back to article BGP borked? Blame the net's big boppers

The Internet's fundamental routing infrastructure, the Border Gateway Protocol (BGP), is so fragile that errors in one to four per cent of ISP route filters can propagate bad routes. So says Czech DDOS-defender Qrator Labs, which carried out a project to try and help the Internet community quantify how much of the threat to …

  1. A Non e-mouse Silver badge

    Azimov's advice

    Lots of fancy words which can be boiled down to: Don't trust the s**t your customer sends you.

  2. MrBlack

    He could have just boiled it down to three laws..

  3. Lee D Silver badge

    Oh look.

    This is unprecedented.

    "Failure to properly sanitise input data".

    "Failure to apply least-privilege principles" (if it's not explicitly allowed, it can't happen).

    "Failure to apply sensible defaults"

    "Failure to check output of own systems matches expectations"

    It's not like those EVER cause problems, is it?

  4. SImon Hobson Silver badge
    Thumb Up

    To be fair, while it does read much like a re-iteration of GIGO - they have actually tried to quantify how much GI is being allowed. Thumbs up for the quantification.

  5. Jellied Eel Silver badge

    Swamp thing

    You make my heart sing, you make everything.. interesting to route. So-

    put IRR filters on all customer links; watch for customers adding “something weird” in their AS-SETs; consider applying IRR filters to peering links; and “constantly monitor BGP”.

    The last bit is probably the easiest, ie 'why is traffic going thataway?'. Rest is largely down to history and the trust model, ie BGP being between peers. Which also ended up being some single homed customers, who often don't need it. Or multi-homed with PI, who may still be wondering about load balancing.

    Or the biggest issue, a lot of routes that don't have route objects, AS-SETs or just refer you to the space holder, who's usually in the US. Where despite the best efforts of the other registries, IRR's haven't proven popular.

  6. Mayday
    Alert

    Back in the day

    Details/memory are murky. I wasn't the boss guy here so don't blame me for the initial cockup.

    Some ISP in Malaysia begun announcing a /15 (??) of ours. Bad bad ISP, and bad for those ASs around them to accept it. Probably a lot of bad all round.

    Everyone running around like headless chooks trying to sort the routing out until such time as we could tell the Malaysian mob to re-enter the right config on their boxes. I (young guy not allowed to talk because I couldn't possibly know any better) suggested that we advertise the /15 as two separate /16s so the more specifics would appear in the tables until such time as we could sort it out.

    It worked until we were able to contact the Malaysian ISP but it goes to show how easy this stuff can happen.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020