Loopback Filter with Truman Boyes

Truman Boyes on Data Centers, Routing, Switching, Consulting, and Traveling.

Browsing Posts in routing

Sooner or later enterprises will reach a point where EIGRP is no longer appropriate as the routing protocol of choice for the IGP. This is sometimes due to the buggy nature of EIGRP (stuck-in-active issues), the lack of traffic engineering capabilities, or the fact that the protocol is proprietary to Cisco and the enterprise is looking for more flexibility in vendor choice. So if not EIGRP, then what? Well, there are pretty much just two other choices available when choosing an IGP: OSPF or ISIS.

I was trying out Dynamips to see how well it performs on the MBP, so I scraped together a little example of how to migrate a very small EIGRP network to OSPF. The basic premise is to first gather details about the topology and understand how, or whether, OSPF will fulfill the functionality of the existing EIGRP network. EIGRP and OSPF are very different in nature, so some EIGRP concepts will not carry over to OSPF directly, and the same is true in the reverse direction. While OSPF has the concept of areas, which provides a method of hierarchy, EIGRP doesn’t exactly have this concept, although it can be configured in a way that creates something similar. In other words, a Toyota is not exactly a Lexus even if they share a lot of the same functionality and parts.

The topology for this lab looks like this:

The relevant routing configurations with only EIGRP enabled (i.e. the status quo) look like this:
R1:

router eigrp 1
redistribute connected
redistribute static
network 20.20.20.0 0.0.0.255
auto-summary
!
no ip http server
!
ip route 10.10.10.1 255.255.255.255 Null0
ip route 10.10.10.2 255.255.255.255 Null0
ip route 10.10.10.3 255.255.255.255 Null0

R2:

router eigrp 1
redistribute connected
redistribute static
network 20.20.20.0 0.0.0.255
auto-summary
!
no ip http server
!
ip route 10.10.20.1 255.255.255.255 Null0
ip route 10.10.20.2 255.255.255.255 Null0
ip route 10.10.20.3 255.255.255.255 Null0

R3:

router eigrp 1
redistribute connected
redistribute static
network 20.20.20.0 0.0.0.255
network 30.30.30.0 0.0.0.255
no auto-summary
!
no ip http server
!
ip route 10.10.30.1 255.255.255.255 Null0
ip route 10.10.30.2 255.255.255.255 Null0
ip route 10.10.30.3 255.255.255.255 Null0

The connected and static routes are redistributed into EIGRP; these show up as external EIGRP routes (D EX). Here is an example:

R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

100.0.0.0/32 is subnetted, 3 subnets
D EX 100.100.100.1 [170/2297856] via 20.20.20.5, 05:15:50, Serial2/0
D EX 100.100.100.2 [170/2297856] via 20.20.20.9, 05:15:59, Serial1/1
C 100.100.100.3 is directly connected, Loopback0
20.0.0.0/30 is subnetted, 3 subnets
C 20.20.20.4 is directly connected, Serial2/0
D 20.20.20.0 [90/2681856] via 20.20.20.9, 05:16:37, Serial1/1
[90/2681856] via 20.20.20.5, 05:16:37, Serial2/0
C 20.20.20.8 is directly connected, Serial1/1
10.0.0.0/32 is subnetted, 9 subnets
D EX 10.10.10.2 [170/2169856] via 20.20.20.5, 05:13:56, Serial2/0
D EX 10.10.10.3 [170/2169856] via 20.20.20.5, 05:13:53, Serial2/0
D EX 10.10.10.1 [170/2169856] via 20.20.20.5, 05:13:59, Serial2/0
D EX 10.10.20.1 [170/2169856] via 20.20.20.9, 05:14:24, Serial1/1
D EX 10.10.20.2 [170/2169856] via 20.20.20.9, 05:14:22, Serial1/1
D EX 10.10.20.3 [170/2169856] via 20.20.20.9, 05:14:19, Serial1/1
S 10.10.30.2 is directly connected, Null0
S 10.10.30.3 is directly connected, Null0
S 10.10.30.1 is directly connected, Null0

If we just turned on OSPF right now on R1, R2, and R3, the routers would choose some routes via OSPF and some via EIGRP. Why would this happen? Because internal EIGRP routes have an administrative distance of 90, external EIGRP routes have a distance of 170, and OSPF has a distance of 110, so OSPF would win over the external EIGRP routes but lose to the internal ones. What we want to do is turn on OSPF without disturbing the actual forwarding or routing tables; then, once we are ready, we can flick the switch to move over to OSPF.

Let’s first set up OSPF in a very simple single-area configuration on all interfaces.

router ospf 1
log-adjacency-changes
redistribute connected subnets
redistribute static subnets
network 20.20.20.0 0.0.0.255 area 0
distance 255

Note that we set the distance to '255', which is the highest administrative distance you can set in IOS; routes with a distance of 255 are never installed, so the EIGRP routes stay in place. Let’s take a look at the OSPF database to make sure it has the information we need to populate the routing table:

R3#show ip ospf database

OSPF Router with ID (100.100.100.3) (Process ID 1)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count
100.100.100.1 100.100.100.1 87 0x80000003 0x0071DF 4
100.100.100.2 100.100.100.2 106 0x80000002 0x00F750 4
100.100.100.3 100.100.100.3 168 0x80000004 0x00122A 4

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag
10.10.10.1 100.100.100.1 76 0x80000001 0x00054E 0
10.10.10.2 100.100.100.1 76 0x80000001 0x00FA57 0
10.10.10.3 100.100.100.1 76 0x80000001 0x00F060 0
10.10.20.1 100.100.100.2 96 0x80000001 0x0090B7 0
10.10.20.2 100.100.100.2 96 0x80000001 0x0086C0 0
10.10.20.3 100.100.100.2 96 0x80000001 0x007CC9 0
10.10.30.1 100.100.100.3 134 0x80000001 0x001C21 0
10.10.30.2 100.100.100.3 134 0x80000001 0x00122A 0
10.10.30.3 100.100.100.3 134 0x80000001 0x000833 0
100.100.100.1 100.100.100.1 86 0x80000001 0x0050F3 0
100.100.100.2 100.100.100.2 106 0x80000001 0x004002 0
100.100.100.3 100.100.100.3 152 0x80000001 0x003010 0

Great! As you can see, we have all the external LSAs and router LSAs that we need. Now let’s make the switch to OSPF on each router, starting with R3. We will keep EIGRP running just in case something goes wrong, but we will prefer OSPF routes by lowering the administrative distance to '85', which is less than both the internal (90) and external (170) EIGRP distances.

router ospf 1
log-adjacency-changes
redistribute connected subnets
redistribute static subnets
network 20.20.20.0 0.0.0.255 area 0
distance 85

Then we check the routing table:

R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

100.0.0.0/32 is subnetted, 3 subnets
O E2 100.100.100.1 [85/20] via 20.20.20.5, 00:00:38, Serial2/0
O E2 100.100.100.2 [85/20] via 20.20.20.9, 00:00:38, Serial1/1
C 100.100.100.3 is directly connected, Loopback0
20.0.0.0/30 is subnetted, 3 subnets
C 20.20.20.4 is directly connected, Serial2/0
O 20.20.20.0 [85/128] via 20.20.20.9, 00:00:38, Serial1/1
[85/128] via 20.20.20.5, 00:00:38, Serial2/0
C 20.20.20.8 is directly connected, Serial1/1
10.0.0.0/32 is subnetted, 9 subnets
O E2 10.10.10.2 [85/20] via 20.20.20.5, 00:00:38, Serial2/0
O E2 10.10.10.3 [85/20] via 20.20.20.5, 00:00:38, Serial2/0
O E2 10.10.10.1 [85/20] via 20.20.20.5, 00:00:38, Serial2/0
O E2 10.10.20.1 [85/20] via 20.20.20.9, 00:00:38, Serial1/1
O E2 10.10.20.2 [85/20] via 20.20.20.9, 00:00:38, Serial1/1
O E2 10.10.20.3 [85/20] via 20.20.20.9, 00:00:38, Serial1/1
S 10.10.30.2 is directly connected, Null0
S 10.10.30.3 is directly connected, Null0
S 10.10.30.1 is directly connected, Null0

Awesome! Now we just go to each router, perform the same change, and then remove EIGRP once everything is working fine with OSPF. With the entire network running OSPF, you can then delete the admin distance for OSPF, thus letting it go back to its default value of '90'.
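A check I would want to run before removing EIGRP, written as an added example that is not part of the post: it parses the before and after show ip route captures from R3 above and reports any prefix that vanished, any prefix whose next-hop set changed, and any prefix still learned via EIGRP. The route text is a trimmed excerpt of R3's tables, embedded here as constructed test input.

```python
import re

# Trimmed excerpts of the two 'show ip route' captures on R3 from the post, taken
# before and after lowering the OSPF distance to 85 (constructed test input).
BEFORE = """\
D EX 100.100.100.1 [170/2297856] via 20.20.20.5, 05:15:50, Serial2/0
C 100.100.100.3 is directly connected, Loopback0
C 20.20.20.4 is directly connected, Serial2/0
D 20.20.20.0 [90/2681856] via 20.20.20.9, 05:16:37, Serial1/1
  [90/2681856] via 20.20.20.5, 05:16:37, Serial2/0
C 20.20.20.8 is directly connected, Serial1/1
D EX 10.10.10.1 [170/2169856] via 20.20.20.5, 05:13:59, Serial2/0
S 10.10.30.1 is directly connected, Null0
"""
AFTER = """\
O E2 100.100.100.1 [85/20] via 20.20.20.5, 00:00:38, Serial2/0
C 100.100.100.3 is directly connected, Loopback0
C 20.20.20.4 is directly connected, Serial2/0
O 20.20.20.0 [85/128] via 20.20.20.9, 00:00:38, Serial1/1
  [85/128] via 20.20.20.5, 00:00:38, Serial2/0
C 20.20.20.8 is directly connected, Serial1/1
O E2 10.10.10.1 [85/20] via 20.20.20.5, 00:00:38, Serial2/0
S 10.10.30.1 is directly connected, Null0
"""
# An IOS route line is: code(s), prefix, then "[AD/metric] via next-hop" or
# "is directly connected, Interface"; indented lines add further ECMP next hops.
ROUTE = re.compile(
    r"^(?P<code>[A-Z*]{1,2}(?:\s+[A-Z][A-Z0-9])?)\s+(?P<prefix>\d+(?:\.\d+){3})\s+"
    r"(?:\[(?P<ad>\d+)/\d+\] via (?P<nh>\d+(?:\.\d+){3})|is directly connected, (?P<intf>\S+))")
CONT = re.compile(r"^\s*\[(?P<ad>\d+)/\d+\] via (?P<nh>\d+(?:\.\d+){3})")

def parse_routes(text):
    """Return {prefix: (protocol code, admin distance, frozenset of next hops or interfaces)}."""
    table, last = {}, None
    for line in text.splitlines():
        m = ROUTE.match(line)
        if m:
            last = m.group("prefix")
            ad = int(m.group("ad")) if m.group("ad") else 0  # connected/static shown as 0
            table[last] = [" ".join(m.group("code").split()), ad, {m.group("nh") or m.group("intf")}]
            continue
        m = CONT.match(line)
        if m and last:
            table[last][2].add(m.group("nh"))
    return {p: (c, ad, frozenset(n)) for p, (c, ad, n) in table.items()}

def migration_check(before, after):
    """Three lists that should all be empty before EIGRP is removed: prefixes that vanished,
    prefixes whose next-hop set changed, and prefixes still learned via EIGRP (code D / D EX)."""
    b, a = parse_routes(before), parse_routes(after)
    missing = sorted(set(b) - set(a))
    changed = sorted(p for p in b if p in a and b[p][2] != a[p][2])
    eigrp = sorted(p for p, (code, _, _) in a.items() if code.startswith("D"))
    return missing, changed, eigrp
```

A bare protocol change from D to O with the same next hops is the intended result and is not reported; anything else is a reason not to pull EIGRP yet.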

Finally got around to enabling IPv6 on Postfix for suspicious.org. For the longest time the IPv6 tunnel was up to Hurricane Electric, and yet aside from ping6, traceroute6, and the web server, we weren’t really using production IPv6 services. I think the real killer app on the Internet is still email, even if it pales in comparison to the bandwidth of p2p traffic flows; without email being seamlessly carried over IPv6 networks, we don’t have a chance in hell of converting the masses to the new protocol. My main goal is to provide all the same services on IPv6 as we do on IPv4, and then when I have some time I will set up some v6-only services that create an incentive for the switch.

Postfix is now fully IPv6 enabled. Our main box, inanna, is running Linux and we have SIT interfaces for the IP-IP tunnels back to the tunnel brokers. If Speakeasy starts providing native IPv6 services I would easily switch over to a dual-stack setup with them; in the meantime the tunnel broker service is in NYC and the round-trip time is less than 15ms from our box. Not too bad.

Setting up Postfix for IPv6 is as simple as this statement in main.cf:

inet_protocols = ipv4,ipv6

The hard part after setting this up and restarting Postfix is finding an IPv6 SMTP server on the Internet. I would love to see some stats about reachable IPv6 SMTP servers, because most of the sites I checked that even talked about IPv6 did not turn up an IPv6 SMTP server. That being said, after some digging I found that the Pittsburgh Supercomputing Center (psc.edu) has IPv6-enabled MTAs, so I sent mail to some random addresses at their server and hoped for a bounce message with some information indicating the message was sent via IPv6:

<test@psc.edu>: host mailer1.psc.edu[2001:5e8:1:3a::64] said: 550 5.1.1
<test@psc.edu>... User unknown (in reply to RCPT TO command)
Reporting-MTA: dns; dns.suspicious.org
X-Postfix-Queue-ID: 68F217CE4
X-Postfix-Sender: rfc822; truman@suspicious[nospam].org
Arrival-Date: Sat, 24 May 2008 04:16:10 -0400 (EDT)

Final-Recipient: rfc822; test@psc.edu
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mailer1.psc.edu[2001:5e8:1:3a::64] said: 550
5.1.1 <test@psc.edu>... User unknown (in reply to RCPT TO command)

Then I wanted to verify that the outbound message from our MTA to their MTA was sent via IPv6; to do this I just checked the logs:

[root @ inanna : /etc/postfix]>grep smtp /var/log/maillog | grep "\[2001"
May 25 00:24:57 inanna postfix/smtp[8108]: 6781615C6B: to=<test@psc.edu>, relay=mailer1.psc.edu[2001:5e8:1:3a::64], delay=2, status=bounced (host mailer1.psc.edu[2001:5e8:1:3a::64] said: 550 5.1.1 <test@psc.edu>... User unknown (in reply to RCPT TO command))

I haven’t yet tested inbound IPv6 to our MTA, but I presume it is working because I have set up both A and AAAA records for the hosts named in the MX records for our domains. Subscribing to a mailing list that uses IPv6 MTAs should be a good test.

A security article on scam and cyberfraud stated:

Companies such as McAfee, of course, are on the front lines in the fight against organized cyber crime. CEO and president Dave DeWalt outlined the latest trends for eChannel Line and other sites and publications last month. The company sees an “alarming” increase in the amount and sophistication of malware and says there have been increasingly sophisticated attacks on government departments and corporations. He said these targets are beginning to tackle cyber security in the same way they traditionally protect physical assets. The emergence of IPv6, DeWalt said, is worrisome because its sophistication creates more vulnerabilities.

What exactly are these IPv6 vulnerabilities that DeWalt is referring to? And furthermore, how are these attacks more sophisticated than the plethora of IPv4 attacks (packet modification, cross-site scripting, buffer overflows, etc.) that continue to increase in sophistication? When it comes to IPv6 there are some concerns; however, given the number of hosts connected today, I would argue that the number of attacks relative to the number of machines on IPv6 networks is still quite low. Attacks are generally directed at applications, either on servers or clients, and the number of active IPv6 applications is quite low. The most blatant issue that will affect security in organizations is the use of tunnels (whether IPv4 or IPv6), because the security perimeter is loosely compromised when such a tunnel originates on a client workstation or local router and bridges another domain into this one.
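The tunnel concern above in code, as an added example that is not part of the post: a small inspector that looks inside protocol-41 (6in4/SIT) packets and flags tunnels terminating on inside hosts that are not sanctioned tunnel endpoints, which is how a workstation-originated tunnel shows up at the IPv4 perimeter. The packet bytes, the 192.0.2.0/24 inside network and the approved endpoint 192.0.2.1 are constructed for the example.

```python
import ipaddress
import struct

PROTO_6IN4 = 41  # IP protocol number for IPv6 encapsulated in IPv4 (SIT / 6in4 tunnels)

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; builds test input, not real traffic)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ipv6_packet(src, dst, next_header=58):
    """Bare 40-byte IPv6 header with no payload (next header 58 = ICMPv6)."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def inspect_ipv4(packet):
    """None for an ordinary IPv4 packet; otherwise the outer endpoints plus the
    addresses and next header of the IPv6 packet hidden inside the 6in4 wrapper."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if packet[9] != PROTO_6IN4:
        return None
    info = {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20]))}
    inner = packet[(packet[0] & 0x0F) * 4:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        info["inner"] = "malformed"  # still worth flagging: protocol 41 with garbage inside
        return info
    _, _, nxt, _, src, dst = struct.unpack("!IHBB16s16s", inner[:40])
    info.update(inner_src=str(ipaddress.IPv6Address(src)),
                inner_dst=str(ipaddress.IPv6Address(dst)), inner_next_header=nxt)
    return info

def rogue_tunnels(packets, inside_net, approved_endpoints):
    """6in4 packets that touch an inside IPv4 address which is not a sanctioned tunnel
    endpoint, i.e. a workstation or branch router bridging IPv6 past the IPv4 perimeter."""
    net = ipaddress.ip_network(inside_net)
    hits = []
    for pkt in packets:
        info = inspect_ipv4(pkt)
        if info is None:
            continue
        ends = {e for e in (info["outer_src"], info["outer_dst"]) if ipaddress.ip_address(e) in net}
        if ends - set(approved_endpoints):
            hits.append(info)
    return hits

# Constructed sample: 192.0.2.0/24 is the inside network, 192.0.2.1 the sanctioned
# tunnel router. Packet 2 is a workstation running its own tunnel to an outside broker.
INSIDE_NET, APPROVED = "192.0.2.0/24", {"192.0.2.1"}
SAMPLE = [
    ipv4_header(6, "192.0.2.10", "198.51.100.7", 0),
    ipv4_header(41, "192.0.2.10", "203.0.113.1", 40) + ipv6_packet("2001:db8:1::10", "2001:db8:2::1"),
    ipv4_header(41, "192.0.2.1", "203.0.113.1", 40) + ipv6_packet("2001:db8:1::1", "2001:db8:2::1"),
]
```

The inner addresses and next header are what a perimeter policy needs to apply to the tunnelled traffic; the outer endpoints alone only tell you that a tunnel exists.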

I was surprised when I read through a marketing, press-release-style write-up about networking company Accedian Networks and their Zero-Latency shaping solution or technology; the content of the article lacked anything digestible that actually presented something new to the market. The article claimed that the technology did two things:

  • Zero Latency
  • The ability to treat a real-time class of traffic with no shaping delay

So effectively this is an expedited-forwarding class with strict priority, is it not? Routing vendors, and even open-source firewalls like PF and IPFW on the various BSDs, allow the creation of low-latency queues, some with infinite weight in the scheduler. Zero latency? That seems like a pretty drastic claim, since the fastest any device is capable of forwarding is light speed, and conventional networking technologies today scale up to 40Gbps (OC-768) serialization rates. Even with store-and-forward removed, and ASICs or FPGAs set up to allow optical-electrical-optical forwarding with a classification system that can classify based on particular ToS settings, it is still a bit much to claim zero latency.

What they may be able to do is create a real-time forwarding class that (possibly) does not queue and is treated as strict priority, i.e. the most latency would be a single packet that is at the head of the line. Otherwise, I can’t see how this would even be possible. Any interface type, regardless of technology, will still have a constant service rate. If the offered rate to the interface is greater than that service rate, then the interface will need to queue or drop traffic.


Broadband Network Architectures

Our book (BNA) is apparently doing quite well. I just found it on Target.com: http://tinyurl.com/yulxzb; and as of today we are #4 on Amazon in the category Books: Professional and Technical: Engineering: Telecommunications: Networks.

scu/dcu


Been working with source-class-usage and destination-class-usage (SCU/DCU) for some recent project work; it is pretty cool what you can do with JUNOS policy to accomplish some complex data accounting based on pretty much anything. For example, it is possible to tag particular routes with BGP communities, then create source-class or destination-class usage datasets when traffic either comes from those prefixes or is destined to them, or get data for both directions.

Also, I’ve been hacking away on some IPv6 accounting with SCU/DCU; found an issue or two but still working through it.

back from akl


Went up to Auckland today on AirNZ; next time I should use Google Maps to find exactly where the destination is. I paid a $25 cab fee to take me 5 minutes away (flat rate from the airport) to a logistics depot. The purpose of the visit: check out some M10i’s that were dropped by a freight carrier. They were all good, so I headed down to Wellington.

The AirNZ Koru Club in the domestic terminal of Auckland is actually really nice. I was surprised because I have had some horrific service from AirNZ, but the place was a real treat, and it actually served as my lunch, as I had worked through my normal lunch time.

Tomorrow, meetings in Australia, then spending the weekend kicking around Sydney. Maybe we can book a trip on the Darling Harbour Bridge for the bridge walk. I hope to do something exciting …

On another thought of the day: it is possible to run IPsec SAs in transport mode to protect OSPFv2. Impossible, you say? OSPFv2 only supports no authentication, plain-text passwords, and MD5? Sure, but on JUNOS you can also use IPsec in a proprietary manner, and it even works on broadcast links, sham links, etc. The cool part of this feature is that with pre-shared keys on the core routers running OSPF with IPsec, you are not vulnerable to MD5 collisions and the data is actually encrypted, not just hashed.

Logical routers are really amazing. I was able to build up a whole 13-router MPLS domain with a few route reflectors and keep all of this inside a single M10. The best part about logical routers is that each logical router is a separate rpd task, so if one were to crash for some reason, the other routers would continue working.

Tomorrow a few meetings, some more coding as I start templating some JUNOS configurations, and also a look at scaling up a large inter-provider Option B/C setup. Then a flight over to Australia on Friday, and then hopefully the weekend in Sydney.

Today a co-worker asked me about setting up the appropriate remote-gateway field in IPsec for the SA with OSPFv3 on JUNOS. Upon looking a bit deeper at this configuration, it appears that OSPFv3 with IPsec is used for securing virtual links; it is not the same as the functionality that MD5 provides for OSPFv2 on broadcast links. Interesting; I think this is all the more reason to run ISIS as your IGP ;)

The relevant link: http://www.juniper.net/techpubs/software/junos/junos76/feature-guide-76/html/fg-ipsec30.html#1084093

Well, another thing to truly consider is running OSPFv2 only for traffic engineering and advertising links and loopbacks, and then implementing 6PE on top as an MPLS overlay.