Impact of Prefix-Match Changes on IP Reachability
Yaping Zhu, Princeton University
with: Jennifer Rexford (Princeton University), Subhabrata Sen and Aman Shaikh (AT&T Labs-Research)
BGP and Prefix-Match Changes
• BGP updates are based on prefixes
• An IP address can be covered by multiple prefixes
  – Caused by prefix nesting
  – E.g. IP 128.112.0.0 can be covered by two prefixes: 128.112.0.0/16 and 128.112.0.0/24
• Longest prefix-match (LPM) determines forwarding
• LPM for a given destination IP address may change over time
Prefix Nesting: Load Balancing and Backup Route
• IP addresses are allocated hierarchically from registries
• Providers allocate subnets to their customers
• Multi-homed customers divide their address block for:
  – Load balancing (more-specific prefix)
  – Backup route (less-specific prefix)
[Figure: a Customer connected to Provider A and Provider B; route labels 15.0.0.0/17, 15.0.128.0/17, 15.0.0.0/16, and 15.0.0.0/16 (backup) shown twice]
Prefix Nesting: Protect from Prefix Hijacking
• Prefix hijacking
  – Announcement of prefix from an AS that does not own the prefix
• Protect from prefix hijacking by leveraging LPM
  – Announce more-specific prefixes
[Figure: AT&T, Princeton, Local ISP, Comcast and IBM; labels 12.0.0.0/8 (twice), "Prefix hijacking", 12.0.0.0/9 and 12.128.0.0/9]
Why Study Prefix-Match Changes?
• Even if the most-specific route is withdrawn…
  – Packets can be delivered using a less-specific route
[Figure: a Customer connected to Provider A and Provider B; route labels 15.0.0.0/17, 15.0.128.0/17, 15.0.0.0/16, and 15.0.0.0/16 (backup) shown twice]
Why Study Prefix-Match Changes?
• Network troubleshooting
  – Given an IP packet from a specific place at a specific time, what is the route it traversed to reach the destination?
  – Reachability and performance problems along the route
  – Route determined by LPM and changes to it
[Figure: AT&T, Princeton, Local ISP, Comcast and IBM; labels 128.112.0.0/16 and 128.112.0.0/24, each shown twice]
Algorithm: Tracking of Prefix-Match Changes
• Input:
  – Start time and end time
  – BGP route table (at start time)
  – BGP updates (from start time to end time)
  – List of IP addresses
• Output:
  – LPM changes for all IP addresses over time
• Example:
  – For IP addresses 12.0.0.0-12.0.255.255
  – At start time, LPM /16
  – At t1 /16 withdrawn, LPM /8 (less-specific)
  – At t2 /16 announcement, LPM /16 (more-specific)
Algorithm: Tracking of Prefix-Match Changes
• Scalability challenge
• Prefix set: all matching prefixes for a given IP address
• Address range: contiguous addresses that have the same prefix set (and same LPM)
• Track changes of address ranges and their prefix sets
[Figure: address ranges inside 12/8 when 12/16 is also present]
IPs                          Prefix Set      LPM
12.0.0.0 - 12.0.255.255      { /8, /16 }     /16
12.1.0.0 - 12.255.255.255    { /8 }          /8
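The tracking algorithm from the two slides above, as an added Python sketch (not code from the original talk). It assumes IPv4 only and updates given as hypothetical (time, "A" or "W", prefix) tuples; the function names are chosen here, and the t3 withdrawal goes beyond the slide's example to show an address range splitting.

```python
import ipaddress

def lpm(table, addr):
    """Longest prefix in `table` covering integer address `addr`, else None."""
    hits = [p for p in table
            if int(p.network_address) <= addr <= int(p.broadcast_address)]
    return max(hits, key=lambda p: p.prefixlen, default=None)

def ranges_within(prefix, table):
    """Split `prefix` into ranges whose addresses share one prefix set."""
    cuts = {int(prefix.network_address), int(prefix.broadcast_address) + 1}
    for p in table:
        if p != prefix and p.subnet_of(prefix):  # nested more-specific
            cuts |= {int(p.network_address), int(p.broadcast_address) + 1}
    edges = sorted(cuts)
    return [(lo, hi - 1) for lo, hi in zip(edges, edges[1:])]

def classify(old, new):
    if old is None:
        return "gain reachability"
    if new is None:
        return "lose reachability"
    return "more-specific" if new.prefixlen > old.prefixlen else "less-specific"

def label(p):
    return None if p is None else str(p)

def track(start_table, updates):
    """Replay (time, 'A' or 'W', prefix) updates; list LPM changes per range."""
    table = {ipaddress.ip_network(p) for p in start_table}
    events = []
    for t, action, text in updates:
        prefix = ipaddress.ip_network(text)
        after = table | {prefix} if action == "A" else table - {prefix}
        # Only addresses inside the updated prefix can change their LPM.
        for lo, hi in ranges_within(prefix, table | after):
            old, new = lpm(table, lo), lpm(after, lo)
            if old != new:
                span = f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}"
                events.append((t, span, label(old), label(new), classify(old, new)))
        table = after
    return events

# Constructed input: t1 and t2 follow the slide's example; t3 is added here.
TABLE = ["12.0.0.0/8", "12.0.0.0/16"]
UPDATES = [("t1", "W", "12.0.0.0/16"), ("t2", "A", "12.0.0.0/16"),
           ("t3", "W", "12.0.0.0/8")]
for event in track(TABLE, UPDATES):
    print(event)
```

At t3 only 12.1.0.0-12.255.255.255 loses reachability, because the /16 still covers the first range. Updates that re-announce an existing prefix produce no event, which corresponds to the "prefix-match unchanged" case.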
Static Analysis of Prefix Nesting
• 24% of IP addresses are covered by multiple prefixes
• BGP routing table dump collected on Feb 09 2009, 00:00:00 from one Route Reflector in AS 7018
Dynamic Analysis of Prefix-Match Changes
• BGP updates collected in Feb09 from one Route Reflector in AS 7018

Category                                    | %Upd        | Possible Explanations
Prefix-match unchanged                      | 69.5%       | Route change
Gain reachability                           | 7.4%        | New prefix announcement
Lose reachability                           | 7.4%        | Existing prefix withdrawal
More-specific prefix / Less-specific prefix | 6.5% / 6.5% | new customer route, sub-prefix hijacking, route leak; Load balancing, failover to backup route
Example: Destinations Remain Reachable after a BGP Withdrawal
• BGP prefix-match changes
  – The IP addresses change from /20 to /17 prefix for about half an hour on February 18, 2009.
  – Only analyzing the BGP routes is not enough
• Joint analysis with Netflow traffic data
  – The IP address range continued receiving the same amount of traffic
  – Traffic volume at 5-minute intervals collected using Netflow
• Destinations remain reachable via less-specific prefix
Conclusion
• Understanding the impact of prefix-match changes
  – IP reachability
  – Network troubleshooting
• Algorithm for tracking prefix-match changes
• Static analysis of prefix nesting
  – 24% of IP addresses are covered by multiple prefixes
• Dynamic analysis of prefix-match changes
  – 13% of BGP updates cause prefix-match changes
Thanks!
• Questions?