One of my projects lately has been building an anycast CDN for authoritative DNS and HTTP caching. Back in August I wrote about the first deployment of the project (https://blog.natesales.net/building-an-anycast-cdn/), but it's been a few months and I've made some big changes so I figured it's…
Ever since I started an Autonomous System on the internet a few years ago, I've dealt with the monotonous task of configuring new neighbor sessions. Don't get me wrong, peering is a great thing and I always enjoy turning up new peers - but manually writing the config each time…
A few months ago I wrote about the CDN that I've been building to learn about anycast routing (link). Almost everything about the CDN has changed as I've completely rewritten the system. One of the challenges faced by the new platform is I wanted to give HTTP a try over…
The fundamental part of BGP is it's best path selection algorithm. BGP follows a strict order of route selection. WeightLocal preferenceOriginAS path lengthOrigin codeMEDeBGP/iBGPIGP metric to BGP next hopOldest pathRouter IDNeighbor addressWeightWeight is an attribute specific to Cisco, and takes highest priority on their routers. Higher weight means higher…
Aside from flowspec (Which incidentally was the cause of last week's internet outage), BGP communities are the primary means of adding information to routes for the purpose of traffic engineering, DDoS mitigation, or anything else that you might want to signal in a network. They're really very simple in theory;…
In simple terms, anycast is just a route with multiple next-hops. More generally it's the routing method that allows a single IP address to be routed to multiple endpoints. While seemingly basic enough, it allows for some really interesting network use cases. It's also hard to experiment with in a…
One of the big problems with the internet is that not everyone follows the RFCs. Worse still, purely running a RFC-compliant BGP daemon does nothing to prevent route leaks. BGP is an inherently trusting protocol that can cause huge issues for others on the internet if you configure it wrong.…
RPKI (Resource Public Key Infrastructure) is the primary response to the issue of BGP hijacks on the internet. It works by cryptographically verifying that a network is authorized to announce a given route. Internet Exchange Points (IXPs) are typically assigned globally unique prefixes in order to keep members in the…