set of BGP routes to each route server. The
+ route server operator could then selectively filter these prefixes
+ for each route server by using either BGP Outbound Route Filtering
+ [RFC5291] or inbound prefix filters configured on client BGP
+ sessions.
+
+4.2.1.3. NEXT_HOP Resolution
+
+ As route servers are usually deployed at IXPs where all connected
+ routers are on the same Layer 2 broadcast domain, recursive
+ resolution of the NEXT_HOP attribute is generally not required and
+ can be replaced by a simple check to ensure that the NEXT_HOP value
+ for each received BGP route is a network address on the IXP LAN's IP
+ address range.
+
+4.3. Prefix Leakage Mitigation
+
+ Prefix leakage occurs when a BGP client unintentionally distributes
+ BGP routes to one or more neighboring BGP routers. Prefix leakage of
+ this form to a route server can cause serious connectivity problems
+ at an IXP if each route server client is configured to accept all BGP
+ routes from the route server. It is therefore RECOMMENDED when
+ deploying route servers that, due to the potential for collateral
+ damage caused by BGP route leakage, route server operators deploy
+ prefix leakage mitigation measures in order to prevent unintentional
+ prefix announcements or else limit the scale of any such leak.
+ Although not foolproof, per-client inbound prefix limits can restrict
+ the damage caused by prefix leakage in many cases. Per-client
+
+
+
+Hilliard, et al. Informational [Page 8]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+ inbound prefix filtering on the route server is a more deterministic
+ and usually more reliable means of preventing prefix leakage but
+ requires more administrative resources to maintain properly.
+
+ If a route server operator implements per-client inbound prefix
+ filtering, then it is RECOMMENDED that the operator also builds in
+ mechanisms to automatically compare the Adj-RIB-In received from each
+ client with the inbound prefix lists configured for those clients.
+ Naturally, it is the responsibility of the route server client to
+ ensure that their stated prefix list is compatible with what they
+ announce to an IXP route server. However, many network operators do
+ not carefully manage their published routing policies, and it is not
+ uncommon to see significant variation between the two sets of
+ prefixes. Route server operator visibility into this discrepancy can
+ provide significant advantages to both operator and client.
+
+4.4. Route Server Redundancy
+
+ As the purpose of an IXP route server implementation is to provide a
+ reliable reachability brokerage service, it is RECOMMENDED that
+ exchange operators who implement route server systems provision
+ multiple route servers on each shared Layer 2 domain. There is no
+ requirement to use the same BGP implementation or operating system
+ for each route server on the IXP fabric; however, it is RECOMMENDED
+ that where an operator provisions more than a single server on the
+ same shared Layer 2 domain, each route server implementation be
+ configured equivalently and in such a manner that the path
+ reachability information from each system is identical.
+
+4.5. AS_PATH Consistency Check
+
+ [RFC4271] requires that every BGP speaker that advertises a BGP route
+ to another external BGP speaker prepends its own AS number as the
+ last element of the AS_PATH sequence. Therefore, the leftmost AS in
+ an AS_PATH attribute should be equal to the AS number of the BGP
+ speaker that sent the BGP route.
+
+ As [RFC7947] suggests that route servers should not modify the
+ AS_PATH attribute, a consistency check on the AS_PATH of a BGP route
+ received by a route server client would normally fail. It is
+ therefore RECOMMENDED that route server clients disable the AS_PATH
+ consistency check towards the route server.
+
+
+
+
+
+
+
+
+
+Hilliard, et al. Informational [Page 9]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+4.6. Export Routing Policies
+
+ Policy filtering is commonly implemented on route servers to provide
+ prefix distribution control mechanisms for route server clients. A
+ route server "export" policy is a policy that affects prefixes sent
+ from the route server to a route server client. Several different
+ strategies are commonly used for implementing route server export
+ policies.
+
+4.6.1. BGP Communities
+
+ Prefixes sent to the route server are tagged with specific standard
+ BGP Communities [RFC1997] or Extended Communities [RFC4360]
+ attributes, based on predefined values agreed between the operator
+ and all clients. Based on these Communities values, BGP routes may
+ be propagated to all other clients, a subset of clients, or none.
+ This mechanism allows route server clients to instruct the route
+ server to implement per-client export routing policies.
+
+ As both standard BGP Communities and Extended Communities values are
+ restricted to 6 octets or fewer, it is not possible for both the
+ global and local administrator fields in the BGP Communities value to
+ fit a 4-octet AS number. Bearing this in mind, the route server
+ operator SHOULD take care to ensure that the predefined BGP
+ Communities values mechanism used on their route server is compatible
+ with 4-octet AS numbers [RFC6793].
+
+4.6.2. Internet Routing Registries
+
+ Internet Routing Registry databases (IRRDBs) may be used by route
+ server operators to construct per-client routing policies. "Routing
+ Policy Specification Language (RPSL)" [RFC2622] provides a
+ comprehensive grammar for describing interconnection relationships,
+ and several toolsets exist that can be used to translate RPSL policy
+ description into route server configurations.
+
+4.6.3. Client-Accessible Databases
+
+ Should the route server operator not wish to use either BGP
+ Communities or the public IRRDBs for implementing client export
+ policies, they may implement their own routing policy database system
+ for managing their clients' requirements. A database of this form
+ SHOULD allow a route server client operator to update their routing
+ policy and provide a mechanism for allowing the client to specify
+ whether they wish to exchange all their prefixes with any other route
+ server client. Optionally, the implementation may allow a client to
+ specify unique routing policies for individual prefixes over which
+ they have routing policy control.
+
+
+
+Hilliard, et al. Informational [Page 10]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+4.7. Layer 2 Reachability Problems
+
+ Layer 2 reachability problems on an IXP can cause serious operational
+ problems for IXP participants that depend on route servers for
+ interconnection. Ethernet switch forwarding bugs have occasionally
+ been observed to cause non-transitive reachability. For example,
+ given a route server and two IXP participants, A and B, if the two
+ participants can reach the route server but cannot reach each other,
+ then traffic between the participants may be dropped until such time
+ as the Layer 2 forwarding problem is resolved. This situation does
+ not tend to occur in bilateral interconnection arrangements, as the
+ routing control path between the two hosts is usually (but not
+ always, due to IXP inter-switch connectivity load-balancing
+ algorithms) the same as the data path between them.
+
+ Problems of this form can be partially mitigated by using
+ Bidirectional Forwarding Detection (BFD) [RFC5881]. However, as this
+ is a bilateral protocol configured between routers, and as there is
+ currently no protocol to automatically configure BFD sessions between
+ route server clients, BFD does not currently provide an optimal means
+ of handling the problem. Even if automatic BFD session configuration
+ were possible, practical problems would remain. If two IXP route
+ server clients were configured to run BFD between each other and the
+ protocol detected a non-transitive loss of reachability between them,
+ each of those routers would internally mark the other's prefixes as
+ unreachable via the BGP path announced by the route server. As the
+ route server only propagates a single best path to each client, this
+ could cause either sub-optimal routing or complete connectivity loss
+ if there were no alternative paths learned from other BGP sessions.
+
+4.8. BGP NEXT_HOP Hijacking
+
+ Item 2 in Section 5.1.3 of [RFC4271] allows EBGP speakers to change
+ the NEXT_HOP address of a received BGP route to be a different
+ Internet address on the same subnet. This is the mechanism that
+ allows route servers to operate on a shared Layer 2 IXP network.
+ However, the mechanism can be abused by route server clients to
+ redirect traffic for their prefixes to other IXP participant routers.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hilliard, et al. Informational [Page 11]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+ ____
+ / \
+ | AS99 |
+ \____/
+ / \
+ / \
+ __/ \__
+ / \ / \
+ ..| AS1 |..| AS2 |..
+ : \___/ \___/ :
+ : \ / :
+ : \ / :
+ : \__/ :
+ : IXP / \ :
+ : | RS | :
+ : \____/ :
+ : :
+ ....................
+
+ Figure 3: BGP NEXT_HOP Hijacking Using a Route Server
+
+ For example, in Figure 3, if AS1 and AS2 both announce BGP routes for
+ AS99 to the route server, AS1 could set the NEXT_HOP address for
+ AS99's routes to be the address of AS2's router, thereby diverting
+ traffic for AS99 via AS2. This may override the routing policies of
+ AS99 and AS2.
+
+ Worse still, if the route server operator does not use inbound prefix
+ filtering, AS1 could announce any arbitrary prefix to the route
+ server with a NEXT_HOP address of any other IXP participant. This
+ could be used as a denial-of-service mechanism against either the
+ users of the address space being announced by illicitly diverting
+ their traffic or the other IXP participant by overloading their
+ network with traffic that would not normally be sent there.
+
+ This problem is not specific to route servers, and it can also be
+ implemented using bilateral BGP sessions. However, the potential
+ damage is amplified by route servers because a single BGP session can
+ be used to affect many networks simultaneously.
+
+ Because route server clients cannot easily implement next-hop policy
+ checks against route server BGP sessions, route server operators
+ SHOULD check that the BGP NEXT_HOP attribute for BGP routes received
+ from a route server client matches the interface address of the
+ client. If the route server receives a BGP route where these
+ addresses are different and where the announcing route server client
+ is in a different AS to the route server client that uses the next-
+ hop address, the BGP route SHOULD be dropped. Permitting next-hop
+
+
+
+Hilliard, et al. Informational [Page 12]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+ rewriting for the same AS allows an organization with multiple
+ connections into an IXP configured with different IP addresses to
+ direct traffic off the IXP infrastructure through any of their
+ connections for traffic engineering or other purposes.
+
+4.9. BGP Operations and Security
+
+ BGP route servers SHOULD be configured and operated in compliance
+ with [RFC7454] with the exception of Section 11, "BGP Community
+ Scrubbing", which may not necessarily apply on a route server,
+ depending on the route server operator policy.
+
+5. Security Considerations
+
+ On route server installations that do not employ path-hiding
+ mitigation techniques, the path-hiding problem outlined in
+ Section 4.1 could be used by an IXP participant to prevent the route
+ server from sending any BGP routes for a particular prefix to other
+ route server clients, even if there was a valid path to that
+ destination via another route server client.
+
+ If the route server operator does not implement prefix leakage
+ mitigation as described in Section 4.3, it is trivial for route
+ server clients to implement denial-of-service attacks against
+ arbitrary Internet networks by leaking BGP routes to a route server.
+
+ Route server installations SHOULD be secured against BGP NEXT_HOP
+ hijacking, as described in Section 4.8.
+
+6. References
+
+6.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC7947] Jasinska, E., Hilliard, N., Raszuk, R., and N. Bakker,
+ "Internet Exchange BGP Route Server", RFC 7947,
+ DOI 10.17487/RFC7947, September 2016,
+ <http://www.rfc-editor.org/info/rfc7947>.
+
+
+
+
+
+
+
+
+
+Hilliard, et al. Informational [Page 13]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+6.2. Informative References
+
+ [RFC1997] Chandra, R., Traina, P., and T. Li, "BGP Communities
+ Attribute", RFC 1997, DOI 10.17487/RFC1997, August 1996,
+ <http://www.rfc-editor.org/info/rfc1997>.
+
+ [RFC2622] Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D.,
+ Meyer, D., Bates, T., Karrenberg, D., and M. Terpstra,
+ "Routing Policy Specification Language (RPSL)", RFC 2622,
+ DOI 10.17487/RFC2622, June 1999,
+ <http://www.rfc-editor.org/info/rfc2622>.
+
+ [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
+ Border Gateway Protocol 4 (BGP-4)", RFC 4271,
+ DOI 10.17487/RFC4271, January 2006,
+ <http://www.rfc-editor.org/info/rfc4271>.
+
+ [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended
+ Communities Attribute", RFC 4360, DOI 10.17487/RFC4360,
+ February 2006, <http://www.rfc-editor.org/info/rfc4360>.
+
+ [RFC4456] Bates, T., Chen, E., and R. Chandra, "BGP Route
+ Reflection: An Alternative to Full Mesh Internal BGP
+ (IBGP)", RFC 4456, DOI 10.17487/RFC4456, April 2006,
+ <http://www.rfc-editor.org/info/rfc4456>.
+
+ [RFC5291] Chen, E. and Y. Rekhter, "Outbound Route Filtering
+ Capability for BGP-4", RFC 5291, DOI 10.17487/RFC5291,
+ August 2008, <http://www.rfc-editor.org/info/rfc5291>.
+
+ [RFC5881] Katz, D. and D. Ward, "Bidirectional Forwarding Detection
+ (BFD) for IPv4 and IPv6 (Single Hop)", RFC 5881,
+ DOI 10.17487/RFC5881, June 2010,
+ <http://www.rfc-editor.org/info/rfc5881>.
+
+ [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet
+ Autonomous System (AS) Number Space", RFC 6793,
+ DOI 10.17487/RFC6793, December 2012,
+ <http://www.rfc-editor.org/info/rfc6793>.
+
+ [RFC7454] Durand, J., Pepelnjak, I., and G. Doering, "BGP Operations
+ and Security", BCP 194, RFC 7454, DOI 10.17487/RFC7454,
+ February 2015, <http://www.rfc-editor.org/info/rfc7454>.
+
+ [RS-ARCH] Govindan, R., Alaettinoglu, C., Varadhan, K., and D.
+ Estrin, "A Route Server Architecture for Inter-Domain
+ Routing", 1995,
+ <http://www.cs.usc.edu/assets/003/83191.pdf>.
+
+
+
+Hilliard, et al. Informational [Page 14]
+
+RFC 7948 IXP BGP Route Server Operations September 2016
+
+
+Acknowledgments
+
+ The authors would like to thank Chris Hall, Ryan Bickhart, Steven
+ Bakker, and Eduardo Ascenco Reis for their valuable input.
+
+Authors' Addresses
+
+ Nick Hilliard
+ INEX
+ 4027 Kingswood Road
+ Dublin 24
+ Ireland
+
+ Email: nick@inex.ie
+
+
+ Elisa Jasinska
+ BigWave IT
+ ul. Skawinska 27/7
+ Krakow, MP 31-066
+ Poland
+
+ Email: elisa@bigwaveit.org
+
+
+ Robert Raszuk
+ Bloomberg LP
+ 731 Lexington Ave.
+ New York, NY 10022
+ United States of America
+
+ Email: robert@raszuk.net
+
+
+ Niels Bakker
+ Akamai Technologies B.V.
+ Kingsfordweg 151
+ Amsterdam 1043 GR
+ Netherlands
+
+ Email: nbakker@akamai.com
+
+
+
+
+
+
+
+
+
+
+Hilliard, et al. Informational [Page 15]
+