bgp hints - internet routing news, hints and tips

Posted: 2004-04-20

Category: News

Vulnerability issues in TCP affect BGP

Since BGP uses TCP as its transport protocol, it is vulnerable to all weaknesses of the TCP protocol itself. A recent advisory shows that it is relatively easy for an attacker to reset a BGP session. Several methods exist to protect against this vulnerability, the most common being the TCP MD5 option.

Posted: 2003-12-16

Category: General

Multi-homing to a single provider

Organizations using more than one connection (multi-homing) to the same upstream provider cannot use a dedicated AS number. However, an AS number is required in order to use BGP. RFC 2270 describes a technique in which a single dedicated AS number is used for all customers multi-homed to the same (single) upstream provider.

Updated: 2003-11-06

Category: Tools

Quickly find the announcing AS of an IP address

Sometimes one would like to find the autonomous system (AS) that announces a given IP address. Team Cymru has provided a whois server you can use to do just that. In addition to simple lookups, the server also provides a way for scripts to query a large number of addresses. A similar service is available from the RIPE RIS project.

Posted: 2003-10-26

Category: General

Block unwanted traffic with unicast reverse path filters

To protect against denial-of-service attacks and other unwanted traffic, one should use filters to accept only traffic with known good source addresses at each entry point of the network. One way to implement these filters is unicast reverse path filtering (uRPF), which uses the routing table to verify source addresses.

Posted: 2003-10-02

Category: Book reviews

Book review: Walter Goralski - Juniper and Cisco Routing

Walter Goralski's book Juniper and Cisco Routing: Policy and Protocols for Multivendor IP Networks provides an introduction to routing protocols and routing policies, and shows how these protocols and policies can be configured on Cisco and Juniper routers.

Posted: 2003-09-25

Category: General

Use communities to control upstream route announcements

BGP communities can be used to tag route advertisements to upstream providers. Based on these tags you can change how the upstream provider treats the prefix, for example, changing the local preference value, suppressing the advertisement to certain peers, or prepending the as-path to certain peers. By controlling your route advertisements, you can influence the traffic routed to your network.

Posted: 2003-09-19

Category: General

Protect BGP sessions with the TCP MD5 option

Since BGP uses TCP as its transport protocol, it is vulnerable to all weaknesses of the TCP protocol itself. To protect a BGP session, the TCP MD5 option may be used, which is currently the only widely implemented security measure in BGP.

Posted: 2003-09-17

Category: General

Redundancy and load balancing with anycast

Anycast is a way to implement redundancy and load balancing without needing additional hardware or software. In an anycast setup, multiple hosts share the same IP address. This address is announced through a routing protocol, so that packets sent to the anycast address will be routed to the closest host.

Posted: 2003-09-13

Category: Book reviews

Book review: Iljitsch van Beijnum - BGP

Rather than describing the BGP protocol in excruciating detail, Iljitsch van Beijnum's book BGP describes in a hands-on way the context in which BGP is used, how to set up a network based on BGP, and all aspects of running a BGP network on a day-to-day basis.

Posted: 2003-09-09

Category: General

Control route flaps using damping

To minimize the processing load imposed on your router by route flapping, you can use route flap damping, which suppresses unstable prefixes for a while.

Posted: 2003-09-08

Category: General

Use bogon filters but keep them up-to-date

There are several IP address ranges that should not be used on the internet, commonly called bogon addresses. You should filter packets with bogon addresses as well as BGP route updates for bogon address ranges.