Securing Internet routing infrastructure has been a hot topic for a long time, as hijack events occur again and again, either by mistake or on purpose. Operators use different techniques to validate BGP announcements. I will try to explain how to create an IP/AS prefix-list by pulling information from a RIR database, in our case RIPE, using Python. But first, let's take a look at other methods in Part 1:
RPKI
Probably the best way to prevent BGP/IP hijacks is to use the RPKI infrastructure, which is a PKI framework (trust anchor mechanism). Unfortunately, the method needs legitimate AS/IP owners to register their resources. Needless to say, no one is registering their resources, and as a result the method is still not applicable. As of 21.01.2015, the validation state for all IPv4 prefixes is only 5.59%. You can check validation states at http://rpki.surfnet.nl/ipcomp.html.
RPSL
Since RPKI is not applicable, we need another way to validate BGP announcements, and this is where IRR RPSL database entries come into play. RPSL is a language commonly used by ISPs to describe their routing policies. ISPs can store their routing policies either on their own servers or in open public whois databases including RIPE, RADB, APNIC etc. RIPE (the RIR for Europe) transformed its database to RPSL format in 2001. Example entries in the RIPE database are:
as-set:    AS-FUNET
descr:     Macro with all ASes exported by FUNET
members:   AS1741
members:   AS1739
members:   AS565
members:   AS15496
members:   AS30754
members:   AS39098
members:   AS39857
members:   AS39662
tech-c:    FH437-RIPE
admin-c:   FA1183-RIPE
mnt-by:    AS1741-MNT
source:    RIPE # Filtered

As-set object, which was created by FUNET and includes their members.

aut-num:   AS5400
as-name:   BT
descr:     British Telecommunications plc
org:       ORG-CNS3-RIPE
import:    from AS1741 action pref=20; accept AS-FUNET

British Telecom's RPSL entry, which accepts the information in the AS-FUNET as-set entry.

route-set: AS4763:RS-ROUTES:AS681
descr:     prefix filter for AS681
members:   130.216.0.0/16, 130.217.0.0/16,
           132.181.0.0/16,
           138.75.0.0/16, 139.80.0.0/16,
           140.200.0.0/16,
           156.62.0.0/16, 192.73.21.0/24
tech-c:    JA39
mnt-by:    MAINT-TELSTRA-NZ
changed:   jabley@patho.gen.nz 19991118
source:    RADB

Route-set sample.
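As an added example (not code from the original post or from any of the tools it lists), the following Python parses RPSL objects like the ones above, including continuation lines and `#` comments, then turns a route-set into Junos `set` commands and an exact-match check for an announced prefix. The sample text is constructed from the objects above (shortened); the function names and the restriction to plain IPv4 members are assumptions of this example.

```python
import ipaddress

# Constructed sample: the as-set and route-set above, shortened, as whois text.
SAMPLE = """\
as-set:    AS-FUNET
descr:     Macro with all ASes exported by
           FUNET
members:   AS1741
members:   AS1739, AS565
source:    RIPE # Filtered

route-set: AS4763:RS-ROUTES:AS681
members:   130.216.0.0/16, 130.217.0.0/16,
           132.181.0.0/16
members:   192.73.21.0/24
source:    RADB
"""

def parse_rpsl(text):
    """Return a list of objects, each a list of (attribute, value) pairs."""
    objects, current = [], []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last object
        if not raw.strip():                       # blank line ends an object
            if current:
                objects.append(current)
            current = []
            continue
        line = raw.split("#", 1)[0].rstrip()      # drop end-of-line comments
        if raw[0] == "%" or not line:             # server remarks, comment-only lines
            continue
        if raw[0] in " \t+" and current:          # continuation of the previous value
            name, value = current[-1]
            current[-1] = (name, f"{value} {line[1:].strip()}".strip())
        else:
            name, _, value = line.partition(":")
            current.append((name.strip().lower(), value.strip()))
    return objects

def members(obj):
    """Flatten every 'members:' attribute of an as-set or route-set."""
    return [m.strip() for n, v in obj if n == "members"
            for m in v.split(",") if m.strip()]

def route_set_filter(text, set_name):
    """Prefixes of the named route-set; plain IPv4 prefixes only (assumption)."""
    for obj in parse_rpsl(text):
        if obj[0] == ("route-set", set_name):
            return sorted(ipaddress.IPv4Network(m) for m in members(obj))
    raise KeyError(set_name)

def junos_prefix_list(name, nets):
    return [f"set policy-options prefix-list {name} {n}" for n in nets]

def accepts(nets, announced):
    """Exact match, as a plain prefix-list does; more-specifics are rejected."""
    return ipaddress.IPv4Network(announced) in nets
```

`IPv4Network` raises `ValueError` on a member that is not a clean prefix (host bits set, a nested set name, or a range operator), so a malformed registry entry stops the build instead of silently widening the filter.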
Using these databases, it is possible to get information about AS-SETs, AS entries, route objects etc. We know that RPKI validation states are really low, so what about the RPSL entries? Unfortunately, Internet Routing Registries are not that accurate either. A BGPmon analysis done in 2010 shows that only 46% of the global routing table entries have a matching route-object.
If you want to update a BGP import policy automatically, then you should force the owner of the facing AS to update their IRR entries (route-objects, as-sets…). Some providers are also very strict about IRR usage, so why shouldn't you be?
Getting Info From RIR Databases
Tools
There are many great ready-to-use tools that do the whois queries behind the scenes, some of which are:
- IRR Toolset
- IRR Power Tools
- Net::IRR
- Bgpq3
- Md
- P2BGPTool
Let's take a look at one of these tools, namely Bgpq3, before writing our own Python script:
Bgpq3 Installation and Usage
Download the compressed bgpq3 file from http://snar.spb.ru/prog/bgpq3/, then extract and install it (the steps below are for Ubuntu):
admin@ubuntu:~# wget http://snar.spb.ru/prog/bgpq3/bgpq3-0.1.21.tgz
admin@ubuntu:~# tar -xvzf bgpq3-0.1.21.tgz
admin@ubuntu:~# cd bgpq3-0.1.21/
admin@ubuntu:~/bgpq3-0.1.21# ./configure
admin@ubuntu:~/bgpq3-0.1.21# sudo make && sudo make install
After installing, we can create a prefix-list from the command line using the tool. Below is a sample for creating a Junos prefix-list for the as-set AS-FUNET:
Command-line tools are definitely useful, but if you want to use data from command-line output in a Python script, you need to parse that data. There are better ways, which you can continue reading about in Part 2.