Recently, I was looking through some networking certification material. A very large part of it was about OSPF. That's fair, OSPF is probably the most widely used routing protocol in IP networks. But the poor students were submitted to a relentless sequence of increasingly baroquely named features: stub areas, not-so-stubby-areas, totally stubby areas, culminating in totally not-so-stubby areas.
Can we please get rid of some of that legacy? And if not from the standard documents or the router implementations, then at least from the certification requirements and training materials?Read the article - posted 2022-05-12
For my training courses, I always check the current size of the IPv4 and IPv6 BGP tables over at the CIDR Report so I can tell the participants what table size capacity to look for when shopping for routers.
Currently, the IPv4 table is at 925k, readying itself for scaling the 1M summit late next year. The IPv6 table is 160k prefixes.
The IPv4 table grew at about 10% per year in the 2010s and 6% last year. At this rate, it'll be at 1.43 million at the beginning of 2030.
The IPv6 table, on the other hand, had been growing at some 31% per year between 2015 and 2020, but last year it grew 37%. At that rate, the IPv6 table will reach 1.7 million prefixes by 2030! Even at a somewhat slower growth rate of 34% the IPv6 table will overtake the IPv4 table before the decade is out.
Of course it's hard to predict 7.5 years into the future, but stranger things have happened.
Also, at this rate, you'll need a router that can handle more than 2 million prefixes five years from now. Which pretty much means that if you are buying a router today that has to be able to hold the full global IPv4 and IPv6 tables, it should already be able to handle more than 2M prefixes in order to have a five year economic lifespan.Read the article - posted 2022-06-30
20 years ago this month, my book BGP: building reliable networks with the Border Gateway Protocol was published by O'Reilly.
My 20 author copies of the book arrived a bit later:
Read the article - posted 2022-09-29
Click the link for more details.
Back in the 1990s, I used Cisco routers. Mostly rather underpowered ones such as the Cisco 2500 series. I later started using the Zebra and then Quagga routing software for the lab part of my training courses.
As I was writing my new BGP book, I made configuration examples in Quagga. But about two thirds in, I decided to switch to FRRouting.Read the article - posted 2022-11-02
The Asia-Africa-Europe-1 Internet cable travels 15,500 miles along the seafloor, connecting Hong Kong to Marseille, France. As it snakes through the South China Sea and toward Europe, the cable helps provide Internet connections to more than a dozen countries, from India to Greece. When the cable was cut on June 7, millions of people were plunged offline and faced temporary Internet blackouts.
The cable, also known as AAE-1, was severed where it briefly passes across land through Egypt. One other cable was also damaged in the incident, with the cause of the damage unknown.
Interesting article about how Egypt is a choke point for undersea cables between Europe and Asia (and eastern Africa).
Read the article - posted 2022-11-03
When I wrote my first BGP book I painstakingly made the config examples on actual Cisco routers. In my opinion, it's crucial to make sure that configuration examples that go in a book actually work.
So when I started writing my new BGP book, I did the same. But this time, I used open source routing software (FRRouting) running in Docker containers. Basically, those containers are very light-weight virtual machines.
This makes it possible to run a dozen virtual routers that start up and shut down in just a few seconds. So it's very easy to run different examples by starting the required virtual routers with the configuration for that example.
This was super useful when I was writing the book.
So I thought it would also be very useful for people reading the book.
So I'm making the "BGP minilab" with all the config examples from the book available to my readers. Download version 2022-11 of the minilab that goes with the first version of the book here.
You can also run the examples in the minilab if you don't have the book. And you can create your own labs based on these scripts.
The minilab consist of four scripts:
There are Mac/Linux shell script and Windows Powershell versions of each script.Permalink - posted 2022-11-11
I did it again... I wrote another book.
20 years ago O'Reilly published my first book, titled simply “BGP”. My goal with that book was to write the book that I would have liked to have read when I started my journey with the Border Gateway Protocol, the internet's routing protocol.
Although amazingly, we still use the same version 4 of the BGP protocol as in 1994, a lot has changed. As updating my previous book was not in the cards, I decided to write a completely new book about BGP. It's called “Internet Routing with BGP” and it's now available as an e-book. See the end of the article for details and links.Read the article - posted 2022-11-18
Interesting blog post on the APNIC blog by Doug Madory:
On 17 August 2022, an attacker was able to steal approximately USD 235,000 in cryptocurrency by employing a BGP hijack against the Celer Bridge, a service that allows users to convert between cryptocurrencies.
In this blog post, I discuss this and previous infrastructure attacks against cryptocurrency services. While these episodes revolve around the theft of cryptocurrency, the underlying attacks hold lessons for securing the BGP routing of any organization that conducts business on the Internet.
Using BGP to steal cryptocurrency is happening with some regularity now...
The important lesson comes at the end: Amazon shouldn't have RPKI ROAs for a /10 and a /11 with a maximum prefix limit of /24.
This way, the attacker, thanks to an ISP that didn't properly filter its customer's BGP announcements, was able to advertise a /24 out of Amazon's address space and have that announcement be labeled "valid" by RPKI route origin validation.
Amazon advertises a /11, and if the maximum prefix length in the ROA for that /11 had been just /11, the attacker wouldn't have been able to "shoplift" just that /24, but they'd have to go head-to-head against Amazon for that entire /11. That would have had a much lower chance of success and much higher chance of being noticed quickly.
(Shameless plug: if all that RPKI and ROA talk is gibberish to you, my new BGP e-book has a section on what RPKI is and how it works.)
Read the article - posted 2022-11-24
In the thorough style we've come to expect from him, Geoff Huston tries to answer the question Is Secured Routing a Market Failure? Please read about the market aspect (and the limitations imposed on the IETF by big router vendors) in that article. His final conclusion is broader, through:
But mostly it's a failure because it does not deliver. Security solutions that offer only a thin veneer of the appearance of improvement while offering little in the way of improved defence against determined attack are perhaps worse than a placebo.Read the article - posted 2022-12-13