iljitsch.com

topics: BGP / IPv6 / more · settings · b&w · my business: inet⁶ consult · Twitter · Mastodon · LinkedIn · email · 🇺🇸 🇳🇱

These are all posts about BGP, including those originally published on BGPexpert.com.

→ Enforcing First AS in BGP

The BGP RFCs state that external BGP peers should insert their own AS into the AS PATH advertised to eBGP peers. Some peers strip their AS, generally for commercial gain. Juniper and Cisco have opposite default behaviors for handling this. Make sure you set bgp enforce-first-as on Juniper routers. Caveats apply.

The annoying part here is that you want to disable this check for internet exchange route servers, but keep it enabled for everything else for security reasons. But that's not universally possible, as on some routers this is a global setting, rather than a per-neighbor one.

Permalink - posted 2023-10-08

BGP handling of obscure errors

I read Ben Cartwright Cox' (extensive) blog post Grave flaws in BGP Error handling and then saw his talk about the same topic at NLNOG on Youtube.

Here's the story.

Full article / permalink - posted 2023-10-02

Should the datacenter be in the middle?

The other day, I landed on this article: In Focus: Subsea Network Architecture: IXPs. The article takes some time to arrive at the point that undersea internet exchanges would be a good idea. The most eyecatching part is a variation on this image:

But should the datacenter and/or internet exhange in the middle between multiple users?

Full article / permalink - posted 2023-09-07

Has BGP routing security failed (yet)?

In the thorough style we've come to expect from him, Geoff Huston tries to answer the question Is Secured Routing a Market Failure? Please read about the market aspect (and the limitations imposed on the IETF by big router vendors) in that article. His final conclusion is broader, through:

But mostly it's a failure because it does not deliver. Security solutions that offer only a thin veneer of the appearance of improvement while offering little in the way of improved defence against determined attack are perhaps worse than a placebo.

Full article / permalink - posted 2022-12-13

→ What can be learned from BGP hijacks targeting cryptocurrency services?

Interesting blog post on the APNIC blog by Doug Madory:

On 17 August 2022, an attacker was able to steal approximately USD 235,000 in cryptocurrency by employing a BGP hijack against the Celer Bridge, a service that allows users to convert between cryptocurrencies.

In this blog post, I discuss this and previous infrastructure attacks against cryptocurrency services. While these episodes revolve around the theft of cryptocurrency, the underlying attacks hold lessons for securing the BGP routing of any organization that conducts business on the Internet.

Using BGP to steal cryptocurrency is happening with some regularity now...

The important lesson comes at the end: Amazon shouldn't have RPKI ROAs for a /10 and a /11 with a maximum prefix limit of /24.

This way, the attacker, thanks to an ISP that didn't properly filter its customer's BGP announcements, was able to advertise a /24 out of Amazon's address space and have that announcement be labeled "valid" by RPKI route origin validation.

Amazon advertises a /11, and if the maximum prefix length in the ROA for that /11 had been just /11, the attacker wouldn't have been able to "shoplift" just that /24, but they'd have to go head-to-head against Amazon for that entire /11. That would have had a much lower chance of success and much higher chance of being noticed quickly.

(Shameless plug: if all that RPKI and ROA talk is gibberish to you, my new BGP e-book has a section on what RPKI is and how it works.)

Permalink - posted 2022-11-24

New e-book: Internet Routing with BGP

I did it again... I wrote another book.

20 years ago O'Reilly published my first book, titled simply “BGP”. My goal with that book was to write the book that I would have liked to have read when I started my journey with the Border Gateway Protocol, the internet's routing protocol.

Although amazingly, we still use the same version 4 of the BGP protocol as in 1994, a lot has changed. As updating my previous book was not in the cards, I decided to write a completely new book about BGP. It's called “Internet Routing with BGP” and it's now available as an e-book. See the end of the article for details and links.

Read the article - posted 2022-11-18

older posts

Search for:
RSS feed

Archives: 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, 2016, 2018, 2019, 2020, 2021, 2022, 2023