Routing BGP Protocol-Theory RFC – How is BGP AS_SET Used?

bgpprotocol-theoryrfcrouting

RFC 1771 defines a path attribute type of AS_PATH as follows:

AS_PATH (Type Code 2):

AS_PATH is a well-known mandatory attribute that is composed
of a sequence of AS path segments. Each AS path segment is
represented by a triple <path segment type, path segment
length, path segment value>.

The path segment type is a 1-octet long field with the
following values defined:

Value Segment Type
1 AS_SET:      unordered set of ASs a route in the
               UPDATE message has traversed
2 AS_SEQUENCE: ordered set of ASs a route in
               the UPDATE message has traversed

Using a AS_PATH type of AS_SEQUENCE makes perfect sense to me: You end up with a reverse list of the ASN's you cross to get to a particular prefix.

However, I have no idea what purpose having an unordered list of ASN's between you and the prefix that would occur if you chose to use an AS_PATH of AS_SET.

The quote above is from the UPDATE message format, so presumably, an Admin has the option to send to BGP peers an ordered list or an unordered list. My question then is, what would the purpose be of sending an unordered list? In what cases would you be better off sending an unordered list as opposed to an ordered list?

Best Answer

My question then is, what would the purpose be of sending an unordered list? In what cases would you be better off sending an unordered list as opposed to an ordered list?

as-set is commonly used when aggregating routes downstream of an autonomous system; so the use case for an unordered list is bgp aggregation.

EXAMPLE:

In the example below, AS65500 aggregates the eBGP announcements from AS65000 and AS65001 into 10.1.0.0/23. After aggregating the announcements from AS65000 and AS65001, AS65500 sends NETWORK: 10.1.2.0/23 AS-PATH: 65500 and NETWORK: 10.1.0.0/23 AS-PATH: 65500 {65000, 65001} (the aggregate). Typically, an AS will aggregate when it has delegated portions of a larger address block to customers.

It doesn't make sense to build an ordered list when you aggregate space for multiple ASNs; for instance, an ordered AS-PATH for the aggregate below would be either 65500 [65000, 65001] or 65500 [65001, 65000]. However, both of those ordered lists are non-sense because ordering is irrelevant to the aggregate (i.e. both autonomous systems are directly connected to AS 65500). Ordering implies a sequence which is meaningless to the aggregate.

Unordered lists (i.e. mathematical sets) make the most sense for an AS_SET.

          _.------------.
      ,-''               `--.
    ,'                       `.
   (         AS65000           )
    `.       10.1.0.0/24     ,'
      `--.               _.-'
          `------------''
                    \          ------> NETWORK: 10.1.2.0/23   AS-PATH: 65500
                     \         ------> NETWORK: 10.1.0.0/23   AS-PATH: 65500 {65000, 65001}
           _.--------------.        router bgp 65500
       ,-''                 `--.     no sync
     ,'                         `.   no auto-summary
    (          AS65500             ) neighbor 10.1.0.2 remote-as 65000
     `.        10.1.2.0/23      ,'   neighbor 10.1.1.2 remote-as 65001
       --.                 _.-'      network 10.1.2.0 mask 255.255.254.0
           `--------------''         aggregate-add 10.1.0.0 255.255.254.0 summary-only as-set
                    /
                   /
          _.--------------.
      ,-''                 `--.
   ,'                         `.
  (           AS65001           )
   `.         10.1.1.0/24     ,'
     `--.                 _.-'
         `--------------''

Related Solutions

Routing – BGP remote-triggered blackhole (RTBH) filter for Juniper

There is no reason to limit customer to blackhole only /32, allow them to blackhole anything from them.

Something like this:

policy-statement AS42-IN {
    term blackhole {
        from {
            community BLACKHOLE;
            prefix-list-filter AS42 orlonger;
        }
        then {
            community add NO-EXPORT;
            next-hop 192.0.2.1;
            accept;
        }
    }
    term advertise {
        from {
            prefix-list AS42;
        }
        then {
            community add ADVERTISE;
            next-hop peer-address;
            accept;
        }
    }
    term reject {
        then reject;
    }
}

Remember to set 'accept-remote-nexthop' under BGP settings, so that the next-hop can be changed to something else than link address.

I also strongly support that providers start to support different blackhole communities than just 'full blackhole'. Especially if you operate in more than one country usually attack is from transit and often customer actually mostly wants to access domestic peerings, so it's useful to implement several levels of blackhhole:

Full
Outside local country (local IXP, whole own AS + customers seen)
Outside local area (if applicable, like for me it could be 'Nordics')
Include/Exclude specific peering router in blackhole

I'm happy to give example how to implement something like this with JNPR DCU/SCU, provided your peering routers are JNPR, but it's possible with just communities, just bit more awkward.

If you absolutely want to limit your customer's options you can add this:

policy-statement /32 {
    term /32 {
        from {
            route-filter 0.0.0.0/0 prefix-length-range /32-/32;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}

policy-statement AS42-IN {
    term blackhole {
        from {
            community BLACKHOLE;
            policy /32;
            prefix-list-filter AS42 orlonger;
        }
..
}

This way it should be logical AND. But I really don't see the value in creating complexity to reduce expressiveness of configuration.

How is the OSPF Opaque LSA Option used

Opaque LSA's are used to extend the capabilities of OSPF, and to allow for transmission of arbitrary data that OSPF does not necessarily need to care about. For example, if you were writing an application and you decided you wanted to use OSPF to transport the application's data but you did not want OSPF to use this data for its own purposes, ie route calculations.

There are three types of Opaque LSA's (in context of the subtype of the Opaque LSA, similar to other LSA types), which determine the scope of flooding of those LSA's:

Type 9 - link-local scope
Type 10 - area-local scope
Type 11 - AS scope

The Opaque LSA has 32 bits allocated for the Opaque Type (8 bits) and the Opaque ID (24 bits). There are (AFAIK) currently four Opaque types that have been allocated by the IANA:

Traffic Engineering LSA - used for MPLS-TE
Sycamore Optical Topology Descriptions - likely proprietary. I wasn't able to find much info on this, other than the fact that John Moy works for Sycamore.
Grace LSA - used for OSPF graceful restart
Router Information LSA - Intended (but not yet implemented AFAIK) to supplement the options field to allow for communication of optional capabilities between neighbors. Currently the options field is only 8 bits and there is only a single bit that can be used that just determines if a neighbor supports Opaque LSA's. This RI LSA would provide TLV values to signal support of up to 32 different capabilities between neighbors without needing to add more bits to the options field in the LSA.

In regards to practical application of the Opaque LSA, likely the most common implementation you'll see of this in the wild is in MPLS traffic engineering. In OSPF extensions for MPLS traffic engineering, Opaque LSA's are used to communicate traffic engineering interface parameters (such as maximum bandwidth, maximum reservable bandwidth, unreserved bandwidth, etc) throughout an area in order to populate the traffic engineering databases of the routers within the area.

As for "how to use it" - you shouldn't have to, unless you're writing code that you would need to use it. In terms of practical application on a routing platform, on platforms I have experience with, there's not a specific knob you need to turn that "enables" Opaque LSAs. These should be implicitly enabled if you implement something that has dependencies on them, such as MPLS.

Best Answer

Related Solutions

Routing – BGP remote-triggered blackhole (RTBH) filter for Juniper

How is the OSPF Opaque LSA Option used

Related Topic