Last week, I suggested it's time to fix those BGP route leaks. I live by the words "everybody complains about the weather, but nobody does anything about it", so I wrote an Internet-Draft with the protocol changes necessary:
draft-van-beijnum-sidrops-pathrpki-00
I think we can stop these route leaks with a relatively modest change to RPKI: by combining the ASes the origin trusts and the ASes the operator of an RPKI relying party server trusts, we have a list of all the ASes that may legitimately appear in the AS path as seen from this particular vantage point.
I believe deployment will be relatively easy, as it works for the two ASes at both ends even if ASes in the middle don't participate.
There is path filter example code in the appendix to show that this part is easy. 😀
You can see that filter code in action here:
http://bgpexpert.com/pathrpki/
I'm looking forward to hearing feedback. I've started discussions on the RIPE routing-wg mailing list and the IETF sidrops working group mailing list. Also feel free to mail me directly or talk to me on Twitter.
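The path check described above, sketched as an added example (this is not the example code from the draft's appendix). The AS numbers come from the documentation range, and the in-memory trust tables and the "unknown" state for origins that publish no list are assumptions made for illustration.

```python
# Added illustration; constructed data, ASNs from the documentation range (RFC 5398).
# ORIGIN_TRUST: per origin AS, the ASes that origin says it trusts
# (hypothetical in-memory form of what would be published through RPKI).
ORIGIN_TRUST = {64496: {64497, 64498}}
# ASes trusted by the operator of this relying party server (local policy).
LOCAL_TRUST = {64499, 64500}


def evaluate_path(as_path, origin_trust=ORIGIN_TRUST, local_trust=LOCAL_TRUST):
    """Classify an AS path given neighbor first, origin last.

    Returns (state, offending) where state is "valid", "invalid" or "unknown".
    """
    if not as_path:
        return "invalid", []
    origin = as_path[-1]
    if origin not in origin_trust:
        # Assumption: an origin with no published list cannot be judged.
        return "unknown", []
    # ASes that may legitimately appear from this vantage point:
    # those the origin trusts plus those the local operator trusts.
    allowed = origin_trust[origin] | local_trust | {origin}
    offending = []
    for asn in as_path:  # prepending repeats an ASN; report it once
        if asn not in allowed and asn not in offending:
            offending.append(asn)
    return ("invalid", offending) if offending else ("valid", [])


def filter_updates(updates):
    """Drop updates whose AS path contains an AS that neither side trusts."""
    return [(prefix, path) for prefix, path in updates
            if evaluate_path(path)[0] != "invalid"]


UPDATES = [  # constructed sample updates
    ("192.0.2.0/24", [64499, 64497, 64496]),         # every AS trusted by one side
    ("192.0.2.0/24", [64500, 64510, 64497, 64496]),  # 64510 trusted by neither: leak
    ("192.0.2.0/24", [64499, 64497, 64497, 64496]),  # prepending, still valid
    ("198.51.100.0/24", [64500, 64505]),             # origin publishes no list
]

if __name__ == "__main__":
    for prefix, path in UPDATES:
        print(prefix, path, evaluate_path(path))
```

Only the origin and the local operator supply data here, which is why the check works when the ASes in the middle don't participate.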
Permalink - posted 2019-06-20
Last week, there was a large route leak that involved Swiss hosting company Safe Host and China Telecom. The route leak made internet traffic for European telecoms operators KPN, Swisscom and Bouygues Telecom, among others, flow through Safe Host and China Telecom against the wishes of the telecom operators involved. See this Ars Technica story for more details.
In this post, I'm going to explain how the interaction between the technical and business aspects of internet routing has made this issue so difficult to fix. At the end I'll briefly describe a proposal that I think can actually make that happen.
Read the article - posted 2019-06-13
Geoff Huston has written a post on the APNIC blog congratulating BGP on its 30th birthday. BGP version 1 was published as RFC 1105 in June of 1989. Five years later, BGP version 4 was published as RFC 1654. And we're still using BGP-4 today, 25 years later! Lots of things, including IPv6 support, were added later in backward compatible ways.
As usual, Geoff's story is comprehensive with lots of interesting details. For instance:
From time to time we see proposals to use geo-based addressing schemes and gain aggregation efficiencies through routing these geo-summaries rather than fine-grained prefixes.
Sorry about that. 😀 I still think it could work, though.
Well worth a read.
Permalink - posted 2019-06-10
Slides from the presentation about BGP security that I did with Lucas van den Berg and Martin Hein for NL-ix in Copenhagen, 19 April 2018.
Permalink - posted 2018-04-19
This Thursday I'll be at the NL-ix BGP security update event in Copenhagen, talking about BGP security topics, especially RPKI and BGPsec. I remember the first time I went to the IETF in 2002, where I heard about S-BGP and soBGP. And now last September that finally resulted in the publication of the BGPsec RFC (RFC 8205).
It's not too late to register, so I hope to see you there! Be sure to come say hi.
Permalink - posted 2018-04-15