Chapter 1. The Border Gateway Protocol


Chapter 1. We'll then move into various deployment situations, starting with small enterprise networks using BGP internally and to connect to the Internet. From there we'll continue to move through ever-larger scale deployments of BGP, discussing how BGP and its extensive policy mechanisms fit into network architectures. We continue by providing details about finely tuning BGP to perform optimally and scale effectively in an array of deployment scenarios. We finish with in-depth discussions on debugging and troubleshooting various problems within the protocol and BGP networks.



Exterior and Interior Gateway Protocols

In order to understand why BGP is designed the way it is, you first need to understand where it fits in the world of routing protocols. Routing protocols can be divided along several axes, the first being Interior Gateway Protocols (IGPs) versus Exterior Gateway Protocols (EGPs). The primary difference between EGPs and IGPs is the place in the network where they provide reachability information; that is, within an administrative routing domain (intradomain) or between administrative routing domains (interdomain).



Routing Domains

Exactly what a routing domain is depends primarily on the context. In Intermediate System to Intermediate System (IS-IS) terminology, for instance, a routing domain is the area in which topology information is flooded. Open Shortest Path First (OSPF) simply refers to this as an area. Within the context of BGP, however, a routing domain is the set of routers under the same administrative control. In other words, there are routers your company, school, division, and so on can administer, configure, and manage, and there are routers beyond your control. Those routers under your control are typically said to be within your routing domain; those outside your control are outside your routing domain. This definition isn't as precise as it sounds, since a particular router may be within the control of an entity, but not under the control of everyone who works for that entity or is a part of that entity. For example, a limited set of people within an organization may be able to configure the router that connects that organization to the Internet, but that doesn't necessarily mean this router is in a separate routing domain from the rest of the routers in the organization.

Within the world of BGP, those routers under a single point of administrative control are referred to as an autonomous system (AS). Exterior routing, then, concerns itself with providing routing information between routing domains, or across autonomous system boundaries, while interior routing concerns itself with providing routing information within a routing domain or autonomous system.



Why Not Use a Single Protocol for Both Internal and External Routing?

If all routing protocols provide the same information (reachability and path information), why not use a single routing protocol for both interior and exterior routing? The simple answer is that routing protocols may not just provide reachability information; they may also provide policy information. There are several reasons why protocols designed to route within an autonomous system don't carry policy information:

- Within an autonomous system (AS), policy propagation generally isn't important. Since all the routers contained within the routing domain are under a single administrative control, policies can be implemented on all the routers administratively (through manual configuration). As such, the routing protocol doesn't need to propagate this information.

- Speed of convergence is a very important factor for routing protocols within an autonomous system, while between autonomous systems it is not as much of a factor as stability. Routing protocols providing reachability information within an autonomous system need to be focused on one thing: providing accurate information about the topology of the network as quickly and efficiently as possible. Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), and Enhanced Interior Gateway Routing Protocol (EIGRP) all provide this sort of routing, expressly designed for intradomain routing.



Some policy propagation is creeping into interior gateway protocols in the form of information about the quality of service across various paths within a network; even here, the definitions of interior and exterior routing become blurred.



Why is it so important to split the routing information learned from within your domain from the routing information learned from outside your domain? There are many reasons; for instance, in order to scope propagation of changes made within a routing domain so they don't impact external routing domains, or perhaps to provide the capability to hide specific information about your network from external entities. The reasoning behind these and many other possible responses will become more obvious as we proceed through the book.



Preventing Changes in Other Routing Domains from Impacting Network Operation

Let's examine the network illustrated in Figure 1.1 and consider how changes in one routing domain could have a serious negative impact on the operation of another routing domain.

Figure 1.1. Unintentional consequences of bringing up a new link when sharing routing information.

In this network, the network administrators have decided to share routing information through an interior gateway protocol, including specific information about how to reach servers and hosts within each other's networks as needed. It's decided that 10.1.1.0/24 is one of the destinations that they need to share information about, so redistribution between the IGPs used in Partner A's and Partner B's networks is set up to allow this information to leak between the two routing domains. In time, Partner B also partners with Partner C and again uses IGP redistribution to share information about reachable destinations between the two routing domains.

However, in this case, the routing information provided by Partner C into Partner B's routing domain, and thus leaked into Partner A's routing domain, overlaps (or conflicts) with the internal routing information in Partner A's routing domain. The result is that some destinations within Partner A's network will become unreachable to sources within Partner A's network; the actions of Partner B's network administrators have caused a fault in Partner A's network. This sort of problem is not only difficult to identify, it is also difficult to fix, since it will involve actions on the part of the network administrators from, possibly, all three routing domains.



Hiding Information about Your Network

The network illustrated in Figure 1.1 also uncovers another problem which can result when simple IGP redistribution is used to share information between autonomous systems; in this case, information about Partner C's internal network infrastructure is passed on to Partner A. If Partner A and Partner C are actually competitors, the information about Partner C's network could actually be used to compromise their competitive position. In general, it is always best to use policy-based rules to prevent information about your internal network from leaking beyond its intended bounds.



Policies between Domains

Examining the issues illustrated through Figure 1.1, it is apparent that some sort of policy implemented by Partner A, in the first case, and by Partner C, in the second case, would prevent the problems described. For instance, in the first case, a policy of not accepting routing information from outside the network that would interfere with internal routing information would resolve this problem, and all such future problems, without manually configuring a list of filters on a regular basis. In this example, simply filtering the routing information learned by Partner A from Partner B so that no prefixes with a prefix length longer than 24 bits are accepted would resolve this issue permanently, if all the networks within Partner A's routing domain have a 24-bit length.

In the second case, if Partner C could somehow mark the routing information it is advertising to Partner B so that Partner B will not pass the information on to Partner A, this problem could also be resolved without resorting to manual lists maintained by Partner B. So two possible policies we would want to implement between routing domains would be to mark routes so they cannot (or should not) be advertised beyond the adjacent routing domain (Partner B) and to prevent leaking information that would provide a better route to internal networks than the internal routing information provides. What other sorts of policies would we want to implement through an Exterior Gateway Protocol (EGP)?
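The two Figure 1.1 policies just described, as an added example that is not part of the book's text: a small model of the A-B-C redistribution chain in Python. It shows why a leaked more-specific prefix breaks Partner A's internal reachability (longest-prefix match prefers it), then applies Partner A's import rule (reject anything longer than /24) and Partner C's mark-and-don't-export rule. The "mark" is modelled with the well-known BGP NO_EXPORT community (RFC 1997), which the text does not name; the 10.1.1.0/24 prefix comes from the page, while 10.1.1.0/25, 192.0.2.0/24, the host addresses and all function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Well-known BGP community NO_EXPORT (RFC 1997): a route carrying it is not
# advertised beyond the AS that receives it. The page only speaks of "marking"
# a route; using this community to model the mark is this example's choice.
NO_EXPORT = 0xFFFFFF01


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin: str                          # routing domain that originated the route
    communities: frozenset = frozenset()  # marks carried with the route


def route(prefix, origin, *communities):
    return Route(ipaddress.ip_network(prefix), origin, frozenset(communities))


def lookup(rib, host):
    """Longest-prefix match: the most specific route wins, which is exactly
    why a leaked /25 beats Partner A's own /24 for hosts inside the /25."""
    addr = ipaddress.ip_address(host)
    best = None
    for r in rib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


# Policy 1 (Partner A, import): accept nothing more specific than /24.
def import_filter_max_prefixlen(routes, max_len=24):
    return [r for r in routes if r.prefix.prefixlen <= max_len]


# Policy 2 (Partner B, export): never pass a marked route on to the next domain.
def export_filter_no_export(routes):
    return [r for r in routes if NO_EXPORT not in r.communities]


# Constructed sample data: Partner A's internal 10.1.1.0/24 (from the page) and
# what Partner C advertises, including a conflicting, more specific 10.1.1.0/25
# and a prefix standing in for C's internal infrastructure.
A_INTERNAL = [route("10.1.1.0/24", "A")]
C_ADVERTISED = [route("10.1.1.0/25", "C"), route("192.0.2.0/24", "C")]
C_MARKED = [route("10.1.1.0/25", "C", NO_EXPORT), route("192.0.2.0/24", "C", NO_EXPORT)]


def partner_a_rib(a_import_policy=None, b_export_policy=None, c_routes=C_ADVERTISED):
    """Simulate the C -> B -> A redistribution chain with optional policies
    at B's export border and A's import border."""
    leaving_b = b_export_policy(c_routes) if b_export_policy else list(c_routes)
    entering_a = a_import_policy(leaving_b) if a_import_policy else leaving_b
    return A_INTERNAL + entering_a


def origin_for(host, **policies):
    """Which domain's route Partner A would use to reach `host` (None = no route)."""
    r = lookup(partner_a_rib(**policies), host)
    return r.origin if r else None


if __name__ == "__main__":
    # No policy: A's own host is routed toward C, i.e. unreachable internally.
    print("no policy      :", origin_for("10.1.1.10"))
    # Policy 1 at A's import border restores the internal route.
    print("A import filter:", origin_for("10.1.1.10", a_import_policy=import_filter_max_prefixlen))
    # Policy 2: C marks, B honours the mark, nothing of C's reaches A.
    print("C marks routes :", origin_for("10.1.1.10", b_export_policy=export_filter_no_export, c_routes=C_MARKED),
          origin_for("192.0.2.1", b_export_policy=export_filter_no_export, c_routes=C_MARKED))
```

The first policy is under Partner A's own control and protects A regardless of what B and C do; the second depends on B honouring the mark, which is why the text describes it as a policy implemented by Partner C but relying on Partner B.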

- Always take the closest exit point. If you want to allow traffic from other networks to traverse your network but you want to minimize the amount of bandwidth you need to provision in order to allow this, then you should be able to set up a policy of always taking the closest exit point out of your network, rather than the best path, toward the destination. This is typically referred to as closest-exit or hot potato routing.

- Take the closest exit point to the final customer. In some cases, in order to provide better service to customers who are reaching your network through another autonomous system, you want to be able to always choose the best, or shortest, path to the final destination rather than the shortest path out of your network. This is typically referred to as best-exit routing, though oddly it's sometimes also referred to as cold potato routing.

- Take the cheapest exit point. In some cases, you may have contracts requiring payment per a given amount of traffic sent on a particular link or set of links. If this is true, you may want to route traffic out of your autonomous system based on the cheapest exit point rather than the closest.

- Don't traverse certain networks. If you are running a network carrying secure or sensitive data, you might want to have some control over the physical forwarding path the traffic takes once it leaves your network. In reality, controlling the path your traffic takes is almost impossible, even with BGP, because IP packets are routed hop by hop, and thus anyone you send the packets to can decide to send them someplace you don't want them to go.

- Avoid accepting redundant or unstable routing information from other networks. In order to scope resource consumption within your network, you may want to impose policies that discard redundant routing information or suppress unstable route advertisement.
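The exit-selection policies in the list above, as an added Python example that is not from the book: each candidate exit router carries the IGP cost to reach it from the ingress router, the AS path beyond it, and a contract price. Hot potato minimizes the internal cost, cold potato the internal plus external cost, cheapest exit the price, and the avoid rule removes exits whose visible path crosses a forbidden AS. The router names, costs, prices and the private-use AS numbers 65001-65005 are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exit:
    router: str
    igp_cost: int      # cost from the ingress router to this exit, inside our network
    as_path: tuple     # ASes traversed beyond the exit toward the destination
    price: float       # contract cost per unit of traffic on the exit link

    @property
    def external_cost(self):
        # Distance beyond our border, approximated by AS path length.
        return len(self.as_path)


def hot_potato(exits):
    """Closest exit: leave our network as soon as possible."""
    return min(exits, key=lambda e: (e.igp_cost, e.router))


def cold_potato(exits):
    """Best exit: shortest path to the final destination, internal plus external."""
    return min(exits, key=lambda e: (e.igp_cost + e.external_cost, e.router))


def cheapest_exit(exits):
    """Cheapest exit: lowest contract price, then closest on ties."""
    return min(exits, key=lambda e: (e.price, e.igp_cost, e.router))


def avoid_networks(exits, forbidden):
    """Drop exits whose known AS path crosses a forbidden network. As the text
    notes, this only constrains the path as far as we can see it; downstream
    ASes forward hop by hop and may still send traffic elsewhere."""
    forbidden = set(forbidden)
    return [e for e in exits if not forbidden & set(e.as_path)]


def choose_exit(exits, policy, avoid=()):
    """Combine an avoid rule with one of the exit policies; None if nothing is left."""
    candidates = avoid_networks(exits, avoid)
    return policy(candidates) if candidates else None


# Constructed sample: three border routers seen from one ingress router.
SAMPLE_EXITS = [
    Exit("border-east", igp_cost=10, as_path=(65001, 65002, 65003), price=1.00),
    Exit("border-west", igp_cost=11, as_path=(65004,), price=0.50),
    Exit("border-south", igp_cost=20, as_path=(65005, 65003), price=0.25),
]


if __name__ == "__main__":
    for name, policy in [("hot potato", hot_potato), ("cold potato", cold_potato), ("cheapest", cheapest_exit)]:
        print(f"{name:12}: {choose_exit(SAMPLE_EXITS, policy).router}")
    print("cheapest, avoiding AS 65003:", choose_exit(SAMPLE_EXITS, cheapest_exit, avoid=(65003,)).router)
```

The same destination yields a different exit under each policy, which is the point the text makes: the policy is a goal, and the selection function is one way of implementing it; a real BGP deployment expresses the same goals through attributes such as local preference and path manipulation rather than a Python function.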

In some cases, combining two or more of these different policies may be required. For instance, you may want to take the closest cheap exit point from your network and not traverse certain other networks. These policy definitions are rather high level; they state goals rather than the implementation of goals. One of the more confusing aspects of deploying BGP is turning such goals into actual implemented policies within and at the borders of your network.



Distance Vector, Link State, and Path Vector

Routing protocols are effectively distributed database systems. They propagate information about the topology of the network among the routers within the network. Each router in the network then uses this distributed database to determine the best loop-free path through the network to reach any given destination. There are two fundamental ways to distribute the data through a network:

- By distributing vectors, each router in the network advertises the destinations it can reach, along with information that can be used to determine the best path to each reachable destination. A router can determine the best vector (path) by examining the destinations reachable through each adjacent router or neighbor, combined with additional information, such as the metric, which indicates the desirability of that path. There are two types of vector-based protocols: distance vector and path vector.

- By distributing the state of the links attached to the routers, each router floods (or advertises to all other routers in the network, whether directly adjacent or not) the state of each link to which it is attached. This information is used independently by each router within the routing domain to build a tree representing a topology of the network (called a shortest path tree). Routing protocols that distribute the state of attached links are called link state algorithms.

Each of these data distribution methods is generally tied to a specific method of finding the best path to any given destination within the network. The following sections provide a quick overview (or review) of each of these types of routing protocols. Remember that a primary goal of routing protocol design is that routing protocols must be capable of determining loop-free paths through the network. Generally, routing protocols assume that the best (or shortest) path through the network is also loop free.



Link State

Link state protocols, such as IS-IS and OSPF, rely on each router in the network to advertise the state of each of their links to every other router within the local routing domain. The result is a complete network topology map, called a shortest path tree, compiled by each router in the network. As a router receives an advertisement, it will store this information in a local database, typically referred to as the link state database, and pass the information on to each of its adjacent peers. This information is not processed or manipulated in any way before it is passed on to the router's adjacent peers. The link state information is flooded through the routing domain unchanged, just as the originating router advertises it.

As each router builds a complete database of the link state information as advertised by every other router within the network, it uses an algorithm, called the shortest path first algorithm, to build a tree with itself as the center of that tree. The shortest path to each reachable destination within the network is found by traversing the tree. The most common shortest path first algorithm is the Dijkstra algorithm.
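The link state computation described above, as an added Python example that is not from the book: a flooded link state database is represented as one dictionary shared by every router, each router runs Dijkstra with itself at the center of the tree, and a forwarding table is read off the tree by walking from each destination back toward the root. The final function forwards hop by hop through the tables the routers computed independently and checks that the paths are loop free, the property the preceding section says routing protocols rely on. The four-router topology and its link costs are constructed sample data.

```python
import heapq

# Constructed link state database. Each router's advertisement is a list of
# (neighbor, cost) for its attached links, flooded unchanged, so every router
# ends up holding this same database.
LSDB = {
    "R1": [("R2", 1), ("R3", 4)],
    "R2": [("R1", 1), ("R3", 1), ("R4", 5)],
    "R3": [("R1", 4), ("R2", 1), ("R4", 1)],
    "R4": [("R2", 5), ("R3", 1)],
}


def shortest_path_tree(lsdb, root):
    """Dijkstra's shortest path first with `root` at the center of the tree.
    Returns {router: (total_cost, parent_in_tree)}; the root's parent is None."""
    tree = {root: (0, None)}
    heap = [(0, root)]
    settled = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in settled:
            continue                      # stale heap entry, a cheaper one was processed
        settled.add(node)
        for neighbor, link_cost in lsdb.get(node, []):
            candidate = cost + link_cost
            if neighbor not in tree or candidate < tree[neighbor][0]:
                tree[neighbor] = (candidate, node)
                heapq.heappush(heap, (candidate, neighbor))
    return tree


def next_hop(tree, root, dest):
    """Traverse the tree from `dest` back toward `root`; the router just below
    the root on that branch is the next hop for `dest`."""
    if dest not in tree or dest == root:
        return None
    node = dest
    while tree[node][1] != root:
        node = tree[node][1]
    return node


def forwarding_table(lsdb, router):
    """{destination: next_hop} as this router derives it from its own SPT."""
    tree = shortest_path_tree(lsdb, router)
    return {dest: next_hop(tree, router, dest) for dest in tree if dest != router}


def path_is_loop_free(lsdb, src, dest):
    """Forward a packet hop by hop using each router's independently computed
    table; False if the packet is dropped or revisits a router."""
    tables = {r: forwarding_table(lsdb, r) for r in lsdb}
    visited, node = [src], src
    while node != dest:
        node = tables[node].get(dest)
        if node is None or node in visited:
            return False
        visited.append(node)
    return True


def all_paths_loop_free(lsdb):
    return all(path_is_loop_free(lsdb, s, d) for s in lsdb for d in lsdb if s != d)


if __name__ == "__main__":
    for router in LSDB:
        print(router, forwarding_table(LSDB, router))
    print("every pair loop free:", all_paths_loop_free(LSDB))
```

Because every router computes from an identical database, the trees agree with one another and the hop-by-hop forwarding they produce cannot loop; the same check fails as soon as two routers hold inconsistent databases, which is why link state protocols flood unchanged and converge quickly.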



Distance Vector

Routers running distance vector algorithms advertise the vector (path) and distance (metric) for each destination reachable within the network to adjacent (directly connected) peers. This information is placed in a local database as it is received, and


