Chapters 12, 13 - Villanova Computer Science (lecture slides)


10/2/14  

1  

Chapters 12, 13

Outline

- Routing overview
- Open Shortest Path First (OSPF)
  - The OSPF routing algorithm
- Routing Information Protocol (RIP)
  - The distance vector algorithm
  - Count to infinity problem
  - Split horizon with poison reverse
  - A three-node loop problem
- OSPF vs. RIP
- Border Gateway Protocol (BGP)


Generating Routing Tables

- Routing tables can be generated in either a static or a dynamic manner
- Static:
  - Configured by the administrator
- Dynamic:
  - Routing protocols
    - Generating routing tables
    - Periodic updates
    - Triggered updates in response to link changes
  - Network IP address information is provided by the administrator

Knowledge Base for Routing Algorithms

- Global topology:
  - All routers have the complete topology and link cost information
  - Link state (LS) algorithm
- Local topology:
  - A router knows
    - The link costs to its physically connected neighbors
    - The routing tables (distance vectors) of its physically connected neighbors
  - Distance vector (DV) algorithm


Autonomous Systems

Autonomous System Numbers

- AS numbers were 16-bit values before 2007
- Since 2007, 32-bit (four-octet) AS numbers are assigned (RFC 4893, since replaced by RFC 6793)
- Examples:
  - Level 3: 1
  - MIT: 3
  - Harvard: 11
  - Yale: 29
  - Princeton: 88
  - Auburn: 6112
  - AT&T: 7018, 6341, 5074, ...
  - UUNET: 701, 702, 284, 12199, ...
  - Sprint: 1239, 1240, 6211, 6242, ...
  - Qwest: 209, ...


Intra-AS Routing and Inter-AS Routing

- Interior Gateway Protocols (IGP)
  - Most common intra-AS routing protocols:
    - RIP: Routing Information Protocol
    - OSPF: Open Shortest Path First
    - IGRP: Interior Gateway Routing Protocol (Cisco proprietary)
  - Minimum cost is the sole goal
- Exterior Gateway Protocols (EGP)
  - BGP: Border Gateway Protocol
  - Needs to consider economic and political reasons in addition to performance
    - An ISP only wants to serve its own customers, not other ISPs' customers
    - Sensitive information is not routed through an adversary's domains
- Separate IGP and EGP routing tables (hierarchical routing) keep the routing table size acceptable and the search time reasonable

Popular IGP routing protocols and BGP summary

Type              | Name                               | Protocol                                  | Port / protocol number
------------------|------------------------------------|-------------------------------------------|-----------------------
Intra-AS routing  | Interior gateway protocols (IGP)   | Routing Information Protocol (RIP)        | UDP port 520
                  |                                    | Open Shortest Path First (OSPF)           | IP protocol number 89
                  |                                    | Interior Gateway Routing Protocol (IGRP)  | IP protocol number 9
Inter-AS routing  | Exterior gateway protocol (EGP)    | Border Gateway Protocol (BGP)             | TCP port 179


OSPF (Open Shortest Path First)

- RFC 2328: OSPFv2; RFC 5340: OSPF for IPv6 (OSPFv3)
- "Open": publicly available in RFCs
- Link State (LS) algorithm
  - LS packet dissemination
  - Complete topology map at each node
  - Shortest Path First (SPF) computation using Dijkstra's algorithm
- Link-state advertisements (LSAs) are disseminated to the entire area (via flooding)
  - Carried in OSPF messages directly over IP (protocol number 89), rather than over TCP or UDP
  - OSPF uses both unicast and multicast to send hello packets and link-state updates
  - Multicast addresses
    - 224.0.0.5 (all SPF/link-state routers, also known as AllSPFRouters)
    - 224.0.0.6 (AllDRouters: the designated router and backup designated router)


OSPF Concept

Link State Knowledge

- A link refers to an interface on the router
- A routing metric can be assigned by the administrator to indicate any combination of network characteristics
  - Delay
  - Bandwidth
  - Dollar cost


Link-State Advertisement

- A link refers to an interface on the router
- An OSPF advertisement carries one entry per interface
  - Link-state advertisement (LSA): (router ID, list of links, sequence number, TTL)
    - The first two items are used to calculate the routes
    - The sequence number identifies the most recent copy of the LSA
    - The TTL (the LS age field in OSPF) prevents infinite flooding loops
  - The router lists the links to other routers or networks in the same area, together with the metric representing the cost
- Flood the LSA to every other router
- The LSA of router A is as follows:

  Advertising Router: 10.10.10.1
  Number of links: 4 (3 links plus the router itself)
  Description of Link 1: Link ID = 10.1.1.1, Metric = 5
  Description of Link 2: Link ID = 10.1.2.1, Metric = 2
  Description of Link 3: Link ID = 10.1.3.1, Metric = 3
  Description of Link 4: Link ID = 10.10.10.1, Metric = 0

- Our notation: LSA(A) = {(B, 5), (C, 2), (D, 3)}

[Figure: router A (10.10.10.1) with its three links 10.1.1.1, 10.1.2.1 and 10.1.3.1 toward B, C and D]


LSA Flooding

- A node sends its link-state information out on all its links
- Each receiving node then sends it out on all of its links
- ... except the one on which the information arrived

[Figure: an LSA propagating hop by hop through the network]

When to Initiate Flooding

LSA (router ID, list of links, sequence number, TTL)

- Topology change
  - Link or node failure / recovery
  - Link cost change
- Periodically
  - Refresh the link-state information
  - No actual need for this type of flooding; OSPF re-originates each LSA every 30 minutes (LSRefreshTime) and flushes an LSA whose age reaches MaxAge (1 hour) without a refresh


OSPF Routing Table Construction

[Figure: routers X, Y and Z exchange LSAs (Z acting as DR); each one builds its link-state database (LSDB), runs SPF on it to obtain its SPF tree, and derives its routing table from that tree]

- Each router calculates a shortest-path tree with itself as the root

Dijkstra's Algorithm
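The LSDB rule and the SPF run described on the LSA, flooding and routing-table-construction slides above, as an added Python example that is not part of the original slides. It floods LSAs over a constructed four-router topology, keeps only the newest copy of each LSA (by sequence number, so a duplicate or replayed older copy is dropped and not re-flooded), applies the bidirectional check of RFC 2328 section 16.1 when it builds the graph, and runs Dijkstra to derive the (destination, cost, next hop) entries. Router A's LSA is the one from the slide, LSA(A) = {(B, 5), (C, 2), (D, 3)}; the LSAs of B, C and D, the sequence numbers and all function names are assumptions made for this example.

```python
import heapq
from collections import deque

# Constructed link-state advertisements in the slides' notation
# LSA(A) = {(B, 5), (C, 2), (D, 3)}.  A's links come from the slide; the LSAs
# of B, C and D are assumed here so that every link is advertised by both ends.
# Each entry is (advertising router ID, sequence number, {neighbour: metric}).
LSAS = [
    ("A", 1, {"B": 5, "C": 2, "D": 3}),
    ("B", 1, {"A": 5, "C": 1, "D": 4}),
    ("C", 1, {"A": 2, "B": 1, "D": 3}),
    ("D", 1, {"A": 3, "B": 4, "C": 3}),
]


class LSDB:
    """Link-state database of one router.  It keeps only the newest copy
    (highest sequence number) of each router's LSA; an older or duplicate copy
    is rejected and therefore not flooded on, which is what makes flooding stop."""

    def __init__(self):
        self.lsas = {}                                  # router ID -> (seq, {nbr: metric})

    def install(self, router_id, seq, links):
        """True if the LSA was new (the caller floods it on), False if stale."""
        current = self.lsas.get(router_id)
        if current is not None and current[0] >= seq:
            return False
        self.lsas[router_id] = (seq, dict(links))
        return True

    def graph(self):
        """Directed graph for SPF.  As in RFC 2328 section 16.1, a link u->v is
        used only if v's own LSA also lists u (the bidirectional check)."""
        return {u: {v: m for v, m in links.items()
                    if v in self.lsas and u in self.lsas[v][1]}
                for u, (_, links) in self.lsas.items()}


def spf(graph, root):
    """Dijkstra from `root`.  Returns {dest: (cost, next_hop)}, i.e. the routing
    table entries the router derives from its SPF tree."""
    dist = {root: 0}
    table = {}
    done = set()
    heap = [(0, root, root)]                            # (cost, node, first hop from root)
    while heap:
        cost, node, hop = heapq.heappop(heap)
        if node in done:
            continue                                    # a longer path to a settled node
        done.add(node)
        if node != root:
            table[node] = (cost, hop)
        for nbr, metric in sorted(graph.get(node, {}).items()):
            new_cost = cost + metric
            if new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                heapq.heappush(heap, (new_cost, nbr, nbr if node == root else hop))
    return table


def flood(lsdbs, adjacency, lsa, origin):
    """Flood one LSA hop by hop: a router that installs a new copy forwards it
    on every link except the one it arrived on; a router that already holds
    that copy drops it.  Returns the number of LSA messages sent."""
    sent = 0
    queue = deque([(origin, None)])                     # (receiving router, sender)
    while queue:
        node, came_from = queue.popleft()
        if not lsdbs[node].install(*lsa):
            continue
        for nbr in sorted(adjacency[node]):
            if nbr != came_from:
                sent += 1
                queue.append((nbr, node))
    return sent


if __name__ == "__main__":
    adj = {rid: sorted(links) for rid, _, links in LSAS}   # physical adjacency = advertised links
    lsdbs = {rid: LSDB() for rid in adj}
    for lsa in LSAS:
        print("flooding LSA(%s) seq %d: %d messages" % (lsa[0], lsa[1], flood(lsdbs, adj, lsa, lsa[0])))
    for dest, (cost, hop) in sorted(spf(lsdbs["A"].graph(), "A").items()):
        print("A -> %s  cost %d  next hop %s" % (dest, cost, hop))
```

Note that the next hop toward B is C (cost 2 + 1 = 3), not the direct link with metric 5, which is the kind of entry the per-router table on the following slide records. Re-originating A's LSA with a higher sequence number and a cheaper link to B changes that entry at every router, while a replay of an already-installed sequence number is rejected at the first router and produces no further flooding messages.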


A Real Routing Table

Routing table in W (per router):

  Destination   Link for next hop
  X             (W, X)
  Y             (W, Y)
  Z             (W, X)

Subnets attached to X, Y and Z (obtained by the routers during the OSPF configuration):

  Router   Subnets
  X        1.1.3.0/24, 1.1.1.0/30, 1.1.1.12/30, 1.1.1.16/30
  Y        1.1.1.4/30, 1.1.1.8/30, 1.1.1.16/30
  Z        1.1.4.0/24, 1.1.8.0/30, 1.1.1.12/30

Routing table in W (per subnet):

  Destination   Next hop
  1.1.3.0/24    1.1.1.2   (≡ (W, X))
  1.1.1.12/30   1.1.1.2
  1.1.1.16/30   1.1.1.2
  1.1.1.8/30    1.1.1.6   (≡ (W, Y))
  1.1.4.0/24    1.1.1.2

Subnets directly connected to W will not be in its table.

[Figure: routers W, X, Y and Z with link costs 3, 4, 5, 6 and 7. W (1.1.1.1) reaches X (1.1.1.2) over 1.1.1.0/30 and, as 1.1.1.5, reaches Y (1.1.1.6) over 1.1.1.4/30; X and Y share 1.1.1.16/30 (1.1.1.17, 1.1.1.18); X and Z share 1.1.1.12/30 (1.1.1.13, 1.1.1.14); 1.1.1.8/30 (1.1.1.9, 1.1.1.10) is attached to Y; the LANs 1.1.2.0/24, 1.1.3.0/24 and 1.1.4.0/24 hang off W, X and Z; the figure also shows the backbone and the Internet.]

Hierarchical OSPF

[Figure: Area 0 (the backbone) with backbone routers and an AS border router toward the Internet; Areas 1, 2 and 3 attached to the backbone through area border routers, with area routers inside each area.]


Hierarchical OSPF

- Two-level hierarchy
  - Backbone: transit area, area 0
  - Regular areas: for routers connected to hosts
    - Recommended < 50 routers per area
  - Link-state advertisements stay inside one area
    - To overcome the drawbacks of flooding and heavy computation
  - Each node has the detailed topology of its own area
  - Each node only knows the direction (shortest path) to nodes in other areas
  - Smaller routing tables minimize cost and improve performance
- Area border routers (ABRs):
  - Learn their attached areas
  - Summarize their own area (but not by default)
  - Send the summary out to the other areas connected to the ABR
- Backbone routers: run OSPF routing in the backbone area
- AS border routers (ASBRs): connect to other ASes

Load-Sharing Multipath in OSPF

- The routing table for router W indicates two equal-cost paths to reach router U and its directly connected subnets
- This multipath (equal-cost multipath) can improve latency and make better use of the available bandwidth
- However, packets may arrive out of order because of multipath

  Destination   Next hop
  X             X
  Y             Y
  Z             X
  U             X or Y


Distance Vector Routing Tables


RIP Information

- During initialization, only the node's distances to its physically connected neighbors are known
- Distance vectors are exchanged among neighbors every 30 s via RIP advertisements
- After each exchange between neighbors, each node in the network has a better idea of the distances between them, because:
  - New distance vectors are shared with the neighboring nodes in the network
  - Distance (routing) tables are updated
  - Distance vectors are re-calculated
- Exchanges continue until no new distance vectors are generated and the network is in equilibrium
  - Each node then holds the minimum-cost paths to each of the other nodes in the network
  - Routing tables for each node

RIP: Initialization

- Initialize the distance tables for each of the nodes in the network:
  - Each node knows the distances to its IMMEDIATE neighbors
  - Initialize all other distances in the table to infinity (∞)
  - All nodes have a cost of zero to themselves


Distance Vector Algorithm

- Each node periodically sends its own distance vector (DV) estimate to its connected neighbors (no direction info!)
- When a node x receives a new DV estimate from neighbor v, it updates its own DV using the Bellman-Ford equation:

  D(x,y) ← min_v { c(x,v) + D(v,y) }   for each node y ∈ N

  - D(x,y) is the cost of the minimum-cost path from x to y; c(x,v) is the cost of the link from x to its neighbor v; the minimum is taken over all neighbors v of x
- Note that a node maintains its own and its directly connected neighbors' distance vectors, not everyone's!
- Each node notifies its neighbors only when its DV changes

Propagation

- Each of the nodes propagates its distance table to each of its directly connected neighbors:
  - A sends its distance vector to B, C and D
  - B sends its distance vector to A, C and E
  - C sends its distance vector to A, B and E
  - D sends its distance vector to A
  - E sends its distance vector to B and C
- Each neighbor then recalculates its distance vectors and updates its distance table based on the values received


Propagation – Update

Table Re-Evaluation

- Each node re-calculates its distance vectors using the Bellman-Ford algorithm
- These distances, if different, are sent to the node's immediate neighbors so that they can update their own distance vectors
- If a distance vector has been updated, the distance table is also sent to the node's neighbors
  - This triggers another round of updates in its connected neighbors
- This process continues until equilibrium within the network has been obtained


RIP: Link Failure and Recovery

- If no advertisement is heard from a neighbor for 180 s, the neighbor/link is declared dead
  - Routes via that neighbor are invalidated
  - New advertisements are sent to the neighbors
  - The neighbors in turn send out new advertisements (if their tables changed)
  - Link failure information slowly propagates to the entire net
  - Poison reverse is used to prevent ping-pong loops (infinite distance = 16 hops)
- This is not a real problem for a stable network
- It may be a problem when a network is deployed in a battlefield


Count to Infinity Problem

- Node A detects the link failure (absence of periodic updates)
- "Count to infinity" problem: two neighbors each trust the other's stale route to the lost destination, so their cost estimates rise one hop per exchange until they reach infinity
- Most implementations define 16 as infinity

[Figure: the failed link marked with an X and the hop counts growing toward infinity]


Split Horizon

- A uses the path via B to reach C
  - A will not advertise to B its route for reaching C through B
  - Split horizon is a rule that says a router never sends information about a route back to the router that originally supplied that information
  - With split horizon, this particular loop scenario cannot happen
- Split horizon with poison reverse: a variation of split horizon that does advertise the route back to the router used to reach the destination, but marks the advertisement as unreachable (cost = infinity)

[Figure: A - B - C in a line]

Split Horizon (example)

                                                                     A   B   C
  A:                                                                 0   1   ∞
  B:                                                                 1   0   1
  B advertises to A, and A becomes:                                  0   1   2
  A advertises to B (A learned the path to C from B, so C is left out):  0   1   -


Split Horizon with Poisoned Reverse (example)

                                                                     A   B   C
  A:                                                                 0   1   ∞
  B:                                                                 1   0   1
  B advertises to A, and A becomes:                                  0   1   2
  A advertises to B (A learned the path to C from B, so C is poisoned):  0   1   ∞

[Figure: A - B - C in a line]


Split Horizon Fails in a Three-Node Loop

[Figure: three routers in a loop; after the failure the update loop runs until infinity]

Infinity and TTL in the IP Header

- Why "infinity" is chosen to be as small as possible:
  - If a network becomes completely inaccessible, we want the count to infinity to stop as soon as possible
- Infinity must be large enough that no real route is that long
  - A network diameter no larger than 15 hops (16 = infinity)
- The TTL in the IP header saves bandwidth by discarding expired packets that are travelling in a loop
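The Bellman-Ford exchange of the distance vector slides, the count-to-infinity problem, split horizon with poison reverse and the three-node loop, as one added Python example that is not part of the original slides. It runs synchronous rounds of RIP-style updates on three constructed topologies: the five-node network of the propagation slide (unit link costs are an assumption; the slides give only the adjacencies), the A-B-C chain of the split-horizon slides, and an A-B-C triangle with a destination D behind C for the three-node loop (that triangle layout is an assumption). The failure model follows the link-failure slide: when a link times out, both ends drop it and invalidate the routes that used it, with 16 as infinity. All function and variable names are this example's own.

```python
INFINITY = 16   # RIP infinity: a hop count of 16 means "unreachable"

# Constructed topologies.  The slides give the adjacencies but not the link
# costs, so every link is assumed to cost 1 hop.
FIVE_NODE = {"A": "BCD", "B": "ACE", "C": "ABE", "D": "A", "E": "BC"}  # propagation slide
CHAIN = {"A": "B", "B": "AC", "C": "B"}                                  # A - B - C
TRIANGLE = {"A": "BC", "B": "AC", "C": "ABD", "D": "C"}                  # A-B-C loop, D behind C


class Router:
    def __init__(self, name, neighbours):
        self.name = name
        self.links = {n: 1 for n in neighbours}      # neighbour -> link cost
        self.dv = {name: (0, name)}                   # dest -> (cost, next hop)
        self.dv.update({n: (1, n) for n in neighbours})

    def advertisement(self, to, mode):
        """The distance vector this router sends to neighbour `to`.
        "plain": send everything; "split_horizon": omit routes learned through
        `to`; "poison_reverse": advertise those routes with cost INFINITY."""
        adv = {}
        for dest, (cost, nh) in self.dv.items():
            if nh == to and dest != to:               # route learned through `to`
                if mode == "split_horizon":
                    continue
                if mode == "poison_reverse":
                    cost = INFINITY
            adv[dest] = cost
        return adv

    def recompute(self, advs):
        """Bellman-Ford step: D(x,y) = min over neighbours v of c(x,v) + D(v,y).
        `advs` maps neighbour -> the vector it advertised to us.  Returns True
        if any entry changed."""
        dests = set(self.dv) | {d for adv in advs.values() for d in adv}
        changed = False
        for dest in sorted(dests - {self.name}):
            best, hop = INFINITY, None
            for v in sorted(advs):                    # sorted => deterministic tie-break
                c = min(INFINITY, self.links[v] + advs[v].get(dest, INFINITY))
                if c < best:
                    best, hop = c, v
            if self.dv.get(dest) != (best, hop):
                self.dv[dest] = (best, hop)
                changed = True
        return changed


def build(topology):
    return {n: Router(n, nbrs) for n, nbrs in topology.items()}


def converge(routers, mode, max_rounds=64):
    """Synchronous rounds (all periodic updates go out at once): every router
    advertises, then every router recomputes.  Returns the first round in
    which no router changed, i.e. the round in which the network converged."""
    for rnd in range(1, max_rounds + 1):
        advs = {(s, d): r.advertisement(d, mode)
                for s, r in routers.items() for d in r.links}
        changed = False
        for r in routers.values():
            changed |= r.recompute({v: advs[(v, r.name)] for v in r.links})
        if not changed:
            return rnd
    raise RuntimeError("no convergence within %d rounds" % max_rounds)


def fail_link(routers, a, b):
    """Neighbour timeout (RIP: no advertisement for 180 s): both ends drop the
    link and invalidate every route whose next hop was the lost neighbour."""
    for x, y in ((a, b), (b, a)):
        del routers[x].links[y]
        for dest, (_, nh) in list(routers[x].dv.items()):
            if nh == y:
                routers[x].dv[dest] = (INFINITY, None)


def demo(topology, mode, fail=None):
    """Converge, optionally fail one link and reconverge.  Returns
    (rounds needed by the last convergence, {router: distance vector})."""
    routers = build(topology)
    rounds = converge(routers, mode)
    if fail:
        fail_link(routers, *fail)
        rounds = converge(routers, mode)
    return rounds, {n: r.dv for n, r in routers.items()}


if __name__ == "__main__":
    print("five-node network, A's vector:", demo(FIVE_NODE, "plain")[1]["A"])
    for mode in ("plain", "split_horizon", "poison_reverse"):
        rounds = demo(CHAIN, mode, ("B", "C"))[0]
        print("chain A-B-C, link B-C fails, %-14s -> %2d rounds" % (mode, rounds))
    rounds = demo(TRIANGLE, "poison_reverse", ("C", "D"))[0]
    print("triangle, link C-D fails, poison_reverse -> %d rounds (three-node loop)" % rounds)
```

Compare the round counts: after the B-C link fails, the plain exchange ping-pongs between A and B, each believing the other's stale route, until both reach 16; split horizon and poison reverse settle in two rounds. In the triangle, poison reverse only suppresses the advertisement back to the router a route was learned from, so A and B keep offering each other a path to D that no longer exists and the cost climbs around the loop until it hits infinity. A smaller infinity shortens that loop, which is the argument on the slide above for choosing infinity as small as the network diameter allows.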


Comparison of OSPF and RIP

Property                       | RIP                                                                                | OSPF
-------------------------------|------------------------------------------------------------------------------------|---------------------------------------------------------------------------
Algorithm                      | Distance vector                                                                    | Link state
Message complexity             | Each update is a routing-table broadcast from a directly connected neighbor        | O(N*E) on the initial LSDB exchange; updates carry only link-state changes
Speed of convergence           | Slower than OSPF; in large networks convergence takes minutes. RIP routers go through a hold-down and garbage-collection period to remove a route | Better than RIP: routing changes are propagated immediately, not periodically
Storage                        | Directly connected neighbors' routing tables: O(N)                                 | O(N*E) in all routers
Network delays and link costs  | Only the number of hops                                                            | Yes
Hop count limit                | 15                                                                                 | None
Maintenance of routing tables  | Periodic broadcasts of full routing tables consume a large amount of bandwidth     | Updates are only sent when routing changes occur, not periodically
Authentication                 | Yes (RIPv2)                                                                        | Yes
Load balancing                 | No                                                                                 | Yes (equal-cost multipath)
Type-of-service (TOS) support  | No                                                                                 | Yes
Hierarchical networks          | Flat                                                                               | Areas

Note on the "Authentication" row: in both protocols authentication is optional and must be configured. RIPv2 supports it (RFC 2453, with keyed MD5 per RFC 2082 and SHA per RFC 4822), as does OSPFv2 (RFC 2328 Appendix D, with HMAC-SHA per RFC 5709); a router that accepts unauthenticated updates accepts routes from anyone on the segment.


Comparison of OSPF and RIP (continued)

- Maintenance of routing tables
  - Dijkstra's calculation is run very infrequently in operational deployments
    - Dijkstra runs on average only every 13 to 50 minutes
  - Since the algorithm is run so infrequently, OSPF overall consumes less CPU than RIP (RIP's frequent updates require routing table lookups)
    - Source: RFC 1245
- Total memory/storage for N nodes
  - OSPF: O(N*E), if no hierarchical areas
  - RIP: O(N), directly connected neighbors' routing tables
    - N is the number of routers and E is the total number of edges (links)
- OSPF can also handle large internal network routing better than RIP, thanks to hierarchical areas and the absence of a hop count limit


Internet Structure

- Hierarchical AS-level topology
  - Large, tier-1 providers form the nationwide backbone
  - Edges represent business relationships

[Figure: National ISP1 and National ISP2 at the top; Regional ISP1, ISP2 and ISP3 below them; Cust1, Cust2 and Cust3 at the bottom. Provider-customer edges are labelled "$" (the customer pays the provider); the second version of the figure also marks the peer-to-peer edges ("peers") between ISPs at the same level.]


Internet Inter-AS Routing: BGP

- BGP (Border Gateway Protocol): the de facto standard
- BGP provides each AS a means to:
  - Obtain subnet route advertisements from neighboring ASes
  - Propagate route advertisements to all AS-internal routers
  - Determine routes to subnets based on the route advertisements and on policy
  - Allow a subnet to advertise its existence to the rest of the Internet

Full AS Path

[Figure: ASes 88, 22, 33, 55, 77, 44 and 11; AS 88 originates the prefix 128.112.0.0/16]


Full AS Path

AS 88 originates 128.112.0.0/16, and each AS prepends its own number when it passes the route on:

  AS 88 → AS 22:   128.112.0.0/16   AS Path = 88
  AS 22 → AS 33:   128.112.0.0/16   AS Path = 22 88
  AS 22 → AS 55:   128.112.0.0/16   AS Path = 22 88
  AS 33 → AS 11:   128.112.0.0/16   AS Path = 33 22 88
  AS 55 → AS 77:   128.112.0.0/16   AS Path = 55 22 88
  AS 77 → AS 44:   128.112.0.0/16   AS Path = 77 55 22 88
  AS 44 → AS 11:   128.112.0.0/16   AS Path = 44 77 55 22 88

BGP Path Selection

- Simplest case
  - Shortest AS path
  - Arbitrary tie-break
- Example
  - A three-hop AS path may be preferred over a five-hop AS path
  - Or a path through AS 44 may be preferred over a path through AS 33
- Policy-based routing

[Figure: AS 11 receives 128.112.0.0/16 from AS 33 with AS Path = 33 22 88 and from AS 44 with AS Path = 44 77 55 22 88]


Policy-Based vs. Distance Routing?

[Figure: ISP1, ISP2 and ISP3 with customers Cust1, Cust2 and Cust3 and two hosts, Host 1 and Host 2; one candidate path between the hosts is marked YES and the other NO]

Minimizing "hop count" can violate the commercial relationships that constrain inter-domain routing.
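The AS-path propagation, shortest-path selection and policy override of the BGP slides above, as an added Python example that is not part of the original slides. The topology is reconstructed from the AS paths on the Full AS Path slide (an AS_PATH of 33 22 88 is taken to mean that 88-22 and 22-33 are neighbors); treating AS 11 as an end customer of AS 33 and AS 44, the LOCAL_PREF values and all function names are assumptions made for this example. Each AS prepends its own number when it passes a route on, discards any update that already carries its own number (loop detection), prefers the route with the highest local preference and then the shortest AS path, and, as a stub customer, does not re-advertise routes learned from its providers; the `leak` flag switches that last rule off to show the route leak the rule prevents.

```python
from collections import deque

# Topology reconstructed from the AS paths on the "Full AS Path" slide
# (assumption: a path "33 22 88" means AS 88 - AS 22 - AS 33 are adjacent).
LINKS = [(88, 22), (22, 33), (22, 55), (33, 11), (55, 77), (77, 44), (44, 11)]
ORIGIN, PREFIX = 88, "128.112.0.0/16"
# Assumption: AS 11 is an end customer of AS 33 and AS 44.  A customer must not
# re-advertise routes learned from one provider to another (it is not transit).
STUBS = frozenset({11})


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def prefer(cand, cur):
    """Decision process used here (a subset of the real one): higher LOCAL_PREF
    wins, then the shorter AS_PATH, then the lowest next-hop ASN as the
    arbitrary tie-break."""
    if cur is None:
        return True

    def rank(r):
        return (-r["local_pref"], len(r["path"]), r["next_hop"])

    return rank(cand) < rank(cur)


def run_bgp(links, origin, stubs=frozenset(), local_pref=None, leak=False):
    """Propagate one prefix announcement from `origin` until no AS changes its
    best route.  Returns {asn: {"path": [..], "next_hop": asn, "local_pref": n}}.
    `local_pref` maps (receiving ASN, advertising ASN) -> preference (default 100).
    `leak=True` lets stub ASes re-advertise learned routes, i.e. a route leak."""
    local_pref = local_pref or {}
    adj = adjacency(links)
    best = {origin: {"path": [], "next_hop": origin, "local_pref": 100}}
    work = deque([origin])
    while work:
        asn = work.popleft()
        route = best[asn]
        if asn in stubs and route["path"] and not leak:
            continue                          # export policy: a stub exports only its own prefixes
        advertised = [asn] + route["path"]    # prepend own ASN when passing the route on
        for peer in sorted(adj[asn]):
            if peer in advertised:
                continue                      # loop detection: receiver's ASN already in AS_PATH
            cand = {"path": advertised, "next_hop": asn,
                    "local_pref": local_pref.get((peer, asn), 100)}
            if prefer(cand, best.get(peer)):
                best[peer] = cand
                work.append(peer)
    return best


def as_path(best, asn):
    """AS_PATH of `asn`'s best route in the slides' notation, e.g. "33 22 88"."""
    return " ".join(str(a) for a in best[asn]["path"])


if __name__ == "__main__":
    scenarios = (
        ("shortest AS path", {}),
        ("AS 11 prefers AS 44 (LOCAL_PREF 200)", {"local_pref": {(11, 44): 200}}),
        ("AS 11 leaks its provider routes", {"leak": True}),
    )
    for label, kw in scenarios:
        best = run_bgp(LINKS, ORIGIN, STUBS, **kw)
        print(label)
        for asn in sorted(best):
            print("  AS %2d: %s  AS Path = %s" % (asn, PREFIX, as_path(best, asn) or "(originated)"))
```

With no policy, AS 11 takes the three-hop path through AS 33; a local preference for AS 44 makes it choose the five-hop path instead, which is the policy-over-distance point of the path-selection slide. With the export rule off, AS 44 hears 11 33 22 88 from its customer before it hears 77 55 22 88 from AS 77, ties on path length, and starts forwarding traffic for 128.112.0.0/16 through a customer that never agreed to carry it: the "minimizing hop count can violate commercial relationships" case of the slide above. Nothing in the protocol itself stops a peer from announcing whatever it likes; what a neighbor will accept has to be enforced with prefix and AS-path filters on the session.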

BGP Operations

- BGP is executed between two border routers
  - BGP peers or BGP speakers
  - The routers establish a TCP connection (TCP port 179)
  - They first exchange all active routes, then only incremental updates
  - While the connection is alive they exchange route UPDATE messages; KEEPALIVE messages are sent periodically to keep the session up
- Advertise network REACHABILITY

[Figure: a BGP session between a router in AS1 and a router in AS2: establish the session on TCP port 179, exchange all active routes, then exchange incremental UPDATE messages while the connection is alive]

The session is only as trustworthy as the TCP connection carrying it and the peer at the other end: in practice the connection is protected with the TCP MD5 signature option (RFC 2385) or TCP-AO (RFC 5925), and what a peer is allowed to announce is constrained with prefix and AS-path filters, since BGP itself does not verify that a peer is entitled to originate or transit a prefix.


Reachability Example

[Figure: reachability example with the stabilized routing table and an aggregate route]


Exterior (External) BGP (E-BGP)

- The BGP discussed so far is E-BGP
- E-BGP can be used by R3 and R4 to learn routes
- How do R1 and R2 learn routes?
- Option 1: Inject the routes into the IGP (such as OSPF)
  - Works for small routing tables only
- Option 2: Use I-BGP

Interior (Internal) BGP (I-BGP)

- Advertising rules
  - R3 can tell R1 and R2 the prefixes learned from R4
  - R3 can tell R4 the prefixes learned from R1 and R2
  - R3 cannot tell R2 the prefixes learned from R1
    - Main reason is to prevent loops: a route learned over I-BGP is not re-advertised to other I-BGP peers
- R2 can only learn these prefixes through a direct I-BGP session with R1
- Result: I-BGP routers must be fully connected (a full mesh of TCP sessions)!
  - Contrast with E-BGP sessions, which map to physical links


BGP Example

- R1 advertises the routes inside AS1 to R2 (E-BGP)
- R2 advertises the routes inside AS1 to R3, R4 and R5 (I-BGP)
- R6 advertises the routes inside AS3 to R4 (E-BGP)
- R4 advertises the routes inside AS3 to R2, R3 and R5 (I-BGP)
- R2 advertises the routes within AS2 and AS3 to R1 (E-BGP)
- R4 advertises the routes within AS2 and AS1 to R6 (E-BGP)

Join I-BGP + IGP to Create the Forwarding Table