
Classic articles on BGP routing policy (2)

2008-02-26 20:26
BGP routing policies in ISP networks, IEEE Network Magazine 2005

1 Ways to configure local policy

There are three classes of "knobs" that can be used to control import and export policies:

1) Preference (decision process)
2) Filter (eliminate certain routes)
3) Tag (community)

2 BGP policy: common practices and design patterns

1) Business relationships

(1) Inbound: assign local-preference to influence the BGP decision process.

Often an ISP will achieve this by assigning a non-overlapping range of LocalPref values to each type of peering relationship; for example LocalPref values in the range 90-99 might be used for customers, 80-89 for peers, 70-79 for providers, and 60-69 for backup links. LocalPref can then be varied within each range to do traffic engineering without violating the constraints associated with the business relationship.

So, if I take the viewpoint of a single autonomous system or ISP and can obtain the routing tables of that AS's border routers (for example via SNMP), I can use the local-preference values of the multiple routes for the same prefix to infer the business relationships with neighboring autonomous systems.

(2) Outbound: controlling route export

Export policy seems hard to infer from the viewpoint of a single autonomous system. But there is no need to verify and match it against every way the policy might be configured; it is enough to infer the business relationships correctly.

2) Traffic engineering

(1) Outbound traffic control (by changing local-preference and IGP costs)

Controlling outbound traffic is really a matter of inbound policy, and I think it can also be done from the viewpoint of a single autonomous system: for example, if you find in the routing tables of different border routers that the local-preference for the same prefix differs, load balancing may be in use; different metrics reveal different hot-potato regions, different AS-path lengths, and so on.

(2) Inbound traffic control (by AS prepending and MED):

Controlling inbound traffic is really outbound policy, that is, how others reach the prefixes of your own autonomous system. It mainly involves the MED values used toward a neighboring AS connected over multiple links, and AS-number prepending aimed at remote ASes. But I think collecting data from the neighboring autonomous systems may be a more direct way to analyze this.
(3) Remote control (by changing community attributes):

Remote control provides more flexibility than MED because it allows control of inputs to earlier steps of the decision process like LocalPref, as shown in the example above. Moreover, MED can only change the relative preference of routes, while remote control can be configured to filter routes, or perform AS prepending. However, an ISP's neighbors must agree in advance to accept community attributes from the other peer. Also, the highly expressive nature of community attributes introduces potential for misconfiguration.

3) Scalability

Limiting routing table size (by filtering and using the community attribute)
Limiting the number of routing changes (by suppressing routes that flap)

4) Security

Discarding invalid routes (by import filtering)
Protecting the integrity of routing policies (by rewriting attributes)
Securing the network infrastructure (by export filtering)
Blocking denial-of-service attacks (by filtering and damping)

Practical Verification Techniques for Wide-Area Routing, SIGCOMM CCR 2004

1 Five aspects of correctness to verify:

validity (the existence of a route implies the existence of a corresponding path), visibility (the existence of a path implies the existence of a corresponding route), safety (the existence of a stable, unique path assignment), determinism (best route selection is independent of message ordering and the presence of sub-optimal routes), and information-flow control (the protocol conforms to a specified information flow policy; that is, it does not "leak" information).

2 Verification methodology:

Static analysis parses configuration statements to detect errors that are evident from the configuration commands themselves. A sandbox can determine whether (and under what circumstances) a seemingly correct configuration can produce incorrect behavior.