BGP Multiple Origin AS MOAS Conflict Analysis

About This Presentation

Title:

BGP Multiple Origin AS MOAS Conflict Analysis

Description:

BGP Multiple Origin AS (MOAS) Conflict Analysis. Xiaoliang Zhao, NCSU. S. Felix Wu, UC Davis. Allison Mankin, Dan Massey, USC/ISI. Dan Pei, Lan Wang, Lixia Zhang, UCLA ... – PowerPoint PPT presentation

Number of Views:64

Avg rating:3.0/5.0

Slides: 18

Provided by: xzh81

Category:

more less

Transcript and Presenter's Notes

Title: BGP Multiple Origin AS MOAS Conflict Analysis

1
BGP Multiple Origin AS (MOAS) Conflict Analysis

Xiaoliang Zhao, NCSU
S. Felix Wu, UC Davis
Allison Mankin, Dan Massey, USC/ISI
Dan Pei, Lan Wang, Lixia Zhang, UCLA
NANOG-23, October 23, 2001

2
Definition of MOAS

BGP routes include a prefix and AS path
Example 131.179.0.0/16, Path 4513, 11422,
11422, 52
Origin AS the last AS in the path
In the above example AS 52 originated the path
advertisement for prefix 131.179/16
Multiple Origin AS (MOAS) the same prefix
announced by more than one origin AS

3
Example MOAS Conflicts
128.9.0.0/16 nets
AS 4
AS 226
MOAS conflict !
AS X
AS Z
AS Y
Valid MOAS case 128.9/16 reachable either way
Invalid MOAS case 128.9/16 reachable one way but
not the other
4
Talk Outline

Measurement data shows that MOAS exists
Some MOAS cases caused by faults
Some MOAS cases due to operational need
Important to distinguish the two
proposed solutions

5
Measurement Data Collection

Data collected from the Oregon Route Views
Peers with gt50 routers from gt40 different ASes.
Our analysis uses data 11/08/97?07/18/01
(1279 days total)
More than 38000 MOAS conflicts observed during
this time period
At a given moment,
The Route Views server observed 1364 MOAS
conflicts
The views from 3 individual ISPs showed 30, 12
and 228 MOAS conflicts

6
MOAS Conflicts Do Exist
Max 10226 (9177 from a single AS)
Max 11842 (11357 from a single AS)
7
Histogram of MOAS Conflict Lifetime
of MOAS conflicts
Total of days a prefix experienced MOAS conflict
8
Distribution of MOAS Conflicts over Prefix Lengths
ratio of MOAS entries over total routing
entries for the same prefix length
9
Valid Causes of MOAS Conflicts
Multi-homing without BGP
Private AS number Substitution
128.9/16 Path 226
128.9/16 Path 11422,4
131.179/16 Path X
131.179/16 PathY
AS 226
AS Y
AS X
AS 11422
131.179/16 Path 64512
Static route or IGP route
128.9/16 Path 4
AS 64512
AS 4
128.9/16
131.179/16
10
Invalid Causes of MOAS Conflicts

Operational faults led to large spikes of MOAS
conflicts
04/07/1998 one AS originated 12593 prefixes, out
of which 11357 were MOAS conflicts
04/10/2001 another AS originated 9180 prefixes,
out of which 9177 were MOAS conflicts
Falsely originated routes
Errors
Intentional traffic hijacking

11
Handling MOAS Conflicts

RFC 1930 recommends each prefix be originated
from a single AS
Todays routing practice leads to MOAS in normal
operations
We must tell valid MOAS cases from invalid ones
Proposal 1 using BGP community attribute
Proposal 2 DNS-based solution

12
BGP-Based Solution

Define a new community attribute
Listing all the ASes allowed to originate a
prefix
Attach this MOAS community-attribute to BGP route
announcement
Enable BGP routers to detect faults and attacks
At least in most cases, we hope!

13
Comm. Attribute Implementation Example
AS58
18.0.0.0/8
AS52
AS59
Example configuration
router bgp 59 neighbor 1.2.3.4 remote-as 52
neighbor 1.2.3.4 send-community neighbor
1.2.3.4 route-map setcommunity out route-map
setcommunity match ip address 18.0.0.0/8 set
community 59MOAS 58MOAS additive
14
Implementation Considerations

Quickly and incrementally deployable
Generating MOAS community attribute
configuration changes only
Detecting un-validated MOAS or a MOAS-CA
conflict
Short term observable from monitoring platforms
Longer term adding into BGP update processing
But community attributes may be dropped by a
transit AS due to local configurations or
policies
time to fix the handling of community attributes?

15
Another Proposal DNS-based Solution