CA2308697A1 - Exclusion routes in border gateway protocol (bgp) routers - Google Patents
Exclusion routes in border gateway protocol (bgp) routers Download PDFInfo
- Publication number
- CA2308697A1 CA2308697A1 CA002308697A CA2308697A CA2308697A1 CA 2308697 A1 CA2308697 A1 CA 2308697A1 CA 002308697 A CA002308697 A CA 002308697A CA 2308697 A CA2308697 A CA 2308697A CA 2308697 A1 CA2308697 A1 CA 2308697A1
- Authority
- CA
- Canada
- Prior art keywords
- route
- exclusion
- router
- routes
- forwarding table
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/54—Organization of routing tables
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Efficient control of packet forwarding by a router is enabled by storing in a forwarding table information explicitly identifying exclusion routes to which packets may not be forwarded. An exclusion route includes the same attributes as a conventional "inclusionary" route, and thus will be returned from a forwarding table for any matching packets using conventional best-match algorithms. The exclusion route is identified by a zero fill of its Next Hop attribute, which indicates that the exclusion route is inaccessible. Any packets matching an exclusion route are discarded. This permits access control to selected addresses in the network space.
Description
EXCLUSIC>N ROUTE;S IN BORDER GATEWAY PROTOCOL
(BGP) ROUTERS
CROSS-REFERENCE TO RE,7~ATED APPLICATIONS
This is the first application filed for the present invention.
MICROFICHE APPENDIX
Not Applicable.
TECHNICAL FIELD
The pre:>ent in'Tention relates to routing protocols _!0 for connectionless traffic in a data network, and in particular to explicitly defined exclusion routes in border gateway protocol. (BGP) routers of a data network.
BACKGROUND OF THE INVENTION
The modern data network space is made up of a 7_5 plurality of autonomous systems that are directly or indirectly linked to a data network, such as the Internet.
In this respect, it will be noted that the classical definition of an. "auton.omous system" refers to a set of one or more routers under a single technical administration, 20 using an interior gate~~ay protocol (IGP) and common metrics to route packets within. the autonomous system, and using an exterior gateway proto~~ol (EGP) to route packets to other autonomous systems. ~ince this classic definition was developed, it has become common for single autonomous 25 systems to use several interior gateway protocols and sometimes several different sets of metrics within an AS.
(BGP) ROUTERS
CROSS-REFERENCE TO RE,7~ATED APPLICATIONS
This is the first application filed for the present invention.
MICROFICHE APPENDIX
Not Applicable.
TECHNICAL FIELD
The pre:>ent in'Tention relates to routing protocols _!0 for connectionless traffic in a data network, and in particular to explicitly defined exclusion routes in border gateway protocol. (BGP) routers of a data network.
BACKGROUND OF THE INVENTION
The modern data network space is made up of a 7_5 plurality of autonomous systems that are directly or indirectly linked to a data network, such as the Internet.
In this respect, it will be noted that the classical definition of an. "auton.omous system" refers to a set of one or more routers under a single technical administration, 20 using an interior gate~~ay protocol (IGP) and common metrics to route packets within. the autonomous system, and using an exterior gateway proto~~ol (EGP) to route packets to other autonomous systems. ~ince this classic definition was developed, it has become common for single autonomous 25 systems to use several interior gateway protocols and sometimes several different sets of metrics within an AS.
- 2 -In the present application, the term autonomous system is used to emphasize the fact that, even when multiple IGPs and metrics are used, the technical administration of an AS
appears to other autonomous systems to have a single coherent interior routing plan and presents a consistent picture of what destinations are reachable through it.
Fig. 1 is a block diagram showing three autonomous systems (ASl, A5~2 and ~~53) that are linked together and to a data network (e.g. the Internet) by means of links R1 L0 through R5. ThE~~relationship between autonomous systems illustrated in Fig. 1 :~~s typical of that set up to connect an enterprise domain (such as a corporate local area network) represented ai. ASl to the Internet via a pair of Internet service providers respectively represented at AS2 J.5 and AS3. Interacaion bEtween each of the autonomous systems (that is, over .Links RL through R5) , including transfer of route information is controlled. by BGP. BGP may also be used to control. routi:zg within the data network. Within each of the autonom~~us systems, an interior gateway a?0 protocol is used to co:ztrol the routing of traffic. Any of a variety of interior gateway protocol implementations may be used for this purpose. Exemplary interior gateway protocol implementations include the routing information protocol (RIP) and the Open Shortest Path First (OSPF) 25 protocol. Using this arrangement, information concerning addresses that are re<~chable through the Internet can be obtained by the: autonomous systems AS2 and AS3 using BGP
update messages receivE~d over links R3 and R4 respectively.
The autonomous systE~m AS1 :is then able to obtain 30 information concerning routes that are reachable through
appears to other autonomous systems to have a single coherent interior routing plan and presents a consistent picture of what destinations are reachable through it.
Fig. 1 is a block diagram showing three autonomous systems (ASl, A5~2 and ~~53) that are linked together and to a data network (e.g. the Internet) by means of links R1 L0 through R5. ThE~~relationship between autonomous systems illustrated in Fig. 1 :~~s typical of that set up to connect an enterprise domain (such as a corporate local area network) represented ai. ASl to the Internet via a pair of Internet service providers respectively represented at AS2 J.5 and AS3. Interacaion bEtween each of the autonomous systems (that is, over .Links RL through R5) , including transfer of route information is controlled. by BGP. BGP may also be used to control. routi:zg within the data network. Within each of the autonom~~us systems, an interior gateway a?0 protocol is used to co:ztrol the routing of traffic. Any of a variety of interior gateway protocol implementations may be used for this purpose. Exemplary interior gateway protocol implementations include the routing information protocol (RIP) and the Open Shortest Path First (OSPF) 25 protocol. Using this arrangement, information concerning addresses that are re<~chable through the Internet can be obtained by the: autonomous systems AS2 and AS3 using BGP
update messages receivE~d over links R3 and R4 respectively.
The autonomous systE~m AS1 :is then able to obtain 30 information concerning routes that are reachable through
- 3 -AS2 by means of BGP up~iate messages received over link R1.
Similarly, ASl is able to obtain information concerning routes that are reacr.able through AS3 by means of BGP
update messages received over link R2.
In the modern data network space, packetized data traffic is transported using an assortment of different protocols (e.g. multi-protocol label switching [MPLS]:
Internet protocol [IP],, frame relay, asynchronous transfer mode [ATM], etc.). Some of these protocols, such as ATM, .LO are connection-oriente~~, in packets are propagated across the network space hop-by-hop along a path that is set up at the beginning of a communications session. Other protocols, (such as I):~) which do not transport data over predefined end-to-end paths are referred to as :15 "connectionless".
Connecti_onless traffic is normally routed across a communications network using a shortest-path or least-cost-path routine protocol. Typical examples of such routing protocols include the Interior Gateway Protocol 20 (IGP), and the Exterior Gateway Protocol (EGP). IGP is designed to handle routing of traffic within an autonomous system, while EGP is used for routing traffic between autonomous systems. ~'he Border Gateway Protocol (BGP) is an evolution of: the EGP. A recently released version of 25 BGP (BGP-4) is capablE: of routing traffic both within and between autonomous systems.
Each of: these routing protocols operates on the basis of a forwarding or routing table, which is maintained by a routing table manager (RTM) and used to map 12509ROCAOlU 9-13528-114CA
Similarly, ASl is able to obtain information concerning routes that are reacr.able through AS3 by means of BGP
update messages received over link R2.
In the modern data network space, packetized data traffic is transported using an assortment of different protocols (e.g. multi-protocol label switching [MPLS]:
Internet protocol [IP],, frame relay, asynchronous transfer mode [ATM], etc.). Some of these protocols, such as ATM, .LO are connection-oriente~~, in packets are propagated across the network space hop-by-hop along a path that is set up at the beginning of a communications session. Other protocols, (such as I):~) which do not transport data over predefined end-to-end paths are referred to as :15 "connectionless".
Connecti_onless traffic is normally routed across a communications network using a shortest-path or least-cost-path routine protocol. Typical examples of such routing protocols include the Interior Gateway Protocol 20 (IGP), and the Exterior Gateway Protocol (EGP). IGP is designed to handle routing of traffic within an autonomous system, while EGP is used for routing traffic between autonomous systems. ~'he Border Gateway Protocol (BGP) is an evolution of: the EGP. A recently released version of 25 BGP (BGP-4) is capablE: of routing traffic both within and between autonomous systems.
Each of: these routing protocols operates on the basis of a forwarding or routing table, which is maintained by a routing table manager (RTM) and used to map 12509ROCAOlU 9-13528-114CA
- 4 -received packets to downstream links. The forwarding table contains information identifying routes to which packets can be forwarded. Exemplary data fields within the forwarding table include: IP Address; Mask; Route; Next Hop and Next Hop Interface. As each packet arrives at a router, its destination address is read and used to query the forwarding table. If a matching route in the forwarding table is located, the corresponding Next Hop and Next Hop Interface fields are used to forward the packet to a downstream link towards its destination. Otherwise, the packet is discarded.
The routes identified in the forwarding table are always "inclusionary", in the sense that a router can forward packets to any route identified in the forwarding table. Conversely, the router is unable to forward packets to any routes that ar~~ not identified in the forwarding table. Typically, the forwarding table contains a list of explicitly defined mutes to which packets may be forwarded, and/or a c.efault route to which the router forwards packet~;.that do not match any of the explicitly defined routes.
The use of a comprehensive list of accessible (explicitly de:Eined) routes enables maximum routing flexibility, and thus is generally favored for routers within the network core, as well as for access servers (e. g. maintained by network service providers) where routing flexibi7_ity is very desirable. This method also provides a high level of control over forwarding of traffic to any particular route or destination on the network. For ~~0 example, if ii. is desired to restrict or prohibit 12509ROCAOlU 9-13528-114CA
The routes identified in the forwarding table are always "inclusionary", in the sense that a router can forward packets to any route identified in the forwarding table. Conversely, the router is unable to forward packets to any routes that ar~~ not identified in the forwarding table. Typically, the forwarding table contains a list of explicitly defined mutes to which packets may be forwarded, and/or a c.efault route to which the router forwards packet~;.that do not match any of the explicitly defined routes.
The use of a comprehensive list of accessible (explicitly de:Eined) routes enables maximum routing flexibility, and thus is generally favored for routers within the network core, as well as for access servers (e. g. maintained by network service providers) where routing flexibi7_ity is very desirable. This method also provides a high level of control over forwarding of traffic to any particular route or destination on the network. For ~~0 example, if ii. is desired to restrict or prohibit 12509ROCAOlU 9-13528-114CA
- 5 -forwarding of traffic to any particular route or destination address, then the associated route is simply removed from the forwarding table. However, a limitation of this method is the size of the forwarding table. At present, the Internet comprises in excess of 70,000 routes, all of which mu:~t be registered in the forwarding table to permit the router to forward packets to destination addresses subtending those routes. This large number of routes, which i~~ rapid~.y increasing, imposes a heavy demand :LO on router resources. 'this leads to a requirement for more powerful (and thus ex~~ensive) router equipment to achieve satisfactory performance.
The use of a i:orwarding table containing a single default route sacrifices routing flexibility to obtain maximum throughput performance with minimum system resources. Consequently, this method has found favor for use in domain server,, such as gateway routers serving autonomous systems anti corporate networks. Such systems are commonly connected to the Internet through an access server through which all traffic is directed. In this case, the default route of the forwarding table identifies the access server, ant. thus all traffic originating in the domain is routE:d to the access server irrespective of the destination address of any particular packet. In practice, this does not imposf~ any real limitations on routing flexibility, since all traffic originating on the domain passes through the access server in any event. However, this techniques dramatically reduces the size of the forwarding table, thE~reby permitting the use of smaller
The use of a i:orwarding table containing a single default route sacrifices routing flexibility to obtain maximum throughput performance with minimum system resources. Consequently, this method has found favor for use in domain server,, such as gateway routers serving autonomous systems anti corporate networks. Such systems are commonly connected to the Internet through an access server through which all traffic is directed. In this case, the default route of the forwarding table identifies the access server, ant. thus all traffic originating in the domain is routE:d to the access server irrespective of the destination address of any particular packet. In practice, this does not imposf~ any real limitations on routing flexibility, since all traffic originating on the domain passes through the access server in any event. However, this techniques dramatically reduces the size of the forwarding table, thE~reby permitting the use of smaller
- 6 -(and therefore less exp~=nsive) routers, without sacrificing performance.
A limitation of this method is that since all traffic is forwarded i,o the access server, the routing protocol of the domain ;server cannot be used to restrict or prohibit forwarf.ing packets to any particular routes or destinations. As a result, policies restricting the forwarding of packets are typically implemented by route and/or packet filterinc algorithms, which may be provided as part of a firewall or router application. However, these solutions incre<~se the complexity of forwarding applications, and often contribute to scalability issues because system performmce often degrades rapidly as the number of restricted routes increases.
1.5 AccordincLly, a system f_or enabling policy-based restriction of packet forwarding to one or more routes, that can be implemented at the level of the routing protocol, while minimizing system resource requirements, remains highly desirable.
2 0 SU1~1ARY OF TFiE xNVENTI:ON
An objeci: of the invention is to provide a method of enabling efficient policy-based restrictions on packet forwarding by a routing protocol.
A further objects of the present invention is to 2.5 provide an extension to Border Gateway Protocol (BGP) to enable efficient policy-based restrictions on packet forwarding.
-Accordingly, an aspect of the present invention provides a method of enabling efficient restrictions on packet forwarding by a router having a forwarding table.
The method comprises steps of: storing in the forwarding table information explicitly identifying an exclusion route to which packet:> may nit be forwarded; and discarding any packet having a respective destination address matching the exclusion route.
Another .aspect of the present invention provides a router for forwarding connectionl.ess packet traffic through a network space, the router comprising a forwarding table adapted to store information explicitly identifying exclusion routes to which packets may not be forwarded.
Each exc:Lusion route is preferably identified by a respective predetermined value of a selected field of the forwarding table. The selected field may be a "Next Hop"
field, and the predetez~mined value can be a zero fill of the Next Hop fie7_d (e.g.. "0Ø0.0") .
Information explicitly identifying any included routes to which packets may be forwarded can also be stored in the forwarding table. In some embodiments, information identifying a single included route is stored in the forwarding table as a default route to which all packets having a destination address that does not match an exclusion route are forwarded.
An advantage of the present invention is that the forwarding of frames can be controlled on a route-by-route basis with minimum dem2.nd on system resources within the router.
_ g _ BRIEF DESCRIPTION OF THE DRAWINGS
Further features and advantages of the present invention will become ~~pparent from the following detailed description, t<~ken in combination with the appended drawings, in which:
Fig. 1 is a block diagram schematically illustrating a data neilwork in which the present invention may be utilized and Fig. 2 shows a schematic representation of a 1.0 portion of a forwarding table in accordance with an embodiment of the present invention.
It will be noted that throughout the appended drawings, like features are identified by like reference numerals.
1.5 DETAILED DESCRIPTION ~OF THE PREFERRED EI~ODIMENT
The present invention provides a system for controlling the forwarding of connectionless traffic across a communications net~rork. As shown in Fig. 1, a communications network 2 in which the present invention may 20 be utilized generally comprises a plurality of autonomous systems (ASs) connected to a data network 4, such as, for example, the Internet. In the exemplary embodiment of Fig.
1, three autonomous systems (AS:i, AS2 and AS3) are shown, interconnected by links R1, R2 and R3. AS2 and AS3 are 25 further connected to the data network 4 through links R4 and R5 respectively. This arrangement is typical of connection schemes foo providing Internet access to an enterprise, for example. Thus, :451 may be implemented as a 12509ROCAOlU 9-13528-114CA
corporate local area network (LAN), which is connected to the data network 4 (e.g. the Internet) using a pair of service providers (ISP~.) at AS2 and AS3 respectively.
Each autonomous system comprises one or more routers (not shown), under a single technical administration, and transport of data packets within an autonomous system is controlled using one or more implementations of the Interior Gateway Protocol (IGP). As is known in the art, a router may be implemented as ~_0 physical hardware or as a virtual router running in a server, for example. Exemplary implementations of IGP used for the transport o:E packet data traffic within an autonomous system include: routing information protocol (RIP); and Open Shortest Path First (OSPF). Transport of :'~5 packet data traffic over links R1 - R5, that is, between AS1, AS3 and A:33, and between AS2 and AS3 and the data network 4, is ce~ntrollE~d by an implementation of the border gateway protocol. ~(BGP) .
As is well known in the art, forwarding of traffic a?0 under the BGP is conv~rolled by a forwarding or routing table (RT) whic:h is m~.intained by a routing table manager (RTM - not shown) and <<ccessible to each router. Thus each autonomous system AS1 - AS3 is provided with at least one respective routing table RT1-RT3 A routing table will :Z5 normally be co-resident with a respective router, but may be maintained at a reriote location and accessible through the network. Under tr.e BGP, each route that is reachable through a routes is explicitly identified in the respective routing table. Exemplary data fields used to identify 12509ROCAOlU 9-13528-114CA
routes in the forwarding table include: Mask 6; Route 8;
Next Hop 10; and Next Hop Interface 12 (see Fig. 2).
As mentioned previously, each autonomous system AS1 - AS3 may comprise one or more routers (which may be implemented as virtua:_ routers), and each router will normally have a respective routing table. However, for simplicity of description, in the illustrated embodiment, AS1 is assumed to include a single router, which handles all traffic flow through links Rl and R2 between ASl and AS2 and AS3 using a respective routing table RT1. AS2 and AS3 are assumed i.o each include a respective single router, which handle all traffic flow between AS1 and other points in the communications network 2 using respective routing tables RT2 and R'r3. Both of these routing tables (RT2 and RT3) will generally contain a comprehensive listing of every route that is reachable by AS1 through the respective autonomous system. This affords maximum routing flexibility for forwaroing connectionless traffic through the communications net~~ork 2. Additionally, AS2 and AS3 may adjust the content of their respective routing tables RT2 and RT3 on the basis of policies that are specific to AS1.
As shown in Fig. 2, in order to minimize demand on system resources, ASl (Fig. 1) is provisioned with a 2'i respective routing table RT1 containing a default route 18.
As shown in Fig. 2, the default route 14 is identified by a zero fill (i.e. "0Ø0.0") of the Route field 8 in the routing table RT1. The forwarding address stored in the Next Hop field 10 identifies a se=Lected one of AS2 and AS3.
In the absence of a roui~e matching the destination address of a packet, conventional best-match searching algorithms will return the default route 18.
For the purposes of the present example, it will be assumed that the Next fop field 10 of the default route 14 identifies AS2. As a result, every packet originating on ASl and destined for an address outside of AS1 will be automatically :Eorward~~d to AS2, unless the routing table RT1 contains other routes which match the packet destination address. AS2 then uses its own forwarding table 1.0 RT2 to forward those packets towards their destinations.
It will be no~~ed that in Fig. 2, no values are shown for the Next Ho~~ Interface field 12 of the routing table RTl. It will be appreciated that this field will normally contain~non-~,ero values that, in general, will 1.5 depend on the specifics of each route, and are not material to the present invention. Accordingly, they are omitted from the illustration cf Fig. 2.
In accordance with the present invention, improved control over routing of traffic originating in AS1 is 20 enabled by storing one or more "exclusion routes" 16 (one is illustrated in Fig. 2) in the routing table RT1, in addition to the default route 18. The exclusion route 20 differs from conventional inclusionary routes (including the default route 14) in that it explicitly identifies a 25 route to which traffic may not be forwarded. The exclusion route 16 preferably po~~sesses the same number and type of attributes as a conventional (i.nclusionary) route. As a result, no modii=ications are required in the routing table or routing table manager to accommodate the insertion of one or more exclusion routes 16. Additionally these routes will match pacl~ets destined to them using conventional best-match algorithms, so that: the exclusion route 16, rather than the default route 14 will be automatically returned for matching packets. The primary differences between an exclusion route 16 and conventional (inclusionary) routes lay in the value of the Next Hop attribute 10, and the way in which that value is interpreted by the pscket forwarding algorithm of the J_0 autonomous system ASl.
In particular, as shown in Fig. 2, the exclusion route 16 has a Next Hop 10 value that is zero-filled (i.e.
"0Ø0.0"). It will oe seen that this differs from the default route 1~4, in which the Route attribute is zero-~_5 filled (i.e. "0Ø0.0") and the Next Hop attribute contains a forwarding address (e.g. identifying AS2) . A zero fill of the Next Hop attribute 10 is interpreted by the packet forwarding algorithm running of AS1 as a non-reachable route, and any pack=ts having a destination address a?0 matching the exclusion route 16 are discarded.
Various methods may be used to create exclusion routes. Exemplary methods include: local creation of exclusion routes based on import policies; and remote creation of exclusion routes. Each of these methods are :?5 described in greater detail below, first in general terms, and then by way of spe<:ific example with reference to Figs.
1 and 2.
Exclusion routes can be created locally based on BGP import policies. .~.s is known in the art, standard BGP
provides a mechanism by which a router can create and remove routes (that is, store route information in and delete route informat=ion from its routing table) in response to update messages received from another router.
The response of the router to each update message can be controlled by means of import policies defined for the router. In general, ~.n import policy defines the actions that are to be taken in the event that an update message matches a set of predetermined criteria. These criteria :LO normally include predetermined values of any route attribute, which may b~~ well known attributes or a private attribute assigned by a peer muter in accordance with a service agreement, for example.
Conventionally, BGP import policies provide two :15 alternative actions that can be taken when an update message contains routs information matching the defined criteria: either the update message is ignored, or a new (inclusionary) route is created so that packets may be forwarded to that roui:e. In accordance with the present 20 invention, this facilii,y can be extended to also enable the creation of exclusion routes. This provides a convenient, policy-based method for creating exclusion routes based on received update messages.
In accordance with the present invention, exclusion 25 routes can also be remotely created. In one embodiment, this may be accomplish=d by defining an "exclusion" message type. Thus, a first router can send an exclusion-type update message to a ~~eer router, identifying itself (the first router) in the F;oute attribute. This exclusion-type 30 update message:, inc:Luding the self-identifying Route 12509ROCAOlU 9-13528-114CA
attribute, can then be used by the peer router, in accordance with its own import policies, to create an exclusion route identii=ying the first router. As a result of this action, the packet forwarding algorithm in the peer router will recognize the route to the first router as an exclusion route, and any packets arriving at the peer router and destined fo:_ the first router will therefore be discarded.
In the following discussion, a number of examples :LO of the use of exclusion routes are provided.
Example 1: Exclusion Routes Used to Restrict Access to Selected Routes,' Exclusion routes can readily be created by AS1 to restrict (or prevent; access to certain predetermined routes or destination addresses through the communications network. In a simple embodiment, this can be accomplished by defining an import policy for ASl that matches on an attribute identifying the restricted route (e.g. the IP
Address attribute) Subsequently, any update messages received by AS:L and matching the selected criteria, will result in the creation of an exclusion route 16 in the routing table I~T1. ~~s a result of this action, packets originating in AS1 and destined for the restricted route (e.g. to request a download of data) will be discarded by AS1, so that access to the restricted route by users of AS1 is prevented.
A more comple:~ embodiment involves the assignment of a private attribute value to a selected set of routes by a service provider, and then using the assigned attribute as the basis for creating exclusion routes. For example, AS1 may wish to preven~~ access to certain target addresses (e.g. addresses carrying pornographic content). Thus ASl and a service provider at AS2 may enter into an agreement according to wh_Lch AS2 will attach a predetermined private attribute (such as a community t:ag) to any update messages propagated from any of the target addresses. AS1 can then define an import po~.icy so that any update messages received from AS2 and bearing the predetermined local attribute will result in the creation of an exclusion route :LO 16 in the routing tab=_e RT1. As a result of this action, packets originating in AS1 and destined for any of the target addresses (e. g. to request a download of data) will be discarded by AS1, so that access to the target addresses by users of AS1 is pre~Tented.
L5 Example 2: Trafi:ic eng:_neering This example illustrates the use of exclusion routes for traffic engineering. In particular, AS1 may wish to use AS~? (via link R1) for outgoing traffic only, and AS3 (via link R2) for incoming traffic only. In this 20 case, AS1 can create a conventional default route 14 in routing table ftTl which identifies AS2 in the Next Hop attribute 10. Thus any packets originating on ASl and destined for routes outside to AS1 will be forwarded through link R1 to AS2 in an conventional manner.
25 AS1 can then use remote creation of an exclusion route to control incorr.ing traffic. In particular, AS1 can formulate and send an exclusion-type update message to AS2 identifying itself (P.Sl) in the Route attribute. This update message can then be used by AS2 to create an 30 exclusion route 16 in its routing table RT2 identifying 12509ROCAOlU 9-13528-114CA
AS1. As a result; any packets arriving at AS2 and destined for AS1 will be discarded, and consequently ASl will only receive packets from AS3, which is the desired result.
This operation may be enhanced by identifying link R1 in the Next Hop Interface 12 attribute of the update message sent by ASl to AS2. Consequently, the routing table RT2 can identii-y "AS1 through link R1" as the exclusion route 16. The packet forwarding algorithm running in AS2 may thEm recognize that AS1 is reachable through AS3, and thus :=orward packets arriving at AS2 and destined for AS1, through link R3 to AS3. Again, the desired result is obtained, in that ASl will only receive packets from AS3..
Example 3: Subscriber-specific service offering 1.5 As mentioned above, a service provider (e.g. at AS2 or AS3) can implement one virtual routes and an associated routing table fo:r each subscriber connection. This allows the service provider to implement exclusion routes on behalf of the subscriber.
As discu~;sed in Example 1 above, a service provider can assign privai:e attributes (such as a community tag) to a selected set o:f routes. This concept can be extended to enable a service provider to define a number of categories (e. g. based on content ~r some other attribute) and assign 2!~ a respective community t:ag to the members of each category.
A subscriber, would then be able to select (e.g. using an account management window accessed by the subscriber after logging into the service provider's server) any categories that they do not wish to access. This selection can then - 1~ _.
be used to define an import policy for a subscriber-specific virtual router (instantiated when the subscriber logs onto the system) such that any routes matching the selected categories arE: identified in the routing table as exclusion route;s.. As a result, packets originating from the subscriber and destined for any route matching one of the selected c:ategor_es will be discarded to thereby preclude access to tho:>e routes by the subscriber.
Because the subscriber's selection of restricted sites is implemented on a subscriber-specific virtual router that is instant:iated when the subscriber logs into the service provider's server, system resources required to implement this funcaion are minimized, and other subscribers are not affected. Furthermore, this functionality can be provided by the service provider even in cases where the subscriber is not capable of using BGP.
Thus it: will be seen that the present invention provides an Efficient technique for controlling the forwarding of connectionless traffic by a router.
The embodiments of the invention described above are intended t:o be exemplary only. The scope of the invention is therefore intended to be limited solely by the scope of the appended claims.
A limitation of this method is that since all traffic is forwarded i,o the access server, the routing protocol of the domain ;server cannot be used to restrict or prohibit forwarf.ing packets to any particular routes or destinations. As a result, policies restricting the forwarding of packets are typically implemented by route and/or packet filterinc algorithms, which may be provided as part of a firewall or router application. However, these solutions incre<~se the complexity of forwarding applications, and often contribute to scalability issues because system performmce often degrades rapidly as the number of restricted routes increases.
1.5 AccordincLly, a system f_or enabling policy-based restriction of packet forwarding to one or more routes, that can be implemented at the level of the routing protocol, while minimizing system resource requirements, remains highly desirable.
2 0 SU1~1ARY OF TFiE xNVENTI:ON
An objeci: of the invention is to provide a method of enabling efficient policy-based restrictions on packet forwarding by a routing protocol.
A further objects of the present invention is to 2.5 provide an extension to Border Gateway Protocol (BGP) to enable efficient policy-based restrictions on packet forwarding.
-Accordingly, an aspect of the present invention provides a method of enabling efficient restrictions on packet forwarding by a router having a forwarding table.
The method comprises steps of: storing in the forwarding table information explicitly identifying an exclusion route to which packet:> may nit be forwarded; and discarding any packet having a respective destination address matching the exclusion route.
Another .aspect of the present invention provides a router for forwarding connectionl.ess packet traffic through a network space, the router comprising a forwarding table adapted to store information explicitly identifying exclusion routes to which packets may not be forwarded.
Each exc:Lusion route is preferably identified by a respective predetermined value of a selected field of the forwarding table. The selected field may be a "Next Hop"
field, and the predetez~mined value can be a zero fill of the Next Hop fie7_d (e.g.. "0Ø0.0") .
Information explicitly identifying any included routes to which packets may be forwarded can also be stored in the forwarding table. In some embodiments, information identifying a single included route is stored in the forwarding table as a default route to which all packets having a destination address that does not match an exclusion route are forwarded.
An advantage of the present invention is that the forwarding of frames can be controlled on a route-by-route basis with minimum dem2.nd on system resources within the router.
_ g _ BRIEF DESCRIPTION OF THE DRAWINGS
Further features and advantages of the present invention will become ~~pparent from the following detailed description, t<~ken in combination with the appended drawings, in which:
Fig. 1 is a block diagram schematically illustrating a data neilwork in which the present invention may be utilized and Fig. 2 shows a schematic representation of a 1.0 portion of a forwarding table in accordance with an embodiment of the present invention.
It will be noted that throughout the appended drawings, like features are identified by like reference numerals.
1.5 DETAILED DESCRIPTION ~OF THE PREFERRED EI~ODIMENT
The present invention provides a system for controlling the forwarding of connectionless traffic across a communications net~rork. As shown in Fig. 1, a communications network 2 in which the present invention may 20 be utilized generally comprises a plurality of autonomous systems (ASs) connected to a data network 4, such as, for example, the Internet. In the exemplary embodiment of Fig.
1, three autonomous systems (AS:i, AS2 and AS3) are shown, interconnected by links R1, R2 and R3. AS2 and AS3 are 25 further connected to the data network 4 through links R4 and R5 respectively. This arrangement is typical of connection schemes foo providing Internet access to an enterprise, for example. Thus, :451 may be implemented as a 12509ROCAOlU 9-13528-114CA
corporate local area network (LAN), which is connected to the data network 4 (e.g. the Internet) using a pair of service providers (ISP~.) at AS2 and AS3 respectively.
Each autonomous system comprises one or more routers (not shown), under a single technical administration, and transport of data packets within an autonomous system is controlled using one or more implementations of the Interior Gateway Protocol (IGP). As is known in the art, a router may be implemented as ~_0 physical hardware or as a virtual router running in a server, for example. Exemplary implementations of IGP used for the transport o:E packet data traffic within an autonomous system include: routing information protocol (RIP); and Open Shortest Path First (OSPF). Transport of :'~5 packet data traffic over links R1 - R5, that is, between AS1, AS3 and A:33, and between AS2 and AS3 and the data network 4, is ce~ntrollE~d by an implementation of the border gateway protocol. ~(BGP) .
As is well known in the art, forwarding of traffic a?0 under the BGP is conv~rolled by a forwarding or routing table (RT) whic:h is m~.intained by a routing table manager (RTM - not shown) and <<ccessible to each router. Thus each autonomous system AS1 - AS3 is provided with at least one respective routing table RT1-RT3 A routing table will :Z5 normally be co-resident with a respective router, but may be maintained at a reriote location and accessible through the network. Under tr.e BGP, each route that is reachable through a routes is explicitly identified in the respective routing table. Exemplary data fields used to identify 12509ROCAOlU 9-13528-114CA
routes in the forwarding table include: Mask 6; Route 8;
Next Hop 10; and Next Hop Interface 12 (see Fig. 2).
As mentioned previously, each autonomous system AS1 - AS3 may comprise one or more routers (which may be implemented as virtua:_ routers), and each router will normally have a respective routing table. However, for simplicity of description, in the illustrated embodiment, AS1 is assumed to include a single router, which handles all traffic flow through links Rl and R2 between ASl and AS2 and AS3 using a respective routing table RT1. AS2 and AS3 are assumed i.o each include a respective single router, which handle all traffic flow between AS1 and other points in the communications network 2 using respective routing tables RT2 and R'r3. Both of these routing tables (RT2 and RT3) will generally contain a comprehensive listing of every route that is reachable by AS1 through the respective autonomous system. This affords maximum routing flexibility for forwaroing connectionless traffic through the communications net~~ork 2. Additionally, AS2 and AS3 may adjust the content of their respective routing tables RT2 and RT3 on the basis of policies that are specific to AS1.
As shown in Fig. 2, in order to minimize demand on system resources, ASl (Fig. 1) is provisioned with a 2'i respective routing table RT1 containing a default route 18.
As shown in Fig. 2, the default route 14 is identified by a zero fill (i.e. "0Ø0.0") of the Route field 8 in the routing table RT1. The forwarding address stored in the Next Hop field 10 identifies a se=Lected one of AS2 and AS3.
In the absence of a roui~e matching the destination address of a packet, conventional best-match searching algorithms will return the default route 18.
For the purposes of the present example, it will be assumed that the Next fop field 10 of the default route 14 identifies AS2. As a result, every packet originating on ASl and destined for an address outside of AS1 will be automatically :Eorward~~d to AS2, unless the routing table RT1 contains other routes which match the packet destination address. AS2 then uses its own forwarding table 1.0 RT2 to forward those packets towards their destinations.
It will be no~~ed that in Fig. 2, no values are shown for the Next Ho~~ Interface field 12 of the routing table RTl. It will be appreciated that this field will normally contain~non-~,ero values that, in general, will 1.5 depend on the specifics of each route, and are not material to the present invention. Accordingly, they are omitted from the illustration cf Fig. 2.
In accordance with the present invention, improved control over routing of traffic originating in AS1 is 20 enabled by storing one or more "exclusion routes" 16 (one is illustrated in Fig. 2) in the routing table RT1, in addition to the default route 18. The exclusion route 20 differs from conventional inclusionary routes (including the default route 14) in that it explicitly identifies a 25 route to which traffic may not be forwarded. The exclusion route 16 preferably po~~sesses the same number and type of attributes as a conventional (i.nclusionary) route. As a result, no modii=ications are required in the routing table or routing table manager to accommodate the insertion of one or more exclusion routes 16. Additionally these routes will match pacl~ets destined to them using conventional best-match algorithms, so that: the exclusion route 16, rather than the default route 14 will be automatically returned for matching packets. The primary differences between an exclusion route 16 and conventional (inclusionary) routes lay in the value of the Next Hop attribute 10, and the way in which that value is interpreted by the pscket forwarding algorithm of the J_0 autonomous system ASl.
In particular, as shown in Fig. 2, the exclusion route 16 has a Next Hop 10 value that is zero-filled (i.e.
"0Ø0.0"). It will oe seen that this differs from the default route 1~4, in which the Route attribute is zero-~_5 filled (i.e. "0Ø0.0") and the Next Hop attribute contains a forwarding address (e.g. identifying AS2) . A zero fill of the Next Hop attribute 10 is interpreted by the packet forwarding algorithm running of AS1 as a non-reachable route, and any pack=ts having a destination address a?0 matching the exclusion route 16 are discarded.
Various methods may be used to create exclusion routes. Exemplary methods include: local creation of exclusion routes based on import policies; and remote creation of exclusion routes. Each of these methods are :?5 described in greater detail below, first in general terms, and then by way of spe<:ific example with reference to Figs.
1 and 2.
Exclusion routes can be created locally based on BGP import policies. .~.s is known in the art, standard BGP
provides a mechanism by which a router can create and remove routes (that is, store route information in and delete route informat=ion from its routing table) in response to update messages received from another router.
The response of the router to each update message can be controlled by means of import policies defined for the router. In general, ~.n import policy defines the actions that are to be taken in the event that an update message matches a set of predetermined criteria. These criteria :LO normally include predetermined values of any route attribute, which may b~~ well known attributes or a private attribute assigned by a peer muter in accordance with a service agreement, for example.
Conventionally, BGP import policies provide two :15 alternative actions that can be taken when an update message contains routs information matching the defined criteria: either the update message is ignored, or a new (inclusionary) route is created so that packets may be forwarded to that roui:e. In accordance with the present 20 invention, this facilii,y can be extended to also enable the creation of exclusion routes. This provides a convenient, policy-based method for creating exclusion routes based on received update messages.
In accordance with the present invention, exclusion 25 routes can also be remotely created. In one embodiment, this may be accomplish=d by defining an "exclusion" message type. Thus, a first router can send an exclusion-type update message to a ~~eer router, identifying itself (the first router) in the F;oute attribute. This exclusion-type 30 update message:, inc:Luding the self-identifying Route 12509ROCAOlU 9-13528-114CA
attribute, can then be used by the peer router, in accordance with its own import policies, to create an exclusion route identii=ying the first router. As a result of this action, the packet forwarding algorithm in the peer router will recognize the route to the first router as an exclusion route, and any packets arriving at the peer router and destined fo:_ the first router will therefore be discarded.
In the following discussion, a number of examples :LO of the use of exclusion routes are provided.
Example 1: Exclusion Routes Used to Restrict Access to Selected Routes,' Exclusion routes can readily be created by AS1 to restrict (or prevent; access to certain predetermined routes or destination addresses through the communications network. In a simple embodiment, this can be accomplished by defining an import policy for ASl that matches on an attribute identifying the restricted route (e.g. the IP
Address attribute) Subsequently, any update messages received by AS:L and matching the selected criteria, will result in the creation of an exclusion route 16 in the routing table I~T1. ~~s a result of this action, packets originating in AS1 and destined for the restricted route (e.g. to request a download of data) will be discarded by AS1, so that access to the restricted route by users of AS1 is prevented.
A more comple:~ embodiment involves the assignment of a private attribute value to a selected set of routes by a service provider, and then using the assigned attribute as the basis for creating exclusion routes. For example, AS1 may wish to preven~~ access to certain target addresses (e.g. addresses carrying pornographic content). Thus ASl and a service provider at AS2 may enter into an agreement according to wh_Lch AS2 will attach a predetermined private attribute (such as a community t:ag) to any update messages propagated from any of the target addresses. AS1 can then define an import po~.icy so that any update messages received from AS2 and bearing the predetermined local attribute will result in the creation of an exclusion route :LO 16 in the routing tab=_e RT1. As a result of this action, packets originating in AS1 and destined for any of the target addresses (e. g. to request a download of data) will be discarded by AS1, so that access to the target addresses by users of AS1 is pre~Tented.
L5 Example 2: Trafi:ic eng:_neering This example illustrates the use of exclusion routes for traffic engineering. In particular, AS1 may wish to use AS~? (via link R1) for outgoing traffic only, and AS3 (via link R2) for incoming traffic only. In this 20 case, AS1 can create a conventional default route 14 in routing table ftTl which identifies AS2 in the Next Hop attribute 10. Thus any packets originating on ASl and destined for routes outside to AS1 will be forwarded through link R1 to AS2 in an conventional manner.
25 AS1 can then use remote creation of an exclusion route to control incorr.ing traffic. In particular, AS1 can formulate and send an exclusion-type update message to AS2 identifying itself (P.Sl) in the Route attribute. This update message can then be used by AS2 to create an 30 exclusion route 16 in its routing table RT2 identifying 12509ROCAOlU 9-13528-114CA
AS1. As a result; any packets arriving at AS2 and destined for AS1 will be discarded, and consequently ASl will only receive packets from AS3, which is the desired result.
This operation may be enhanced by identifying link R1 in the Next Hop Interface 12 attribute of the update message sent by ASl to AS2. Consequently, the routing table RT2 can identii-y "AS1 through link R1" as the exclusion route 16. The packet forwarding algorithm running in AS2 may thEm recognize that AS1 is reachable through AS3, and thus :=orward packets arriving at AS2 and destined for AS1, through link R3 to AS3. Again, the desired result is obtained, in that ASl will only receive packets from AS3..
Example 3: Subscriber-specific service offering 1.5 As mentioned above, a service provider (e.g. at AS2 or AS3) can implement one virtual routes and an associated routing table fo:r each subscriber connection. This allows the service provider to implement exclusion routes on behalf of the subscriber.
As discu~;sed in Example 1 above, a service provider can assign privai:e attributes (such as a community tag) to a selected set o:f routes. This concept can be extended to enable a service provider to define a number of categories (e. g. based on content ~r some other attribute) and assign 2!~ a respective community t:ag to the members of each category.
A subscriber, would then be able to select (e.g. using an account management window accessed by the subscriber after logging into the service provider's server) any categories that they do not wish to access. This selection can then - 1~ _.
be used to define an import policy for a subscriber-specific virtual router (instantiated when the subscriber logs onto the system) such that any routes matching the selected categories arE: identified in the routing table as exclusion route;s.. As a result, packets originating from the subscriber and destined for any route matching one of the selected c:ategor_es will be discarded to thereby preclude access to tho:>e routes by the subscriber.
Because the subscriber's selection of restricted sites is implemented on a subscriber-specific virtual router that is instant:iated when the subscriber logs into the service provider's server, system resources required to implement this funcaion are minimized, and other subscribers are not affected. Furthermore, this functionality can be provided by the service provider even in cases where the subscriber is not capable of using BGP.
Thus it: will be seen that the present invention provides an Efficient technique for controlling the forwarding of connectionless traffic by a router.
The embodiments of the invention described above are intended t:o be exemplary only. The scope of the invention is therefore intended to be limited solely by the scope of the appended claims.
Claims (14)
1. A method of enabling efficient restriction of packet forwarding by a router having a forwarding table, the method comprising the steps of:
a) storing in the forwarding table information explicitly identifying an exclusion route to which packets may not be forwarded; and b) discarding any packet having a respective destination address corresponding to any exclusion route identified in the forwarding table.
a) storing in the forwarding table information explicitly identifying an exclusion route to which packets may not be forwarded; and b) discarding any packet having a respective destination address corresponding to any exclusion route identified in the forwarding table.
2. A method as claimed in claim 1, wherein each exclusion route is identified by a respective predetermined value of a selected field of the forwarding table
3. A method as claimed in claim 2, wherein the selected field is a "Next Hop" field.
4. A method as claimed in claim 3, wherein the predetermined value is a zero fill in each portion of the Next Hop field.
5. A method as claimed in claim 1, further comprising a step of storing in the forwarding table information explicitly identifying an inclusionary route to which packets may be forwarded.
6. A method as claimed in claim 5, wherein information identifying a single inclusionary route is stored as a default route in the forwarding table.
7. A method as claimed in claim 1, wherein the step of storing information explicitly identifying an exclusion route is performed in response to reception of an update message containing information identifying the exclusion route.
8. A method as claimed in claim 1, wherein the step of storing information explicitly identifying an exclusion route is performed in accordance with an import policy.
9. A method as claimed in claim 8, wherein the step of storing information explicitly identifying an exclusion route is performed in response to reception of an update message containing information identifying either one of an inclusionary route and an exclusion route.
10. A router for forwarding connectionless packet traffic through a network space, the router comprising a forwarding table adapted to store information explicitly identifying exclusion routes to which packets may not be forwarded.
11. A router as claimed in claim 10, wherein each exclusion route is identified by a respective predetermined value of a selected field of the forwarding table.
12. A router as claimed in claim 11, wherein the selected field is a "Next Hop" field.
13. A router as claimed in claim 12, wherein the predetermined value is a zero fill of the Next Hop field.
14. A router as claimed in claim 10, further comprising means for discarding any packet having a destination address corresponding to an exclusion route.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA002308697A CA2308697A1 (en) | 2000-05-15 | 2000-05-15 | Exclusion routes in border gateway protocol (bgp) routers |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA002308697A CA2308697A1 (en) | 2000-05-15 | 2000-05-15 | Exclusion routes in border gateway protocol (bgp) routers |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA2308697A1 true CA2308697A1 (en) | 2001-11-15 |
Family
ID=4166169
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002308697A Abandoned CA2308697A1 (en) | 2000-05-15 | 2000-05-15 | Exclusion routes in border gateway protocol (bgp) routers |
Country Status (1)
| Country | Link |
|---|---|
| CA (1) | CA2308697A1 (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2004084517A1 (en) * | 2003-03-20 | 2004-09-30 | Telefonaktiebolaget Lm Ericsson (Publ) | Data unit transmission method and device |
| US7554949B2 (en) | 2002-11-11 | 2009-06-30 | Orange S.A. | Filtering data packets at a network gateway working as a service-based policy (sblp) enforcement point |
| CN110380968A (en) * | 2019-07-08 | 2019-10-25 | 新华三信息安全技术有限公司 | A kind of method and device of Message processing |
-
2000
- 2000-05-15 CA CA002308697A patent/CA2308697A1/en not_active Abandoned
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7554949B2 (en) | 2002-11-11 | 2009-06-30 | Orange S.A. | Filtering data packets at a network gateway working as a service-based policy (sblp) enforcement point |
| WO2004084517A1 (en) * | 2003-03-20 | 2004-09-30 | Telefonaktiebolaget Lm Ericsson (Publ) | Data unit transmission method and device |
| CN110380968A (en) * | 2019-07-08 | 2019-10-25 | 新华三信息安全技术有限公司 | A kind of method and device of Message processing |
| CN110380968B (en) * | 2019-07-08 | 2021-08-27 | 新华三信息安全技术有限公司 | Message processing method and device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7773596B1 (en) | Distribution of traffic flow criteria | |
| US7831733B2 (en) | Policy-based forwarding in open shortest path first (OSPF) networks | |
| US7756998B2 (en) | Managing L3 VPN virtual routing tables | |
| US7477642B2 (en) | MPLS traffic engineering for point-to-multipoint label switched paths | |
| US7283529B2 (en) | Method and system for supporting a dedicated label switched path for a virtual private network over a label switched communication network | |
| US8599685B2 (en) | Snooping of on-path IP reservation protocols for layer 2 nodes | |
| US7639688B2 (en) | Automatic protection of an SP infrastructure against exterior traffic | |
| US6584500B1 (en) | Data routing in a communication network | |
| US7388840B2 (en) | Methods and apparatuses for route management on a networking control plane | |
| US20060227758A1 (en) | Apparatus and method creating virtual routing domains in an internet protocol network | |
| EP2541866A1 (en) | Management schemes for filter sets | |
| EP1816789B1 (en) | A method and system for controlling the selection of the transmitting path for the media flow in the next generation network | |
| US8542580B2 (en) | Method and system for transporting service flow securely in an IP network | |
| US20030162499A1 (en) | Methods and arrangements in telecommunications system | |
| JP2002530939A (en) | How to Manage Internet Protocol Connection Oriented Services | |
| US20060114904A1 (en) | Differentiated services multicast system and method using encapsulation and unicast | |
| KR101155386B1 (en) | Devices and methods for routing a unit of data in a network | |
| US7647425B2 (en) | Efficient intra-domain routing in packet-switched networks | |
| US20040133700A1 (en) | Multiprotocol label switching label distribution method, a related first multiprotocol label switching network element and a related second multiprotocol label switching network element | |
| CA2308697A1 (en) | Exclusion routes in border gateway protocol (bgp) routers | |
| Hoogendoorn et al. | Towards carrier-grade next generation networks | |
| Cisco | Configuring IP Routing Protocol-Independent Features | |
| Cisco | IP Routing Protocol-Independent Commands: redistribute (IP) Through traffic-share min | |
| EP1185029B1 (en) | Service deployment in data networks | |
| KR100519166B1 (en) | Method for Echo Requesting in ATM MPLS VPN Network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FZDE | Discontinued |