Every now and then a smart person decides to walk away from their competence zone and starts spreading pointless clickbait opinions like "BGP is a hot mess".
Like any other technology, BGP is just a tool with its advantages and limitations. And like any other tool, BGP can be used sloppily… and that’s what’s causing the various problems and shenanigans everyone is talking about.
Just in case you might be interested in facts instead of easy-to-digest fiction:
- There’s an RFC out there describing most security mechanisms available in BGP;
- A lot of good people are trying to educate those who care, and to improve the way ISPs use these security mechanisms, through Mutually Agreed Norms for Routing Security (MANRS);
- As Geoff Huston explained, the whole mess is really a business problem.
- Finally, the people benefitting most from a stable routing infrastructure (content providers) are not always the people bearing the operational costs and receiving support calls from customers who couldn't be bothered to either get educated or pay a professional to get their BGP up and running.
If you came here for the facts, read the above documents and use them. Here's a TL;DR summary:
- BGP MD5 authentication (the TCP MD5 signature option, and a few other session-protection mechanisms) makes sure you're talking to the peer you expect to be talking to, and that nobody can inject segments into that TCP session. It DOES NOT validate the content of the BGP updates the peer sends you;
- RPKI origin validation checks that the AS at the end of the AS path (the origin) is authorized to announce the prefix, and that the prefix is no more specific than the ROA allows. It CANNOT stop someone from receiving a valid prefix, keeping the legitimate origin AS in the path, munging the rest of the AS path (or other attributes), and propagating a made-up transit path to attract traffic;
- The only way to make the Internet more secure with the current set of BGP tools is to use routing databases (IRR) to build prefix and AS-path filters and to use them extensively on all untrusted BGP sessions (with your customers, and with clueless operators that would propagate YouTube prefixes from Pakistan).
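To make the difference between the last two bullets concrete, here is a toy model of both checks. This is an added example, not code from the original post: the ROA table, the IRR route objects, the AS-set membership and every prefix and AS number in it are constructed for illustration (RFC 5737 documentation prefixes and RFC 6996 private ASNs), and the filter logic is a simplified version of what IRR-based tooling generates for a customer session. It shows that an attacker who keeps the real origin AS at the end of a forged path passes origin validation, while a prefix/AS-path filter built from the routing database still rejects that update on a customer session.

```python
"""Origin validation (RPKI/ROV) vs. IRR-derived prefix/AS-path filters.

Added example, not from the original post. All data below is constructed.
"""
import ipaddress

# Constructed ROA table for origin validation: (prefix, maxLength, origin AS)
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]

# Constructed IRR route objects for one customer: prefix -> registered origin AS
ROUTE_OBJECTS = {
    "203.0.113.0/24": 64502,
    "203.0.113.128/25": 64503,
}

# Constructed AS-set for that customer: the customer (64502) and its downstream (64503)
CUSTOMER_AS_SET = {64502, 64503}


def rov_state(prefix, as_path):
    """RFC 6811-style origin validation: "Valid", "Invalid" or "NotFound".

    Looks ONLY at the rightmost AS in the path (the origin) and the prefix
    length. Everything to the left of the origin is ignored.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = [
        (maxlen, asn)
        for roa_prefix, maxlen, asn in ROAS
        if net.subnet_of(ipaddress.ip_network(roa_prefix))
    ]
    if not covering:
        return "NotFound"
    if any(asn == origin and net.prefixlen <= maxlen for maxlen, asn in covering):
        return "Valid"
    return "Invalid"


def build_customer_filter(neighbor_asn, as_set, route_objects):
    """Derive the inbound policy for one customer session from the routing
    database: the registered prefixes (with their origins) and the ASes
    allowed to appear in the path."""
    return {
        "neighbor": neighbor_asn,
        "allowed_asns": set(as_set),
        "prefixes": {p: o for p, o in route_objects.items() if o in as_set},
    }


def customer_filter_accepts(flt, prefix, as_path):
    """Inbound policy on an untrusted (customer) session:
    - prefix must be registered to a member of the customer's AS-set,
    - path must start with the neighbour AS,
    - path may only contain ASes from the AS-set,
    - the origin must match the route object."""
    if prefix not in flt["prefixes"]:
        return False
    if as_path[0] != flt["neighbor"]:
        return False
    if not set(as_path) <= flt["allowed_asns"]:
        return False
    return as_path[-1] == flt["prefixes"][prefix]


def evaluate(prefix, as_path, flt):
    """(ROV state, accepted by the customer filter) for one update."""
    return rov_state(prefix, as_path), customer_filter_accepts(flt, prefix, as_path)


if __name__ == "__main__":
    flt = build_customer_filter(64502, CUSTOMER_AS_SET, ROUTE_OBJECTS)
    cases = [
        ("203.0.113.0/24", [64502]),                # customer's own registered prefix
        ("192.0.2.0/24", [64502, 64666]),           # origin hijack: ROV catches it
        ("192.0.2.0/24", [64502, 64666, 64500]),    # forged path, real origin kept: ROV passes
        ("198.51.100.0/25", [64502, 64501]),        # more specific than maxLength: ROV Invalid
    ]
    for prefix, path in cases:
        print(prefix, path, evaluate(prefix, path, flt))
```

The third case is the one the post warns about: the path `64502 64666 64500` ends in the legitimate origin, so origin validation returns Valid, and only the IRR-derived filter (which knows the customer is not a transit provider for 64500) rejects it.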
Before you tell me it can’t be done: you’re wrong.
And now it’s time for a shameless plug…
I thought we were past the "we need to educate people on how to use BGP properly" stage, but I realized a few months ago I'd been badly mistaken, so here's what we're planning to do in 2020:
- A series of webinars on how IXPs, CDNs, and Internet peering work, including how to configure your BGP properly;
- A webinar or two on BGP security, including MANRS;
- Just for the giggles I’ll update the Upcoming Internet Challenges webinar that I did a decade ago and compare what I’ve been saying in 2010 with 2020 reality (hint: not much has changed).
Will any of these help? Probably not, but one can try, right?
Finally, a message to the aforementioned experts: you do realize that once someone catches you shouting from Mount Stupid (maybe because your sponsor is interested in the topic you talk about?), they stop trusting your core competence, right? So maybe we should all think twice before trying to generate cheap publicity; it just might backfire… or not: there are plenty of people who manage to become very successful dancing on that particular mountaintop.