Implementation of Anti-Spoofing and Asymmetric Routing on Linux Routers.

Hi guys,

We are currently researching the use of Bird and Debian 11 as a router. Typically, for implementing asymmetric routing, we would disable source address validation on the Linux network interfaces because Bird only imports the preferred BGP routes into the kernel.

To disable source address validation, we added the following lines to the /etc/sysctl.conf file:

echo "net.ipv4.conf.default.rp_filter=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter=0" >> /etc/sysctl.conf

However, this causes the Linux router to no longer inspect inbound traffic, making it susceptible to spoofing attacks. For example:

10:03:26.838383 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 905: 122.50.0.17.3036 > 39.156.66.10.80: Flags [SE], seq 198995835:198996686, win 60981, length 851: HTTP
10:03:26.838392 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 947: 122.50.0.152.32073 > 39.156.66.10.80: Flags [S], seq 2101939968:2101940861, win 62208, length 893: HTTP
10:03:26.838392 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 54: 81.161.230.95.80 > 157.245.124.144.80: Flags [R.], seq 0, ack 21709, win 0, length 0
10:03:26.838399 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 908: 122.50.0.72.62493 > 124.220.216.71.80: Flags [SE], seq 4095570527:4095571381, win 62133, length 854: HTTP
10:03:26.838400 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 54: 81.161.230.95.80 > 157.245.124.144.80: Flags [R.], seq 0, ack 5445, win 0, length 0
10:03:26.838406 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 908: 122.50.1.104.54896 > 39.156.66.10.80: Flags [SE], seq 3597707872:3597708726, win 61211, length 854: HTTP
10:03:26.838414 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 936: 122.50.2.72.7733 > 39.156.66.10.80: Flags [SE], seq 506840124:506841006, win 62528, length 882: HTTP
10:03:26.838421 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 944: 122.50.2.135.47620 > 39.156.66.10.80: Flags [SE], seq 3120826456:3120827346, win 61210, length 890: HTTP
10:03:26.838429 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 947: 122.50.2.178.34590 > 39.156.66.10.80: Flags [SE], seq 2266895668:2266896561, win 62280, length 893: HTTP
10:03:26.838438 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 907: 122.50.0.244.59325 > 39.156.66.10.80: Flags [SE], seq 3887931453:3887932306, win 64335, length 853: HTTP

The solutions I can think of are as follows:

1. Obtain all routes from BGP, e.g., from AS1 and AS2, via different network interfaces. Then, convert these addresses into a whitelist and filter inbound traffic on the network interfaces based on prefixes using nft.
2. Import all routes into the Linux kernel, similar to ECMP (Equal-Cost Multipath Routing).

However, these implementations can be complex. Does anyone have experience using Linux as a BGP router?

Thanks,
*Brandon Zhi*
HUIZE LTD
www.huize.asia <https://huize.asia/> | www.ixp.su | Twitter

This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.

Obtain all routes from BGP, e.g., from AS1 and AS2, via different network interfaces. Then, convert these addresses into a whitelist and filter inbound traffic on the network interfaces based on prefixes using nft.

Why not use bgpq4 or similar to generate the prefix-filters from IRR data? Works like a charm for prefix filter lists < 5000 aggregated prefixes per AS as long as your peers maintain their IRR data (which is a MANRS requirement 😉).

Additional benefit is you can use the same prefix filter lists for route filtering and supports multiple router vendors.

Kind regards,
*Antoin Verschuren* Senior Manager Network Security
*M* + 31 6 15682664
*Liberty Global Technology Services B.V.*
Boeing Avenue 53
1119 PE Schiphol-Rijk
The Netherlands
www.libertyglobal.com

*From:* Manrs-community <manrs-community-bounces@elists.manrs.org> *On Behalf Of* Brandon Zhi
*Sent:* Thursday 14 September 2023 14:30
*To:* Manrs-community@elists.manrs.org
*Subject:* [manrs-community] Implementation of Anti-Spoofing and Asymmetric Routing on Linux Routers.

Yeah, it is better to compare with getting prefixes from the BGP session. On the other hand, the BGP software only imports the best route into the kernel, which results in the inability to implement asymmetric routing even if loose mode is turned on. Sometimes it doesn't work if I set rp_filter=2.

*Brandon Zhi*
HUIZE LTD
www.huize.asia <https://huize.asia/> | www.ixp.su | Twitter

On Fri, 15 Sept 2023 at 17:16, Verschuren, Antoin <averschuren@libertyglobal.com> wrote:

Hi

Using x86 routers and Mellanox switches running Debian 12 and FRR 9.

In both cases we disable rp_filter.

On x86 (IPT routers) we use nftables to implement anti-spoofing. Pretty basic - drop all packets that leave our network if source address is not in our IP ranges.

On Mellanox (peering routers) we use tc rules (hardware path). Here we drop packets we receive on the fibre network facing interfaces, based on which subnets are routed there. tc syntax involves more rules to write and maintain (vs nft).

You could probably use tc in both cases.

--
Regards, Joe
Atomic Access - we make fibre epic! www.atomicaccess.co.za - 021 300 5046
"The new needs friends." -- Anton Ego
www.facebook.com/AtomicAccess www.instagram.com/AtomicAccess

On 14 Sep 2023, at 14:30, Brandon Zhi <Brandon@huize.asia> wrote:

-- Manrs-community mailing list Manrs-community@elists.manrs.org https://elists.manrs.org/mailman/listinfo/manrs-community
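As an added illustration of the nft whitelist idea from the first message and of Joe's "drop what is not routed behind that interface" approach (example code written for this thread, not code from any of the posters), the script below builds one nftables interval set per BGP-facing interface from all routes received over that session (or from a bgpq4-generated prefix list), adds the link subnet so the BGP session itself survives, renders the drop rules, and emulates the resulting verdict for a packet. Interface names, prefixes, link subnets and the table name are constructed assumptions.

```python
# Added example for this thread: per-interface nftables anti-spoofing sets
# built from BGP-received routes, for routers that run with rp_filter=0.
#
# Why not strict uRPF: BIRD exports only the best path to the kernel FIB,
# so rp_filter=1 drops legitimate return traffic that arrives over the
# non-preferred path. Building the allow-list from *all* received routes
# per session keeps asymmetric traffic while still dropping sources that
# are not routed behind that interface at all.
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed sample input (hypothetical interfaces and prefixes). In practice
# this comes from the routing daemon's received routes per session, or from
# an IRR-based list generated with bgpq4 for the peer's AS.
RECEIVED_ROUTES: Dict[str, List[str]] = {
    # session over eth1: overlapping and adjacent prefixes on purpose
    "eth1": ["192.0.2.0/24", "192.0.2.128/25",
             "198.51.100.0/25", "198.51.100.128/25"],
    # session over eth2: 198.51.100.0/24 is reachable via both sessions,
    # so its return traffic may legitimately arrive on either interface
    "eth2": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Point-to-point link subnets (constructed). They must be allowed as well,
# otherwise the BGP session's own TCP packets from the peer address are dropped.
LINK_SUBNETS: Dict[str, str] = {"eth1": "10.0.1.0/30", "eth2": "10.0.2.0/30"}


def build_allow_sets(received: Dict[str, Iterable[str]],
                     links: Dict[str, str]) -> Dict[str, List[IPv4Net]]:
    """Return {iface: aggregated, sorted list of networks allowed as source}."""
    out: Dict[str, List[IPv4Net]] = {}
    for iface, prefixes in received.items():
        nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
        if iface in links:
            nets.append(ipaddress.ip_network(links[iface], strict=False))
        # collapse_addresses merges adjacent prefixes, drops covered
        # more-specifics and returns them sorted: a small interval set
        out[iface] = list(ipaddress.collapse_addresses(nets))
    return out


def render_nft(allow: Dict[str, List[IPv4Net]], table: str = "antispoof") -> str:
    """Render an nftables ruleset: one interval set per interface plus a
    prerouting chain that drops packets whose source is not in the set of
    the interface they arrived on. Interfaces without a set are untouched."""
    lines = [f"table inet {table} {{"]
    for iface, nets in allow.items():
        elems = ", ".join(str(n) for n in nets)
        lines += [
            f"    set allow_{iface} {{",
            "        type ipv4_addr",
            "        flags interval",
            f"        elements = {{ {elems} }}",
            "    }",
        ]
    lines += [
        "    chain ingress_urpf {",
        "        type filter hook prerouting priority -300; policy accept;",
    ]
    for iface in allow:
        lines.append(
            f'        iifname "{iface}" ip saddr != @allow_{iface} counter drop')
    lines += ["    }", "}"]
    return "\n".join(lines)


def verdict(allow: Dict[str, List[IPv4Net]], iface: str, src: str) -> str:
    """Emulate the rendered rules for one packet: 'accept' or 'drop'."""
    nets = allow.get(iface)
    if nets is None:
        return "accept"  # no set for this interface: chain policy applies
    addr = ipaddress.ip_address(src)
    return "accept" if any(addr in n for n in nets) else "drop"


ALLOW_SETS = build_allow_sets(RECEIVED_ROUTES, LINK_SUBNETS)

if __name__ == "__main__":
    print(render_nft(ALLOW_SETS))
```

The generated text is meant to be loaded with `nft -f` and regenerated whenever the received routes change; it is sized for peer and customer sessions, since a full transit table would produce a very large set, which is the scaling limit Antoin's "< 5000 aggregated prefixes per AS" remark points at.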

Hello,

What is an IP address?

—
Best Regards.
*Alperen T. AYDIN* C-Level Executive
T: 0850 888 2 507 F: 0242 922 0 725 E: info@kapteyan.com.tr
*Kapteyan Bilişim Teknolojileri AŞ* Tarım Mh. Perge Bulvarı Cd. Perge Plaza İş Merkezi C Blok No: 13/106 Muratpaşa / ANTALYA
www.kapteyan.com.tr

On 15 Sep 2023, at 16:23, Joe Botha <joe@atomic.ac> wrote:

Hi all,

Thank you for your suggestions. I have been studying how to add the prefixes received from BGP to tc rules to whitelist them.

At present, I have not found any relevant tutorials. It would be better if there were relevant tutorials.

Best,
*Brandon Zhi*
HUIZE LTD
www.huize.asia <https://huize.asia/> | www.ixp.su | Twitter

On Fri, 15 Sept 2023 at 21:36, Kapteyan Bilişim Teknolojileri AŞ <info@kapteyan.com.tr> wrote:

Hi Why do you need to use BGP? You know your own prefixes right? All traffic leaving your network must have source address in your prefix ranges. -- Regards, Joe Atomic Access - we make fibre epic! www.atomicaccess.co.za - 021 300 5046 "The new needs friends." -- Anton Ego www.facebook.com/AtomicAccess www.instagram.com/AtomicAccess
On 25 Sep 2023, at 18:09, Brandon Zhi <Brandon@huize.asia> wrote:
Hi all,
Thank you for your suggestions. I have been studying how to add the prefixes received from BGP to tc rules to whitelist them.
At present, I have not found any relevant tutorials. It would be better if there were relevant tutorials.
Best, Brandon Zhi HUIZE LTD www.huize.asia | www.ixp.su | Twitter
This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.
On Fri, 15 Sept 2023 at 21:36, Kapteyan Bilişim Teknolojileri AŞ <info@kapteyan.com.tr> wrote: Hello,
What is an IP address? — Best Regards. Alperen T. AYDIN C-Level Executive T: 0850 888 2 507 F: 0242 922 0 725 E: info@kapteyan.com.tr Kapteyan Bilişim Teknolojileri AŞ Tarım Mh. Perge Bulvarı Cd. Perge Plaza İş Merkezi C Blok No: 13/106 Muratpaşa / ANTALYA www.kapteyan.com.tr
On 15 Sep 2023, at 16:23, Joe Botha <joe@atomic.ac> wrote:
Hi
Using x86 routers and Mellanox switches running Debian 12 and FRR 9.
In both cases we disable rp_filter.
On x86 (IPT routers) we use nftables to implement anti-spoofing. Pretty basic - drop all packets that leave our network if source address is not in our IP ranges.
On Mellanox (peering routers) we use tc rules (hardware path). Here we drop packets we receive on the fibre network facing interfaces, based on which subnets are routed there. tc syntax involves more rules to write and maintain (vs nft).
You could probably use tc in both cases.
-- Regards, Joe
Atomic Access - we make fibre epic! www.atomicaccess.co.za - 021 300 5046
<Atomic-Logo.png>
"The new needs friends." -- Anton Ego www.facebook.com/AtomicAccess www.instagram.com/AtomicAccess
On 14 Sep 2023, at 14:30, Brandon Zhi <Brandon@huize.asia> wrote:
Hi guys,
We are currently researching the use of Bird and Debian 11 as a router. Typically, for implementing asymmetric routing, we would disable source address validation on the Linux network interfaces because Bird only imports the preferred BGP routes into the kernel.
To disable source address validation, we added the following lines to the /etc/sysctl.conf file:
echo "net.ipv4.conf.default.rp_filter=0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.rp_filter=0" >> /etc/sysctl.conf
However, this causes the Linux router to no longer inspect inbound traffic, making it susceptible to spoofing attacks. For example:
10:03:26.838383 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 905: 122.50.0.17.3036 > 39.156.66.10.80: Flags [SE], seq 198995835:198996686, win 60981, length 851: HTTP 10:03:26.838392 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 947: 122.50.0.152.32073 > 39.156.66.10.80: Flags [S], seq 2101939968:2101940861, win 62208, length 893: HTTP 10:03:26.838392 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 54: 81.161.230.95.80 > 157.245.124.144.80: Flags [R.], seq 0, ack 21709, win 0, length 0 10:03:26.838399 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 908: 122.50.0.72.62493 > 124.220.216.71.80: Flags [SE], seq 4095570527:4095571381, win 62133, length 854: HTTP 10:03:26.838400 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 54: 81.161.230.95.80 > 157.245.124.144.80: Flags [R.], seq 0, ack 5445, win 0, length 0 10:03:26.838406 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 908: 122.50.1.104.54896 > 39.156.66.10.80: Flags [SE], seq 3597707872:3597708726, win 61211, length 854: HTTP 10:03:26.838414 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 936: 122.50.2.72.7733 > 39.156.66.10.80: Flags [SE], seq 506840124:506841006, win 62528, length 882: HTTP 10:03:26.838421 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 944: 122.50.2.135.47620 > 39.156.66.10.80: Flags [SE], seq 3120826456:3120827346, win 61210, length 890: HTTP 10:03:26.838429 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 947: 122.50.2.178.34590 > 39.156.66.10.80: Flags [SE], seq 2266895668:2266896561, win 62280, length 893: HTTP 10:03:26.838438 a2:9f:60:36:20:5b > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 907: 122.50.0.244.59325 > 39.156.66.10.80: Flags [SE], seq 3887931453:3887932306, win 64335, length 853: HTTP
The solutions I can think of are as follows:
1. Obtain all routes from BGP, e.g., from AS1 and AS2, via different network interfaces. Then, convert these addresses into a whitelist and filter inbound traffic on the network interfaces based on prefixes using nft.
2. Import all routes into the Linux kernel, similar to ECMP (Equal-Cost Multipath Routing).
However, these implementations can be complex. Does anyone have experience using Linux as a BGP router?
Thanks, Brandon Zhi HUIZE LTD www.huize.asia | www.ixp.su | Twitter
This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus. -- Manrs-community mailing list Manrs-community@elists.manrs.org https://elists.manrs.org/mailman/listinfo/manrs-community
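The check behind the question above, as an added example (not code from the original post): a Python emulation of the three source-validation modes a Linux router can apply to packets like the ones in the capture. Strict (rp_filter=1) and loose (rp_filter=2) consult only the kernel FIB, which on this setup holds just the best path BIRD exported, so strict drops legitimate return traffic arriving via the alternate upstream, and loose passes the spoofed 122.50.0.x sources because a route to them exists (a default route in the FIB satisfies the loose check for every source, so loose mode adds nothing on a router that carries one). Feasible-path uRPF (RFC 3704 section 2.3) consults every BGP-learned path, which is what the first proposed solution amounts to; the example renders that table as an nftables ruleset with one named set per ingress interface. The route table, interface names (eth1/eth2 towards two upstreams, eth3 towards a customer), link subnets and packets are constructed; 122.50.0.0/22 and 39.156.66.10 are taken from the capture.

```python
"""Source-address validation on an asymmetric-routing Linux router.

Added example, not code from the thread. Emulates strict (rp_filter=1) and
loose (rp_filter=2) checks, which see only the kernel FIB (the best path BIRD
exported), and feasible-path uRPF (RFC 3704 section 2.3) built from every
BGP-learned path, then renders the latter as an nftables ruleset.
Routes, interface names and packets are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Constructed table: (prefix, interface, exported_to_kernel).
# eth1/eth2 face upstreams AS1/AS2, eth3 faces a customer. Only rows marked
# True reach the kernel FIB; BIRD keeps the alternates in its own table.
ROUTES = [
    ("39.156.66.0/24",   "eth1", True),    # best path via AS1
    ("39.156.66.0/24",   "eth2", False),   # alternate via AS2 (replies may arrive here)
    ("124.220.216.0/24", "eth2", True),
    ("124.220.216.0/24", "eth1", False),
    ("122.50.0.0/22",    "eth3", True),    # customer prefix used as source in the capture
    # Connected link subnets: the BGP sessions themselves are sourced from
    # these addresses, so they must be in the per-interface sets as well.
    ("192.0.2.0/30",     "eth1", True),
    ("192.0.2.4/30",     "eth2", True),
    ("192.0.2.8/30",     "eth3", True),
]


def build_tables(routes):
    """Return (kernel_fib, full_table), each mapping prefix -> set of interfaces.
    kernel_fib holds only the exported best paths; full_table holds every path."""
    kernel, full = defaultdict(set), defaultdict(set)
    for prefix, iface, exported in routes:
        net = ipaddress.ip_network(prefix)
        full[net].add(iface)
        if exported:
            kernel[net].add(iface)
    return kernel, full


def longest_match(table, src):
    """Longest-prefix lookup: the most specific prefix covering src, or None."""
    addr = ipaddress.ip_address(src)
    hits = [net for net in table if addr in net]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def urpf(mode, src, iface, kernel, full):
    """Accept/reject a packet with source src arriving on iface.
    strict:   source's best route must point back out iface (Linux also accepts
              any member interface of a multipath route; not modelled here)
    loose:    any route to the source is enough
    feasible: iface must be one of the interfaces on which the most specific
              prefix covering the source was learned, best path or not"""
    if mode == "strict":
        net = longest_match(kernel, src)
        return net is not None and iface in kernel[net]
    if mode == "loose":
        return longest_match(kernel, src) is not None
    if mode == "feasible":
        net = longest_match(full, src)
        return net is not None and iface in full[net]
    raise ValueError(f"unknown mode {mode!r}")


def nft_ruleset(full, family="inet", table="antispoof"):
    """Render the feasible-path table as nft named sets (one per ingress
    interface) plus a prerouting chain that drops sources not in the set
    for the interface the packet came in on."""
    by_iface = defaultdict(list)
    for net, ifaces in full.items():
        for iface in ifaces:
            by_iface[iface].append(net)
    lines = [f"table {family} {table} {{"]
    for iface in sorted(by_iface):
        elems = ", ".join(str(n) for n in sorted(by_iface[iface]))
        lines.append(f"  set src_{iface} {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}")
    lines.append("  chain prerouting {")
    lines.append("    type filter hook prerouting priority -300; policy accept;")
    for iface in sorted(by_iface):
        lines.append(f'    iifname "{iface}" ip saddr != @src_{iface} counter drop')
    lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


KERNEL_FIB, FULL_TABLE = build_tables(ROUTES)

# Constructed packets for the thread's scenario: (source, ingress interface).
PACKETS = {
    "asymmetric return":    ("39.156.66.10", "eth2"),  # legitimate reply via the non-best path
    "spoofed customer src": ("122.50.0.17",  "eth1"),  # customer address arriving from an upstream
    "unrouted source":      ("203.0.113.9",  "eth1"),  # no route at all
    "legit customer":       ("122.50.0.17",  "eth3"),
}


def evaluate(packets=PACKETS):
    """Return {packet name: {mode: accepted}} for every packet and mode."""
    return {name: {m: urpf(m, src, iface, KERNEL_FIB, FULL_TABLE)
                   for m in ("strict", "loose", "feasible")}
            for name, (src, iface) in packets.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        verdicts = "  ".join(f"{m}={'pass' if ok else 'DROP'}" for m, ok in result.items())
        print(f"{name:22s} {verdicts}")
    print(nft_ruleset(FULL_TABLE))
```

Running it prints a pass/DROP matrix for the four packets and the generated ruleset. Whatever feeds the sets on a real router (a BIRD export filter or a script over the BIRD route table; neither is shown here) has to include the connected link subnets and every prefix received from the peer on that interface, otherwise the BGP session itself and transit traffic are dropped by the same rule that stops the spoofed sources.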

Hi Joe,
We also provide IP Transit and we have our iBGP session between each node. If we only allowed our own prefix ranges, iBGP would not work.
Best regards,
Brandon Zhi
HUIZE LTD www.huize.asia | www.ixp.su | Twitter
This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.
On Tue, 26 Sept 2023 at 00:18, Joe Botha <joe@atomic.ac> wrote:
Hi
Why do you need to use BGP? You know your own prefixes right?
All traffic leaving your network must have source address in your prefix ranges.
-- Regards, Joe
Atomic Access - we make fibre epic! www.atomicaccess.co.za - 021 300 5046
"The new needs friends." -- Anton Ego www.facebook.com/AtomicAccess www.instagram.com/AtomicAccess
On 25 Sep 2023, at 18:09, Brandon Zhi <Brandon@huize.asia> wrote:
Hi all,
Thank you for your suggestions. I have been studying how to add the prefixes received from BGP to tc rules to whitelist them.
At present, I have not found any relevant tutorials. It would be better if there were relevant tutorials.
Best, Brandon Zhi HUIZE LTD www.huize.asia | www.ixp.su | Twitter
This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.
On Fri, 15 Sept 2023 at 21:36, Kapteyan Bilişim Teknolojileri AŞ <info@kapteyan.com.tr> wrote:
Hello,
What is an IP address?
— Best Regards. Alperen T. AYDIN, C-Level Executive. T: 0850 888 2 507 F: 0242 922 0 725 E: info@kapteyan.com.tr Kapteyan Bilişim Teknolojileri AŞ, Tarım Mh. Perge Bulvarı Cd. Perge Plaza İş Merkezi C Blok No: 13/106 Muratpaşa / ANTALYA www.kapteyan.com.tr
On 15 Sep 2023, at 16:23, Joe Botha <joe@atomic.ac> wrote:
Hi
Using x86 routers and Mellanox switches running Debian 12 and FRR 9.
In both cases we disable rp_filter.
On x86 (IPT routers) we use nftables to implement anti-spoofing. Pretty basic - drop all packets that leave our network if source address is not in our IP ranges.
On Mellanox (peering routers) we use tc rules (hardware path). Here we drop packets we receive on the fibre network facing interfaces, based on which subnets are routed there. tc syntax involves more rules to write and maintain (vs nft).
You could probably use tc in both cases.
-- Regards, Joe
Atomic Access - we make fibre epic! www.atomicaccess.co.za - 021 300 5046
"The new needs friends." -- Anton Ego www.facebook.com/AtomicAccess www.instagram.com/AtomicAccess
On 14 Sep 2023, at 14:30, Brandon Zhi <Brandon@huize.asia> wrote:
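The two filters Joe describes, as an added example that is not Atomic Access's (or HUIZE's) configuration: a POSIX shell script that prints, or with APPLY=1 runs, an nftables egress ruleset (drop anything leaving via an upstream interface whose source is not in our ranges) and per-interface tc flower ingress rules that pass only the sources routed to that interface and drop the rest, which is the tc form of the BGP-prefix whitelist Brandon asked about. Interface names, the prefix list and the hardware-offload flag are assumptions. The set behind the egress rule has to hold every prefix the network originates or transits, transit customers included, not just its own allocations; that is the transit point raised above.

```sh
#!/bin/sh
# Added example, not Atomic Access's or HUIZE's configuration. Generates the two
# anti-spoofing filters discussed in the thread from a prefix list:
#   nft_egress_rules  - nftables: drop anything leaving via an upstream
#                       interface whose source is not in the ranges we
#                       originate or transit
#   tc_ingress_rules  - tc flower on an edge interface: pass sources routed to
#                       that interface, drop everything else; with
#                       OFFLOAD=skip_sw the rules are accepted only if the
#                       driver installs them in hardware
# Interface names and prefixes below are constructed. Commands are printed by
# default (dry run); APPLY=1 executes them instead.

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Join a space-separated prefix list into nft set element syntax: "a/24, b/24"
nft_elems() {
    elems=""
    for p in $1; do
        elems="${elems:+$elems, }$p"
    done
    printf '%s' "$elems"
}

# nft_egress_rules "UPSTREAM_IFACES" "OWN_AND_CUSTOMER_PREFIXES"
# Prints a ruleset suitable for 'nft -f -'. Every prefix this AS legitimately
# sends with (own space and transit customers) must be in the set, or that
# traffic is dropped here.
nft_egress_rules() {
    ifaces=$1
    printf 'table inet antispoof {\n'
    printf '  set own_prefixes { type ipv4_addr; flags interval; elements = { %s } }\n' "$(nft_elems "$2")"
    printf '  chain postrouting {\n'
    printf '    type filter hook postrouting priority 0; policy accept;\n'
    for i in $ifaces; do
        printf '    oifname "%s" ip saddr != @own_prefixes counter drop\n' "$i"
    done
    printf '  }\n}\n'
}

# tc_ingress_rules IFACE "PREFIXES_ROUTED_TO_IFACE"
# One flower rule per allowed source prefix (action pass ends classification),
# then a matchall drop with the highest pref value so it is evaluated last.
tc_ingress_rules() {
    dev=$1
    pref=1
    run tc qdisc add dev "$dev" clsact
    for p in $2; do
        run tc filter add dev "$dev" ingress protocol ip pref "$pref" flower $OFFLOAD src_ip "$p" action pass
        pref=$((pref + 1))
    done
    run tc filter add dev "$dev" ingress protocol ip pref 65000 matchall action drop
}

# Constructed example: eth0/eth1 face upstreams, eth2 faces the access network
# with two customer prefixes routed to it.
CUSTOMER_PREFIXES="203.0.113.0/24 198.51.100.0/24"
nft_egress_rules "eth0 eth1" "$CUSTOMER_PREFIXES"
tc_ingress_rules eth2 "$CUSTOMER_PREFIXES"
```

After applying, `tc -s filter show dev eth2 ingress` lists each rule with in_hw or not_in_hw (relevant when OFFLOAD=skip_sw is used) and per-rule packet counters; a rising counter on the final matchall drop is the direct measure of how many spoofed-source packets the interface is receiving. The rules are regenerated whenever the prefixes routed to an interface change, which is the maintenance cost Joe mentions relative to an nft set that can be updated in place.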
participants (4): Brandon Zhi; Joe Botha; Kapteyan Bilişim Teknolojileri AŞ; Verschuren, Antoin