AS-path based filter of customer BGP routes

Any serious (or at least security-aware) ISP should not blindly accept BGP routes from its customers but at the very minimum do some sanity checks on them. For example, if a multi-homed customer is clumsy enough to advertise BGP routes between service providers, it’s nice if you still stop him from turning into a transit AS. The required filter is conceptually quite simple: all the BGP routes from the customer should contain only his AS number in the AS-path.

If you're looking for more in-depth BGP knowledge, try our Configuring BGP on Cisco Routers e-learning solution. If you just need to enhance your hands-on skill, the BGP Remote Lab Bundle is the perfect choice.

The initial non-scalable approach is obvious: accept only the AS paths that have exactly the customer’s AS number in the AS path. For example, if your customer’s AS number is 65001, you could use this filter: ip as-path access-list 100 permit ^65001$.

Note: the caret sign at the beginning of the string and the dollar sign at its end are mandatory; otherwise the as-path access-list will match any AS-path with the string 65001 in it.

A more generic approach might recognize that the AS path received from the customer shall contain a single AS number, so the filter can be rewritten as ip as-path access-list 100 permit ^[0-9]+$, where the expression [0-9]+ matches one or more digits (also known as a number).

Both filters described above have a common problem: they fail if the customer is using AS-path prepending. In those cases, you should accept all AS-paths that contain a single number (potentially repeating multiple times). The explicit filter is simple: ip as-path access-list 100 permit ^65001(_65001)*$. This filter matches all AS paths that start with 65001 and contain zero or more occurrences of a delimiter (whitespace) followed by 65001.

Writing an implicit AS-path filter that recognizes AS-path prepending is trickier and requires the use of pattern recall – part of regular expression could match a pattern recognized earlier in the regular expression. In our case, the first AS number recognized could be repeated many times over as expressed with this cryptic filter: ip as-path access-list 100 permit ^([0-9]+)(_\1)*$. The \1 part of the filter is pattern recall and matches whatever was matched within the first parenthesis (the first AS number in the AS path).

Cisco partners and employees can access the Employing AS-Path Filters remote lab free-of-charge on the Partner Education Connection.

2 comments:

  1. what symbols are used in the as-path display to indicate AS_SEQ, AS_SET, AS_CONFED_SEQ and AS_CONFED_SET? <nothing>, {}, (), and []?</nothing>

    ReplyDelete
  2. Ivan Pepelnjak19 March, 2012 20:55

    I don't know the internal details, but it appears from the outside like the BGP process would convert AS path into a string that you can see in the "show ip bgp" printout, and match that string with the regular expression. Helps?

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.