BGP Fake-AS
Today I am talking about BGP. Notes from work - so as not to disappear. There is such a functionality as a dummy AS.
The traditional usage scenario is to move from one speaker number to another, for example, when buying a network from one operator to another. At the same time, there are stopitsot neighbors who for some reason cannot take everything at once and move with us.
Then for them, we can set up the peering as if we were left in the old speaker. If you specify the fake-as command for a peer , then it will appear in both Open and AS-Path, and not a new (real) one. In tsiska the same functionality is called Local-as .
A handy tool when used as directed .
Now, conditionally, the customer’s network:
')
The client wants, cannot sleep, peering with AC3. But does not want to pay for VPN. Just asked AC2 to introduce AC3. This intermediate AC2 also sets up a dummy speaker on its ASBR, indicating AC3 in its capacity.
The problem is that the ASBR, when announcing the route, does not matter, such a scoundrel inserts a dummy speaker into the AS-Path, despite the fact that it is already there. That is, AS-Path for routes that the client receives, looks like <AC3, AC3, etc.>
The documentation says that if the neighborhood was established through a dummy speaker, then it will appear in the AS-Path. If through the real, then the real. But so that did not appear at all - it is impossible. Well, not neatly it, contrary to the ideology of BGP.
In this case, there is no other way on the Huawei equipment, except to manually overwrite AS-Path through a root-policy, which is not at all engineering, of course.
In new versions, it is possible to specify which speakers you want to add - dummy or real. But do not add at all - there is no such option.
I also want to say about a tsiska here - in the case of a customer, technically on a tsiska you can implement his wish list.
First, I’ll tell you the difference between the work of this team there - the main difference - by default, the tsiska inserts two speakers - both real and fictitious. This is done in order to eliminate the formation of a routing loop (this is in a bgpshnomu).
The local-as command has the no-prepend and replace-as attributes. No-prepend will not allow adding a dummy speaker number to the AS-Path — only a real one. The replace-as option allows you to replace it with a dummy.
That is, again, it seems like you can not implement a complete removal. In general, this kind of manipulation with AS-Path does not lead to anything good.
Just for example, we can recall the recent story about how recently Iran deprived itself of porn and neighboring countries, when it played with the announcements of BGP.
But the peculiarity is that the customer has the AC2 number private. And if you use the combination of local-as options no-prepend replace-as , and then add remove-private-as (the ciskov equivalent of the public-as-only command of the Huawei), it still works and the duplicate speaker is deleted.
But again, this is cheating and a crutch.
Here and further I speak in the notation of Huawei.
The traditional usage scenario is to move from one speaker number to another, for example, when buying a network from one operator to another. At the same time, there are stopitsot neighbors who for some reason cannot take everything at once and move with us.
Then for them, we can set up the peering as if we were left in the old speaker. If you specify the fake-as command for a peer , then it will appear in both Open and AS-Path, and not a new (real) one. In tsiska the same functionality is called Local-as .
A handy tool when used as directed .
Now, conditionally, the customer’s network:
')
The client wants, cannot sleep, peering with AC3. But does not want to pay for VPN. Just asked AC2 to introduce AC3. This intermediate AC2 also sets up a dummy speaker on its ASBR, indicating AC3 in its capacity.
The problem is that the ASBR, when announcing the route, does not matter, such a scoundrel inserts a dummy speaker into the AS-Path, despite the fact that it is already there. That is, AS-Path for routes that the client receives, looks like <AC3, AC3, etc.>
The documentation says that if the neighborhood was established through a dummy speaker, then it will appear in the AS-Path. If through the real, then the real. But so that did not appear at all - it is impossible. Well, not neatly it, contrary to the ideology of BGP.
In this case, there is no other way on the Huawei equipment, except to manually overwrite AS-Path through a root-policy, which is not at all engineering, of course.
In new versions, it is possible to specify which speakers you want to add - dummy or real. But do not add at all - there is no such option.
I also want to say about a tsiska here - in the case of a customer, technically on a tsiska you can implement his wish list.
First, I’ll tell you the difference between the work of this team there - the main difference - by default, the tsiska inserts two speakers - both real and fictitious. This is done in order to eliminate the formation of a routing loop (this is in a bgpshnomu).
The local-as command has the no-prepend and replace-as attributes. No-prepend will not allow adding a dummy speaker number to the AS-Path — only a real one. The replace-as option allows you to replace it with a dummy.
That is, again, it seems like you can not implement a complete removal. In general, this kind of manipulation with AS-Path does not lead to anything good.
Just for example, we can recall the recent story about how recently Iran deprived itself of porn and neighboring countries, when it played with the announcements of BGP.
But the peculiarity is that the customer has the AC2 number private. And if you use the combination of local-as options no-prepend replace-as , and then add remove-private-as (the ciskov equivalent of the public-as-only command of the Huawei), it still works and the duplicate speaker is deleted.
But again, this is cheating and a crutch.
Source: https://habr.com/ru/post/320768/
All Articles