Network Working Group G. Huston Request for Comments: 3765 Telstra Category: Informational April 2004
Network Working Group G. Huston Request for Comments: 3765 Telstra Category: Informational April 2004
NOPEER Community for Border Gateway Protocol (BGP) Route Scope Control
用于边界网关协议(BGP)路由范围控制的NOPEER社区
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2004). All Rights Reserved.
版权所有(C)互联网协会(2004年)。版权所有。
Abstract
摘要
This document describes the use of a scope control Border Gateway Protocol (BGP) community. This well-known advisory transitive community allows an origin AS to specify the extent to which a specific route should be externally propagated. In particular this community, NOPEER, allows an origin AS to specify that a route with this attribute need not be advertised across bilateral peer connections.
本文档介绍作用域控制边界网关协议(BGP)社区的使用。这个著名的咨询传递社区允许一个来源AS来指定特定路线应在外部传播的程度。特别是,此社区NOPEER允许源AS指定不需要在双边对等连接上通告具有此属性的路由。
BGP today has a limited number of commonly defined mechanisms that allow a route to be propagated across some subset of the routing system. The NOEXPORT community allows a BGP speaker to specify that redistribution should extend only to the neighbouring AS. Providers commonly define a number of communities that allow their neighbours to specify how advertised routes should be re-advertised. Current operational practice is that such communities are defined on as AS by AS basis, and while they allow an AS to influence the re-advertisement behaviour of routes passed from a neighbouring AS, they do not allow this scope definition ability to be passed in a transitive fashion to a remote AS.
如今,BGP有数量有限的常用机制,允许路由在路由系统的某个子集上传播。NOEXPORT社区允许BGP演讲者指定重新分发应仅扩展到相邻AS。提供商通常定义一些社区,允许其邻居指定如何重新发布广告路线。目前的运营实践是,此类社区是在as的基础上定义的,虽然它们允许as影响从相邻as通过的路线的再广告行为,但不允许以过渡方式将此范围定义能力传递给远程as。
Advertisement scope specification is of most use in specifying the boundary conditions of route propagation. The specification can take on a number of forms, including as AS transit hop count, a set of target ASs, the presence of a particular route object, or a particular characteristic of the inter-AS connection.
广告范围规范在指定路由传播的边界条件时最为有用。该规范可以采取多种形式,包括中转跳数、一组目标ASs、特定路由对象的存在或as间连接的特定特征。
There are a number of motivations for controlling the scope of advertisement of route prefixes, including support of limited transit services where advertisements are restricted to certain transit providers, and various forms of selective transit in a multi-homed environment.
控制路线前缀广告范围的动机有很多,包括支持有限的公交服务,其中广告仅限于某些公交供应商,以及在多家环境中的各种形式的选择性公交。
This memo does not attempt to address all such motivations of scope control, and addresses in particular the situation of both multi-homing and traffic engineering. The commonly adopted operational technique is that the originating AS advertises an encompassing aggregate route to all multi-home neighbours, and also selectively advertises a collection of more specific routes. This implements a form of destination-based traffic engineering with some level of fail over protection. The more specific routes typically cease to lever any useful traffic engineering outcome beyond a certain radius of redistribution, and a means of advising that such routes need not to be distributed beyond such a point is of some value in moderating one of the factors of continued route table growth.
本备忘录并不试图解决范围控制的所有此类动机,特别是解决多主和流量工程的情况。通常采用的操作技术是,始发AS向所有多个家庭邻居广播一个包含的聚合路由,并且还选择性地广播一组更具体的路由。这实现了一种基于目的地的流量工程,具有某种级别的故障转移保护。更具体的路由通常不再在某个再分配半径之外操纵任何有用的流量工程结果,并且建议此类路由不需要在该点之外分布的方法对于缓和路由表持续增长的因素之一具有一定的价值。
Analysis of the BGP routing tables reveals a significant use of the technique of advertising more specific prefixes in addition to advertising a covering aggregate. In an effort to ameliorate some of the effects of this practice, in terms of overall growth of the BGP routing tables in the Internet and the associated burden of global propagation of dynamic changes in the reachability of such more specific address prefixes, this memo describes the use of a transitive BGP route attribute that allows more specific route tables entries to be discarded from the BGP tables under appropriate conditions. Specifically, this attribute, NOPEER, allows a remote AS not to advertise a route object to a neighbour AS when the two AS's are interconnected under the conditions of some form of sender keep all arrangement, as distinct from some form of provider / customer arrangement.
对BGP路由表的分析表明,除了广告覆盖聚合外,还显著使用了广告更具体前缀的技术。为了改善这种做法的一些影响,就互联网中BGP路由表的总体增长和这种更具体地址前缀的可达性的动态变化的全球传播的相关负担而言,本备忘录描述了可传递BGP路由属性的使用,该属性允许在适当条件下从BGP表中丢弃更多特定路由表条目。具体地说,当两个AS在某种形式的发送方保留所有协议的条件下互连时,此属性NOPEER允许远程AS不向邻居通告路由对象,这与某种形式的提供商/客户协议不同。
This memo defines the use a new well-known bgp transitive community, NOPEER.
本备忘录定义了一个新的知名bgp传递社区NOPEER的使用。
The semantics of this attribute is to allow an AS to interpret the presence of this community as an advisory qualification to readvertisement of a route prefix, permitting an AS not to readvertise the route prefix to all external bilateral peer neighbour AS's. It is consistent with these semantics that an AS may filter received prefixes that are received across a peering session that the receiver regards as a bilateral peer sessions.
此属性的语义是允许AS将此社区的存在解释为重新指定路由前缀的咨询资格,允许AS不将路由前缀重新指定给所有外部双边对等邻居AS。与这些语义一致的是,AS可以过滤接收到的前缀,这些前缀是在接收方视为双边对等会话的对等会话中接收到的。
The size of the BGP routing table has been increasing at an accelerating rate since late 1998. At the time of publication of this memo the BGP forwarding table contains over 118,000 entries, and the three year growth rate of this table shows a trend rate which can be correlated to a compound growth rate of no less than 10% per year [2].
自1998年底以来,BGP路由表的大小一直在加速增长。在本备忘录发布时,BGP转发表包含超过118000个条目,该表的三年增长率显示了一个趋势率,该趋势率与每年不低于10%的复合增长率相关[2]。
One of the aspects of the current BGP routing table is the widespread use of the technique of advertising both an aggregate and a number of more specific address prefixes. For example, the table may contain a routing entry for the prefix 10.0.0.0/23 and also contain entries for the prefixes 10.0.0.0/24 and 10.0.1.0/24. In this example the specific routes fully cover the aggregate announcement. Sparse coverage of aggregates with more specifics is also observed, where, for example, routing entries for 10.0.0.0/8 and 10.0.1.0/24 both exist in the routing table. In total, these more specific route entries occupy some 51% of the routing table, so that more than one half of the routing table does not add additional address reachability information into the routing system, but instead is used to impose a finer level of detail on existing reachability information.
当前BGP路由表的一个方面是广泛使用了一种技术,即公布聚合地址前缀和一些更具体的地址前缀。例如,该表可能包含前缀10.0.0.0/23的路由条目,也可能包含前缀10.0.0.0/24和10.0.1.0/24的条目。在本例中,特定路由完全覆盖聚合公告。还观察到具有更多细节的聚合的稀疏覆盖,例如,10.0.0.0/8和10.0.1.0/24的路由条目都存在于路由表中。总的来说,这些更具体的路由条目占据了路由表的51%,因此超过一半的路由表不会向路由系统中添加额外的地址可达性信息,而是用于对现有可达性信息施加更精细的细节。
There are a number of motivations for having both an aggregate route and a number of more specific routes in the routing table, including various forms of multi-homed configurations, where there is a requirement to specify a different reachability policy for a part of the advertised address space.
在路由表中同时具有聚合路由和更多特定路由的动机有很多,包括各种形式的多宿配置,其中需要为公布的地址空间的一部分指定不同的可达性策略。
One of the observed common requirements in the multi-homed network configuration is that of undertaking some form of load balancing of incoming traffic across a number of external connections to a number of different neighbouring ASs. If, for example, an AS wishes to use a multi-homed configuration for routing-based load balancing and some form of mutual fail over between the multiple access connections for incoming traffic, then one approach is for the AS to advertise the same aggregate address prefix to a number of its upstream transit providers, and then advertise a number of more specifics to individual upstream providers. In such a case all of the traffic destined to the more specific address prefixes will be received only over those connections where the more specific has been advertised. If the neighbour BGP peering session of the more specific advertisement fails, the more specific will cease to be announced and incoming traffic will then be passed to the originating network based on the path associated with the advertisement of the encompassing aggregate. In this situation the more specific routes are not automatically subsumed by the presence of the aggregate at any remote
在多宿网络配置中观察到的常见要求之一是,在多个外部连接与多个不同的相邻ASs之间对传入流量进行某种形式的负载平衡。例如,AS希望使用多宿配置进行基于路由的负载平衡,并在多址连接之间进行某种形式的相互故障转移,以用于传入流量,那么AS的一种方法是将相同的聚合地址前缀通告给其多个上游传输提供商,然后向各个上游供应商宣传更多细节。在这种情况下,目的地为更特定地址前缀的所有通信量将仅通过已通告更特定地址前缀的那些连接接收。如果更具体的播发的相邻BGP对等会话失败,则将停止宣布更具体的播发,然后将基于与包含聚合的播发相关联的路径将传入流量传递到发起网络。在这种情况下,更具体的路由不会自动包含在任何远程位置的聚合中
AS. Both the aggregate and the associated more specific routes are redistributed across the entire external BGP routing domain. In many cases, particularly those associated with desire to undertake traffic engineering and service resilience, the more specific routes are redistributed well beyond the scope where there is any outcomes in terms of traffic differentiation.
像聚合路由和关联的更具体路由都在整个外部BGP路由域中重新分配。在许多情况下,尤其是与交通工程和服务弹性相关的情况下,更具体的路线被重新分配,远远超出了交通差异化的范围。
To the extent that remote analysis of BGP tables can observe this form of configuration, the number of entries in the BGP forwarding table where more specific entries share a common origin AS with their immediately enclosing aggregates comprise some 20% of the total number of FIB entries. Using a slightly stricter criteria where the AS path of the more specific route matches the immediately enclosing aggregate, the number of more specific routes comprises some 14% of the number of FIB entries.
在远程分析BGP表可以观察到这种配置形式的情况下,BGP转发表中的条目数量占FIB条目的总数的20%左右,其中更多特定条目共享一个共同的来源。如果更具体路由的AS路径与直接封闭聚合匹配,则使用更严格的标准,更具体路由的数量约占FIB条目数量的14%。
One protocol mechanism that could be useful in this context is to allow the originator of an advertisement to state some additional qualification on the redistribution of the advertisement, allowing a remote AS to suppress further redistribution under some originator-specified criteria.
在这种情况下可能有用的一种协议机制是允许广告的发起人对广告的重新分发声明一些附加限定,允许远程AS根据一些发起人指定的标准抑制进一步的重新分发。
The redistribution qualification condition can be specified either by enumeration or by classification. Enumeration would encompass the use of a well-known transitive extended community to specify a list of remote AS's where further redistribution is not advised. The weakness of this approach is that the originating AS would need to constantly revise this enumerated AS list to reflect the changes in inter-AS topology, as, otherwise, the more specific routes would leak beyond the intended redistribution scope. An approach of classification allows an originating AS to specify the conditions where further redistribution is not advised without having to refer to the particular AS's where a match to such conditions are anticipated.
重新分配限定条件可以通过枚举或分类来指定。枚举将包括使用著名的可传递扩展社区来指定远程AS的列表,其中不建议进一步重新分配。这种方法的缺点是,始发AS需要不断修改此枚举AS列表,以反映AS间拓扑的变化,否则,更具体的路由将泄漏到预期的重新分配范围之外。分类方法允许原始AS指定不建议进一步再分配的条件,而无需参考预期与此类条件匹配的特定AS。
The approach described here to specifying the redistribution boundary condition is one based on the type of bilateral inter-AS peering. Where one AS can be considered as a customer, and the other AS can be considered as a contracted agent of the customer, or provider, then the relationship is one where the provider, as an agent of the customer, carries the routes and associated policy associated with the routes. Where neither AS can be considered as a customer of the other, then the relationship is one of bilateral peering, and neither AS can be considered as an agent of the other in redistributing policies associated with routes. This latter arrangement is commonly referred to as a "sender keep all peer" relationship, or "peering".
这里描述的指定再分配边界条件的方法是基于双边inter-AS对等类型的方法。如果一个AS可以被视为客户,而另一个AS可以被视为客户或提供商的签约代理,则关系是提供商作为客户的代理,持有与路线相关的路线和相关政策。如果两个AS都不能被视为另一方的客户,则该关系是双边对等关系,并且在重新分配与路由相关的策略时,两个AS都不能被视为另一方的代理。后一种安排通常被称为“发送方保持所有对等”关系,或“对等”。
This peer boundary can be regarded as a logical point where the redistribution of additional reachability policy imposed by the origin AS on a route is no longer an imposed requirement.
这个对等边界可以被视为一个逻辑点,在这个逻辑点上,由源节点施加的额外可达性策略的重新分配不再是一个强加的要求。
This approach allows an originator of a prefix to attach a commonly defined policy to a route prefix, indicate that a route should be re-advertised conditionally, based on the characteristics of the inter-AS connection.
这种方法允许前缀的发起人将一个通用定义的策略附加到路由前缀上,并根据AS间连接的特性,指示路由应该有条件地重新公布。
The IANA has registered NOPEER as a well-known community, as defined in [1], as having global significance.
IANA已将NOPEER注册为具有全球意义的知名社区,如[1]中所定义。
NOPEER (0xFFFFFF04)
NOPEER(0xFFFF04)
This is an advisory qualification to readvertisement of a route prefix, permitting an AS not to readvertise the route prefix to all external bilateral peer neighbour AS's. It is consistent with these semantics that an AS may filter received prefixes that are received across a peering session that the receiver regards as a bilateral peer sessions
这是一项重新指定路由前缀的建议资格,允许AS不将路由前缀重新指定给所有外部双边对等AS。与这些语义一致的是,AS可以过滤接收到的前缀,这些前缀是在接收方视为双边对等会话的对等会话中接收到的
BGP is an instance of a relaying protocol, where route information is received, processed and forwarded. BGP contains no specific mechanisms to prevent the unauthorized modification of the information by a forwarding agent, allowing routing information to be modified, deleted or false information to be inserted without the knowledge of the originator of the routing information or any of the recipients.
BGP是中继协议的一个实例,在该协议中接收、处理和转发路由信息。BGP不包含防止转发代理未经授权修改信息的特定机制,允许在路由信息的发起人或任何收件人不知情的情况下修改、删除路由信息或插入虚假信息。
The NOPEER community does not alter this overall situation concerning the integrity of BGP as a routing system.
NOPEER社区不会改变有关BGP作为路由系统完整性的总体情况。
Use of the NOPEER community has the capability to introduce additional attack mechanisms into BGP by allowing the potential for man-in-the-middle, session-hijacking, or denial of service attacks for an address prefix range being launched by a remote AS.
使用NOPEER社区可以通过允许远程AS发起的地址前缀范围内的中间人攻击、会话劫持或拒绝服务攻击,将额外的攻击机制引入BGP。
Unauthorized addition of this community to a route prefix by a transit provider where there is no covering aggregate route prefix may cause a denial of service attack based on denial of reachability to the prefix. Even in the case that there is a covering aggregate, if the more specific route has a different origin AS than the
在没有覆盖聚合路由前缀的情况下,公交提供商未经授权将此社区添加到路由前缀中,可能会导致基于拒绝前缀可达性的拒绝服务攻击。即使在有覆盖骨料的情况下,如果更具体的路线与
aggregate, the addition of this community by a transit AS may cause a denial of service attack on the origin AS of the more specific prefix.
总的来说,通过传输AS添加此社区可能会对源AS的更特定前缀造成拒绝服务攻击。
BGP is already vulnerable to a denial of service attack based on the injection of false routing information. It is possible to use this community to limit the redistribution of a false route entry such that its visibility can be limited and detection and rectification of the problem can be more difficult under the circumstances of limited redistribution.
BGP已经容易受到基于虚假路由信息注入的拒绝服务攻击。利用该社区可以限制错误进路入口的再分配,从而限制其可见性,并且在再分配受限的情况下,问题的发现和纠正可能会更加困难。
[1] Chandrasekeran, R., Traina, P. and T. Li, "BGP Communities Attribute", RFC 1997, August 1996.
[1] Chandrasekeran,R.,Traina,P.和T.Li,“BGP社区属性”,RFC 1997,1996年8月。
[2] Huston, G., "Commentary on Inter-Domain Routing in the Internet", RFC 3221, December 2001.
[2] Huston,G.“因特网域间路由评论”,RFC 3221,2001年12月。
Geoff Huston Telstra
杰夫休斯顿电信
EMail: gih@telstra.net
EMail: gih@telstra.net
Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78 and except as set forth therein, the authors retain all their rights.
版权所有(C)互联网协会(2004年)。本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。