AS-path based filter of customer BGP routes

Any serious (or at least security-aware) ISP should not blindly accept BGP routes from its customers but at the very minimum do some sanity checks on them. For example, if a multi-homed customer is clumsy enough to advertise BGP routes between service providers, it’s nice if you still stop him from turning into a transit AS. The required filter is conceptually quite simple: all the BGP routes from the customer should contain only his AS number in the AS-path.

If you're looking for more in-depth BGP knowledge, try our Configuring BGP on Cisco Routers e-learning solution. If you just need to enhance your hands-on skill, the BGP Remote Lab Bundle is the perfect choice.

The initial non-scalable approach is obvious: accept only the AS paths that have exactly the customer’s AS number in the AS path. For example, if your customer’s AS number is 65001, you could use this filter: ip as-path access-list 100 permit ^65001$.

Note: the caret sign at the beginning of the string and the dollar sign at its end are mandatory; otherwise the as-path access-list will match any AS-path with the string 65001 in it.

A more generic approach might recognize that the AS path received from the customer shall contain a single AS number, so the filter can be rewritten as ip as-path access-list 100 permit ^[0-9]+$, where the expression [0-9]+ matches one or more digits (also known as a number).

Both filters described above have a common problem: they fail if the customer is using AS-path prepending. In those cases, you should accept all AS paths that contain a single AS number (potentially repeated multiple times). The explicit filter is simple: ip as-path access-list 100 permit ^65001(_65001)*$. This filter matches all AS paths that start with 65001 and contain zero or more occurrences of a delimiter (whitespace) followed by 65001.

Writing an implicit AS-path filter that recognizes AS-path prepending is trickier and requires the use of pattern recall: a part of a regular expression can match the text already matched by an earlier part of the same expression. In our case, the first AS number recognized may be repeated many times over, as expressed with this cryptic filter: ip as-path access-list 100 permit ^([0-9]+)(_\1)*$. The \1 part of the filter is the pattern recall and matches whatever was matched within the first pair of parentheses (the first AS number in the AS path).
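Before putting any of these filters on a production router it helps to run them against a handful of AS paths and see exactly which ones get through. The following Python script is an added example (not code from the original post) that emulates how IOS evaluates an as-path access-list entry: the pattern is searched, not anchored, and the underscore stands for a delimiter (space, comma, braces, parentheses) or the start/end of the path string, which is this script's own translation of that documented behaviour into Python's re module. The AS paths and AS numbers below are constructed for the demonstration; the customer AS 65001 is taken from the post.

```python
import re

# Cisco's "_" in an AS-path regex matches a delimiter between AS numbers
# (space, comma, braces, parentheses) or the beginning/end of the string.
# This is our translation of that documented semantics into Python re syntax.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_aspath_regex(pattern: str) -> re.Pattern:
    """Compile a Cisco-dialect AS-path regex into a Python regex.

    Only the underscore needs translating; ^, $, [0-9]+, (...)*, and the
    \\1 pattern recall mean the same thing in both dialects.
    """
    return re.compile(pattern.replace("_", _UNDERSCORE))


def aspath_matches(pattern: str, as_path: str) -> bool:
    """Emulate 'ip as-path access-list N permit <pattern>' for one AS path.

    IOS searches the AS-path string for the pattern instead of anchoring
    it, so a pattern without ^ and $ matches anywhere inside the path.
    The as_path argument is the AS_PATH column as printed by 'show ip bgp'.
    """
    return cisco_aspath_regex(pattern).search(as_path) is not None


def permitted_paths(pattern: str, as_paths: list[str]) -> list[str]:
    """Return the subset of AS paths a single permit entry would accept."""
    return [path for path in as_paths if aspath_matches(pattern, path)]


# Constructed AS paths as they might arrive from customer AS 65001.
SAMPLE_PATHS = [
    "65001",                # the customer's own prefix
    "65001 65001 65001",    # the customer's own prefix, prepended twice
    "65001 65002",          # a route learned from the customer's other ISP (transit leak)
    "65002",                # a path that is not the customer's AS at all
    "650011",               # an AS number that merely contains the digits 65001
    "",                     # empty AS path: a locally originated route
]

# The filters discussed in the post, plus the ^$ filter from the comments.
FILTERS = {
    "unanchored": "65001",
    "exact": "^65001$",
    "any single AS": "^[0-9]+$",
    "explicit prepend-aware": "^65001(_65001)*$",
    "implicit prepend-aware": r"^([0-9]+)(_\1)*$",
    "locally originated only": "^$",
}


def report() -> dict[str, list[str]]:
    """Evaluate every filter against every sample path."""
    return {name: permitted_paths(pattern, SAMPLE_PATHS) for name, pattern in FILTERS.items()}


if __name__ == "__main__":
    for name, accepted in report().items():
        print(f"{name:24s} permits: {accepted!r}")
```

The "unanchored" entry reproduces the pitfall from the note above: without ^ and $ the pattern 65001 happily permits the transit leak 65001 65002 and the unrelated AS 650011. Both prepend-aware filters accept the prepended path and still reject the leak, while ^$ (the outbound filter suggested in the comments) lets only the locally originated route through.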

Cisco partners and employees can access the Employing AS-Path Filters remote lab free-of-charge on the Partner Education Connection.

4 comments:

  1. What symbols are used in the as-path display to indicate AS_SEQ, AS_SET, AS_CONFED_SEQ and AS_CONFED_SET? <nothing>, {}, (), and []?

  2. Ivan Pepelnjak, 19 March, 2012 20:55

    I don't know the internal details, but it appears from the outside like the BGP process would convert AS path into a string that you can see in the "show ip bgp" printout, and match that string with the regular expression. Helps?

  3. How can the customer itself avoid being used as a transit path in a multihomed network with 2 ISPs?

    neigh filter-list 1 out
    ip as-path access-list 1 permit ^$

    Would this be fine ?

    1. That would stop the route leaking - you'd advertise your own routes and nothing else (which is the right thing to do).

      To make sure someone is not misusing you for transit and sending you traffic regardless of what you announce, you'd have to deploy packet filters on the ISP-facing interfaces. Probably not worth the effort from the traffic flow perspective these days (but might be worth it from security perspective).



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.