Jeffrey Haas16h ago

BGP has been a very successful protocol and much of its success is the ability to incrementally deploy new features. However, those same mechanisms create gotchas when extensions leak beyond where they're supposed to be.

A document I've been working on for a while discussing the problem and some of the solutions is up for adoption in IETF. Please take a look at the document and consider contributing to the solution space if you work in BGP networking.

#bgp #ietf

https://www.ietf.org/archive/id/draft-haas-idr-bgp-attribute-escape-04.html

BGP Attribute Escape

BGP-4 [RFC 4271] has been very successful in being extended over the years it has been deployed. A significant part of that success is due to its ability to incrementally add new features to its Path Attributes when they are marked "optional transitive". Implementations that are ignorant of a feature for an unknown Path Attribute that are so marked will propagate BGP routes with such attributes. Unfortunately, this blind propagation of unknown Path Attributes may happen for features that are intended to be used in a limited scope. When such Path Attributes inadvertently are carried beyond that scope, it can lead to things such as unintended disclosure of sensitive information, or cause improper routing. In their worst cases, such propagation may be for malformed Path Attributes and lead to BGP session resets or crashes. This document calls such inadvertent propagation of BGP Path Attributes, "attribute escape". This document further describes some of the scenarios that leads to this behavior and makes recommendations on practices that may limit its impact.

Jeffrey Haas1d ago

RE: https://mastodon.social/@next_hopself/116687933953241790

My hands are sadly not clean here. Updating defaults in widely deployed implementations is painful.

That said, even though it takes a knob for some implementations, best practice is worth following.

#bgp

BfPVDFUe1d ago

My little crossconnect - peering is magic

#bgp

Cloudflare Blog2d ago

Enforcing the First AS in BGP AS_PATHs

https://blog.cloudflare.com/enforce-first-as-bgp/

#Networking #Security #BGP

Enforcing the First AS in BGP AS PATHs

BGP is vulnerable to routing hijacks and path leaks that negatively impact traffic on the Internet. RPKI helps solve some of these problems, but for some forged paths, we need to rely on a simpler mechanism: First AS enforcement in BGP.

The Cloudflare Blog
NLnet Labs3d ago

We've released version 0.6.0 of Rotonda, our BMP and BGP route collection and analysis software.

This version incorporates the freshly released Roto v0.11, our scripting language used in Rotonda filters. Its new `List[T]` and optional types are a natural and ergonomic fit, for example for prefix and ASN lists.

Find the full changelog on Github:
https://github.com/NLnetLabs/rotonda/releases/tag/v0.6.0

And for any discussion or questions, don't hesitate to drop by on our Discourse:
https://community.nlnetlabs.nl/t/rotonda-0-6-0-pollens-released

#bgp #bmp #rustlang

Release 0.6.0 'Pollens!' · NLnetLabs/rotonda

0.6.0 'Pollens!' Released 2026-06-01. This release contains many changes in both the Roto language as well as the Rotonda-specific Roto runtime. In addition to the points described in this changelo...

GitHub
Łukasz Bromirski 4d ago
Am I evil? No, I waste time of evil people so they don't bother you. Tarpit network is growing and will be also visible via my BGP Blackholing feeds. Stay tuned to join The Network: #tarpit #security #bgp
skorpy5d ago

Warum ist die @jadyn und @nominom eigentlich dadrüber verwirrt das ich eine Auto #Flexbox habe neben der „Büro“/Hackspace und Zuhause Flexbox?

#Network #Internet #BGP #SinglemodeUltras

BGPKIT6d ago

🚀 Monocle v1.3.0 is now available.

This release introduces the monocle rib command, a new way to reconstruct #BGP RIB state at arbitrary timestamps.

Most BGP tools show you what happened during an update file. monocle rib shows you the route state as it existed at any moment in time: load the latest RIB dump at or before your target timestamp, replay all overlapping updates, and materialize the final state per peer and prefix.

https://blog.bgpkit.com/monocle-v1-3-0-reconstruct-bgp-rib-state-at-any-timestamp

monocle v1.3.0: Reconstruct BGP RIB State at Any Timestamp - BGPKIT

monocle v1.3.0 introduces the rib command for reconstructing BGP RIB state at arbitrary timestamps.

N-gated Hacker NewsMay 29
🌐🤦‍♂️ Oh, the excitement! A blog post about #BGP feeds that somehow splits the atom by announcing the earth-shattering addition of...wait for it...IPv6! 🎉 Don't worry, if your network implodes, it's all on you—because, really, who wouldn't want to play Russian roulette with their #router for fun? 😂
https://lukasz.bromirski.net/post/bgp-w-labie-3/ #IPv6 #Fun #NetworkIssues #TechHumor #HackerNews #ngated
bgp in the lab #3

after last blog on sharing full bgp feed for IPv4, I got a number of interesting questions. given many of you were asking to have also IPv6 available, I decided to extend the project to cover that as well. disclaimer you’re doing this ON YOUR OWN. i’m not responsible for anything on your end and service itself. so if it crashes your router, makes all traffic to follow different paths, or essentially anything that you can’t control - you’re completely on your own.

lukasz.bromirski.net
Hacker NewsMay 29

Free full BGP feed. IPv4 and IPv6

https://lukasz.bromirski.net/post/bgp-w-labie-3/

#HackerNews #BGP #IPv4 #IPv6 #networking #freefeed

bgp in the lab #3

after last blog on sharing full bgp feed for IPv4, I got a number of interesting questions. given many of you were asking to have also IPv6 available, I decided to extend the project to cover that as well. disclaimer you’re doing this ON YOUR OWN. i’m not responsible for anything on your end and service itself. so if it crashes your router, makes all traffic to follow different paths, or essentially anything that you can’t control - you’re completely on your own.

lukasz.bromirski.net