Huawei NetStream (Netflow) RFC Compability ? Part 2

Those who read Part 1 of this post know that  on Huawei routers for netstream packet sequence numbers to increase sequantially as defined in  RFC3954 "ip netstream export sequence-mode packet"must be exclusively configured. However a problem still exists: 

On Huawei routers with VRP5, no matter the device is configured with flow or packet mode, sequence numbers are independent for data and data template packets with current software design which results in for a netflow analyzer to misinterpret netflow data as there are missing flows. 

On Huawei routers with VRP8  the situation is a bit worse cause even the packet mode command "ip netstream export sequence-mode packet" do not exist. 

The solution for both sequence numbers to increase sequantially and for data and data template packets to have dependent flow numbers is to install V8R9C10 version. Other than that if you use VRP6 based software, you could increase data template frequency as in below configuration by changing refresh interval to 50minutes and every 30 packets  to get affected less: 

  [HUAWEI] system-view
 [~HUAWEI] ip netstream export template option timeout-rate 50
 [~HUAWEI] ip netstream export template option refresh-rate 30

A Script to Control Quagga BGPD Daemon, Implementing Anycast DNS Server

One way to implement Anycast DNS Server throughout the internet is to use BGP protocol and to announce your DNS IP block from multiple locations so that redundancy and low-latency targets are achieved. There are many ways to design such a infrastructure; you could use hardware routers, you could use load-Balancers in front of your servers etc. I would like to share a script here for the sceanario where Quagga BGPD daemon is used as a software router either on the DNS server or any other server purely as a router:

Using python dnspython library, it is easy to perform checks of a DNS servers ability to respond to different type of DNS queries. Based on the DNS servers answer you could stop, start Quagga BGPD daemon.

You could check the examples on http://www.dnspython.org/examples.html to understand how dnspython is used. A simple A type request is as below:

test_domain = "www.test.com"
server_to_test = ["127.0.0.1"] 

answers = anycast_server1.query(test_domain, "A")
anycast_server1 = dns.resolver.Resolver()
anycast_server1.timeout=1.0
anycast_server1.lifetime=1.0
anycast_server1.nameservers = server_to_test
for data in answers: 
 print data

If DNS and BGPD daemon is on the same server, script should forward the query to local server: 127.0.0.1. Below is the script i wrote to check local server with an A type DNS request, and based on the answer act either to start or stop the BGPD daemon. You could download the latest version of the script from https://github.com/ercintorun/dns-check-quagga-act.

# -*- coding: utf-8 -*-
import dns.resolver, psutil, commands, time, logging, datetime

###VARIABLES 
script_run_time = 60 
test_domain = "www.test.com"
server_to_test = ["127.0.0.1"] 

#############
#############
#############
###logging file folder and logging level config
logging.basicConfig(filename='/var/log/dnsscript.log', filemode='a', level=logging.INFO,
                    format='%(asctime)s [%(name)s] %(levelname)s (%(threadName)-10s): %(message)s')

###define dns servers, parameters
anycast_server1 = dns.resolver.Resolver()
anycast_server1.timeout=1.0
anycast_server1.lifetime=1.0
anycast_server1.nameservers = server_to_test 
   
###time to run the script
starttime = time.time()
timeout = time.time()+ script_run_time

###kill process function 
def kill_process(PROCNAME):
 for proc in psutil.process_iter():
  if proc.name() == PROCNAME:
   proc.kill()

###start a loop with an amount of script_run_time value

while True:
 time.sleep(0.8)
 if time.time()> timeout:
  break
 else:
###get all daemon names into list
  daemon_list=[]
  for proc in psutil.process_iter():
   daemon_list.append(proc.name())
###start the control
  if "bgpd" not in daemon_list: 
   try:
    answers = anycast_server1.query(test_domain, "A")
    commands.getoutput ("/etc/init.d/bgpd restart")
    logging.warning("DNS successful, BGP daemon is down, bgpd restarted")
    time.sleep(2) #give bgp 2 second to get up again
   except dns.resolver.NXDOMAIN:
    logging.warning("DNS exception: No such domain, BGP daemon is already down, no change done")
   except dns.resolver.Timeout:
    logging.warning("DNS exception: Timed out while resolving, BGP daemon is already down, no change done ") 
   except dns.exception.DNSException:
    logging.warning("DNS exception: Unhandled exception, BGP daemon is already down, no change done") 
  else:
   try:
    answers = anycast_server1.query(test_domain, "A")
    for data in answers: 
     resolved = data
    logging.info("DNS successful, nothing has been changed, last resolved ip is: "+str(data))
   except dns.resolver.NXDOMAIN:
    kill_process("bgpd")
    logging.warning("DNS exception: No such domain, BGP daemon terminated")
   except dns.resolver.Timeout:
    kill_process("bgpd")
    logging.warning("DNS exception: Timed out while resolving, BGP daemon terminated")
   except dns.exception.DNSException:
    kill_process("bgpd")
    logging.warning("DNS exception: Unhandled exception, BGP daemon terminated")

If you examine the script you could see that it works for 60 seconds. If you add this script to crontab with 1 minute interval it will check DNS server 60-70 times per minute (on local server) continiously. I've used psutil library to fetch active daemons list on Linux to check whether BGPD daemon is active or not. Script,

• If DNS successful and BGPD is active does nothing 
• If DNS successful and BGPD is passive, restarts BGPD using "commands" libary 
• IF DNS unsuccessful and BGPD is active, stops BGPD 
• IF DNS unsuccessful and BGPD is passive, does nothing

Also you could see that the script logs its actions for each query to "/var/log/dnsscript.log". If you would like to decrease log size, you could change "level=logging.INFO" to "level=logging.WARNING" to not to log no-action-taken checks.

Validating BGP Announcements by Automating Filter Generation with Python: Part2

At first part of the post, i wrote that some tools use “whois”  client to query RIR databases. So it is possible to use a “whois cli tool” to gather the necessary data of your interest.

Whois

You can find whois flags for RIPE on http://www.ripe.net/data-tools/support/documentation/queries-ref-card  to elaborate the whois queries.  Lets pull routes of an AS34984 in Linux command Line:

root@test:~# whois -h whois.ripe.net -i or as34984 | grep route:
route:          151.250.0.0/16
…output omitted

In order to get route data as a variable, to play with, you still need to need to parse the related part of the data from  the output. A better approach, which i generally prefer , is to use a native library, so that your script won’t depend on  a tool,  as a result it would be executable both  on Windows, or or Linux/Mac.  For a native client library check  https://pypi.python.org/pypi/WhoisClient

Restful Web Services API

Even with a native library, you will still need to parse the output data. There is a better way, which is getting the data in a format like XML, YAML, JSON etc  so that it is easier to get related parts systematically.  Fortunately RIPE/ARIN has a RESTFul Web Services API  which is a REST interface to their WhoIS Database which are invoked via http requests. Here are the documentation links:

• RIPE: https://labs.ripe.net/ripe-database/database-api/api-documentation https://labs.ripe.net/ripe-database/database-api/api-introduction

For ARIN documentation check: 

• ARIN: https://www.arin.net/resources/whoisrws/whois_api.html#whoisrws https://www.nanog.org/meetings/nanog48/presentations/Wednesday/Kosters_Update_N48.pdf

Querying RIPE  Web API and Processing  XML Input With Python

By looking at the documentation, it can be seen that for AS5400, which is BritishTelecom, url

http://rest.db.ripe.net/search.xml?query-string=as5400&inverse-attribute=origin  could be used to get all routes that has an origin of AS5400. The ony thing to get prefixes for another AS is to change the “as5400” value in the url itelf. If you open the url in your web browser you will see an xml output like below: 

So if we could open this url in python, and get the output, then parse it as xml, everything will be ok. To do so, lets examine the code i wrote, part by part:

Examining the code: 

At first part of the code we need to import libraries, which are: urllib, urllib2 and xml.etree.ElementTree   (you may also use lxml instead of xml.etree.ElementTree)

import urllib,urllib2
try:
    import xml.etree.cElementTree as ET
except ImportError:
    import xml.etree.ElementTree as ET

We determined how to create a URL to pull prefixes that is originated from an AS. Creating an AS variable is logical so that in further usages you can change the AS number or get the value as an input.

as_to_pull_prefixes = "AS5400"
url = "http://rest.db.ripe.net/search.xml?query-string=%s&inverse-attribute=origin" % as_to_pull_prefixes

As url is ready we need to open the url and assign the output to a string variable:

fp = urllib2.urlopen (url)
response = fp.read()

Then we need to parse XML from string into an element:

tree = ET.fromstring(response)
fp.close()

Last part is to get the prefix values from the xml output, which we turned into an element by using xml.etree.ElementTree. First we need to determine the hierarchy so that we can write a path argument. Having a look at the xml output, the hierarchy should be:

• inside <objects> 
• inside <object> that has a type value of  "route" (for ipv4 prefixes) 
• inside <primary-key>
• every <attribute> which has a name value of "route" 

To write such a path argument, you may wanted to have a look at https://docs.python.org/2/library/xml.etree.elementtree.html#elementtree-xpath. Here is the code:

interested =  tree.findall("./objects/object[@type='route']/primary-key/attribute[@name='route']")

Our job is still not done yet, cause inside the tree we created, which is "interested" variable, we need to take the values of "value": Here is the last piece of the code:

for child in interested:
    print child.get('value')

Trying It Out 

Here is the output when i executed the script:

To download the script, click here, or copy-paste the full code below:

import urllib,urllib2
try:
    import xml.etree.cElementTree as ET
except ImportError:
    import xml.etree.ElementTree as ET
###
###Variables which changes per request
as_to_pull_prefixes = "AS5400"
url = "http://rest.db.ripe.net/search.xml?query-string=%s&inverse-attribute=origin" % as_to_pull_prefixes
###
###Pull Info From IRR(RIPE)and assign it to a variable as string
fp = urllib2.urlopen (url)
response = fp.read()
###
###parse xml from  from string into an element 
tree = ET.fromstring(response)
fp.close()
###
###get interested data from element 
interested =  tree.findall("./objects/object[@type='route']/primary-key/attribute[@name='route']")
for child in interested:
    print child.get('value')
###############
##for more info on how to select interested data from xml
##https://docs.python.org/2/library/xml.etree.elementtree.html#elementtree-xpath
###############

Validating BGP Announcements by Automating Filter Generation with Python: Part1

Securing Internet Routing infrastructure has been a hot topic for a long time as hijack events occurs again and again either mistakenly or on purpose. Operators use different  techniques to validate BGP announcements. I will try to explain creating an ip/as prefix-list  by pulling information from a RIR database, in our case RIPE, using python. But first, lets take a look at other methods in Part1: 

RPKI

Probabily  the best  way to prevent BGP/IP hijacks is to use RPKI infrastructure, , which is a  PKI framework (trust anchor mechanism). Unfortunately the method needs legitamate AS/IP owners to register their sources. needless to say that no one is registering their sources, as a result the method is still not applicable. By 21.01.2015 the current validation states for all IPv4 prefixes is only %5.59, You can check validation states from http://rpki.surfnet.nl/ipcomp.html.

RPSL 

For RPKI is not applicable, we need another way to validate the BGP announcements, where IRR RPSL database entries comes into play. RPSL is a language commonly used by ISPs to describe their routing policies. ISP's could store their routing policies either on their own server or on open public whois databases including RIPE, RADB, APNIC etc.  RIPE (RIR for Europe) transformed its database to RPSL format in 2001.  Example entries in RIPE database are:

as-set:          AS-FUNET descr:           Macro with all ASes exported by FUNET members:         AS1741 members:         AS1739 members:         AS565 members:         AS15496 members:         AS30754 members:         AS39098 members:         AS39857 members:         AS39662 tech-c:          FH437-RIPE admin-c:         FA1183-RIPE mnt-by:          AS1741-MNT source:          RIPE # Filtered	As-set object which was created by FUNET, and includes their members
aut-num:         AS5400 as-name:         BT descr:           British Telecommunications plc org:             ORG-CNS3-RIPE import:          from AS1741 action pref=20; accept AS-FUNET	British Telecoms RPSL entry which accepts the informations in AS-FUNET  as-set entry.
Route−set: AS4763:RS−ROUTES:AS681 descr:     prefix filter for AS681 members:   130.216.0.0/16, 130.217.0.0/16, 132.181.0.0/16, 138.75.0.0/16, 139.80.0.0/16, 140.200.0.0/16, 156.62.0.0/16, 192.73.21.0/24 tech−c:    JA39 mnt−by:    MAINT−TELSTRA−NZ changed:   jabley@patho.gen.nz 19991118 source:    RADB	Route-set sample

Using these databases it is possible to get infos for AS-SETs, AS entries, route objects etc. We know that RPKI validation states are really low, so what about the RPSL entries?  Unfortunately Inter Route Registries are not that accurate also. BGPmon analysis which is done at 2010, shows that only %46 of the global routing table entries has a  matching route-object. 

If  you wanted to update a BGP import policy automatically then you should force the facing AS owner to update their IRR entries (route-objects, as-sets…). Some providers area also very strict in the IRR usage , so  why shouldn’t you ? 

Getting  Info From RIR Databases

Tools

There are many great tools that are ready for use which does the whois queries behind, which some of are: 

• IRR Toolset
• IRR Power Tools
• NETİ:IRR
• Bgpq3
• Md
• P2BGPTool

Lets take a loot at one of these tools, namely  Bgpq3, before writing our own python script: 

Bgpq3 Installation and Usage

Download compressed bgpq3 file from http://snar.spb.ru/prog/bgpq3/ , extract and install it (below steps for Ubuntu):

admin@ubuntu:~# wget http://snar.spb.ru/prog/bgpq3/bgpq3-0.1.21.tgz 
admin@ubuntu:~#  tar -xvzf bgpq3-0.1.21.tgz 
admin@ubuntu:~#  cd bgpq3-0.1.21/
admin@ubuntu:~/bgpq3-0.1.21# ./configure
admin@ubuntu:~/bgpq3-0.1.21# sudo make && sudo make install

After installing we could create a prefix-list from command line using the tool. Below is a sample for creating Junos prefix list for as-set: AS-FUNET

You may check bgpq3 man page for  more parameters (cisco, juniper, as-path, ipv4, ipv6)

Definitely command line tools are useful  but if you wanted get data from command line output in  python script it means that you need to parse the data.  There are better ways which you may continue reading in Part 2. 

Huawei NetStream (Netflow) RFC Compability ?

Netflow, which has become a de-facto industry standard, is a network protocol developed by Cisco for collecting IP information and monitoring network traffic. Other vendors also support other alternative flow protocols like: 

•  Juniper® (Jflow)
•  3Com/HP® , Dell® , and Netgear® (s-flow)
•  Huawei® (NetStream)
•  Alcatel-Lucent® (Cflow)
•  Ericsson® (Rflow)

By analizing the flow data you can draw a map of your traffic, sources and destinations, determine the normal flow values thus analyze ddos attacks, and much more. 

A sample configuration for Huawei is:

ip netstream export version 9
ip netstream sampler fix-packets 1000 inbound
ip netstream sampler fix-packets 1000 outbound
ip netstream export source 
ip netstream export host  9996
ip netstream export template timeout-rate 1
ip netstream timeout active 1
ip netstream timeout inactive 5
ip netstream tcp-flag enable
ip netstream mpls-aware label-and-ip

interface 
 ip netstream inbound
 ip netstream sampler fix-packets 1000 inbound

slot 
 ip netstream sampler to slot self

In production, based on the configuration above, we realized that packet sequence numbers, from a NE40X series router, does not increase sequentially as defined in RFC3954:

“
   Sequence Number
         Incremental sequence counter of all Export Packets sent from
         the current Observation Domain by the Exporter.  This value
         MUST be cumulative, and SHOULD be used by the Collector to
         identify whether any Export Packets have been missed. were .....

Instead the sequence numbers were increasing by former flow record (21, 9 21, 16,21 ...) count,

NetStream V9:
1          0.000000      1.1.1.256     82.3.3.256        CFLOW           1326   SEQ:510215546       total: 21 (v9) records
3          0.100533       1.1.1.256      82.3.3.256        CFLOW           606    SEQ:510215567       total: 9 (v9) records
4          0.163794       1.1.1.256      82.3.3.256        CFLOW           1326   SEQ:510215576       total: 21 (v9) records
5          0.264529       1.1.1.256      82.3.3.256        CFLOW           1026   SEQ:510215597       total: 16 (v9) records
6          0.327319       1.1.1.256      82.3.3.256        CFLOW           1326   SEQ:510215613       total: 21 (v9) records

which can be formalized as:

• "SEQ2=SEQ1+counter"

In VRP, for Netstream to be compatible with RFC, sequence-mode configuration must be configured exclusively as it is not the default behavior.

  system-view
 [HUAWEI] slot x
 [HUAWEI-slot-x] ip netstream export sequence-mode packet

As sequence numbers are followed by SourceID in collectors, using "cflow.source_id==4" filter in wireshark (for this specific case) we verified that the problem is gone.

If you examine the capture carefully, you might see that there still is a little problem which is: even the sequence ID is the same, there is an extra packet which's flow number is not lined up.

If you are working with a Huawei router, be careful that many features that you expect it to work in default, must be exclusively configured.  I will share these commands in another post, hopefully.

You could contiue reading Part 2:

Controlling Junos with Python & PyEZ, Part 2: Getting Info, RPC on Demand

At first part of this post, i've tried to explain how to install PyEZ module on Windows, and how to get the device name. Surely the power of python, PyEZ framework and XML API of Junos is not limited with that, so let's get into detail.

RPC on Demand

For any command you can execute on Junos CLI, you can invoke it's RPC equivalent. To determine an RPC equivalent of a command, you use the | display xml rpc mechanism as illustrated:

etorun@as34984-lg> show route 1.0.0.0 | display xml rpc 
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.3R8/junos">
    <rpc>
        <get-route-information>
                <destination>1.0.0.0</destination>
        </get-route-information>
         </rpc>
        <cli>
            <banner></banner>
        </cli>
    </rpc-reply

The content between the "<rpc>...</rpc>" is the XML RPC command, in this case "get_route_information". Be careful you need to swap dashes (-) to underscores(_) 

show_route_output = testdevice.rpc.get_route_information(destination="1.0.0.0")

If you wanted search active route for 1.0.0.0 in inet.0 table, then you need to add parameters to the same command, but the command you need to execute to get the rpc equivalent does not change.

etorun@as34984-lg> show route 1.0.0.0 table inet.0 active-path | display xml rpc 
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.3R8/junos">
    <rpc>
        <get-route-information>
                <destination>1.0.0.0</destination>
                <table>inet.0</table>
                <active-path/>
        </get-route-information>
         </rpc>
        <cli>
            <banner></banner>
        </cli>
    </rpc-reply>

However you need to add these extra parameters to python equivalent

show_route_output = testdevice.rpc.get_route_information(destination="1.0.0.0", table="inet.0", active_path=True) 

The "active-path" parameter does not take any value, so just assign it to True

To determine the  RPC response use the | display xml mechanism

etorun@as34984-lg> show route 1.0.0.0 table inet.0 active-path | display xml        
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.3R8/junos">
    <route-information xmlns="http://xml.juniper.net/junos/12.3R8/junos-routing">
        <route-table>
            <table-name>inet.0</table-name>
            <destination-count>584861</destination-count>
            <total-route-count>1169721</total-route-count>
            <active-route-count>577542</active-route-count>
            <holddown-route-count>2</holddown-route-count>
            <hidden-route-count>14636</hidden-route-count>
            <rt junos:style="brief">
                <rt-destination>1.0.0.0/24</rt-destination>
                <rt-entry>
                    <active-tag>*</active-tag>
                    <current-active/>
                    <last-active/>
                    <protocol-name>BGP</protocol-name>
                    <preference>170</preference>
                    <age junos:seconds="791658">1w2d 03:54:18</age>
                    <med>0</med>
                    <local-preference>190</local-preference>
                    <learned-from>92.44.0.248</learned-from>
                    <as-path>15169 I
                    </as-path>
                    <validation-state>unverified</validation-state>
                    <nh>
                        <selected-next-hop/>
                        <to>213.14.125.85</to>
                        <via>ge-1/0/3.100</via>
                    </nh>
                </rt-entry>
            </rt>
        </route-table>
    </route-information>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>

Trying It Out

Imagine you need to take the active as-path value of 1.0.0.0/24. Then the python script should be:

from jnpr.junos import Device
from jnpr.junos import Device
router = Device(user='admin', host='10.0.0.1', password='logmein')
router.open()
# invoke the RPC equivalent to "show route 1.0.0.0 table inet.0 active-path"
show_route_output = router.rpc.get_route_information(destination="1.0.0.0", table="inet.0", active_path=True) 
# use XPath expressions to extract the data from the Junos/XML response# the :show_route_output: variable is an lxml Element object
print "the as-path value is: %s" % show_route_output.findtext('route-table/rt/rt-entry/as-path')
router.close()

Here is the output when i run the .py file from windows powershell:

If you wanted to have a look, I did benefit from RPC On Demand page of Juniper Tech Wiki when writing this post.

Controlling Junos with Python & PyEZ, Part 1: Installation

You can manage or automate routers by using python. Having an XML API is the benefit of using a Juniper router as it is easier than other routers to manage it with python. Moreover Juniper wrote a Python library, which is actually a "micro-framework", called PyEZ and it makes easier for non-proggramers to manage a Junos OS router. 

Features: 

I am taking the exact explanation from the "juniper tech wiki":

Junos PyEZ is designed to provide the same capabilities as a user would have on the Junos OS CLI, but in an environment built for automation tasks. These capabilities include, but are not limited to:

• Provide "facts" about the device such as software version, serial number, and so on
• Retrieve the "operational" or "run-state" information (think "show" commands) using Tables/Views
• Retrieve the configuration using Tables/Views
• Make unstructured configuration changes with "snippets" and "templates"
• Make structured configuration changes with modeled abstractions
• Provide common utilities for tasks such as secure copy of files and software updates

Installation Python, PIP and PyEZ (Windows) 

To use PyEz, you must be using a python version 2.7 or later. I am not getting  into details of installing Python on to Windows as it is as easy as installing an .exe file. You may download the latest build from python.org/downloads. When installing python select "pip" and "setuptools" to get installed. Also to register the version which you are installing select "" as seen in the capture below:

You may need to reload Windows inorder for python to work. If PIP is not installed and you do not wanted to install python from scratch then you have the option to only install PIP. (PIP is a package itself which install packages.). Download get-pip.py,  save it as a .py file then, run it from the command prompt "python get-pip.py".

Behind the scenes PyEZ uses lxml, ncclient, paramiko, pycrypto, jinja2, PyYAML, netaddr, ecdsa and markupsafe python packages.  For ease of installation, we will use PyPI, which is a Python package repository. But before  you need to check if  Microsoft Visual C++ Compiler for Python 2.7 is installed on your PC and if not install it before executing the command "pip install junos-eznc" command in powershell/cmd.

Configuring Router 

For PyEz to work, ssh and netconf must be enabled on router which means you must be using "domestic" version of Junos. Basic configuration to enable ssh and netconf: 

Trial 

If everything is right, then you should be able to connect to a router using PyEZ and get some outputs. Here is a basic script which gets version info from a router:

from jnpr.junos import Device

dev = Device(host='10.33.198.221',user='admin',password='password')
dev.open()

print dev.facts['version']
print dev.cli("show configuration system services)

dev.close()

Here is the output:

For more you should visit Junipers PyEZ TechWiki page. You may also have a look at Juniper Python TeckWiki page. 

Happy New Year!!