Reject or deny, if applied to a routing policy, causes prefixes matching the criteria not to be installed into the routing table, redistributed to another routing protocol, or announced to a neighbour.

6.6POLICY ELEMENTS

The functions performed by the combination of access lists, prefix lists, community lists and route maps on Cisco routers are effectively analogous to the functions performed by the combination of firewall filters and policy statements in Juniper Network routers. It is difficult to draw direct comparisons between the specific functions of these features because Juniper Networks and Cisco Systems implementations do not map directly one to the other. There is overlap between different elements of the functionality to give, ultimately, roughly equivalent behaviour.

6.7 AS PATHS

As discussed in Chapter 5, in BGP, every autonomous system (AS) in the path from the origin of a prefix to your network adds its AS number to the AS PATH attribute of that prefix when it announces it to a neighbouring AS. The AS path length is one of the criteria upon which prefixes are compared when selecting one from a set of otherwise identical prefixes.

In addition to the length of the AS path, it is possible to match specific AS paths using regular expressions and to make policy decisions based on the match. Cisco and Juniper use different syntaxes for their pattern matching. Both syntaxes provide a flexible mechanism for identifying complex patterns in the AS PATH attribute.

It is also possible to artificially extend the AS path associated with a prefix to make that prefix less attractive than one with an unmodified AS path. This is known as AS path prepending and is achieved by adding your own AS more than once as you announce your prefixes to your neighbours (see Table 6.2).

6.8PREFIX LISTS AND ROUTE LISTS

Juniper treats prefix lists and route lists slightly differently from how Cisco treats them. Both treat prefix lists differently from route lists. Prefix lists are, as the name suggests, lists of prefixes. In JUNOS software, a prefix list contains just a simple list of prefixes and associated prefix lengths that matches any prefix of equal or longer prefix length to those listed (see Table 6.3).

In IOS software, prefix lists offer slightly more granular control, providing the means to constrain the prefix lengths matched to a particular range (see Table 6.4).

JUNOS route lists, which are analogous to certain functions of Cisco access lists when used in conjunction with distribute lists, may sound similar to prefix lists. However, they

policy-statement prepend-twice { term match-prefix-and-prepend {

from { protocol bgp;

route-filter 10.0.0.0/8 orlonger;

}

then {

as-prepend “1 1”; accept;

}

}

term default-accept { from protocol bgp; then accept;

}

}

as-path bad-path “1000 3456 5678”;

}

Table 6.3 JUNOS prefix list.

policy-options { prefix-list mylist {

permit 192.168.103.0/24; deny 0.0.0.0/0;

}

}

Table 6.4 IOS prefix list

ip prefix-list 1 permit 192.168.103.0/24 le /30 ip prefix-list 1 deny 0.0.0.0/0

are treated very differently and provide different functionality within the overall policy tool kit. In JUNOS route lists, prefixes can be declared as an exact match or declared to match a variety of range schemes. This includes the extra functionality provided by prefix lists in IOS software, but goes way beyond that (see Table 6.5).

IOS access lists (see Table 6.6) provide similar flexibility to JUNOS route lists as well as much of the functionality in JUNOS firewall filters. In fact, access lists and firewall filters are closer in overall functionality than access lists and route lists. Route lists are indeed a subcommand of firewall filters.

Table 6.5 JUNOS firewall filters

firewall { family inet {

filter myfilter {

term permitmyroutes { from {

route-list 192.168.103.0/24 exact accept; route-list 192.168.104.0/23 orlonger; route-list 192.168.106.0/23 upto 24 reject; route-list 192.168.108.0/23 longer;

}

then accept;

}

}

}

}

Table 6.6 IOS access lists

ip access-list permitmyroutes seq 5 permit 192.168.103.0 0.0.0.0 255.255. 255.0 0.0.0.0

ip access-list permitmyroutes seq 10 permit 192.168.104.0 0.0.1.255 255.255. 254.0 0.0.1.255

ip access-list permitmyroutes seq 15 deny 192.168.106.0 0.0.1.255 255.255. 254.0 0.0.1.0

ip access-list permitmyroutes seq 20 permit 192.168.108.0 0.0.1.255 255.255. 255.0 0.0.1.0

Prefix lists and route lists, when combined with BGP routing policy, are very effective tools for the protection of your network against having spurious routing information injected by your neighbours. In an ideal world, all peering sessions would be filtered based on an explicit list of prefixes per neighbour. The administrative load of this kind of filtering can be extremely high, even for customer connections in which you might expect the number of prefixes announced to be quite low. If the filtering were applied to peers, the load would be intolerable unless an automated and totally separate mechanism were available to everyone to announce to the world the set of prefixes they expect to advertise.

6.9 INTERNET ROUTING REGISTRIES

Fortunately for all of us, such a system exists. The Internet Routing Registries (IRRs) provide a globally distributed repository for information that provides the facility to fully describe sets of prefixes and their respective origin ASes being announced by any AS. In order for the repositories to be useful, it is necessary to be able to get the information out of them. Public domain tools exist to retrieve the information from the IRRs and convert it into a set of access lists and route maps for IOS or firewall filters for JUNOS policy statements. This makes it entirely feasible to apply prefix based filtering to all your peers.

However, it is important to note that for this mechanism to be reliable, it is essential that your peers maintain their IRR objects. If they do not keep their IRR objects up to date, you will find that your customers may not be able to reach subsets of their customers. This leads some organizations and individuals to consider that the imposition of this kind of filtering upon your peers is more disruptive that beneficial. There are strongly held opinions on both sides of the argument. Those in favour suggest that if service providers start imposing these constraints on their peers, those peers will ‘fall into line’ and start keeping their objects up to date. Experience tends to show that this is only partially true. Some service providers just do not keep their objects up to date. Those against the imposition of these constraints point out the woeful state of many IRR objects. Until those objects are complete, there is going to be substantially more hassle than can be justified by the potential benefits.

Note that you should never apply prefix-based filtering to your transit provider. I can guarantee that they will not list the entire Internet in their IRR objects so, if you applied this filtering mechanism to your transit provider, you will not get the transit for which you are paying.

6.10 COMMUNITIES

Communities are an optional attribute associated with one or more prefixes in BGP. They are merely arbitrary tags with no inherent meaning that provide the operator with the ability to group prefixes into ‘communities’ sharing some abstract characteristic or characteristics. A prefix may be associated with zero or more communities.

The use of communities allows network operators to classify groups of prefixes at one point within the network, usually at the ingress on receipt from a neighbour or at the point at which a prefix is originated, and then take actions based upon the communities elsewhere in the network, usually the egress. So, for example, all routes learned from customers could be tagged with a particular community, known throughout the AS to represent customers. Then, at the egress towards peers, those routes marked as customer routes would be accepted for announcement. However, if a community representing peers throughout the AS were applied to all prefixes learned from peers, those prefixes could be rejected for announcement to other peers on the basis of their community. Table 6.7 shows some example configurations demonstrating the use of communities.

Note that the export policy in the above example towards peers and transit providers is the same (only announce your own customers and your own networks). So, there is no policy named to-transit, the policy named to-peers is used for both.

In addition to user-defined communities, there are some ‘well known’ communities that can be passed between ASs and that retain the same meaning across AS boundaries. They are as follows:

•no-export. Informs the neighbour that this prefix should not be announced beyond the borders of their AS. A prefix with no-export set should never be announced to a neighbour in another AS. However, prefixes with this community are announced to other sub-ASes in a BGP confederation.