Month: May 2014

BGP dampening – punishment for unstable BGP prefixes

BGP prefix flapping can be caused by different issues in network. Basically every unstable network where links are unreliably and are going up and down here and there can cause BGP prefix flapping. Every prefix flap will cause some networks to became unreachable. BGP process will then need to recalculate best-path in order to hopefully find other way to get towards unreachable network.

Impact on the network can be enormous as one network prefix missing can mean that huge number of other networks will change the path on which they are reachable. In the situation of prefix flap we have the prefix going up and down all the time. After every status change all those efforts of finding new best-path are done, and when the prefix comes back, everything is calculated again and becomes like before. We have a way to cut the impact of flapping prefixes.

By implementing BGP prefix dampening. When configured, dampening will punish those prefixes that are changing state from reachable to unreachable few time in determined time period. After every flap BGP will give to that prefix a defined penalty of 1000 by default. The penalty points will immediately start to be reduced exponentially but if the prefix flaps more times in little time period he will surely collect enough point to reach Suppress Limit and BGP will at that point mark the prefix as damped. It means that it will immediately suppress the advertisement of the prefix until the penalty points do not fall below Reuse Limit which is 1000 by default. Suppress limit is 2000 by default and yes, there will be needed for prefix to flap three times in order to be suppressed by default (you need to count that the first penalty will be 1000, next one also 1000, but the first one will fall at least by 1 to 999 before second flap occurs.)

| Continue Reading.. |

Source-based routing in IPv4 and IPv6 networks

In my current studies, I did some work about security inside networking data paths. In my recent work, I tried to get some experiments done that needed to use source based routing in order to be completed. Like most of the scientific work that tries to get from paper to experiment and then to something useful, it failed at the very beginning. If I can be more precise and improve a bit the appearance of my failure here. I can do it by explaining what happened and what did I came across while researching my idea. It’s something as simple as this:

Source based routing, by the suggestion of IETF needs to be disabled by default on networking devices. At least it should be as the feature itself is recognised as a major security threat and IETF itself is trying to get rid of it.

Of course that can be considered like a stop sign in an experiment where you are relying solely on source based routing to get your thing running.   (:

When you look at the networking technology these days that’s probably IP protocol that you are talking about. Okay maybe you are new age junkie and you are probably speaking about IPv6 protocol. Either way, the very first and main principle of routing packet across data network is based on the destination IP address routing/decision making. Router is making decision on where will he send some packet based more or less solely on destination IP address. It is doing so by reading his locally built routing table of destination subnets. From that table router gets the info out of which interface will he sent the packet that is destined for some address.

| Continue Reading.. |