RFC 1786
Representation of IP Routing Policies in a Routing Registry (ripe-81++)
Pages: 83
Informational
Informational
Part 1 of 2 – Pages 1 to 40
Network Working Group T. Bates Request for Comments: 1786 MCI Telecommunications Corporation Category: Informational E. Gerich Merit, Inc. L. Joncheray Merit, Inc. J-M. Jouanigot CERN D. Karrenberg RIPE NCC M. Terpstra Bay Networks, Inc. J. Yu Merit, Inc. March 1995 Representation of IP Routing Policies in a Routing Registry (ripe-81++) Status of this Memo This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Abstract This document was originally published as a RIPE document known as ripe-181 but is also being published as an Informational RFC to reach a larger audience than its original scope. It has received community wide interest and acknowledgment throughout the Internet service provider community and will be used as the basic starting point for future work on Internet Routing Registries and routing policy representation. It can also be referred to as ripe-81++. This document is an update to the original `ripe-81'[1] proposal for representing and storing routing polices within the RIPE database. It incorporates several extensions proposed by Merit Inc.[2] and gives details of a generalized IP routing policy representation to be used by all Internet routing registries. It acts as both tutorial and provides details of database objects and attributes that use and make up a routing registry.
Table of Contents
1. Introduction ................................................ 3
2. Organization of this Document ............................... 3
3. General Representation of Policy Information ............... 5
4. The Routing Registry and the RIPE Database .................. 11
5. The Route Object ............................................ 16
6. The Autonomous System Object ................................ 26
7. AS Macros ................................................... 36
8. The Community Object ........................................ 38
9. Representation of Routing Policies .......................... 41
10. Future Extensions .......................................... 50
11. References ................................................. 51
12. Security Considerations .................................... 52
13. Authors' Addresses ......................................... 53
Appendix A - Syntax for the "aut-num" object ................... 55
Appendix B - Syntax for the "community" object ................. 68
Appendix C - Syntax for the "as-macro" object .................. 72
Appendix D - Syntax for the "route" object ..................... 76
Appendix E - List of reserved words ............................ 80
Appendix F - Motivations for RIPE-81++ ......................... 81
Appendix G - Transition strategy ............................... 83
1. Introduction This document is a much revised version of the RIPE routing registry document known as ripe-81 [1]. Since its inception in February, 1993 and the establishment of the RIPE routing registry, several additions and clarifications have come to light which can be better presented in a single updated document rather than separate addenda. Some of the text remains the same the as the original ripe-81 document keeping its tutorial style mixed with details of the RIPE database objects relating to routing policy representation. However this document does not repeat the background and historical remarks in ripe-81. For these please refer to the original document. It should be noted that whilst this document specifically references the RIPE database and the RIPE routing registry one can easily read "Regional routing registry" in place of RIPE as this representation is certainly general and flexible enough to be used outside of the RIPE community incorporating many ideas and features from other routing registries in this update. This document was originally published as a RIPE document known as ripe-181 but is also being published as an Informational RFC to reach a larger audience than its original scope. It has received large interest and acknowledgment within the Internet service provider community and will be used as the basic starting point for future work on Internet Routing Registries and routing policy representation. It but can also be referred to as ripe-81++. We would like to acknowledge many people for help with this document. Specifically, Peter Lothberg who was a co-author of the original ripe-81 document for his many ideas as well as Gilles Farrache, Harvard Eidnes, Dale Johnson, Kannan Varadhan and Cengiz Alaettinoglu who all provided valuable input. We would also like to thank the RIPE routing working group for their review and comment. Finally, we like to thank Merit Inc. for many constructive comments and ideas and making the routing registry a worldwide Internet service. We would also like to acknowledge the funding provided by the PRIDE project run in conjunction with the RARE Technical Program, RIPE and the RIPE NCC without which this paper would not have been possible. 2. Organization of this Document This document acts as both a basic tutorial for understanding routing policy and provides details of objects and attributes used within an Internet routing registry to store routing policies. Section 3 describes general issues about IP routing policies and their representation in routing registries. Experienced readers may wish to skip this section. Section 4 provides an overview of the RIPE
database, its basic concepts, schema and objects which make up the database itself. It highlights the way in which the RIPE database splits routing information from allocation information. Sections 5, 6, 7 and 8 detail all the objects associated with routing policy representation. Section 9 gives a fairly extensive "walk through" of how these objects are used for expressing routing policy and the general principles behind their use. Section 10 provides a list of references used throughout this document. Appendix A, B, C and D document the formal syntax for the database objects and attributes. Appendix F details the main changes from ripe-81 and motivations for these changes. Appendix G tackles the issues of transition from ripe-81 to ripe-81++.
3. General Representation of Policy Information Networks, Network Operators and Autonomous Systems Throughout this document an effort is made to be consistent with terms so as not to confuse the reader. When we talk about "networks" we mean physical networks which have a unique classless IP network number: Layer 3 entities. We do not mean organizations. We call the organizations operating networks "network operators". For the sake of the examples we divide network operators into two categories: "service providers" and "customers". A "service provider" is a network operator who operates a network to provide Internet services to different organizations, its "customers". The distinction between service providers and customers is not clear cut. A national research networking organization frequently acts as a service provider to Universities and other academic organizations, but in most cases it buys international connectivity from another service provider. A University networking department is a customer of the research networking organization but in turn may regard University departments as its customers. An Autonomous System (AS) is a group of IP networks having a single clearly defined routing policy which is run by one or more network operators. Inside ASes IP packets are routed using one or more Interior Routing Protocols (IGPs). In most cases interior routing decisions are based on metrics derived from technical parameters like topology, link speeds and load. The entity we refer to as an AS is frequently and more generally called a routing domain with the AS just being an implementation vehicle. We have decided to use the term AS exclusively because it relates more directly with the database objects and routing tools. By using only one term we hope to reduce the number of concepts and to avoid confusion. The academically inclined reader may forgive us. ASes exchange routing information with other ASes using Exterior Routing Protocols (EGPs). Exterior routing decisions are frequently based on policy based rules rather than purely on technical parameters. Tools are needed to configure complex policies and to communicate those policies between ASes while still ensuring proper operation of the Internet as a whole. Some EGPs like BGP-3 [8] and BGP-4 [9] provide tools to filter routing information according to policy rules and more. None of them provides a mechanism to publish or communicate the policies themselves. Yet this is critical for operational coordination and fault isolation among network operators and thus for the operation of the global Internet as a whole. This
document describes a "Routing Registry" providing this functionality.
Routing Policies
The exchange of routing information between ASes is subject to
routing policies. Consider the case of two ASes, X and Y exchanging
routing information:
NET1 ...... ASX <---> ASY ....... NET2
ASX knows how to reach a network called NET1. It does not matter
whether NET1 is belonging to ASX or some other AS which exchanges
routing information with ASX either directly or indirectly; we just
assume that ASX knows how to direct packets towards NET1. Likewise
ASY knows how to reach NET2.
In order for traffic from NET2 to NET1 to flow between ASX and ASY,
ASX has to announce NET1 to ASY using an external routing protocol.
This states that ASX is willing to accept traffic directed to NET1
from ASY. Policy thus comes into play first in the decision of ASX to
announce NET1 to ASY.
In addition ASY has to accept this routing information and use it.
It is ASY's privilege to either use or disregard the information that
ASX is willing to accept traffic for NET1. ASY might decide not to
use this information if it does not want to send traffic to NET1 at
all or if it considers another route more appropriate to reach NET1.
So in order for traffic in the direction of NET1 to flow between ASX
and ASY, ASX must announce it to ASY and ASY must accept it from ASX:
resulting packet flow towards NET1
<<===================================
|
|
announce NET1 | accept NET1
--------------> + ------------->
|
AS X | AS Y
|
<------------- + <--------------
accept NET2 | announce NET2
|
|
resulting packet flow towards NET2
===================================>>
Ideally, and seldom practically, the announcement and acceptance
policies of ASX and ASY are identical.
In order for traffic towards NET2 to flow, announcement and
acceptance of NET2 must be in place the other way round. For almost
all applications connectivity in just one direction is not useful at
all.
Usually policies are not configured for each network separately but
for groups of networks. In practise these groups are almost always
defined by the networks forming one or more ASes.
Routing Policy limitations
It is important to realize that with current destination based
forwarding technology routing policies must eventually be expressed
in these terms. It is relatively easy to formulate reasonable
policies in very general terms which CANNOT be expressed in terms of
announcing and accepting networks. With current technology such
policies are almost always impossible to implement.
The generic example of a reasonable but un-implementable routing is a
split of already joined packet streams based on something other than
destination address. Once traffic for the same destination network
passes the same router, or the same AS at our level of abstraction,
it will take exactly the same route to the destination (disregarding
special cases like "type of service" routing, load sharing and
routing instabilities).
In a concrete example AS Z might be connected to the outside world by
two links. AS Z wishes to reserve these links for different kinds of
traffic, let's call them black and white traffic. For this purpose
the management of AS Z keeps two lists of ASes, the black and the
white list. Together these lists comprise all ASes in the world
reachable from AS Z.
"W"
<--->
... AS Z .... NET 3
<--->
"B"
It is quite possible to implement the policy for traffic originating
in AS Z: AS Z will only accept announcements for networks in white
ASes on the white link and will only accept announcements for
networks in black ASes on the black link. This causes traffic from
networks within AS Z towards white ASes to use the white link and
likewise traffic for black ASes to use the black link.
Note that this way of implementing things makes it necessary to
decide on the colour of each new AS which appears before traffic can
be sent to it from AS Z. A way around this would be to accept only
white announcements via the white link and to accept all but white
announcements on the black link. That way traffic from new ASes
would automatically be sent down the black link and AS Z management
would only need to keep the list of white ASes rather than two lists.
Now for the unimplementable part of the policy. This concerns
traffic towards AS Z. Consider the following topology:
B AS ---) "W"
W AS ---) --->
B AS ---)>> AS A ---> ... AS Z .... NET 3
B AS ---) --->
W AS ---) "B"
As seen from AS Z there are both black and white ASes "behind" AS A.
Since ASes can make routing decisions based on destination only, AS A
and all ASes between AS A and the two links connecting AS Z can only
make the same decision for traffic directed at a network in AS Z, say
NET 3. This means that traffic from both black and white ASes
towards NET 3 will follow the same route once it passes through AS A.
This will either be the black or the white route depending on the
routing policies of AS A and all ASes between it and AS Z.
The important thing to note is that unless routing and forwarding decisions can be made based on both source and destination addresses, policies like the "black and white" example cannot be implemented in general because "once joined means joined forever". Access Policies Access policies contrary to routing policies are not necessarily defined in terms of ASes. The very simplest type of access policy is to block packets from a specific network S from being forwarded to another network D. A common example is when some inappropriate use of resources on network D has been made from network S and the problem has not been resolved yet. Other examples of access policies might be resources only accessible to networks belonging to a particular disciplinary group or community of interest. While most of these policies are better implemented at the host or application level, network level access policies do exist and are a source of connectivity problems which are sometimes hard to diagnose. Therefore they should also be documented in the routing registry according to similar requirements as outlined above. Routing vs. Allocation information The RIPE database contains both routing registry and address space allocation registry information. In the past the database schema combined this information. Because RIPE was tasked with running both an allocation and routing registry it seemed natural to initially combine these functions. However, experience has shown that a clear separation of routing information from allocation is desirable. Often the maintainer of the routing information is not the same as the maintainer of the allocation information. Moreover, in other parts of the world there are different registries for each kind of information. Whilst the actual routing policy objects will be introduced in the next section it is worthy of note that a transition from the current objects will be required. Appendix G details the basic steps of such a transition. This split in information represents a significant change in the representational model of the RIPE database. Appendix F expands on the reasons for this a little more.
Tools The network operators will need a series of tools for policy routing. Some tools are already available to perform some of the tasks. Most notably, the PRIDE tools [3] from the PRIDE project started in September 1993 as well as others produced by Merit Inc [4] and CERN [5]. These tools will enable them to use the routing policy stored in the RIPE routing registry to perform such tasks as check actual routing against policies defined, ensure consistency of policies set by different operators, and simulate the effects of policy changes. Work continues on producing more useful tools to service the Internet community.
4. The Routing Registry and the RIPE Database One of the activities of RIPE is to maintain a database of European IP networks, DNS domains and their contact persons along with various other kinds of network management information. The database content is public and can be queried using the whois protocol as well as retrieved as a whole. This supports NICs/NOCs all over Europe and beyond to perform their respective tasks. The RIPE database combines both allocation registry and routing registry functions. The RIPE allocation registry contains data about address space allocated to specific enterprises and/or delegated to local registries as well as data about the domain name space. The allocation registry is described in separate documents [6,7] and outside the scope of this document. Database Objects Each object in the database describes a single entity in the real world. This basic principle means that information about that entity should only be represented in the corresponding database object and not be repeated in other objects. The whois service can automatically display referenced objects where appropriate. The types of objects stored in the RIPE database are summarized in the table below: R Object Describes References ____________________________________________________________________ B person contact persons A inetnum IP address space person A domain DNS domain person R aut-num autonomous system person (aut-num,community) R as-macro a group of autonomous systems person, aut-num R community community person R route a route being announced aut-num, community R clns CLNS address space and routing person The first column indicates whether the object is part of the allocation registry (A), the routing registry (R) or both (B). The
last column indicates the types of objects referenced by the particular type of object. It can be seen that almost all objects reference contact persons. Objects are described by attributes value pairs, one per line. Objects are separated by empty lines. An attribute that consists of multiple lines should have the attribute name repeated on consecutive lines. The information stored about network 192.87.45.0 consists of three objects, one inetnum object and two person objects and looks like this:
inetnum: 192.87.45.0 netname: RIPE-NCC descr: RIPE Network Coordination Centre descr: Amsterdam, Netherlands country: NL admin-c: Daniel Karrenberg tech-c: Marten Terpstra rev-srv: ns.ripe.net rev-srv: ns.eu.net notify: ops@ripe.net changed: tony@ripe.net 940110 source: RIPE person: Daniel Karrenberg address: RIPE Network Coordination Centre (NCC) address: Kruislaan 409 address: NL-1098 SJ Amsterdam address: Netherlands phone: +31 20 592 5065 fax-no: +31 20 592 5090 e-mail: dfk@ripe.net nic-hdl: DK58 changed: ripe-dbm@ripe.net 920826 source: RIPE person: Marten Terpstra address: RIPE Network Coordination Centre (NCC) address: PRIDE Project address: Kruislaan 409 address: NL-1098 SJ Amsterdam address: Netherlands phone: +31 20 592 5064 fax-no: +31 20 592 5090 e-mail: Marten.Terpstra@ripe.net nic-hdl: MT2 notify: marten@ripe.net changed: marten@ripe.net 931230 source: RIPE Objects are stored and retrieved in this tag/value format. The RIPE NCC does not provide differently formatted reports because any desired format can easily be produced from this generic one.
Routing Registry Objects The main objects comprising the routing registry are "aut-num" and "route", describing an autonomous system and a route respectively. It should be noted that routes not described in the routing registry should never be routed in the Internet itself. The autonomous system (aut-num) object provides contact information for the AS and describes the routing policy of that AS. The routing policy is described by enumerating all neighboring ASes with which routing information is exchanged. For each neighbor the routing policy is described in terms of exactly what is being sent (announced) and allowed in (accepted). It is important to note that this is exactly the part of the global policy over which an AS has direct control. Thus each aut-num object describes what can indeed be implemented and enforced locally by the AS concerned. Combined together all the aut-num objects provide the global routing graph and permit to deduce the exact routing policy between any two ASes. While the aut-num objects describe how routing information is propagated, the route object describes a single route injected into the external routing mesh. The route object references the AS injecting (originating) the route and thereby indirectly provides contact information for the originating AS. This reference also provides the primary way of grouping routes into larger collections. This is necessary because describing routing policy on the level of single routes would be awkward to impractical given the number of routes in the Internet which is about 20,000 at the time of this writing. Thus routing policy is most often defined for groups of routes by originating AS. This method of grouping is well supported by current exterior routing protocols. The route object also references community objects described below to provide another method of grouping routes. Modification of aut-num object itself and the referencing by route objects is strictly protected to provide network operators control over the routing policy description and the routes originated by their ASes. Sometimes even keeping track of groups of routes at the AS level is cumbersome. Consider the case of policies described at the transit provider level which apply transitively to all customers of the transit provider. Therefore another level of grouping is provided by the as-macro object which provides groups of ASes which can be referenced in routing policies just like single ASes. Membership of as-macro groups is also strictly controlled. Sometimes there is a need to group routes on different criteria than ASes for purposes like statistics or local access policies. This is provided by the community object. A community object is much like an
AS but without a routing policy. It just describes a group of routes. This is not supported at all by exterior routing protocols and depending on aggregation of routes may not be generally usable to define routing policies. It is suitable for local policies and non- routing related purposes. These routing related objects will be described in detail in the sections below.
5. The Route Object As stated in the previous chapter routing and address space allocation information are now clearly separated. This is performed with the introduction of the route object. The route object will contain all the information regarding a routing announcement. All routing related attributes are removed from the inetnum object. Some old attributes are obsoleted: connect, routpr-l, bdryg-l, nsf- in, nsf-out, gateway). The currently useful routing attributes are moved to the route object: aut-sys becomes origin, ias-int will be encoded as part of the inet-rtr [15] object and comm-list simply moves. See [6] for detail of the "inetnum" object definition. The information in the old inetnum object inetnum: 192.87.45.0 netname: RIPE-NCC descr: RIPE Network Coordination Centre descr: Amsterdam, Netherlands country: NL admin-c: Daniel Karrenberg tech-c: Marten Terpstra connect: RIPE NSF WCW aut-sys: AS3333 comm-list: SURFNET ias-int: 192.87.45.80 AS1104 ias-int: 192.87.45.6 AS2122 ias-int: 192.87.45.254 AS2600 rev-srv: ns.ripe.net rev-srv: ns.eu.net notify: ops@ripe.net changed: tony@ripe.net 940110 source: RIPE will be distributed over two objects:
inetnum: 192.87.45.0 netname: RIPE-NCC descr: RIPE Network Coordination Centre descr: Amsterdam, Netherlands country: NL admin-c: Daniel Karrenberg tech-c: Marten Terpstra rev-srv: ns.ripe.net rev-srv: ns.eu.net notify: ops@ripe.net changed: tony@ripe.net 940110 source: RIPE route: 192.87.45.0/24 descr: RIPE Network Coordination Centre origin: AS3333 comm-list: SURFNET changed: dfk@ripe.net 940427 source: RIPE The route object is used to represent a single route originated into the Internet routing mesh. The actual syntax is given in Appendix D. However, there are several important aspects of the attributes worthy of note. The value of the route attribute will be a classless address. It represents the exact route being injected into the routing mesh. The representation of classless addresses is described in [10]. The value of the origin attribute will be an AS reference of the form AS1234 referring to an aut-num object. It represents the AS injecting this route into the routing mesh. The "aut-num" object (see below) thus referenced provides all the contact information for this route. Special cases: There can only be a single originating AS in each route object. However in todays Internet sometimes a route is injected by more than one AS. This situation is potentially dangerous as it can create conflicting routing policies for that route and requires coordination between the originating ASes. In the routing registry this is represented by multiple route objects.
This is a departure from the one route (net), one AS principle of the
ripe-81 routing registry. The consequences for the different tools
based in the routing registry will need to be evaluated and possibly
additional consistency checking of the database is needed.
The examples below will illustrate the usage of the route object
further. Suppose three chunks of address space of 2 different
enterprises represented by the following inetnum objects:
Examples
inetnum: 193.0.1.0
netname: ENT-1
descr: Enterprise 1
...
inetnum: 193.0.8.0
netname: ENT-2
descr: Enterprise 2
...
inetnum: 193.0.9.0
netname: ENT-2-SPEC
descr: Enterprise 2
...
Supposing that the Enterprises have their own AS numbers straight
application of routing without aggregation would yield:
route: 193.0.1.0/24
descr: Enterprise 1
origin: AS1
...
route: 193.0.8.0/24
descr: Enterprise 2
origin: AS2
...
route: 193.0.9.0/24
descr: Enterprise 2
origin: AS2
...
NB: This representation can be achieved by straight translation from the ripe-81 representation. See Appendix G for more details. Homogeneous Aggregation The two chunks of address space of Enterprise 2 can be represented by one aggregate route turning two route objects into one and potentially saving routing table space for one route. route: 193.0.8.0/23 descr: Enterprise 2 origin: AS2 ... Note that AS2 can also decide to originate all routes mentioned so far, two 24-bit prefixes and one 23-bit prefix. This case would be represented by storing all three route objects in the database. In this particular example the additional routes will not add any functionality however and only increase the amount of routes announced unnecessarily. Heterogeneous Aggregation Consider the following case however: route: 193.0.8.0/24 descr: Enterprise 2 origin: AS2 ... route: 193.0.9.0/24 descr: Enterprise 2 / Special origin: AS2 comm-list: SPECIAL ... Now the prefix 193.0.9.0/24 belongs to community SPECIAL (this community may well not be relevant to routing) and the other prefix originated by AS2 does not. If AS2 aggregates these prefixes into the 193.0.8.0/23 prefix, routing policies based on the community value SPECIAL cannot be implemented in general, because there is no way to distinguish between the special and the not-so-special parts of AS2.
If another AS has the policy to accept only routes to members of
community SPECIAL it cannot implement it, because accepting the route
to 193.0.8.0/23 would also route to 193.0.8.0/24 and not accepting
this route would lose connectivity to the special part 193.0.9.0/24.
We call aggregate routes consisting of components belonging to
different communities or even different ASes "heterogeneous
aggregates".
The major problem introduced with heterogeneous aggregates is that
once the homogeneous more specific routes are withdrawn one cannot
tell if a more specific part of the heterogeneous route has a
different policy. However, it can be counter argued that knowing this
policy is of little use since a routing policy based on the less
specific heterogeneous aggregate only cannot be implemented. In fact,
this displays a facet of CIDR itself in that one may actually trade
off implementing slight policy variations over announcing a larger
(albeit heterogeneous in terms of policy) aggregate to save routing
table space.
However, it is still useful to be able to document these variations
in policy especially when this homogeneous more specific route is
just being withdrawn. For this one can use the "withdrawn" attribute.
The withdrawn attribute can serve to both indicate that a less
specific aggregate is in fact heterogeneous and also allow the
general documenting of route withdrawal.
So there has to be a way for AS2 to document this even if it does not
originate the route to 193.0.9.0/24 any more. This can be done with
the "withdrawn" attribute of the route object. The aggregate route
to 193.0.8.0/23 is now be registered as:
route: 193.0.8.0/23
descr: Enterprise 2
origin: AS2
...
With the two homogeneous routes marked as withdrawn from the Internet
routing mesh but still preserving their original routing information.
route: 193.0.8.0/24
descr: Enterprise 2
origin: AS2
withdrawn: 940701
...
route: 193.0.9.0/24
descr: Enterprise 2 / Special
origin: AS2
comm-list: SPECIAL
withdrawn: 940701
...
It should be noted that the date value used in the withdrawn
attribute can only be in the past.
Proxy Aggregation
The next step of aggregation are aggregates consisting of more than
one AS. This generally means one AS is aggregating on behalf of
another. It is called proxy aggregation. Proxy aggregation should be
done with great care and always be coordinated with other providers
announcing the same route.
Consider the following:
route: 193.0.0.0/20
descr: All routes known by AS1 in a single package
origin: AS1
...
route: 193.0.1.0/24
descr: Foo
origin: AS1
withdrawn: 940310
...
route: 193.0.8.0/24
descr: Bar
origin: AS2
withdrawn: 940310
...
route: 193.0.9.0/24
descr: Bar-2
origin: AS2
withdrawn: 940310
comm-list: SPECIAL
...
If AS1 announced no other routes to a single homed neighboring AS,
that neighbor can in general either take that route or leave it but
not differentiate between AS1 and AS2.
Note: If the neighbor was previously configured to accept routes
originating in AS2 but not in AS1 they lose connectivity to AS2 as
well. This means that proxy aggregation has to be done carefully and
in a well coordinated fashion. The information in the withdrawn route
object can help to achieve that.
Aggregates with Holes
If we assume that the world of our example still consists of only
three chunks of address space the aggregate above contains what are
called holes, parts of an aggregate that are not reachable via the
originator of the route. From the routing information itself one
cannot tell whether these are holes and what part of the route falls
inside one. The only way to tell is to send a packet there and see
whether it gets to the destination, or an ICMP message is received
back, or there is silence. On the other hand announcing aggregates
with holes is quite legitimate. Consider a 16-bit aggregate with
only one 24-bit prefix unreachable. The savings in routing table
size by far outweigh the hole problem.
For operational reasons however it is very useful to register these
holes in the routing registry. Consider the case where a remote
network operator experiences connectivity problems to addresses
inside an aggregate route. If the packets are getting to the AS
announcing the aggregate and there are no more specific routes, the
normal cause of action is to get in touch with the originating AS of
the aggregate route and ask them to fix the problem. If the address
falls into a hole this is futile. Therefore problem diagnosis can be
sped up and unnecessary calls prevented by registering the holes in
the routing registry. We do this by using the "hole" attribute. In
our example the representation would be:
route: 193.0.0.0/20
descr: All routes known by AS1
origin: AS1
hole: 193.0.0.0/24
hole: 193.0.2.0/23
hole: 193.0.4.0/22
hole: 193.0.10.0/23
hole: 193.0.12.0/22
...
Note: there would also be two routes with the withdrawn attribute as
displayed above (i.e. 193.0.8.0/24 and 193.0.9.0/24). It is not
mandatory to document all holes. It is recommended all holes routed
by another service provider are documented.
Multiple Proxy Aggregation
Finally suppose that AS2 decides to announce the same aggregate, as
in the previous example, they would add the following route object to
the registry:
route: 193.0.0.0/20
descr: All routes known by AS2
origin: AS2
hole: 193.0.0.0/24
hole: 193.0.2.0/23
hole: 193.0.4.0/22
hole: 193.0.10.0/23
hole: 193.0.12.0/22
...
Both AS1 and AS2 will be notified that there already is a route to
the same prefix in the registry.
This multiple proxy aggregation is very dangerous to do if the sub- aggregates of the route are not the same. It is still dangerous when the sub-aggregates are consistent but connectivity to the sub- aggregates varies widely between the originators. Route object update procedures Adding a route object will have to be authorised by the maintainer of the originating AS. The actual implementation of this is outside the scope of this document. This guarantees that an AS guardian has full control over the registration of the routes it announces [11]. What is an Inter-AS network ? An inter-AS network (Inter-AS IP networks are those networks are currently called FIXes, IXFs, DMZs, NAPs, GIX and many other acronyms) exists for the purpose of passing traffic and routing information between different autonomous systems. The most simple example of an inter-AS network is a point-to-point link, connecting exactly two ASes. Each end of such a link is connected to an interface of router belonging to each of the autonomous systems. More complex examples are broadcast type networks with multiple interfaces connecting multiple ASes with the possibility of more than one connection per AS. Consider the following example of three routers 1, 2 and 3 with interfaces a through f connected by two inter-AS networks X and Y: X Y a1b --- c2d --- e3f Suppose that network X is registered in the routing registry as part of AS1 and net Y as part of AS3. If traffic passes from left to right prtraceroute will report the following sequence of interfaces and ASes: a in AS1 c in AS1 e in AS3 The traceroute algorithm enumerates only the receiving interfaces on the way to the destination. In the example this leads to the passage
of AS2 going unnoticed. This is confusing to the user and will also generate exceptions when the path found is checked against the routing registry. For operational monitoring tools such as prtraceroute it is necessary to know which interface on an inter-AS network belongs to which AS. If AS information is not known about interfaces on an inter-AS network, tools like prtraceroute cannot determine correctly which ASes are being traversed. All interfaces on inter-AS networks will are described in a separate object know as the `inet-rtr' object [15].
6. The Autonomous System Object Autonomous Systems An Autonomous System (AS) is a group of IP networks operated by one or more network operators which has a single and clearly defined external routing policy. An AS has a unique number associated with it which is used both in exchange of exterior routing information and as an identifier of the AS itself. Exterior routing protocols such as BGP and EGP are used to exchange routing information between ASes. In routing terms an AS will normally use one or more interior gateway protocols (IGPs) in conjunction with some sort of common agreed metrics when exchanging network information within its own AS. The term AS is often confused or even misused as a convenient way of grouping together a set of networks which belong under the same administrative umbrella even if within that group of networks there are various different routing policies. We provide the "community" concept for such use. ASes can strictly have only one single external routing policy. The creation of an AS should be done in a conscious and well coordinated manner to avoid creating ASes for the sake of it, perhaps resulting in the worst case scenario of one AS per routing announcement. It should be noted that there is a limited number of AS numbers available. Also creating an AS may well increase the number of AS paths modern EGPs will have to keep track of. This aggravates what is known as "the routing table growth problem". This may mean that by applying the general rules for the creation and allocation of an AS below, some re-engineering may well be needed. However, this may be the only way to actually implement the desired routing policy anyway. The creation and allocation of an AS should be done with the following recommendations in mind: + Creation of an AS is only required when exchanging routing information with other ASes. Some router implementations make use of an AS number as a form of tagging to identify the routing process. However, it should be noted that this tag does not need to be unique unless routing information is indeed exchanged with other ASes.
+ For a simple case of customer networks connected to a single
service provider, the IP network should normally be a member of
the service providers AS. In terms of routing policy the IP
network has exactly the same policy as the service provider and
there is no need to make any distinction in routing information.
This idea may at first seem slightly alien to some, but it
highlights the clear distinction in the use of the AS number as
a representation of routing policy as opposed to some form of
administrative use.
+ If a network operator connects to more than one AS with
different routing policies then they need to create their own
AS. In the case of multi-homed customer networks connected to
two service providers there are at least two different routing
policies to a given customer network. At this point the
customer networks will be part of a single AS and this AS would
be distinct from either of the service providers ASes. This
allows the customer the ability of having a different
representation of policy and preference to the different service
providers. This is the ONLY case where a network operator
should create its own AS number.
+ As a general rule one should always try to populate the AS with
as many routes as possible, providing all routes conform to the
same routing policy.
Each AS is represented in the RIPE database by both an aut-num object
and the route objects representing the routes originated by the AS.
The aut-num object stores descriptive, administrative and contact
information about the AS as well as the routing policies of the AS in
relation to all neighboring ASes.
The origin attributes of the route objects define the set of routes
originated by the AS. Each route object can have exactly one origin
attribute. Route objects can only be created and updated by the
maintainer of the AS and not by those immediately responsible for the
particular routes referenced therein. This ensures that operators,
especially service providers, remain in control of AS routing
announcements.
The AS object itself is used to represent a description of
administrative details and the routing policies of the AS itself. The
AS object definition is depicted as follows.
Example: aut-num: AS1104 descr: NIKHEF-H Autonomous system as-in: from AS1213 100 accept AS1213 as-in: from AS1913 100 accept AS1913 as-in: from AS1755 150 accept ANY as-out: to AS1213 announce ANY as-out: to AS1913 announce ANY as-out: to AS1755 announce AS1104 AS1913 AS1213 tech-c: Rob Blokzijl admin-c: Eric Wassenaar guardian: as-guardian@nikhef.nl changed: ripe-dbm@ripe.net 920910 source: RIPE See Appendix A for a complete syntax definition of the "aut-num" object. It should be noted that this representation provides two things: + a set of routes. + a description of administrative details and routing policies. The set of routes can be used to generate network list based configuration information as well as configuration information for exterior routing protocols knowing about ASes. This means an AS can be defined and is useful even if it does not use routing protocols which know about the AS concept.
Description of routing policies between ASs with multiple connections
- "interas-in/interas-out"
The following section is only relevant for ASes which use different
policies on multiple links to the same neighboring AS. Readers not
doing this may want to skip this section.
Description of multiple connections between ASs defines how two ASs
have chosen to set different policies for the use of each or some of
the connections between the ASs. This description is necessary only
if the ASs are connected in more than one way and the routing policy
and differs at these two connections.
Example:
LINK1
193.0.1.1 +----------+ 193.0.1.2
| |
AS1------AS2== ==AS3-----AS4
| |
193.0.1.5 +----------+ 193.0.1.6
LINK2
Note: LINK here denotes the peer connection points between
ASs. It is not necessarily just a serial link. It could
be ethernet or any other type of connection as well. It
can also be a peer session where the address is the same at
one end and different at the other end.
It may be that AS2 wants to use LINK2 only for traffic towards AS4.
LINK1 is used for traffic to AS3 and as backup to AS4, should LINK2
fail. To implement this policy, one would use the attribute
"interas-in" and "interas-out." This attribute permits ASs to
describe their local decisions based on its preference such as
multi-exit-discriminators (MEDs) as used in some inter-domain routing
protocols (BGP4, IDRP) and to communicate those routing decisions.
This information would be useful in resolving problems when some
traffic paths changed from traversing AS3's gateway in Timbuktu
rather than the gateway in Mogadishu. The exact syntax is given in
Appendix A. However, if we follow this example through in terms of
AS2 we would represent this policy as follows:
Example:
aut-num: AS2
as-in: from AS3 10 accept AS3 AS4
as-out: to AS3 announce AS1 AS2
interas-in:from AS3 193.0.1.1/32 193.0.1.2/32 (pref=5) accept AS3
interas-in:from AS3 193.0.1.1/32 193.0.1.2/32 (pref=9) accept AS4
interas-in:from AS3 193.0.1.5/32 193.0.1.6/32 (pref=7) accept AS4
...
Here we see additional policy information between two ASs in terms of
the IP addresses of the connection. The parentheses and keyword are
syntactic placeholders to add the readability of the attributes. If
pref=MED is specified the preference indicated by the remote AS via
the multi-exit- discriminator metric such as BGP is used. Of course
this type on inter-AS policy should always be bilaterally agreed upon
to avoid asymmetry and in practice there may need to be
corresponding interas-out attributes in the policy representation of
AS3.
The interas-out attribute is similar to interas-in as as-out is to
as-in. The one major difference being that interas-out allows you to
associate an outgoing metric with each route. It is important to note
that this metric is just passed to the peer AS and it is at the peer
AS's discretion to use or ignore it. A special value of IGP
specifies that the metric passed to the receiving AS will be derived
from the IGP of the sending AS. In this way the peer AS can choose
the optimal link for its traffic as determined by the sending AS.
If we look at the corresponding interas-out for AS3 we would see the
following:
Example:
aut-num: AS3
as-in: from AS2 10 accept AS1 A2
as-out: to AS2 announce AS3 AS4
interas-out:to AS2 193.0.1.2/32 193.0.1.1/32 (metric-out=5) announce AS3
interas-out:to AS2 193.0.1.2/32 193.0.1.1/32 (metric-out=9) announce AS4
interas-out:to AS2 193.0.1.6/32 193.0.1.5/32 (metric-out=7) announce AS4
...
Descriptions of interas policies do not replace the global
policy described in as-in, as-out and other policy attributes which
should be specified too. If the global policy mentions more routes
than the combined local policies then local preferences for these
routes are assumed to be equal for all links.
Any route specified in interas-in/out and not specified in as-in/out
is assumed not accepted/announced between the ASes concerned.
Diagnostic tools should flag this inconsistency as an error. It
should be noted that if an interas-in or interas-out policy is
specified then it is mandatory to specify the corresponding global
policy in the as-in or as-out line. Please note there is no relevance
in the cost associated with as-in and the preferences used in
interas-in.
The interaction of interas-in/interas-out with as-in/as-out
Although formally defined above, the rules associated with policy
described in terms of interas-in and interas-out with respect to as-
in and as-out are worthy of clarification for implementation.
When using interas-in or interas-out policy descriptions, one must
always make sure the set of policies described between two ASes is
always equal to or a sub-set of the policy described in the global
as-in or as-out policy. When a sub-set is described remember the
remaining routes are implicitly shared across all connections. It is
an error for the interas policies to describe a superset of the
global policies, i.e. to announce or accept more routes than the
global policies.
When defining complex interas based policies it is advisable to
ensure that any possible ambiguities are not present by explicitly
defining your policy with respect to the global as-in and as-out
policy.
If we look at a simple example, taking just in-bound announcements to
simplify things. If we have the following global policy:
aut-num: AS1
as-in: from AS2 10 accept AS100 OR {10.0.0.0/8}
Suppose there are three peerings between AS1 and AS2, known as L1-R1,
L2-R2 and L3-R3 respectively. The actual policy of these connections
is to accept AS100 equally on these three links and just route
10.0.0.0/8 on L3-R3. The simple way to mention this exception is to
just specify an interas policy for L3-R3:
interas-in: from AS2 L3 R3 (pref=100) accept {10.0.0.0/8}
The implicit rule that all routes not mentioned in interas policies
are accepted on all links with equal preference ensures the desired
result.
The same policy can be written explicitly as:
interas-in: from AS2 L1 R1 (pref=100) accept AS100
interas-in: from AS2 L2 R2 (pref=100) accept AS100
interas-in: from AS2 L3 R3 (pref=100) accept AS100 OR {10.0.0.0/8}
Whilst this may at first sight seem obvious, the problem arises when
not all connections are mentioned. For example, if we specified only
an interas-in line for L3-R3 as below:
aut-num: AS1
as-in: from AS2 10 accept AS100 OR {10.0.0.0/8}
interas-in: from AS2 L3 R3 (pref=100) accept AS100 OR {10.0.0.0/8}
then the policy for the other links according to the rules above
would mean they were equal to the global policy minus the sum of the
local policies (i.e. ((AS100 OR {10.0.0.0/0}) / (AS100 OR
{10.0.0.0/0})) = empty) which in this case would mean nothing is
accepted on connections L1-R1 and L2-R2 which is incorrect.
Another example: If we only registered the policy for link L2-
R2:
interas-in: from AS2 L2 R2 (pref=100) accept AS100
The implicit policy for both L1-R1 and L3-R3 would be as follows:
interas-in: from AS2 L1 R1 (pref=100) accept {10.0.0.0/8}
interas-in: from AS2 L3 R3 (pref=100) accept {10.0.0.0/8}
This is derived as the set of global policies minus the set of
interas-in policies (in this case just accept AS100 as it was the
L2-R2 interas-in policy we registered) with equal cost for the
remaining connection. This again is clearly not what was intended.
We strongly recommend that you always mention all policies for all interas connections explicitly, to avoid these possible errors. One should always ensure the set of the interas policies is equal to the global policy. Clearly if interas policies differ in complex ways it is worth considering splitting the AS in question into separate ASes. However, this is beyond the direct scope of this document. It should also be noted there is no direct relationship between the cost used in as-in and the preference used in interas-in.
How to describe the exclusion policy of a certain AS - "as-exclude" Some ASes have a routing policy based on the exclusion of certain routes if for whatever reason a certain AS is used as transit. Whilst, this is in general not good practice as it makes implicit assumptions on topology with asymmetry a possible outcome if not coordinated, this case needs to be accommodated within the routing policy representation. The way this is achieved is by making use of the "as-exclude" attribute. The precise syntax of this attribute can be found in Appendix A along with the rest of the defined syntax for the "aut- num" object. However, some explanation of the use of this attribute is useful. If we have the following example topology. Example: AS4--------AS3 | | | | | | AS1--------AS2--------AS5 With a simple corresponding policy like so: Example: aut-num: AS1 as-in: from AS2 100 accept ANY as-out: to AS2 announce AS1 as-exclude: exclude AS4 to ANY .... We see an interesting policy. What this says in simple terms is AS1 doesn't want to reach anything if it transits AS4. This can be a perfectly valid policy. However, it should be realized that if for whatever reason AS2 decides to route to AS3 via AS4 then immediately AS1 has no connectivity to AS3 or if AS1 is running default to AS2 packets from AS1 will still flow via AS4. The important point about this is that whilst AS1 can advise its neighbors of its policy it has no direct control on how it can enforce this policy to neighbors upstream.
Another interesting scenario to highlight the unexpected result of
using such an "as-exclude" policy. If we assume in the above example
AS2 preferred AS4 to reach AS3 and AS1 did not use default routing
then as stated AS1 would have no connectivity to AS3. Now lets
suppose that for example the link between AS2 and AS4 went down for
some reason. Like so:
Example:
AS4--------AS3
|
|
AS1--------AS2--------AS5
Suddenly AS1 now has connectivity to AS3. This unexpected behavior
should be considered when created policies based on the "as-exclude"
attribute.
The second problem with this type of policy is the potential of
asymmetry. In the original example we saw the correct policy from
AS1's point of view but if ASes with connectivity through AS4 do not
use a similar policy you have asymmetric traffic and policy. If an
AS uses such a policy they must be aware of the consequences of its
use. Namely that the specified routes which transit the AS (i.e.
routing announcements with this AS in the AS path information) in
question will be excluded. If not coordinated this can easily cause
asymmetry or even worse loss of connectivity to unknown ASes behind
(or in front for that matter) the transit AS in question. With this
in mind this attribute can only be viewed as a form of advisory to
other service providers. However, this does not preclude its use with
policy based tools if the attribute exists.
By having the ability to specify a route keyword based on any of the
four notations given in the syntax it allows the receiving AS to
specify what routes it wishes to exclude through a given transit AS
to a network granularity.
7. AS Macros It may be difficult to keep track of each and every new AS that is represented in the routing registry. A convenient way around this is to define an `AS Macro' which essentially is a convenient way to group ASes. This is done so that each and every AS guardian does not have to add a new AS to it's routing policy as described by the as-in and as-out attributes of it's AS object. However, it should be noted that this creates an implicit trust on the guardian of the AS-Macro. An AS-Macro can be used in <routing policy expressions> for the "as- in" and "as-out" attributes in the aut-num object. The AS-Macro object is then used to derive the list or group of ASes. A simple example would be something like: Example: aut-num: AS786 as-in: from AS1755 100 accept AS-EBONE AND NOT AS1104 as-out to AS1755 announce AS786 ..... Where the as-macro object for AS-EBONE is as follows: as-macro: AS-EBONE descr: ASes routed by EBONE as-list: AS2121 AS1104 AS2600 AS2122 as-list: AS1103 AS1755 AS2043 guardian: guardian@ebone.net ...... So the policy would be evaluated to: aut-num: AS786 as-in: from AS1755 100 accept (AS2121 OR AS1104 OR AS2600 OR AS2122 as-in: from AS1755 100 accept AS1103 OR AS1755 OR as-in: from AS1755 100 accept AS2043) AND NOT AS1104 ......
It should be noted that the above examples incorporates the rule for line wrapping as defined in Appendix A for policy lines. See Appendix C for a definition on the AS-Macro syntax.
8. The Community Object A community is a group of routes that cannot be represented by an AS or a group of ASes. It is in some circumstances useful to define a group of routes that have something in common. This could be a special access policy to a supercomputer centre, a group of routes used for a specific mission, or a disciplinary group that is scattered among several autonomous systems. Also these communities could be useful to group routes for the purpose of network statistics. Communities do not exchange routing information, since they do not represent an autonomous system. More specifically, communities do not define routing policies, but access or usage policies. However, they can be used as in conjunction with an ASes routing policy to define a set of routes the AS sets routing policy for. Communities should be defined in a strict manner, to avoid creating as many communities as there are routes, or even worse. Communities should be defined following the two rules below; + Communities must have a global meaning. Communities that have no global meaning, are used only in a local environment and should be avoided. + Communities must not be defined to express non-local policies. It should be avoided that a community is created because some other organization forces a policy upon your organization. Communities must only be defined to express a policy defined by your organization. Community examples There are some clear examples of communities: BACKBONE - all customers of a given backbone service provider even though they can have various different routing policies and hence belong to different ASes. This would be extremely useful for statistics collection.
HEPNET -
the High Energy Physics community partly shares infrastructure
with other organizations, and the institutes it consists of are
scattered all over Europe, often being part of a non HEPNET
autonomous system. To allow statistics, access or part of a
routing policy , a community HEPNET, consisting of all routes
that are part of HEPNET, conveniently groups all these routes.
NSFNET -
the National Science Foundation Network imposes an acceptable
use policy on routes that wish to make use of it. A community
NSFNET could imply the set of routes that comply with this
policy.
MULTI -
a large multinational corporation that does not have its own
internal infrastructure, but connects to the various parts of
its organizations by using local service providers that connect
them all together, may decide to define a community to restrict
access to their networks, only by networks that are part of this
community. This way a corporate network could be defined on
shared infrastructure. Also, this community could be used by any
of the service providers to do statistics for the whole of the
corporation, for instance to do topology or bandwidth planning.
Similar to Autonomous systems, each community is represented in the
RIPE database by both a community object and community tags on the
route objects representing the routes belonging to the community.
The community object stores descriptive, administrative and contact
information about the community.
The community tags on the route objects define the set of routes
belonging to a community. A route can have multiple community tags.
The community tags can only be created and updated by the "guardian"
of the community and not by those directly responsible for the
particular network. This ensures that community guardians remain in
control of community membership.
Here's an example of how this might be represented in terms of the
community tags within the network object. We have an example where
the route 192.16.199.0/24 has a single routing policy (i.e. that of
AS 1104), but is part of several different communities of interest.
We use the tag "comm-list" to represent the list of communities
associated with this route. NIKHEF-H uses the service provider
SURFNET (a service provider with customers with more than one routing
policy), is also part of the High Energy Physics community as well as having the ability to access the Supercomputer at CERN (the community `CERN-SUPER', is somewhat national, but is intended as an example of a possible use of an access policy constraint). Example: route: 192.16.199.0/24 descr: Local Ethernet descr: NIKHEF section H origin: AS1104 comm-list: HEPNET CERN-SUPER SURFNET changed: ripe-dbm@ripe.net 920604 source: RIPE In the above examples some communities have been defined. The community object itself will take the following format: Example: community: SURFNET descr: Dutch academic research network authority: SURFnet B.V. guardian: comm-guardian@surfnet.nl admin-c: Erik-Jan Bos tech-c: Erik-Jan Bos changed: ripe-dbm@ripe.net 920604 source: RIPE For a complete explanation of the syntax please refer to Appendix B.
(next page on part 2)