BGP経路問題発生時の行動を考えよう AS？ なくても大丈夫だ

Transcript

1. "4ʁ
   ͳͯ͘΋େৎ෉ͩ Shintaro Kojima ίʔμϯε / @codeout #(1ܦ࿏໰୊ൃੜ࣌ͷߦಈΛߟ͑Α͏

2. ϑϦʔϥϯεͷ
   ωοτϫʔΫΤϯδχΞͰ͢ ͱ͘ʹಛఆͷ૊৫ʹଐͯ͠ͳ͍ 2

3. ɺϒϩάॻ͖·ͨ͠ 3

4. ͦͦ͜͜ಡ·Εͨ 4 http://b.hatena.ne.jp/hotentry/it

5. ֨ͷ͕͍ͪ 5 http://b.hatena.ne.jp/hotentry/it

6. ΠϯλʔωοτΛถࠃࢹ఺ͰΈͯͨΓɺ
 ো֐ΛਅԣͰ؍ଌͰ͖ͯΔ͋ͨΓ͕͍͢͝
   6 • "広報された宛先向けの通信が
 ถ国経由になった" • "େ量の経路広報を受信した" https://www.attn.jp/maz/p/t/pdf/20170825-routeleakage.pdf

7. ࣋ͨ͟Δऀ΋ઓ͑Δ w ܦ࿏Λه࿥ͯ͠ͳ͍
   w ࠃࡍճઢ͕ͳ͍ 7 ৔߹Ͱ΋ɺެ։͞Ε͍ͯΔ৘ใ͔Βো֐Λߟ͑ɺ
 ରࡦ͢Δ͜ͱ͕Ͱ͖Δ͸ͣ

8. Ϟνϕʔγϣϯ 8 େͳΓখͳΓܦ࿏ো֐ͷӨڹΛड͚ͨɻ
   ো֐ͷݪҼΛ஌ͬͯɺ࣍͸ࢭΊ͍ͨɻ

9. ͱ͍͏࿩Λ͠·͢ w ܦ࿏ো֐ɺͲ͏΍ͬͯௐ΂Δ
   ʁ
   w 
   ͷέʔεελσΟ 9

10. ܦ࿏ো֐ɺͲ͏΍ͬͯௐ΂Δ
    ʁ σʔλιʔε
    w .35
    %VNQ
    w 3PVUF7JFXT
    1SPKFDU
    w 3*1&
    3*4
    w -PPLJOH
    (MBTT
    

    w 3*1&TUBU
    #(1MBZ
    w "4
    ෼ੳσʔλ
    w DBJEB
    "4
    3FMBUJPOTIJQT 10 AS間の関係を 推測するのに使う

11. 3PVUF
    7JFXT
    1SPKFDU 11 ੈքதͷ*9ʹίϨΫλʔΛஔ͖ɺ
 #(1
    6QEBUF
    ͱ3*#
    ͷه࿥Λެ։ͯ͘͠Εͯ ͍Δ
 ˠ
    ͷ΂
    
    "4
    ͷϕετύεมԽΛ
    ͳΜͱͳ͘ͱΒ͑Δ͜ͱ͕Ͱ͖Δ ⚠ ݟ͑ͳ͍ܦ࿏มԽ͕͋Δ͜ͱʹ஫ҙ

12. 
    .35
    ΞʔΧΠϒΛऔͬͯ ͖ͯ1PTUHSF42-
    ʹೖΕΔ 12 createdb -E UTF8 -T template0 route_leak ruby

    route_views.rb migrate route_leak for i in 0300 0315 0330 0345; \ ruby route_views.rb update download 20170825.$i ruby route_views.rb update load route_leak ruby route_views.rb rib download 20170825.0200 ruby route_views.rb rib load route_leak ͱ͍͏ϓϩάϥϜΛॻ͘
    ˠ
    αϯϓϧ

13. 13 SELECT masklen(prefix) AS len, count(distinct prefix) \
 FROM updates

    WHERE \
 ix='wide' AND neighbor_as=2497 AND aspath ='2497 701 15169 4713' AND \ time > '2017-08-25 03:23'::TIMESTAMP AND \ time < '2017-08-25 03:35'::TIMESTAMP \ GROUP BY len ORDER BY count DESC LIMIT 10; len | count -----+------- 24 | 16594 22 | 3035 23 | 2432 21 | 1764 20 | 868 19 | 79 16 | 29 18 | 15 17 | 10 15 | 3 (10 rows) 
    ͻͨ͢Β4&-&$5

14. 14 ࣮ࡍ͸
    +VQZUFS
    /PUFCPPL
    ͱ͔Ͱ

15. 
    ͷέʔεελσΟ 15 ࣋ͨ͟Δऀ
    ࢹ఺ͰΈ͑ͨ͜ͱ

16. 16 EJYJF
    Ͱݟ͑ͨΞοϓσʔτ਺ 
    d
    
    65$
    #(1
    6QEBUF
    ͕ٸ૿

17. 17 route_leak=# SELECT count(distinct prefix) FROM updates WHERE time >=

    '2017-08-25 03:23'::TIMESTAMP AND time < '2017-08-25 03:35'::TIMESTAMP AND ix = 'wide' AND withdraw IS NOT TRUE; count -------- 122891 (1 row) route_leak=# SELECT distinct count(distinct prefix) FROM updates
 JOIN rib USING (prefix) WHERE updates.time >= '2017-08-25 03:23'::TIMESTAMP AND
 updates.time < '2017-08-25 03:35'::TIMESTAMP AND updates.ix = 'wide' AND rib.ix = 'wide' AND withdraw IS NOT TRUE; count ------- 30972 (1 row) #(1
    Ξοϓσʔτͷத਎
    
    1SFpY਺ 122,891 - 30,972 = 91,919
    ৽ن
    1SFpY

18. ؍ଌ
     w ೔ຊۙลͰɺ ສܦ࿏;͑ͨ
    ىͬͨ͜Ͱ͋Ζ͏͜ͱ
    w ܦ࿏ٸ૿ʹΑΔෛՙ
    w ܦ࿏ٸ૿ʹΑΔ3*#
    
    '*#
    ͋;Ε 18

19. 19 EJYJF
    "4ܦ༝ Ͱݟ͑ͨɺ
 "4@1"5)
    ͋ͨΓͷ1SFpY਺

20. 20 EJYJF
    "4ܦ༝ Ͱݟ͑ͨɺ
 "4@1"5)
    ͋ͨΓͷ1SFpY਺ ͳΜͱͳ͘ɺ"4
    ͕ڬ·͍ͬͯΔʁ

21. 21 EJYJF
    "4ܦ༝ Ͱݟ͑ͨɺ
 "4@1"5)
    ͋ͨΓͷ1SFpY਺ ѹ౗త
    
    

22. 22 2497 701 15169 4713 w (PPHMF 
    ͕0$/ 

    
    Λ τϥϯδοτ͍ͯ͠Δͷ͸͓͔͍͠
    w ͦͷ΄͔ͷ
    "4ؔ܎͸Θ͔Βͳ͍
    ˠ
    ॏཁͳ͜ͱͳͷͰɺਪଌ͍ͨ͠

23. 23 2497 701 15169 4713 route_leak=# SELECT aspath, count(aspath) FROM

    updates WHERE aspath ~ '701 15169' GROUP BY aspath ORDER BY count DESC; aspath | count --------------------------------------------------------+-------- 286 701 15169 4713 | 105228 2497 701 15169 4713 | 100706 7500 2516 701 15169 4713 | 49684 34288 15576 8220 5511 701 15169 4713 | 49662 286 701 15169 7029 | 41958 286 701 15169 9121 | 33838 w 
    ͷܦ࿏ΛΑ͘ΈΔͱʜ
    286 701 15169...
    w 286 / 5511 ↔ 701
    
    ϐΞͱࢥΘΕΔ
 ˠ
    701 ↔ 15169
    ͸τϥϯδοτͱࢥΘΕΔ ⚠ 701͕ϛεͬͯͳ͚Ε͹ɺͱ͍͏લఏ

24. 2497 701 15169 4713 
    ͷܦ࿏Λద౰ ʹҾ͘
 → 12956 701 2497


    ͱ͍͏ܦ࿏͕ݟ͑Δ
 → 12956 ↔ 701 
 ͸ϐΞͱࢥΘΕΔ
 ˠ
    701 ↔ 2497 ͸
 τϥϯδοτͱࢥΘΕΔ

25. 25 2497 701 15169 4713 ·ͱΊΔͱɺͨͿΜ͜͏ AS4713 (OCN) AS15169 (Google)

    AS701 (Verizon) AS2497 (IIJ) ࠓճͷܦ࿏ͷྲྀΕ
    ຊདྷͷܦ࿏ͷྲྀΕ

26. 26 ٙ໰ AS4713 (OCN) AS15169 (Google) AS701 (Verizon) AS2497 (IIJ)

    ࠓճͷܦ࿏ͷྲྀΕ
    ຊདྷͷܦ࿏ͷྲྀΕ ͜ͷܦ࿏͕ϕετʹͳͬͨͷ͸ͳ͔ͥʁ

27. 27 EJYJF
    "4ܦ༝ Ͱݟ͑ͨɺ
 1SFpY௕
    ͋ͨΓͷ1SFpY਺
 2497 701 15169 4713
    ݶఆ ࡉ͔͍ܦ࿏ʹٵ͍ࠐ·Ε༷ͨࢠ

28. ؍ଌ
     w 
    Λ͸͡Ίͱ͢Δࡉ͔͍ܦ࿏͕૿͑ͨ
    ىͬͨ͜Ͱ͋Ζ͏͜ͱ
    w -POHFTU
    .BUDI
    ʹΑΓࣗ"4Ѽͯͷύ έοτ͕ɺ·ͨ͸ࣗ"4ൃͷύέοτ͕ ٵ͍ࠐ·Εͨ
    ˠ
    %SPQ
    3BUF
    ͸ະ֬ೝ 28

29. ؍ଌ
     ৽ͨͳٙ໰
    w ࡉ͔͍ܦ࿏͸Ͳ͔͜Βདྷͨʁ
    w 
    ͷೖΓޱͰࢭ·Βͳ͔ͬͨͷ͸ͳ͔ͥʁ 29 AS4713 AS1516 AS701

    AS2497

30. 30 ٙ໰
    ࡉ͔͍ܦ࿏͸Ͳ͔͜Βདྷͨʁ  
    ॴ༗ऀ
    ͕ΦϦδωʔτ͍ͯͨ͠
     "4@1"5)
    ͷ్தͷ"4
    ͕෼ׂ͍ͯͨ͠
     શ͘ผͷ"4
    ͕޿ࠂ͍ͯͨ͠

    ˠ
    
    ͷՄೳੑ͕͋Γͦ͏
    ਪଌ

31. 8/25 のみ 31 ී௨ɺ͜͏͸ͳΒͳ͍ɻʹ؍ଌ͞Εͨܦ࿏ͷ͏ͪɺ
    w Λ"4@1"5)
    ʹؚΉ
    
    "4@1"5)௕
    
    
    ͷܦ࿏਺ˠ
    30,700 w ͦͷ͏ͪɺ͜ͷΑ͏ͳλΠϓͷܦ࿏਺
    ˠ
    20,457 w ಛผΞϨϯδͦΜͳʹଟ͍ʁ
    ˠ
    ஥հऀ͕ΦϦδωʔτ͍ͯ͠ΔͷͰ͸ʁ

    2497 701 15169 9264 1659 AS9264 AS15169  AS1659   ❌

32. 32 ٙ໰
    
    ͷೖΓޱͰࢭ·Βͳ͔ͬͨͷ͸ͳ͔ͥʁ ココ Α͘෼͔Βͳ͍ɻී௨͸ϑΟϧλʔ͞Εͦ͏ AS4713 (OCN) AS15169 (Google) AS701

    (Verizon) AS2497 (IIJ)

33. ւ֎ͷ*9͸Ͳ͏͔
    *9
    "4
    ผͷɺ"4
    6QEBUF਺ 33 3PVUF
    7JFXT
    ͱܨ͕͍ͬͯΔͷ΂
    "4
    ͷ͏ͪɺӨڹ͋ͬͨͷ͸
    "4͘Β͍

34. ؍ଌ
     w άϩʔόϧͰΈΕ͹ɺӨڹ͋ͬͨ"4ͱ ͳ͔ͬͨ"4͕͋Δ
    ਪଌ
    w ద੾ʹܦ࿏ϑΟϧλʔ͕ޮ͍ͨʁ
    w ΋͘͠͸ɺͦ΋ͦ΋ϦʔΫ͕ͳ͔ͬͨʁ
    w

    ΋͘͠͸ɺϐΞ͝ͱམͪͨʁ
    34

35. ؍ଌͱٙ໰·ͱΊ 35 w ܦ࿏਺͕
    ສ
    ؍ଌ
    w ͦͷଟ͘͸
    ͳͲɺࡉ͔͍ܦ࿏
    ؍ଌ

    
    w ීஈ͸Πϯλʔωοτʹଘࡏ͠ͳ͍
    ٙ໰
    ٞ࿦͍ͨ͠఺
    w ࡉ͔͍ܦ࿏͸Ͳ͔͜Βདྷͨʁ
    ॴ༗ऀ͕޿ࠂ͍ͯͨ͠΍ͭʁ
    w τϥϯδοτͷܦ࿏ϑΟϧλʔͰࢭ·Βͳ͔ͬͨͷ͸ͳͥʁ
 ࢭ·ͬͨέʔε΋͋Γͦ͏ͳͷʹ
    w ࣗӴ͢Δํ๏͸͋Δ͔ʁ

36. ϙΠϯτ 36 ύϒϦοΫͳσʔλιʔε͔Β
    ͜͜·Ͱ෼͔Γ·͢ɻ
    
 .35
    %VNQ
    ײँ
    

37. 37 +"/0(
    ΍
    /"/0(
    ͳͲͰ΋
    ༷ʑͳٞ࿦͕ ରࡦ

38. ࣗӴ͍ͨ͠ 38 自 AS Peer AS Transit AS ܦ࿏ Transit

    AS 経路障害につよい トランジットを選ぶ

39. ࣗӴ͍ͨ͠ 39 自 AS Peer AS Transit AS ܦ࿏ Transit

    AS RIB / FIB の限界 を 知っておく 経路数の監視

40. ࣗӴ͍ͨ͠ 40 自 AS Peer AS Transit AS ܦ࿏ Transit

    AS Max Pref or
 maximum-prefix maximum discard- extra-paths (IOS-XR) Max Pref

41. ࣗӴ͍ͨ͠ 41 自 AS Peer AS Transit AS ܦ࿏ Transit

    AS NO-EXPORT? ? Max Pref Out Max Pref Out

42. Ϟνϕʔγϣϯ 42 େͳΓখͳΓܦ࿏ো֐ͷӨڹΛड͚ͨɻ
    ো֐ͷݪҼΛ஌ͬͯɺ࣍͸ࢭΊ͍ͨɻ
    ˠ
    ͍͍ΞΠσΞ͋Γ·ͤΜ͔ʁ