[menog] Massive route leak impacts major parts of the Internet, including Cloudflare

Job Snijders job at ntt.net
Tue Jun 25 15:23:00 UTC 2019


Dear all,

I've compiled a list of study resource references that can perhaps be
a starting point for anyone interested in improving the security of
their BGP perimeter:

presentation: Architecting robust routing policies
pdf: https://ripe77.ripe.net/presentations/59-RIPE77_Snijders_Routing_Policy_Architecture.pdf
video: https://ripe77.ripe.net/archive/video/Job_Snijders-B._BGP_Policy_Update-20181017-140440.mp4

presentation: Practical Everyday BGP filtering "Peerlocking"
pdf: http://instituut.net/~job/NANOG67_NTT_peerlocking_JobSnijders.pdf
video: https://www.youtube.com/watch?v=CSLpWBrHy10

RFC 8212 ("EBGP default deny") and why we should ask our vendors like
Cisco IOS, IOS XE, NX-OS, Juniper, Arista, Brocade, etc... to be
compliant with this RFC:
slides 2-14: http://largebgpcommunities.net/presentations/ITNOG3-Job_Snijders_Recent_BGP_Innovations.pdf
skip to the rfc8212 part: https://youtu.be/V6Wsq66-f40?t=854
compliance tracker: http://github.com/bgp/RFC8212

The NLNOG Day in Fall 2018 has a wealth of RPKI related presentations
and testimonies: https://nlnog.net/nlnog-day-2018/

Finally, there is the NLNOG BGP Filter Guide: http://bgpfilterguide.nlnog.net/
If you spot errors or have suggestions, please submit them via github
https://github.com/nlnog/bgpfilterguide

Please let me or the group know should you require further information,
I love talking about this topic ;-)

Kind regards,

Job

On Tue, Jun 25, 2019 at 5:17 PM Hisham Ibrahim <hmi at ripe.net> wrote:
>
> Dear all,
>
> Yesterday a small company in Northern Pennsylvania became a preferred path of many Internet routes through Verizon (AS701), a major Internet transit provider.
>
> The details of the outage can be read here.
>
> https://radar.qrator.net/blog/how-difficult-is-to-disrupt-a-service-nowadays
>
> Cloudflare, one of those affected, also published more on the issue and how it impacted their operations.
>
> https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/?fbclid=IwAR11RUJU-jY-PbGMH1WjIdbR6WhqkSDcWlQR5pFU5sKsVJwPpUrTyfwJJIw
>
> Solution: if you have not already considered RPKI then you probably should.
>
> https://www.ripe.net/manage-ips-and-asns/resource-management/certification
>
> If you are interested in understanding more about how to deploy RPKI please let us know.
>
> Regards
> Hisham