Category: BGP

BGP Labs: Protect EBGP Sessions

I published another BGP labs exercise a few days ago. You can use it to practice EBGP session protection, including Generalized TTL Security Mechanism (GTSM) and TCP MD5 checksums1.

I would strongly recommend to run BGP labs with netlab, but if you like extra work, feel free to use any system you like including physical hardware.

  1. I would love to add TCP-AO to the mix, but it’s not yet supported by the Linux kernel, and so cannot be used in Cumulus Linux or FRR containers. ↩︎

add comment

Case Study: BGP Routing Policy

Talking about BGP routing policy mechanisms is nice, but it’s even better to see how real Internet Service Providers use those tools to implement real-life BGP routing policy.

Getting that information is incredibly hard as everyone considers their setup a secret sauce. Fortunately, there are a few exceptions; Pim van Pelt described the BGP Routing Policy of IPng Networks in great details. The article is even more interesting as he’s using Bird2 configuration language that looks almost like a programming language (as compared to the ancient route-maps used by vendors focused on “industry-standard” CLI).

Have fun!

add comment

BGP Labs: Simple Routing Policy Tools

The first set of BGP labs covered the basics, the next four will help you master simple routing policy tools (BGP weights, AS-path filters, prefix filters) using real-life examples:

The labs are best used with netlab (it supports BGP on almost 20 different devices), but you could use any system you like (including GNS3 and CML/VIRL). If you’re stubborn enough it’s possible to make them work with the physical gear, but don’t ask me for help. For more details, read the Installation and Setup documentation.

add comment

BGP Labs: The Basics

The first BGP labs are online. They cover the basic stuff (one has to start with the basics, right?):

The labs are supposed to be run on virtual devices, but if you’re stubborn enough it’s possible to make them work with the physical gear. In theory, you could use any system you like to set up the virtual lab (including GNS3 and CML/VIRL), but your life will be way easier if you use netlab – it supports BGP on almost 20 different devices. For more details, read the Installation and Setup documentation.

add comment

New Project: BGP Hands-On Labs

Approximately 30 years ago I managed to persuade the powers-that-be within Cisco’s European training organization that they needed a deep-dive BGP course, resulting in a 3 (later 5) day Advanced BGP Configuration and Troubleshooting (ABCT) course1. I was delivering that course for close to a decade, and gradually built a decent story explaining the reasoning and use cases behind most of (then available) BGP features, from simple EBGP sessions to BGP route reflectors and communities2.

Now imagine having more than a dozen hands-on labs that go with the “BGP from rookie to hero” story available for any platform of your choice3. I plan to make that work (eventually) as an open-source project that you’ll be able to download and run free-of-charge.

read more see 3 comments

Worth Reading: Another BGP Session Reset Bug

Emile Aben is describing an interesting behavior observed in the Wild West of the global Internet: someone started announcing BGP paths with an unknown attribute, which (regardless of RFC 7606) triggered some BGP session resets.

One would have hoped we learned something from the August 2010 incident (supposedly caused by a friend of mine 😜), but it looks like some things never change. For more details, watch the Network Security Fallacies and Internet Routing Security webinar.

add comment

Please Respond: MANRS Customer Survey

Andrei Robachevsky asked me to spread the word about the new MANRS+ customer survey:

MANRS is conducting a survey for organizations that contract connectivity providers to learn more about if and how routing security fits into their broader supply chain security strategy. If this is your organization, or if it is your customers, we welcome you to take or share the survey at

I hope you immediately clicked on the link and completed the survey. If you’re still here wondering what’s going on, here’s some more information from Andrei:

read more add comment

Classification of BGP Route Leaks (RFC 7908)

While preparing the Internet Routing Security webinar, I stumbled upon RFC 7908, containing an excellent taxonomy of BGP route leaks. I never checked whether it covers every possible scenario1, but I found it a handy resource when organizing my thoughts.

Let’s walk through the various leak types the authors identified using the following sample topology:

read more add comment

Default EBGP Policy (RFC 8212)

One of the most common causes of Internet routing leaks is an undereducated end-customer configuring EBGP sessions with two (or more) upstream ISPs.

Without basic-level BGP knowledge or further guidance from the service providers, the customer network engineer1 might start a BGP routing process and configure two EBGP sessions, similar to the following industry-standard CLI2 configuration:

read more see 1 comments

Service Insertion with BGP FlowSpec

Nicola Modena had an interesting presentation describing how you can use BGP FlowSpec for traffic steering and service insertion during the recent ITNOG 7 event (more about the event in a few days).

One of the slides explained how to use three different aspects of BGP (FlowSpec, MPLS/VPN and multipathing), prompting me to claim the presentation title should be “BGP is the answer, what was the question?” 😉 Hope you’ll enjoy the PDF version of the presentation as much as we did the live one.

add comment

Modifying BGP Behavior with xBGP API

When I reposted a link to xBGP: Faster Innovation in Routing Protocols paper, someone immediately replied

Quite interesting, but it feels like this could become the proverbial 15th standard.

xBGP is an API that allows BGP users to implement routing policies (route selection, filtering, or propagation) that use attributes or mechanisms defined in newer IETF RFCs or drafts, so the proverbial 15th standard is not that far off the mark. However, we must remember that what we call BGP is more than just a set of competing standards.

read more add comment