Category Archives for "Russ White"

On Securing BGP

The US Federal Communications Commission recently asked for comments on securing Internet routing. While I worked on the responses offered by various organizations, I also put in my own response as an individual, which I’ve included below.

I am not providing this answer as a representative of any organization, but rather as an individual with long experience in the global standards and operations communities surrounding the Internet, and with long experience in routing and routing security.

I completely agree with the Notice of Inquiry that “networks are essential to the daily functioning of critical infrastructure [yet they] can be vulnerable to attack” due to insecurities in the BGP protocol. While proposed solutions exist that would increase the security of the BGP routing system, only some of these mechanisms are being widely deployed. This response will consider some of the reasons existing proposals are not deployed and suggest some avenues the Commission might explore to aid the community in developing and deploying solutions.

9: Measuring BGP Security.
At this point, I only know of the systems mentioned in the query for measuring BGP routing security incidents. There have been attempts to build other systems, but none of these systems have been […]

Hedge 127: FR Routing Update

The FR Routing project is a fully featured open-source routing stack, including BGP, OSPF, and IS-IS (among others), supported by a community including NVIDIA, Orange, VMware, and many others. On today’s episode of the Hedge, Tom Ammon and Russ White are joined by Donald Sharp, Alistair Woodman, and Quentin Young to update listeners on projects completed and underway in FR Routing.

Privacy And Networking Part 2: Legal And Ethical Privacy

Given the arguments from the first article in this series, if privacy should be and is essential—what does the average network engineer do with this information? How does privacy impact network design and operations? To answer this question, we need to look at two other questions. First, what is private information, precisely? The network carries […]

The post Privacy And Networking Part 2: Legal And Ethical Privacy appeared first on Packet Pushers.

Hedge 126: George Michaelson on ISDN

ISDN, while an old technology, is still around in many parts of the world. When will it go away? George Michaelson joins Tom Ammon and Russ White to discuss the end of ISDN. The conversation then veers into old networking technologies, and the importance of ISDN in setting the terms and ideas we use today—ISDN is one of the key technologies around which network engineers built their mental maps of how to build and maintain networks.

Upcoming Training: Network Troubleshooting

I’m teaching a three-hour webinar on troubleshooting on the 22nd of April:

This training focuses on the half-split system of troubleshooting, which is widely used in the electronic and civil engineering domains. The importance of tracing the path of the signal, using models to put the system in context, and the use of a simple troubleshooting “loop” to focus on asking how, what, and why are added to the half-split method to create a complete theory of troubleshooting. Other concepts covered in this course are the difference between permanent and temporary fixes and a review of measuring reliability. The final third of the course contains several practical examples of working through problems to help in applying the theory covered in the first two sections to the real world.

This is offered on Safari Books Online through Pearson. I think that if you register for the course, you can watch a recording later.

Register here.

Hedge: April Update

You can register for my network troubleshooting course here.

Information about the IEEE Network Softwarification Conference can be found here.

Our upcoming episodes for this month are George Michaelson on the death of ISDN and old networks; an update on the FR Routing project; and Rick Graziani on college and network engineering. Thanks for listening to the Hedge!

Hedge 125: Brooks Westbrook and DC Fabric Design

DC fabric design is more of an art than a science—a lot of factors come into play, such as future growth, lifecycle management, security, and costs. How can network engineers balance these various factors—how do they even know what questions to ask? Brooks Westbrook joins Tom Ammon and Russ White to discuss three- and five-stage DC fabric design, OPEX, CAPEX, and other topics on this episode of the Hedge.

BGP Policies (Part 4)

At the most basic level, there are only three BGP policies: pushing traffic through a specific exit point; pulling traffic through a specific entry point; preventing a remote AS (more than one AS hop away) from transiting your AS to reach a specific destination. In this series I’m going to discuss different reasons for these kinds of policies, and different ways to implement them in interdomain BGP.

In this post, I’ll cover the first of a few ways to give surrounding autonomous systems a hint about where traffic should enter a network. Note this is one of the most vexing problems in BGP policy, so there will be a lot of notes across the next several posts about why some solutions don’t work all that well, or when they will and won’t work.

There are at least three reasons an operator may want to control the point at which traffic enters their network, including:

  • Controlling the inbound load on each link. It might be important to balance inbound and outbound load to maintain settlement-free peering, or to equally use all available inbound bandwidth, or to ensure the quality of experience is not impacted by overusing a single link.
  • Accounting for […]

Hedge 124: Geoff Huston and the State of BGP

Another year of massive growth in the number and speed of connections to the global Internet—what is the impact on the global routing table? Geoff Huston joins Donald Sharp and Russ White to discuss the current state of the BGP table, the changes in the last several years, where things might go, and what all of this means. This is part two of a two-part episode.

Understanding Data Center Fabrics 09: Other Considerations – Video

In the final video of this series on data center fabrics, Russ White walks through a set of considerations you might want to ponder as you design your data center fabric. These considerations include whether to single-home or dual-home a server in a fabric (it depends!), why Russ isn’t a fan of MLAGs in a […]

The post Understanding Data Center Fabrics 09: Other Considerations – Video appeared first on Packet Pushers.

BGP Policies (Part 3)

At the most basic level, there are only three BGP policies: pushing traffic through a specific exit point; pulling traffic through a specific entry point; preventing a remote AS (more than one AS hop away) from transiting your AS to reach a specific destination. In this series I’m going to discuss different reasons for these kinds of policies, and different ways to implement them in interdomain BGP.

There are many reasons an operator might want to select the neighboring AS through which to send traffic towards a given reachable destination (for instance, 100::/64). Each of these examples assumes the AS in question has learned multiple paths towards 100::/64, one from each peer, and must choose one of the two available paths to forward along.

In the following network—

From AS65001’s perspective

Assume AS65001 is some form of content provider, which means it offers some service such as bare metal compute, cloud services, search engines, social media, etc. Customers from AS65006 are connecting to its servers, located on the 100::/64 network, which generates a large amount of traffic returning to the customers.
From the perspective of AS hops, it appears the path from AS65001 to AS65006 is the same length—if this […]

Understanding Data Center Fabrics 08: Advanced Underlay Control Planes – Video

In this video, Russ White examines two advanced options for your underlay control plane: distoptflood and RIFT. He explores the basics of distoptflood and RIFT, optimizations in distoptflood, centralized flooding, how RIFT works, and more. You can subscribe to the Packet Pushers’ YouTube channel for more videos as they are published. It’s a diverse a […]

The post Understanding Data Center Fabrics 08: Advanced Underlay Control Planes – Video appeared first on Packet Pushers.

Understanding Data Center Fabrics 07: Link State Protocol In The Underlay – Video

Episode seven continues a discussion of fabric underlays by looking at the use of link-state protocols instead of BGP. Network architect and author Russ White covers:

  • Which link state protocol (IS-IS or OSPF) to choose
  • Russ’s reasons for preferring IS-IS
  • IS-IS efficiencies for packet formats and autoconfiguration
  • Resource recommendations for learning IS-IS
  • Scale and flooding […]

The post Understanding Data Center Fabrics 07: Link State Protocol In The Underlay – Video appeared first on Packet Pushers.

Understanding Data Center Fabrics 06: BGP Underlay – Video

The sixth video in this series examines the underlay component of a data center fabric, touches on a theoretical discussion of network layers, and reviews the use of BGP as your underlay protocol. Russ White covers:

  • The notion of abstractions in a network and how they limit failure domains
  • Tradeoffs among surface, state, and optimization […]

The post Understanding Data Center Fabrics 06: BGP Underlay – Video appeared first on Packet Pushers.