Table of contents (for this page):
If you could use some help with BGP, have a look at my business web site: inet6consult.com.
BGP routing coursesThere are currently no training courses planned.
Interdomain Routing & IPv6 News
In the thorough style we've come to expect from him, Geoff Huston tries to answer the question Is Secured Routing a Market Failure? Please read about the market aspect (and the limitations imposed on the IETF by big router vendors) in that article. His final conclusion is broader, through:
But mostly it's a failure because it does not deliver. Security solutions that offer only a thin veneer of the appearance of improvement while offering little in the way of improved defence against determined attack are perhaps worse than a placebo.
20 years ago I went to my first IETF meeting and there I learned about S-BGP and soBGP. It would take another almost ten years for RPKI to be standardized and fifteen years for the BGPSEC specification (which is largely S-BGP with the RPKI functionality removed) to be published. RPKI is gaining some traction but hasn't been able to stop at least some determined attackers. There are no production level implementations of BGPSEC after five years.
So why is that? True, if people would be prepared to pay extra for secure routing, we'd have it by now.
But I think the bigger issue is failure to understand the problem.
Looking at the valley-free model, we can observe that the right hand part of the network hierarchy is trusted by the sender of the routing updates / receiver of the packets, while the left hand side is trusted by the receiver of the routing updates / sender of the packets.
This hierarchy is pretty flat, so there's usually only a handful of networks on each side. So telling the world that those are networks you trust should be something we can do reasonably efficiently. Then, the only thing is to make sure that there are no network hops in the path that aren't trusted by either side.
Earlier this year, RFC 9234 "Route Leak Prevention and Detection Using Roles in UPDATE and OPEN Messages" was published. This adds some information to BGP that lets it detect paths that aren't valley-free. The nice thing about this mechanism is that it protects two networks that implement the mechanism against mistakes made by networks that don't implement the mechanism.
We still need better mechanisms to thwart determined, purposeful attackers, but the good news is that we've made life a lot harder for those already. So even though we're not there yet when it comes to secured routing, it's not so much that we've failed, but that we are taking too much time to succeed.
Interesting blog post on the APNIC blog by Doug Madory:
On 17 August 2022, an attacker was able to steal approximately USD 235,000 in cryptocurrency by employing a BGP hijack against the Celer Bridge, a service that allows users to convert between cryptocurrencies.
Using BGP to steal cryptocurrency is happening with some regularity now...
The important lesson comes at the end: Amazon shouldn't have RPKI ROAs for a /10 and a /11 with a maximum prefix limit of /24.
This way, the attacker, thanks to an ISP that didn't properly filter its customer's BGP announcements, was able to advertise a /24 out of Amazon's address space and have that announcement be labeled "valid" by RPKI route origin validation.
Amazon advertises a /11, and if the maximum prefix length in the ROA for that /11 had been just /11, the attacker wouldn't have been able to "shoplift" just that /24, but they'd have to go head-to-head against Amazon for that entire /11. That would have had a much lower chance of success and much higher chance of being noticed quickly.
(Shameless plug: if all that RPKI and ROA talk is gibberish to you, my new BGP e-book has a section on what RPKI is and how it works.)
I did it again... I wrote another book.
20 years ago O'Reilly published my first book, titled simply “BGP”. My goal with that book was to write the book that I would have liked to have read when I started my journey with the Border Gateway Protocol, the internet's routing protocol.
Although amazingly, we still use the same version 4 of the BGP protocol as in 1994, a lot has changed. As updating my previous book was not in the cards, I decided to write a completely new book about BGP. It's called “Internet Routing with BGP” and it's now available as an e-book. See the end of the article for details and links.
What is BGP and what does it do?
The super short version is that BGP lets routers make IP packets finder their way across the internet. You need BGP to be able to use connections to two or more ISPs.
What makes BGP so fascinating: scale and business
There are several other routing protocols, and on a technical level, BGP is not the most interesting or even the most complex one. I think (and have written about how) OSPF is a strong contender in that race.
One thing that makes BGP fascinating is that it connects together something like a million routers in about 100,000 networks from different organizations. All these routers talk to each other in real time. Actions by one have consequences for all the others.
But the real 🤯-moment comes when you realize that if you're an ISP, BGP runs your business. For instance, BGP's hot potato routing means that traffic is handed off to the next network as soon as possible. The implication is that the receiving network has to carry the traffic most of the distance. Which is why internet service for consumers is relatively expensive (vast majority of traffic is incoming and thus high long distance costs) while hosting services are relatively cheap (mostly outgoing traffic so low long distance costs).
Valleys are costly
As BGP runs a service provider's business, it's important that BGP knows about the business relationship between two networks that connect together. In the figure below, networks 600 and 700 at the bottom are customers of networks 30, 40 and 50. Those are in turn customers of networks 1 and 2. The arrows show in which direction the money flows.
Valley-free and thus valid paths
The blue ellipse shows the part of the internet that gets paid to handle traffic to and from network 600. The pink ellipse shows the part of the internet that gets paid to handle traffic to and from network 700. Network 1 gets paid by both. Some networks have a peer relationship, where they exchange traffic without money changing hands. (Shown as arcs here.)
This means that all the green paths in sub-figures 2 to 5 are valid paths between 600 and 700, where all the service providers involved get paid. The path in 2 is the shortest, so that is the best one. But what if 700 is not a customer of 40:
Invalid paths with valleys
There are still several paths possible through network 40, but as 40 is paid by neither 600 nor 700, handling traffic between those network would be giving away service for free. So BGP needs to know about the business relationships between connecting networks in order to avoid the red, invalid paths.
Interestingly, all the invalid paths have a “valley”, while none of the valid paths have such a valley. The valleys happen when traffic moves up the service provider hierarchy, then starts moving down or sideways, but then doesn't continue to move down, but instead moves up or sideways again. These valleys indicate that someone doesn't get paid. Note that the earlier green path number four is still a valid path here.
In practice, paths that aren't valley-free indicate that someone made a mistake with their BGP setup, causing a “route leak”. Those leaks attract traffic that then usually doesn't make it to the intended recipient. Or perhaps only after the leaker eavesdropped on it.
So, please BGP: no valleys.
A bit more about the book
I believe this is one of the first books that covers the RPKI BGP security mechanism, with several examples showing how to apply RPKI and how it works. Most of the book shows configuration examples and the resulting output and then discussing what happens when and why.
The book is available from Amazon (Kindle format), from Apple (EPUB format / Apple Books) or from Google (PDF and EPUB formats). You can also get a site license directly from me (PDF and EPUB formats). And you can get sample chapters if you follow that link. If you want to see the example configurations in action (before or after getting the book), download the BGP minilab. This contains scripts and router configurations to run the examples on your own computer under Docker.
And after slowing down the past few years for pandemic reasons, I'll be doing my BGP training courses again in the near future, based on the new book.
When I wrote my first BGP book I painstakingly made the config examples on actual Cisco routers. In my opinion, it's crucial to make sure that configuration examples that go in a book actually work.
So when I started writing my new BGP book, I did the same. But this time, I used open source routing software (FRRouting) running in Docker containers. Basically, those containers are very light-weight virtual machines.
This makes it possible to run a dozen virtual routers that start up and shut down in just a few seconds. So it's very easy to run different examples by starting the required virtual routers with the configuration for that example.
This was super useful when I was writing the book.
So I thought it would also be very useful for people reading the book.
So I'm making the "BGP minilab" with all the config examples from the book available to my readers. Download version 2022-11 of the minilab that goes with the first version of the book here.
You can also run the examples in the minilab if you don't have the book. And you can create your own labs based on these scripts.
The minilab consist of four scripts:
There are Mac/Linux shell script and Windows Powershell versions of each script.
My Books: "BGP" and "Running IPv6"On this page you can find more information about my book "BGP". Or you can jump immediately to chapter 6, "Traffic Engineering", (approx. 150kB) that O'Reilly has put online as a sample chapter. Information about the Japanese translation can be found here.
More information about my second book, "Running IPv6", is available here.
BGP SecurityBGP has some security holes. This sounds very bad, and of course it isn't good, but don't be overly alarmed. There are basically two problems: sessions can be hijacked, and it is possible to inject incorrect information into the BGP tables for someone who can either hijack a session or someone who has a legitimate BGP session.
Session hijacking is hard to do for someone who can't see the TCP sequence number for the TCP session the BGP protocol runs over, and if there are good anti-spoofing filters it is even impossible. And of course using the TCP MD5 password option (RFC 2385) makes all of this nearly impossible even for someone who can sniff the BGP traffic.
Nearly all ISPs filter BGP information from customers, so in most cases it isn't possible to successfully inject false information. However, filtering on peering sessions between ISPs isn't as widespread, although some networks do this. A rogue ISP could do some real damage here.
There are now two efforts underway to better secure BGP:
The IETF RPSEC (routing protocol security) working group is active in this area.
What is BGPexpert.com?BGPexpert.com is a website dedicated to Internet routing issues. What we want is for packets to find their way from one end of the globe to another, and make the jobs of the people that make this happen a little easier.
Ok, but what is BGP?Have a look at the "what is BGP" page. There is also a list of BGP and interdomain routing terms on this page.
BGP and MultihomingIf you are not an ISP, your main reason to be interested in BGP will probably be to multihome. By connecting to two or more ISPs at the same time, you are "multihomed" and you no longer have to depend on a single ISP for your network connectivity.
This sounds simple enough, but as always, there is a catch. For regular customers, it's the Internet Service Provider who makes sure the rest of the Internet knows where packets have to be sent to reach their customer. If you are multihomed, you can't let your ISP do this, because then you would have to depend on a single ISP again. This is where the BGP protocol comes in: this is the protocol used to carry this information from ISP to ISP. By announcing reachability information for your network to two ISPs, you can make sure everybody still knows how to reach you if one of those ISPs has an outage.
For those of you interested in multihoming in IPv6 (which is pretty much impossible at the moment), have a look at the "IPv6 multihoming solutions" page.
Are you a BGP expert? Take the test to find out!
These questions are somewhat Cisco-centric. We now also have another set of questions and answers for self-study purposes.
You are visiting bgpexpert.com over IPv4. Your address is 18.104.22.168.