Chapters 12, 13 - Villanova Computer Science
10/2/14
Chapters 12, 13
Outline
❀ Routing overview
❀ Open Shortest Path First (OSPF)
  " The OSPF routing algorithm
❀ Routing Information Protocol (RIP)
  " The distance vector algorithm
  " Count to infinity problem
  " Split horizon with poison reverse
  " A three-node loop problem
❀ OSPF vs. RIP
❀ Border Gateway Protocol (BGP)
Generating Routing Tables
❀ Routing tables can be generated in either a static or a dynamic manner
❀ Static:
  " Configured by administrator
❀ Dynamic:
  " Routing protocols
    µ Generating routing tables
    µ Periodic update
    µ Triggered updates in response to link changes
  " Network IP address information is provided by administrator
Knowledge Base for Routing Algorithms
❀ Global topology:
  " All routers have complete topology and link cost info
  " Link state (LS) algorithm
❀ Local topology:
  " Router knows
    µ The link costs to physically-connected neighbors
    µ The routing tables of its physically-connected neighbors
  " Distance vector (DV) algorithm
Autonomous Systems

Autonomous System Numbers
❀ AS Numbers were 16-bit values before 2007
❀ After 2007, 32-bit values were assigned (RFC 4893)
❀ Examples:
  " Level 3: 1
  " MIT: 3
  " Harvard: 11
  " Yale: 29
  " Princeton: 88
  " Auburn: 6112
  " AT&T: 7018, 6341, 5074, …
  " UUNET: 701, 702, 284, 12199, …
  " Sprint: 1239, 1240, 6211, 6242, …
  " Qwest: 209, …
Intra-AS Routing and Inter-AS Routing
❀ Interior Gateway Protocols (IGP)
  " Most common intra-AS routing protocols:
    µ RIP: Routing Information Protocol
    µ OSPF: Open Shortest Path First
    µ IGRP: Interior Gateway Routing Protocol (Cisco proprietary)
  " Minimum cost is the sole goal
❀ Exterior Gateway Protocols (EGP)
  " BGP: Border Gateway Protocol
  " Needs to consider economic and political reasons in addition to performance
    µ An ISP only wants to serve its own customers, not other ISPs' customers
    µ Sensitive information is not routed through an enemy's domains
❀ Separate IGP and EGP routing tables (hierarchical routing) keep the routing table size acceptable and the search time reasonable
Popular IGP routing protocols and BGP summary

Type                                                 Name                                      Protocol / port number
Intra-AS routing: interior gateway protocols (IGP)   Routing Information Protocol (RIP)        UDP port number 520
                                                     Open Shortest Path First (OSPF)           Protocol number 89
                                                     Interior Gateway Routing Protocol (IGRP)  Protocol number 9
Inter-AS routing: exterior gateway protocol (EGP)    Border Gateway Protocol (BGP)             TCP port number 179
OSPF (Open Shortest Path First)
❀ RFC 2328: OSPFv2; RFC 5340: OSPF for IPv6
❀ "Open": publicly available in RFCs
❀ Link State (LS) algorithm
  " LS packet dissemination
  " Complete topology map at each node
  " Shortest Path First (SPF) computation using Dijkstra's algorithm
❀ Link-state advertisements (LSA) disseminated to the entire area (via flooding)
  " Carried in OSPF messages directly over IP (rather than TCP or UDP)
  " OSPF uses both unicast and multicast to send "hello packets" and link state updates
  " Multicast addresses
    µ 224.0.0.5 (all SPF/link state routers, also known as AllSPFRouters)
OSPF Concept

Link State Knowledge
❀ A link refers to an interface on the router
❀ Routing metric can be assigned by administrator to indicate any combination of network characteristics
  " Delay
  " Bandwidth
  " Dollar cost
Link-State Advertisement
❀ A link refers to an interface on the router
❀ OSPF advertisement carries one entry per interface
  " Link-state advertisement (LSA): (router ID, list of links, sequence number, TTL)
    µ The first two items are used to calculate the route
    µ The sequence number is used to identify the most recent copy of the LSA
    µ The TTL is used to prevent infinite flooding loops
  " Router lists the links to other routers or networks in the same area, together with the metric, representing cost
❀ Flood the LSA to every other router
❀ The LSA of router A is as follows:
    Advertising Router: 10.10.10.1    Number of links: 4 (3 links plus router itself)
    Description of Link 1: Link ID = 10.1.1.1, Metric = 5
    Description of Link 2: Link ID = 10.1.2.1, Metric = 2
    Description of Link 3: Link ID = 10.1.3.1, Metric = 3
    Description of Link 4: Link ID = 10.10.10.1, Metric = 0
❀ Our notation: LSA(A) = {(B, 5), (C, 2), (D, 3)}
[Figure: router A (10.10.10.1) with interfaces 10.1.1.1, 10.1.2.1 and 10.1.3.1 sending its LSA]
LSA Flooding
❀ Node sends link-state information out its links
❀ And then the next node sends out all of its links
❀ … except the one where the information arrived
[Figure: the LSA being forwarded hop by hop across the network]
When to Initiate Flooding
LSA (router ID, list of links, sequence number, TTL)
❀ Topology change
  " Link or node failure / recovery
  " Link cost change
❀ Periodically
  " Refresh the link-state information
  " No actual need for this type of flooding (30 mins / 2 hours)
OSPF Routing Table Construction
[Figure: routers X, Y and Z exchange LSAs; each builds its link-state database (LSDB), runs SPF to obtain an SPF tree, and derives its routing table; one router is marked DR]
LSDB: link-state databases
❀ Each router calculates a shortest-path tree, with itself as root
Dijkstra's Algorithm
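Added example, not from the slides: the LSDB install check and the SPF computation described above, in Python. Only LSA(A) = {(B, 5), (C, 2), (D, 3)} comes from the slide; the other routers' LSAs, the sequence-number values and the two-way link check are assumptions made to complete a small area.

```python
import heapq

# Added example: a minimal OSPF-style link-state database (LSDB) and SPF computation.
# Only LSA(A) = {(B, 5), (C, 2), (D, 3)} comes from the slide; the other routers'
# LSAs are constructed to complete a small area.

def install_lsa(lsdb, router_id, links, seq):
    """Accept an LSA only if it is newer than the stored copy (higher sequence number).
    Returns True if the LSDB changed, i.e. the LSA should be flooded on and SPF re-run."""
    stored = lsdb.get(router_id)
    if stored is not None and stored["seq"] >= seq:
        return False  # stale or duplicate copy (e.g. a replayed old LSA): ignore it
    lsdb[router_id] = {"seq": seq, "links": dict(links)}
    return True

def spf(lsdb, root):
    """Dijkstra over the LSDB with `root` as the tree root.
    Returns {destination: (cost, next_hop)}, the routing table of `root`."""
    inf = float("inf")
    dist, next_hop, heap = {root: 0}, {root: None}, [(0, root, root)]
    while heap:
        d, u, via = heapq.heappop(heap)
        if d > dist.get(u, inf):
            continue  # stale heap entry superseded by a cheaper path
        for v, metric in lsdb.get(u, {"links": {}})["links"].items():
            # Two-way check: use a link only if the far end also advertises it,
            # so a one-sided or half-failed adjacency is never used.
            if u not in lsdb.get(v, {"links": {}})["links"]:
                continue
            if d + metric < dist.get(v, inf):
                dist[v] = d + metric
                next_hop[v] = v if u == root else via
                heapq.heappush(heap, (dist[v], v, next_hop[v]))
    return {v: (dist[v], next_hop[v]) for v in dist if v != root}

def example_lsdb():
    """Five-router area: LSA(A) as on the slide, B to E constructed; all at sequence number 1."""
    lsdb = {}
    lsas = {"A": {"B": 5, "C": 2, "D": 3}, "B": {"A": 5, "C": 1, "E": 2},
            "C": {"A": 2, "B": 1, "D": 4}, "D": {"A": 3, "C": 4, "E": 6},
            "E": {"B": 2, "D": 6}}
    for rid, links in lsas.items():
        install_lsa(lsdb, rid, links, seq=1)
    return lsdb
```

A re-advertised LSA with a higher sequence number (for instance B dropping its link to C) replaces the stored copy and changes the routing table on the next SPF run, while an older copy is rejected.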
A Real Routing Table

Routing Table in W
Destination   Link for next hop
X             (W, X)
Y             (W, Y)
Z             (W, X)

Subnets attached in X, Y and Z (obtained by routers during the OSPF configuration)
Router   Subnets
X        1.1.3.0/24   1.1.1.0/30   1.1.1.12/30   1.1.1.16/30
Y        1.1.1.4/30   1.1.1.8/30   1.1.1.16/30
Z        1.1.4.0/24   1.1.8.0/30   1.1.1.12/30

Destination   Next hop
1.1.3.0/24    1.1.1.2   ≡ (W, X)
1.1.1.12/30   1.1.1.2
1.1.1.16/30   1.1.1.2
1.1.1.8/30    1.1.1.6
1.1.4.0/24    1.1.1.2
Subnets directly connected to W will not be in its table
[Figure: topology of routers W, X, Y and Z with link costs 3, 4, 5, 6 and 7; stub subnets 1.1.2.0/24, 1.1.3.0/24 and 1.1.4.0/24; point-to-point links 1.1.1.0/30, 1.1.1.4/30, 1.1.1.8/30, 1.1.1.12/30 and 1.1.1.16/30 with interface addresses 1.1.1.1, 1.1.1.2, 1.1.1.5, 1.1.1.6, 1.1.1.9, 1.1.1.10, 1.1.1.13, 1.1.1.14, 1.1.1.17 and 1.1.1.18]
Hierarchical OSPF
[Figure: Area 0 (backbone) connected to the Internet and to Areas 1, 2 and 3; router roles shown: AS border router, backbone router, area border router, area router]
Hierarchical OSPF
❀ Two-level hierarchy
  " Backbone: transit area, area 0
  " Regular areas: for routers connected to hosts
    µ Recommended < 50 routers/area
  " Link-state advertisements only inside one area
    µ To overcome the drawbacks of flooding and heavy computation
  " Each node has detailed area topology
  " Each node only knows direction (shortest path) to nodes in other areas
  " Smaller routing table to minimize cost and improve performance
❀ Area border routers:
  " Learns its attached areas
  " Summarizes its own area (but not by default)
  " Sends the summary out to other areas connected to this ABR
❀ Backbone routers: run OSPF routing in backbone area
❀ AS border routers: connect to other AS's
Load-Sharing Multipath in OSPF
❀ The routing table for router W indicates two equal-cost paths to reach router U and its directly connected subnets
❀ This multipath can improve the latency and make better use of available bandwidth
❀ However, packets may not be received in the order sent due to multipath
Destination   Next hop
X             X
Y             Y
Z             X
U             X or Y
Distance Vector Routing Tables
RIP Information
❀ During initialization, only the node's distance vector to a physically connected neighbor is known
❀ Distance vectors are exchanged among neighbors every 30 sec via RIP advertisements
❀ After each exchange between neighbors, each node in the network has a better idea of the distances between them due to:
  " New distance vectors being shared with the neighboring nodes in the network
  " Distance (routing) tables being updated
  " Distance vectors being re-calculated
❀ Exchanges continue until there are no new distance vectors being generated and the network is in equilibrium
  " Each node contains the minimum cost paths to each of the other nodes that comprise the network
  " Routing tables for each node
RIP: Initialization
❀ Initialize the distance tables for each of the nodes in the network:
  " Each node knows the distances to its IMMEDIATE neighbors
  " Initialize all other distances in the table to infinity (∞)
  " All nodes have a cost of zero to themselves
Distance Vector Algorithm
❀ Each node periodically sends its own distance vector (DV) estimate to its connected neighbors (no direction info!)
❀ When a node x receives a new DV estimate from neighbor v, it updates its own DV using the Bellman-Ford equation:
    D(x,y) ← min_v { cost(x,v) + D(v,y) } for each node y ∈ N, the minimum taken over the neighbors v of x
  " D(x,y) is the cost of the minimum-cost path from x to y
❀ Note that a node maintains its own and its directly connected neighbors' distance vectors, not everyone's!
❀ Each node notifies neighbors only when its DV changes
Propagation
❀ Each of the nodes propagates its distance table to each of its directly connected neighbors.
  " A sends its distance vector to B, C and D
  " B sends its distance vector to A, C, and E
  " C sends its distance vector to A, B, and E
  " D sends its distance vector to A
  " E sends its distance vector to B and C
❀ Each neighbor then recalculates its distance vectors and updates its distance table based upon the values received.
Propagation – Update

Table Re-Evaluation
❀ Each node re-calculates its distance vectors using the Bellman-Ford algorithm
❀ These distances, if different, will be sent to the node's immediate neighbors so that they can update their own distance vectors
❀ If a distance vector has been updated, the distance table will also be sent to the node's neighbors
  " Triggers another round of updates in its connected neighbors
❀ This process continues until equilibrium within the network has been obtained
RIP: Link Failure and Recovery
❀ If no advertisement is heard after 180 sec, then the neighbor/link is declared dead
  " Routes via neighbor invalidated
  " New advertisements sent to neighbors
  " Neighbors in turn send out new advertisements (if tables changed)
  " Link failure info slowly propagates to entire net
  " Poison reverse used to prevent ping-pong loops (infinite distance = 16 hops)
❀ This is not a real problem for a stable network
❀ It may be a problem when a network is deployed in a battlefield
Count to Infinity Problem
❀ Node A detects link failure (absence of periodic update)
❀ "Count to infinity" problem
❀ Most implementations define 16 as infinity
[Figure: the failed link is marked X]
Split Horizon
❀ A uses the path via B to reach C
  " A will not advertise its route to B for reaching C through B
  " Split horizon is a rule that specifies that a router can never send information about a route back to the router that originally supplied the information
  " With split horizon, this particular loop scenario cannot happen
❀ Split horizon with poison reverse: a variation on split horizon that does advertise the route back to the router used to reach the destination, but marks the advertisement as unreachable
[Figure: nodes A, B and C connected in a line, A – B – C]

Split Horizon
❀ A:
    A  B  C
    0  1  ∞
❀ B:
    A  B  C
    1  0  1
❀ B advertises to A and then A becomes:
    A  B  C
    0  1  2
❀ A advertises to B: since A learns the path to C from B, C is left out (unknown)
    A  B
    0  1
[Figure: nodes A, B and C connected in a line, A – B – C]
Split Horizon with Poisoned Reverse
❀ A:
    A  B  C
    0  1  ∞
❀ B:
    A  B  C
    1  0  1
❀ B advertises to A and then A becomes:
    A  B  C
    0  1  2
❀ A advertises to B: since A learns the path to C from B, C is advertised back to B as unreachable (∞)
    A  B  C
    0  1  ∞
[Figure: nodes A, B and C connected in a line, A – B – C]
Split Horizon Fails in a Three-Node Loop
[Figure: three mutually connected nodes; updates loop until infinity]
Infinity and TTL in IP header
❀ Why "infinity" is chosen to be as small as possible:
  " If a network becomes completely inaccessible, we want the count to infinity to cease as soon as possible
❀ Infinity must be large enough that no real route is that big
  " A diameter no larger than 15 (16 = infinity)
❀ The TTL in an IP header can save bandwidth by retiring expired packets traveling in a loop
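Added example, not from the slides: a Python simulator for the distance-vector exchange, the count-to-infinity problem, and split horizon with poison reverse, covering the RIP slides above. The topologies, costs and the synchronous round model are assumptions: the A-B-C chain loses its B-C link, and in a constructed triangle (A, B, C fully connected, network D behind C) the C-D link fails, which reproduces the three-node-loop case in which poison reverse still counts to infinity.

```python
# Synchronous RIP-style simulator (added example): Bellman-Ford re-evaluation, optional
# split horizon with poison reverse, and a link failure; topologies are constructed.
INFINITY = 16  # RIP treats 16 hops as unreachable

def neighbours(links, x):
    """Neighbours of x with link costs; links is {(u, v): cost}, undirected."""
    return {v if u == x else u: c for (u, v), c in links.items() if x in (u, v)}

def init_tables(links):  # each node knows only itself and its immediate neighbours
    nodes = {n for edge in links for n in edge}
    return {x: {**{y: [INFINITY, None] for y in nodes}, x: [0, None],
                **{v: [c, v] for v, c in neighbours(links, x).items()}} for x in nodes}

def advertisement(table, to, poison_reverse):
    """DV sent to neighbour `to`; poison reverse reports routes learned via `to` as INFINITY."""
    return {y: INFINITY if poison_reverse and nh == to else c for y, (c, nh) in table.items()}

def exchange_round(links, tables, poison_reverse):
    """Every node advertises, then re-evaluates its table; True if any entry changed."""
    advs = {v: {x: advertisement(tables[v], x, poison_reverse) for x in neighbours(links, v)}
            for v in tables}
    changed = False
    for x in tables:
        for y, (cost, nh) in tables[x].items():
            cands = {v: min(c + advs[v][x][y], INFINITY) for v, c in neighbours(links, x).items()}
            # The current next hop is always believed, even when its cost rose (this is what
            # starts a count to infinity); any other neighbour must be strictly cheaper.
            base = cands.get(nh, cost)
            best = min(cands, key=cands.get, default=None)
            new = ([cands[best], best] if best is not None and cands[best] < base
                   else [base, nh if base < INFINITY else None])
            if new != [cost, nh]:
                tables[x][y], changed = new, True
    return changed

def fail_link(links, tables, u, v):
    """Remove link u-v; each end drops every route it had learned through the other."""
    del links[(u, v)]
    for a, b in ((u, v), (v, u)):
        tables[a].update({y: [INFINITY, None] for y, (c, nh) in tables[a].items() if nh == b})

def settle(links, tables, poison_reverse, max_rounds=100):
    for rnd in range(1, max_rounds + 1):  # rounds until one changes nothing
        if not exchange_round(links, tables, poison_reverse):
            return rnd
    return max_rounds

def scenario(links, fail, poison_reverse):
    """Converge, break link `fail`, reconverge; returns (rounds to resettle, tables)."""
    links, tables = dict(links), init_tables(links)
    settle(links, tables, poison_reverse)
    fail_link(links, tables, *fail)
    return settle(links, tables, poison_reverse), tables

CHAIN = {("A", "B"): 1, ("B", "C"): 1}                                   # A-B-C; B-C fails
TRIANGLE = {("A", "B"): 1, ("B", "C"): 1, ("A", "C"): 1, ("C", "D"): 1}  # net D off C; C-D fails
```

On the chain, `scenario(CHAIN, ("B", "C"), poison_reverse=False)` needs about fifteen rounds to reach 16 while `poison_reverse=True` settles in two; on the triangle even the poisoned variant counts up to 16 one hop per round.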
Comparison of OSPF and RIP

Algorithm
  RIP:  Distance vector
  OSPF: Link state
Message complexity
  RIP:  Each update is a routing table broadcast from a directly connected neighbor
  OSPF: O(N*E) on initial LSDB exchange; updates only contain link state changes
Speed of convergence
  RIP:  RIP converges slower than OSPF. In large networks convergence gets to be in the order of minutes. RIP routers go through a period of hold-down and garbage collection in order to remove a route.
  OSPF: Better convergence than RIP: this is because routing changes are propagated instantaneously and not periodically
Storage
  RIP:  Directly connected neighbors' routing tables: O(N)
  OSPF: O(N*E) in all routers
Network delays and link costs
  RIP:  Only the number of hops
  OSPF: Yes
Hop count limit
  RIP:  15
  OSPF: No
Maintenance of routing tables
  RIP:  Periodic broadcasts of full routing tables consume a large amount of bandwidth
  OSPF: Updates are only sent in case routing changes occur instead of periodically.
Authentication
  RIP:  Yes
  OSPF: Yes
Load balancing
  RIP:  No
  OSPF: Yes
Type-of-service (TOS) support
  RIP:  No
  OSPF: Yes
Hierarchical networks
  RIP:  Flat
  OSPF: Areas
Comparison of OSPF and RIP
❀ Maintenance of routing tables
  " Dijkstra's calculation is run very infrequently in operational deployments
    µ Dijkstra runs on average only every 13 to 50 minutes
  " Since the algorithm is run so infrequently, overall OSPF consumes less CPU than RIP (because of RIP's frequent updates, requiring routing table lookups)
    µ Source: RFC 1245
❀ Total memory/storage for N nodes
  " OSPF: O(N*E), if no hierarchical areas
  " RIP: O(N), directly connected neighbors' routing tables
    µ N is the number of routers and E is the total number of edges (links)
❀ OSPF can also handle large internal network routing better than RIP due to the hierarchical areas as well as the absence of a hop count limit.
Internet Structure
❀ Hierarchical AS-level topology
  " Large, tier-1 providers form nationwide backbone
  " Edges represent business relationships
[Figure: National ISP1 and National ISP2 at the top, Regional ISP1, ISP2 and ISP3 below them, and customers Cust1, Cust2 and Cust3 at the bottom; provider-to-customer edges are labelled $ (the customer pays the provider); a second copy of the figure adds edges labelled "peers" between providers]
Internet Inter-AS Routing: BGP
❀ BGP (Border Gateway Protocol): the de facto standard
❀ BGP provides each AS a means to:
  " Obtain subnet route advertisements from neighboring ASs
  " Propagate route advertisements to all AS-internal routers
  " Determine optimal routes to subnets based on route advertisements and policy
  " Allow a subnet to advertise its existence to the remainder of the Internet
Full AS Path
[Figure: AS 88 originates prefix 128.112.0.0/16; the route is passed on through ASs 22, 33, 55, 77, 44 and 11, each AS prepending its own number as it re-advertises:]
    AS 22 receives   128.112.0.0/16   AS Path = 88
    AS 33 receives   128.112.0.0/16   AS Path = 22 88
    AS 55 receives   128.112.0.0/16   AS Path = 22 88
    AS 77 receives   128.112.0.0/16   AS Path = 55 22 88
    AS 44 receives   128.112.0.0/16   AS Path = 77 55 22 88
    AS 11 receives   128.112.0.0/16   AS Path = 33 22 88   and   AS Path = 44 77 55 22 88
BGP Path Selection
❀ Simplest case
  " Shortest AS path
  " Arbitrary tie break
❀ Example
  " Three-hop AS path may be preferred over a five-hop AS path
  " Or a path through AS 44 may be preferred over a path through AS 33
❀ Policy-based routing
[Figure: AS 11 receives 128.112.0.0/16 with AS Path = 33 22 88 from AS 33 and with AS Path = 44 77 55 22 88 from AS 44]
Policy Based vs. Distance Routing?
[Figure: ISP1, ISP2 and ISP3 with customers Cust1, Cust2 and Cust3; Host 1 and Host 2 attached to customers; two candidate paths between them, one marked YES and one marked NO]
Minimizing "hop count" can violate commercial relationships that constrain inter-domain routing.
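Added example, not from the slides: a Python model of the AS path propagation, loop check and path selection just described, with a policy hook for the "prefer AS 44 over AS 33" case. The peerings are read off the Full AS Path figure; treating AS 11 as a non-transit stub customer, the tie-break order and the preference value are assumptions.

```python
# Added example: propagation of one prefix through the AS graph of the Full AS Path figure.
# Every AS keeps the paths it hears, selects one (policy preference, then shortest AS path,
# then a fixed tie break) and re-advertises it with its own AS number prepended.
PREFIX = "128.112.0.0/16"
# Peerings read off the figure; AS 11 is assumed to be a stub customer that does not
# re-advertise routes learned from its providers (constructed assumption, not on the slide).
PEERINGS = [(88, 22), (22, 33), (22, 55), (55, 77), (77, 44), (33, 11), (44, 11)]
STUBS = {11}

def neighbours(asn, peerings):
    return [b if a == asn else a for a, b in peerings if asn in (a, b)]

def loop_free(asn, path):
    """AS-path loop detection: a route that already carries my own AS number is rejected."""
    return asn not in path

def select(asn, candidates, policy):
    """Highest policy preference, then shortest AS path, then lowest-numbered path (tie break)."""
    if not candidates:
        return None
    return min(candidates, key=lambda path: (-policy(asn, path), len(path), path))

def propagate(origin, policy=lambda asn, path: 0, peerings=PEERINGS, stubs=STUBS):
    """Synchronous advertisement rounds until no AS changes its best path. Returns {asn: path}."""
    asns = {a for pair in peerings for a in pair}
    best = {a: (() if a == origin else None) for a in asns}
    while True:
        heard = {a: [] for a in asns}
        for a in asns:
            if best[a] is None or (a in stubs and a != origin):
                continue  # nothing to announce, or a stub that does not provide transit
            for n in neighbours(a, peerings):
                path = (a,) + best[a]  # prepend own AS number
                if loop_free(n, path):
                    heard[n].append(path)
        new = {a: (() if a == origin else select(a, heard[a], policy)) for a in asns}
        if new == best:
            return best
        best = new

def prefer_via_44(asn, path):
    """Policy from the slide: AS 11 prefers a path through AS 44 over one through AS 33."""
    return 100 if asn == 11 and path[0] == 44 else 0
```

With the default (hop-count only) policy AS 11 selects AS Path = 33 22 88; with `prefer_via_44` it selects 44 77 55 22 88 even though that path is longer.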
BGP Operations
[Figure: border routers of AS1 and AS2 with a BGP session between them: establish session on TCP port 179; exchange all active routes; exchange incremental updates; while the connection is ALIVE exchange route UPDATE messages]
• BGP is executed between two border routers
  – BGP peers or BGP speakers
  – Router establishes a TCP connection (TCP port 179)
  – Routers exchange BGP routes
  – Periodically send updates
Advertise network REACHABILITY
Exterior (External) BGP (E-BGP)
§ The BGP discussed so far is E-BGP
§ E-BGP can be used by R3 and R4 to learn routes.
§ How do R1 and R2 learn routes?
§ Option 1: Inject routes in IGP (such as OSPF)
  § Works for small routing tables only
§ Option 2: Use I-BGP
Interior (Internal) BGP (I-BGP)
❀ Advertising rules
  " R3 can tell R1 and R2 prefixes from R4
  " R3 can tell R4 prefixes from R1 and R2
  " R3 cannot tell R2 prefixes from R1
    µ Main reason is to prevent loops
❀ R2 can only find these prefixes through a direct connection to R1
❀ Result: I-BGP routers must be fully connected (via TCP)!
  " Contrast with E-BGP sessions that map to physical links
BGP Example
• R1 – Advertises routes inside AS1 to R2 (E-BGP)
• R2 – Advertises routes inside AS1 to R3, R4, R5 (I-BGP)
• R6 – Advertises routes inside AS3 to R4 (E-BGP)
• R4 – Advertises routes inside AS3 to R2, R3, R5 (I-BGP)
• R2 – Advertises routes within AS2 and AS3 to R1 (E-BGP)
• R4 – Advertises routes within AS2 and AS1 to R6 (E-BGP)
Join I-‐BGP + IGP to Create Forwarding Table