Facts and Fiction: BGP Is a Hot Mess

Every now and then a smart person decides to walk away from their competence zone and start spreading pointless clickbait opinions like "BGP is a hot mess".

Like any other technology, BGP is just a tool with its advantages and limitations. And like any other tool, BGP can be used sloppily… and that’s what’s causing the various problems and shenanigans everyone is talking about.

Just in case you might be interested in facts instead of easy-to-digest fiction:

If you came here for the facts, read the above documents and use them. Here's a TL;DR summary:

  • BGP MD5 authentication (TCP MD5, RFC 2385) and a few other session-protection mechanisms (TCP-AO, GTSM) make sure you're talking to the peer you're expected to be talking to. They DO NOT validate the content of the BGP updates;
  • RPKI origin validation checks that the AS originating the prefix is authorized to do so (and that the prefix is not more specific than the ROA allows). It CANNOT stop someone from receiving a valid prefix, munging the AS path (or other attributes) and propagating a made-up transit path to attract traffic, because the origin AS at the end of the forged path still matches the ROA;
  • The only way to make the Internet more secure with the current set of BGP tools is to use routing databases (IRR) to build prefix and AS-path filters and apply them extensively on all untrusted BGP sessions (with your customers, and with clueless operators that propagate YouTube prefixes from Pakistan).
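To make the difference between the second and third bullet concrete, here is an added example (not part of the original post, and not anyone's production code) that runs a few constructed BGP updates through a minimal RFC 6811 origin-validation routine and through the kind of prefix/AS-path filter you would generate from IRR data for a customer session. The ROAs, route objects and AS-SET expansions are made-up sample data using documentation ASNs and prefixes; the scenario names and function names are my own. The point it shows: a forged path that ends in the legitimate origin AS comes back "valid" from RPKI, and only the AS-path filter rejects it.

```python
"""Toy check of what RPKI origin validation does and does not catch,
next to an IRR-derived prefix/AS-path filter on a customer session.

All ROAs, route objects and AS-SET expansions below are constructed
sample data (documentation ASNs from RFC 5398, prefixes from RFC 5737);
they are not real registry objects.
"""
import ipaddress
from dataclasses import dataclass

# Constructed ROAs: (prefix, maxLength, authorized origin ASN)
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]

# Constructed IRR data, already expanded the way a filter generator would:
# directly connected customer ASN -> set of ASNs in its AS-SET,
# and origin ASN -> exact prefixes it has route objects for.
CUSTOMER_AS_SETS = {
    64500: {64500, 64510},   # AS64500 plus its downstream AS64510
    64501: {64501},
    64520: {64520},          # AS64520 has no downstreams
}
ROUTE_OBJECTS = {
    64500: {"192.0.2.0/24"},
    64501: {"198.51.100.0/22"},
    64510: {"203.0.113.0/24"},
    64520: {"198.18.0.0/15"},
}


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: tuple  # leftmost = sending neighbor, rightmost = origin AS


def rpki_validate(update: Update) -> str:
    """Origin validation per RFC 6811: 'valid', 'invalid' or 'not-found'.

    Only the origin AS and the prefix length are compared against covering
    ROAs; everything else in the AS path is irrelevant to the result.
    """
    net = ipaddress.ip_network(update.prefix)
    origin = update.as_path[-1]
    covering = [
        (ipaddress.ip_network(p), maxlen, asn)
        for p, maxlen, asn in ROAS
        if ipaddress.ip_network(p).version == net.version
        and net.subnet_of(ipaddress.ip_network(p))
    ]
    if not covering:
        return "not-found"
    if any(asn == origin and net.prefixlen <= maxlen
           for _, maxlen, asn in covering):
        return "valid"
    return "invalid"


def irr_filter(update: Update, customer_asn: int) -> str:
    """Filter an update received on a customer session, the way a
    prefix-list plus AS-path filter built from routing databases would.

    Returns 'accept' or a 'reject: ...' reason. The first AS must be the
    customer, every AS in the path must be in the customer's expanded
    AS-SET, and the origin must have a route object for the exact prefix.
    """
    allowed = CUSTOMER_AS_SETS[customer_asn]
    if update.as_path[0] != customer_asn:
        return f"reject: first AS {update.as_path[0]} is not the customer"
    for asn in update.as_path:
        if asn not in allowed:
            return f"reject: AS{asn} not in customer AS-SET"
    origin = update.as_path[-1]
    if update.prefix not in ROUTE_OBJECTS.get(origin, set()):
        return f"reject: no route object for {update.prefix} from AS{origin}"
    return "accept"


if __name__ == "__main__":
    # Constructed scenarios: (label, update, customer session it arrived on)
    cases = [
        ("legitimate origin", Update("192.0.2.0/24", (64500,)), 64500),
        ("downstream origin", Update("203.0.113.0/24", (64500, 64510)), 64500),
        ("origin hijack", Update("192.0.2.0/24", (64520,)), 64520),
        ("forged path, real origin", Update("192.0.2.0/24", (64520, 64500)), 64520),
        ("more specific than maxLength", Update("198.51.100.0/25", (64501,)), 64501),
    ]
    for label, upd, cust in cases:
        print(f"{label:30} RPKI={rpki_validate(upd):9} "
              f"filter={irr_filter(upd, cust)}")
```

The "forged path, real origin" case is the one the bullet above is about: AS64520 prepends itself to a path ending in the legitimate origin AS64500, RPKI returns "valid", and only the AS-SET check on the customer session throws it out. Note also that the downstream prefix with no ROA comes back "not-found", which most operators accept, so without the IRR-based filter it would also sail through.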

Before you tell me it can’t be done: you’re wrong.

And now it’s time for a shameless plug…

I thought we were past the "we need to educate people on how to use BGP properly" stage, but a few months ago I realized I'd been badly mistaken, so here's what we're planning to do in 2020:

  • A series of webinars on how IXPs, CDNs, and Internet peering work, including how to configure your BGP properly;
  • A webinar or two on BGP security, including MANRS;
  • Just for the giggles I’ll update the Upcoming Internet Challenges webinar that I did a decade ago and compare what I’ve been saying in 2010 with 2020 reality (hint: not much has changed).

Will any of these help? Probably not, but one can try, right?

Finally, a message to the aforementioned experts: you do realize that once someone catches you shouting from Mount Stupid (maybe because your sponsor is interested in the topic you talk about?), they stop trusting your core competence, right? So maybe we should all think twice before trying to generate cheap publicity; it just might backfire… or not - there are plenty of people who manage to become very successful dancing on that particular mountaintop.

5 comments:

  1. This post is ++.

    Supporters of the "BGP is a hot mess" mantra of thinking are just incapable of understanding how a technology that has existed for 25 years and is still the backbone of a global network is still functioning just fine.
  2. I agree that many of the implementations are because the view from what is required from business is assumed. Maybe do a series on the business of the Internet and how to map business requirements to functional technical specifications.
    Many vendors have "BGP tools" that translate a technical specification into a business requirement which didn't exist before...
  3. A fool with a tool is still a fool and there is no substitute to that problem.

    A Network Artist
  4. Time and again in IT we see where blame is misdirected. When we embrace excuses and allow others to abdicate responsibility for which they were hired, we end up with dire results. How many times do we see poor leadership blame a vendor or technology because the people operating it do not understand what they are doing?

    It is easy to blame Amazon for the exposed S3 bucket or a routing protocol for Internet instabilities. Ultimately people should be held to account. Thank you for continuing to promote expertise in our field.
  5. Great post. I am curious if many have read The Internet Peering Playbook as well. Then there are your wise occasional posts about best practice vs. general practice: points to consider when discussing what constitutes a "hot mess".