iljitsch.com

topics: all · BGP / IPv6 / more · settings · b&w · my business: inet⁶ consult · Twitter · Mastodon · LinkedIn · email · 🇺🇸 🇳🇱

Hi, I'm Iljitsch van Beijnum. This page has all posts about all subjects.

→ What can be learned from BGP hijacks targeting cryptocurrency services?

Interesting blog post on the APNIC blog by Doug Madory:

On 17 August 2022, an attacker was able to steal approximately USD 235,000 in cryptocurrency by employing a BGP hijack against the Celer Bridge, a service that allows users to convert between cryptocurrencies.

In this blog post, I discuss this and previous infrastructure attacks against cryptocurrency services. While these episodes revolve around the theft of cryptocurrency, the underlying attacks hold lessons for securing the BGP routing of any organization that conducts business on the Internet.

Using BGP to steal cryptocurrency is happening with some regularity now...

The important lesson comes at the end: Amazon shouldn't have RPKI ROAs for a /10 and a /11 with a maximum prefix limit of /24.

This way, the attacker, thanks to an ISP that didn't properly filter its customer's BGP announcements, was able to advertise a /24 out of Amazon's address space and have that announcement be labeled "valid" by RPKI route origin validation.

Amazon advertises a /11, and if the maximum prefix length in the ROA for that /11 had been just /11, the attacker wouldn't have been able to "shoplift" just that /24, but they'd have to go head-to-head against Amazon for that entire /11. That would have had a much lower chance of success and much higher chance of being noticed quickly.

(Shameless plug: if all that RPKI and ROA talk is gibberish to you, my new BGP e-book has a section on what RPKI is and how it works.)

Permalink - posted 2022-11-24

New e-book: Internet Routing with BGP

I did it again... I wrote another book.

20 years ago O'Reilly published my first book, titled simply “BGP”. My goal with that book was to write the book that I would have liked to have read when I started my journey with the Border Gateway Protocol, the internet's routing protocol.

Although amazingly, we still use the same version 4 of the BGP protocol as in 1994, a lot has changed. As updating my previous book was not in the cards, I decided to write a completely new book about BGP. It's called “Internet Routing with BGP” and it's now available as an e-book. See the end of the article for details and links.

Read the article - posted 2022-11-18

Internet Routing with BGP, my new e-book, is now available from Amazon, Apple and Google

The book is now available through Amazon in Kindle format, Apple Books in EPUB format and the Google Play Store in PDF and EPUB formats. The price is US$ 9.99 or € 9.99 (or similar in other currencies).

Full article / permalink - posted 2022-11-18

My BGP minilab

When I wrote my first BGP book I painstakingly made the config examples on actual Cisco routers. In my opinion, it's crucial to make sure that configuration examples that go in a book actually work.

So when I started writing my new BGP book, I did the same. But this time, I used open source routing software (FRRouting) running in Docker containers. Basically, those containers are very light-weight virtual machines.

This makes it possible to run a dozen virtual routers that start up and shut down in just a few seconds. So it's very easy to run different examples by starting the required virtual routers with the configuration for that example.

This was super useful when I was writing the book.

So I thought it would also be very useful for people reading the book.

So I'm making the "BGP minilab" with all the config examples from the book available to my readers. Download version 2022-11 of the minilab that goes with the first version of the book here.

You can also run the examples in the minilab if you don't have the book. And you can create your own labs based on these scripts.

The minilab consist of four scripts:

There are Mac/Linux shell script and Windows Powershell versions of each script.

Permalink - posted 2022-11-11

→ Why Egypt became one of the biggest chokepoints for Internet cables

The Asia-Africa-Europe-1 Internet cable travels 15,500 miles along the seafloor, connecting Hong Kong to Marseille, France. As it snakes through the South China Sea and toward Europe, the cable helps provide Internet connections to more than a dozen countries, from India to Greece. When the cable was cut on June 7, millions of people were plunged offline and faced temporary Internet blackouts.

The cable, also known as AAE-1, was severed where it briefly passes across land through Egypt. One other cable was also damaged in the incident, with the cause of the damage unknown.

Interesting article about how Egypt is a choke point for undersea cables between Europe and Asia (and eastern Africa).

Permalink - posted 2022-11-03

Free Range Routing vs Quagga/Cisco

Back in the 1990s, I used Cisco routers. Mostly rather underpowered ones such as the Cisco 2500 series. I later started using the Zebra and then Quagga routing software for the lab part of my training courses.

However, like Zebra before it, Quagga also ran out of steam but was forked by people (and companies) who saw value in the software. The Quagga fork is Free Range Routing a.k.a. FRRouting a.k.a. FRR.

As I was writing my new BGP book, I made configuration examples in Quagga. But about two thirds in, I decided to switch to FRRouting.

Full article / permalink - posted 2022-11-02

older posts - newer posts

Search for:
RSS feed

Archives: 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024