Hello, my name is Alexander Azimov. At Yandex I develop various monitoring systems and the architecture of the transport network. But today I will talk about the BGP protocol.
XNUMX weeks ago, Yandex enabled ROV (Route Origin Validation) on the interfaces with all of its peering partners and at traffic exchange points. Read on for why this was done and how it affects interaction with telecom operators.
BGP and what is wrong with it
You probably know that BGP was designed as an inter-domain routing protocol. But along the way the number of use cases has grown considerably: thanks to numerous extensions, BGP has turned into a message bus that covers tasks from operator VPNs to the now fashionable SD-WAN, and it has even found use as a transport for SDN-like controllers, turning the distance-vector BGP into something resembling a link-state protocol.
Figure 1. BGP SAFI
Why has BGP received (and continues to receive) so many uses? There are XNUMX main reasons:
- BGP is the only protocol that works between autonomous systems (AS).
- BGP supports attributes in TLV (type-length-value) format. Yes, it is not the only such protocol, but since there is no alternative to it at the junction points between telecom operators, it always turns out to be more useful to attach yet another functional element to it than to support an additional routing protocol.
So what is wrong with it? The protocol has no built-in mechanism for checking the correctness of the information it receives. In other words, BGP is an a-priori-trust protocol: if you want to tell the world that you now own the network of Rostelecom, MTS or Yandex, go right ahead!
IRRDB-based filters: the best of the worst
A question arises: why does the Internet work at all under such conditions? Yes, it works most of the time, but at the same time it periodically blows up, making entire national segments unreachable. Hacker activity in BGP is also growing, but most anomalies are still caused by mistakes. This year's example:
Figure 2. Interception of Cloudflare traffic
But why do such anomalies happen once every six months rather than every day? Because telecom operators use external databases of routing information to verify what they receive from their BGP neighbours. There are many such databases: some are maintained by the registries (RIPE, APNIC, ARIN, AFRINIC), some by independent players (the best known is RADB), and there is a whole set of registries owned by large companies (Level 3, NTT and others). It is thanks to these databases that inter-domain routing stays relatively stable.
But there are nuances. Routing information is checked on the basis of ROUTE-OBJECTS and AS-SET objects. And while the first class does imply authorization in some of the IRRDBs, the XNUMXth class has no authorization at all as a class. That is, anyone can add anyone to their set and thereby bypass the filters of upstream providers. Moreover, uniqueness of AS-SET names across different IRR databases is not guaranteed, which can produce the surprising effect of an operator that changed nothing suddenly losing connectivity.
A further problem is the usage pattern of AS-SETs. There are XNUMX points here:
- When an operator gets a new client, it adds the client to its AS-SET, but it almost never removes anyone.
- The filters themselves are configured only on interfaces with clients.
As a result, the current state of BGP filtering consists of gradually degrading filters on interfaces with clients and a-priori trust in whatever comes from peering partners and IP transit providers.
What will replace AS-SET-based prefix filters? The most interesting thing is that in the short term, nothing. But additional mechanisms are appearing that complement the work of IRRDB-based filters, and first of all this is, of course, RPKI.
RPKI
Simplified, the RPKI architecture can be thought of as a distributed database whose records can be verified cryptographically. In the case of ROA (Route Origin Authorization), the signer is the owner of the address space, and the record itself is the triple (prefix, asn, max_length). Essentially the entry states the following: the owner of the address space $prefix allows AS number $asn to advertise prefixes of length no greater than $max_length. Using an RPKI cache, a router can check the pair prefix / first speaker on the path (the origin AS) against this database.
Figure 3. RPKI architecture
ROA objects were standardized quite a long time ago, but in practice until recently they remained only on the pages of IETF journals. In my opinion the reason sounds frightening: bad marketing. After standardization was complete, the incentive offered was that ROA protects against BGP hijacks, and this was not true: an attacker can easily bypass ROA-based filters by putting the correct AS number at the beginning of the path. And as soon as this was realized, the next logical step was to abandon the use of ROA. Indeed, why would anyone need a technology that does not work?
Why has the time come to change one's mind? Because this is not the whole truth. ROA does not protect against hacker activity in BGP, but it does protect against accidental traffic hijacks, for example those caused by static BGP leaks, which are becoming common. And unlike IRR-based filters, ROV can be used not only on interfaces with clients, but also on interfaces with peers and upstream providers. In other words, with the introduction of RPKI, BGP is gradually losing its a-priori trust.
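To make the ROA triple and the route check concrete, here is an added example (not code from the article or from Yandex) that implements origin validation as RFC 6811 defines it over a constructed ROA set, and shows the outcomes for the cases discussed above: a legitimate origin, a more-specific leaked beyond max_length, a wrong origin, and address space with no ROA at all. Prefixes are documentation space and the ASNs are private; the policy of dropping only Invalid routes is the one the article attributes to the IXes.

```python
# Added example: RFC 6811 route origin validation over constructed ROAs.
# Prefixes are RFC 5737/3849 documentation space, ASNs are private (64500+);
# none of this reflects real announcements.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

@dataclass(frozen=True)
class ROA:
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    asn: int          # authorized origin AS (0 means "nobody may originate")
    max_length: int   # longest prefix length the origin may announce

def make_roa(prefix: str, asn: int, max_length: Optional[int] = None) -> ROA:
    net = ipaddress.ip_network(prefix, strict=True)
    # With max_length omitted, only the exact prefix is authorized.
    return ROA(net, asn, net.prefixlen if max_length is None else max_length)

# Constructed ROA set, as a router would receive it from its RPKI cache.
ROAS = [
    make_roa("192.0.2.0/24", 64500),       # only the /24 itself, from AS64500
    make_roa("2001:db8::/32", 64500, 48),  # /32 .. /48 from AS64500
    make_roa("203.0.113.0/24", 0),         # AS0 ROA: space must never be announced
]

def rov(roas: List[ROA], route_prefix: str, origin_as: int) -> str:
    """Return Valid / Invalid / NotFound for one (prefix, origin AS) pair."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"   # no ROA says anything about this address space
    for r in covering:
        if r.asn == origin_as and route.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"        # covered by a ROA, but origin or length does not match

def accept_routes(roas: List[ROA], routes: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Edge policy from the article: drop Invalid, keep Valid and NotFound."""
    return [(p, a) for p, a in routes if rov(roas, p, a) != "Invalid"]

if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64500),     # legitimate origin            -> Valid
        ("192.0.2.0/25", 64500),     # more-specific beyond max_length -> Invalid
        ("192.0.2.0/24", 64501),     # wrong origin (accidental hijack) -> Invalid
        ("198.51.100.0/24", 64501),  # space with no ROA            -> NotFound
        ("2001:db8:1::/48", 64500),  # within the IPv6 ROA's max_length -> Valid
    ]
    for prefix, asn in announcements:
        print(f"{prefix:20} AS{asn}: {rov(ROAS, prefix, asn)}")
    print("accepted:", accept_routes(ROAS, announcements))
```

Note that the check only looks at the origin AS, which is exactly why it stops leaks and fat-fingered announcements but not a deliberately forged path, as the article says.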
Today route checking based on ROA is being gradually implemented by major companies: the largest European IXes already drop incorrect routes, and among Tier-1 operators AT&T deserves mention for enabling filters on interfaces with its peering partners. The largest content providers are approaching this project too. And dozens of mid-size transit operators have already quietly deployed it without anyone noticing. Why are all these operators implementing RPKI? The answer is simple: to protect their outbound traffic from other people's mistakes. That is why Yandex is XNUMX of the first companies in the Russian Federation to deploy ROV at the edge of its network.
次ã«äœãèµ·ããã®ã ãããïŒ
ãã©ãã£ãã¯äº€æãã€ã³ããšãã©ã€ããŒã ãã¢ãªã³ã°ãåããã€ã³ã¿ãŒãã§ã€ã¹ã§ã«ãŒãã£ã³ã°æ å ±ã確èªã§ããããã«ãªããŸããã è¿ãå°æ¥ãäžæµã®ãã©ãã£ã㯠ãããã€ããŒã§ãæ€èšŒãå¯èœã«ãªãäºå®ã§ãã
ããã¯ããªãã«ãšã£ãŠã©ã®ãããªéãããããããŸãã? ãããã¯ãŒã¯ãš Yandex ã®éã®ãã©ãã£ã㯠ã«ãŒãã£ã³ã°ã®ã»ãã¥ãªãã£ã匷åãããå Žåã¯ã次ã®ããšããå§ãããŸãã
- ã¢ãã¬ã¹ç©ºéã«çœ²åããŸã
RIPEããŒã¿ã«å - ç°¡åã§ãå¹³åã㊠5 ïœ 10 åããããŸãã ããã«ããã誰ããæå³ããã«ããªãã®ã¢ãã¬ã¹ç©ºéãçãã å Žåã«ãç§ãã¡ã®æ¥ç¶ãä¿è·ãããŸã (ããã¯é ããæ©ããå¿ ãèµ·ãããŸã)ã - ãªãŒãã³ãœãŒã¹ RPKI ãã£ãã·ã¥ã® XNUMX ã€ãã€ã³ã¹ããŒã«ããŸã (
çããããªããŒã¿ãŒ ,ã«ãŒãã£ããŒã¿ãŒ )ããããã¯ãŒã¯å¢çã§ã®ã«ãŒã ãã§ãã¯ãæå¹ã«ããŸããããã«ã¯ããã«æéãããããŸããããã¯ãæè¡çãªåé¡ã¯çºçããŸããã
Yandex ã¯ãæ°ãã RPKI ãªããžã§ã¯ãã«åºã¥ããã£ã«ã¿ãªã³ã° ã·ã¹ãã ã®éçºããµããŒãããŠããŸãã
ASPA ã«ã€ããŠã¯ãXNUMX ãæåŸã® Next Hop ã«ã³ãã¡ã¬ã³ã¹ã§è©³ããã話ããŸãã NetflixãFacebookãDropboxãJuniperãMellanoxãYandex ã®ååãããã§è¬æŒããŸãã ãããã¯ãŒã¯ã¹ã¿ãã¯ãšãã®å°æ¥ã®éçºã«èå³ãããæ¹ã¯ããã²ãè¶ããã ããã
åºæïŒ habr.com