AS-path Based Filter of Customer BGP Routes

Any serious (or at least security-aware) ISP should not blindly accept BGP routes from its customers but at the very minimum do some sanity checks on them. For example, if a multi-homed customer is clumsy enough to advertise BGP routes between service providers, it’s nice if you still stop him from turning into a transit AS. The required filter is conceptually quite simple: all the BGP routes from the customer should contain only his AS number in the AS-path.

The initial non-scalable approach is obvious: accept only AS paths that consist of exactly the customer's AS number and nothing else. For example, if your customer's AS number is 65001, you could use this filter: ip as-path access-list 100 permit ^65001$.

The caret sign at the beginning of the string and the dollar sign at its end are mandatory; otherwise the as-path access-list will match any AS-path with the string 65001 in it.

A more generic approach might recognize that the AS path received from the customer shall contain a single AS number, so the filter can be rewritten as ip as-path access-list 100 permit ^[0-9]+$, where the expression [0-9]+ matches one or more digits (also known as a number).

Both filters described above have a common problem: they fail if the customer is using AS-path prepending. In those cases, you should accept all AS-paths that contain a single number (potentially repeating multiple times). The explicit filter is simple: ip as-path access-list 100 permit ^65001(_65001)*$. This filter matches all AS paths that start with 65001 and contain zero or more occurrences of a delimiter (whitespace) followed by 65001.

Writing an implicit AS-path filter that recognizes AS-path prepending is trickier and requires the use of pattern recall, where a later part of the regular expression matches whatever an earlier part of the same expression already recognized. In our case, the first AS number recognized could be repeated many times over, as expressed with this cryptic filter: ip as-path access-list 100 permit ^([0-9]+)(_\1)*$. The \1 part of the filter is the pattern recall and matches whatever was matched within the first pair of parentheses (the first AS number in the AS path).
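As an added illustration that is not part of the original post, the following Python script emulates IOS-style AS-path regex matching (the "_" delimiter is translated to a space, comma, brace or string boundary, which is an assumption about IOS semantics, ignoring confederation and AS_SET notation) and runs each filter discussed above against constructed sample AS paths, including a prepended path, two route leaks and an unanchored filter that accepts everything.

```python
import re

# IOS-style AS-path regex: "_" matches a delimiter (space, comma, brace)
# or the start/end of the path string.  Translate it to Python syntax.
# Assumption: this models IOS closely enough for the cases on this page;
# confederation "()" and AS_SET "{}" contents are not modelled.
def ios_aspath_to_python(pattern: str) -> str:
    return pattern.replace("_", r"(?:^|$|[ ,{}])")


def aspath_matches(pattern: str, as_path: str) -> bool:
    """True if the AS path (as printed by 'show ip bgp') matches the filter."""
    return re.search(ios_aspath_to_python(pattern), as_path) is not None


# Constructed sample AS paths as a customer in AS 65001 might send them.
SAMPLE_PATHS = {
    "own route": "65001",
    "prepended x3": "65001 65001 65001",
    "leak of other ISP": "65001 65002",
    "leak with prepend": "65001 65001 65003 65003",
    "longer ASN": "165001",            # a different single AS, not 65001
    "prepend of wrong ASN": "65001 650011",
}

# The filters from the post, plus the unanchored mistake it warns about.
FILTERS = {
    "explicit": "^65001$",
    "unanchored (wrong)": "65001",
    "any single AS": "^[0-9]+$",
    "explicit+prepend": "^65001(_65001)*$",
    "implicit+prepend": r"^([0-9]+)(_\1)*$",
}


def evaluate(filters=FILTERS, paths=SAMPLE_PATHS) -> dict:
    """Return {filter name: set of sample path names the filter accepts}."""
    return {name: {p for p, path in paths.items() if aspath_matches(rx, path)}
            for name, rx in filters.items()}


if __name__ == "__main__":
    for name, accepted in evaluate().items():
        print(f"{name:20s} accepts: {sorted(accepted)}")
```

The unanchored filter accepts every sample path, including the leaks, while both prepend-aware filters accept the prepended path and reject both leaks; the implicit filter additionally accepts a single AS number other than 65001, which is exactly the difference between the explicit and implicit variants.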

5 comments:

  1. what symbols are used in the as-path display to indicate AS_SEQ, AS_SET, AS_CONFED_SEQ and AS_CONFED_SET? <nothing>, {}, (), and []?
  2. I don't know the internal details, but it appears from the outside like the BGP process would convert AS path into a string that you can see in the "show ip bgp" printout, and match that string with the regular expression. Helps?
  3. How can the customer itself avoid being used as a transit path in a multihomed network with 2 ISPs?

    neigh filter-list 1 out
    ip as-path access-list 1 permit ^$

    Would this be fine ?
    Replies
    1. That would stop the route leaking - you'd advertise your own routes and nothing else (which is the right thing to do).

      To make sure someone is not misusing you for transit and sending you traffic regardless of what you announce, you'd have to deploy packet filters on the ISP-facing interfaces. Probably not worth the effort from the traffic flow perspective these days (but might be worth it from security perspective).
  4. How can we learn 2000-5000 customer routes from the ISP using a BGP regular expression?

    Replies
    1. Oh, it's simple (conceptually):

      • Analyze your traffic to figure out which prefixes and autonomous systems you're interested in (example: https://blog.ipspace.net/2015/01/sdn-router-spotify-on-software-gone-wild.html)
      • If you insist on using AS-path regexp filters, figure out the AS paths used to advertise prefixes from those autonomous systems to you.
      • Create your AS-path filter.

      Alternatively, you could use RIB-to-FIB IP prefix filters if your router supports something along those lines.

    2. You mean, first I need to figure out around 2000 prefixes which I want to learn from the ISP ... right?

      Note: As of now we are allowing the default route (0.0.0.0/0) from the ISP, and let's assume 100 ASes on the ISP side.

  5. Hi, could you please confirm my doubt below, which I have also posted above as a reply to your comment? You mean, first I need to figure out around 2000 prefixes which I want to learn from the ISP ... right?

    Note: As of now we are allowing the default route (0.0.0.0/0) from the ISP, and let's assume 100 ASes on the ISP side.
