iljitsch.com

topics: BGP / IPv6 / more · settings · b&w · my business: inet⁶ consult · Twitter · Mastodon · LinkedIn · email · 🇺🇸 🇳🇱

These are all posts about BGP, including those originally published on BGPexpert.com.

Has BGP routing security failed (yet)?

In the thorough style we've come to expect from him, Geoff Huston tries to answer the question Is Secured Routing a Market Failure? Please read about the market aspect (and the limitations imposed on the IETF by big router vendors) in that article. His final conclusion is broader, through:

But mostly it's a failure because it does not deliver. Security solutions that offer only a thin veneer of the appearance of improvement while offering little in the way of improved defence against determined attack are perhaps worse than a placebo.

Full article / permalink - posted 2022-12-13

→ What can be learned from BGP hijacks targeting cryptocurrency services?

Interesting blog post on the APNIC blog by Doug Madory:

On 17 August 2022, an attacker was able to steal approximately USD 235,000 in cryptocurrency by employing a BGP hijack against the Celer Bridge, a service that allows users to convert between cryptocurrencies.

In this blog post, I discuss this and previous infrastructure attacks against cryptocurrency services. While these episodes revolve around the theft of cryptocurrency, the underlying attacks hold lessons for securing the BGP routing of any organization that conducts business on the Internet.

Using BGP to steal cryptocurrency is happening with some regularity now...

The important lesson comes at the end: Amazon shouldn't have RPKI ROAs for a /10 and a /11 with a maximum prefix limit of /24.

This way, the attacker, thanks to an ISP that didn't properly filter its customer's BGP announcements, was able to advertise a /24 out of Amazon's address space and have that announcement be labeled "valid" by RPKI route origin validation.

Amazon advertises a /11, and if the maximum prefix length in the ROA for that /11 had been just /11, the attacker wouldn't have been able to "shoplift" just that /24, but they'd have to go head-to-head against Amazon for that entire /11. That would have had a much lower chance of success and much higher chance of being noticed quickly.

(Shameless plug: if all that RPKI and ROA talk is gibberish to you, my new BGP e-book has a section on what RPKI is and how it works.)

Permalink - posted 2022-11-24

New e-book: Internet Routing with BGP

I did it again... I wrote another book.

20 years ago O'Reilly published my first book, titled simply “BGP”. My goal with that book was to write the book that I would have liked to have read when I started my journey with the Border Gateway Protocol, the internet's routing protocol.

Although amazingly, we still use the same version 4 of the BGP protocol as in 1994, a lot has changed. As updating my previous book was not in the cards, I decided to write a completely new book about BGP. It's called “Internet Routing with BGP” and it's now available as an e-book. See the end of the article for details and links.

Read the article - posted 2022-11-18

My BGP minilab

When I wrote my first BGP book I painstakingly made the config examples on actual Cisco routers. In my opinion, it's crucial to make sure that configuration examples that go in a book actually work.

So when I started writing my new BGP book, I did the same. But this time, I used open source routing software (FRRouting) running in Docker containers. Basically, those containers are very light-weight virtual machines.

This makes it possible to run a dozen virtual routers that start up and shut down in just a few seconds. So it's very easy to run different examples by starting the required virtual routers with the configuration for that example.

This was super useful when I was writing the book.

So I thought it would also be very useful for people reading the book.

So I'm making the "BGP minilab" with all the config examples from the book available to my readers. Download version 2022-11 of the minilab that goes with the first version of the book here.

You can also run the examples in the minilab if you don't have the book. And you can create your own labs based on these scripts.

The minilab consist of four scripts:

There are Mac/Linux shell script and Windows Powershell versions of each script.

Permalink - posted 2022-11-11

→ Why Egypt became one of the biggest chokepoints for Internet cables

The Asia-Africa-Europe-1 Internet cable travels 15,500 miles along the seafloor, connecting Hong Kong to Marseille, France. As it snakes through the South China Sea and toward Europe, the cable helps provide Internet connections to more than a dozen countries, from India to Greece. When the cable was cut on June 7, millions of people were plunged offline and faced temporary Internet blackouts.

The cable, also known as AAE-1, was severed where it briefly passes across land through Egypt. One other cable was also damaged in the incident, with the cause of the damage unknown.

Interesting article about how Egypt is a choke point for undersea cables between Europe and Asia (and eastern Africa).

Permalink - posted 2022-11-03

Free Range Routing vs Quagga/Cisco

Back in the 1990s, I used Cisco routers. Mostly rather underpowered ones such as the Cisco 2500 series. I later started using the Zebra and then Quagga routing software for the lab part of my training courses.

However, like Zebra before it, Quagga also ran out of steam but was forked by people (and companies) who saw value in the software. The Quagga fork is Free Range Routing a.k.a. FRRouting a.k.a. FRR.

As I was writing my new BGP book, I made configuration examples in Quagga. But about two thirds in, I decided to switch to FRRouting.

Full article / permalink - posted 2022-11-02

older posts - newer posts

Search for:
RSS feed

Archives: 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, 2016, 2018, 2019, 2020, 2021, 2022, 2023, 2024