BGP Monitor: Upstream Leak testing is out
BGP Monitor tests in Kentik Synthetic Monitoring shipped with checks for the following elements:
- Reachability: a threshold on the percentage of BGP Vantage Points that must see each prefix, used to decide whether it is visible “enough” across the public internet
- Allowed Origin: whether the detected originating ASNs are on an allowed list (specified manually, or derived from RPKI). This is commonly referred to as “Origin Hijack Monitoring”
The health of a BGP Monitor test was then the worse of these two checks across all prefixes registered in the test, with the caveat that “Allowed Origin” can only be healthy or critical.
The “Allowed Origin” / “Allowed ASNs” test has now been renamed “Origin Hijack Detection” to match what the industry calls it.
Additionally, we have added “Upstream Leak Detection”. Here is the practical use for it:
In a normal situation, only your upstream IP transit providers should announce your prefixes to the rest of the world. Your peers should never announce your prefixes to the rest of the world as if they were your transit provider: they should keep those routes to themselves and use them only to send traffic from their network to yours. Announcing them onward to their own peers and upstreams breaks that partition and pulls your inbound traffic onto a path that was never meant to carry it.
Enter step 4 of the updated BGP Monitor test: you can now enter the ASNs of your “official” upstream transit providers, and we will inspect the first hop (the ASN adjacent to the origin) in the AS path of every announcement of those prefixes, and of their more-specifics.
Remember that every BGP announcement collected from the BGP Vantage Points comes with an AS_PATH that reads, from the collector towards you:
<vantage_point_ASN> … various ASNs … <UPSTREAM_ASN> <Origin_ASN (yours)>
Note that with AS path prepending your origin ASN may appear several times in a row; the first hop is the ASN immediately before that run of origin ASNs.
If <UPSTREAM_ASN> is not in your allowed list of transit providers for any of the prefixes (or their more-specifics), the entire BGP Monitor test is flagged critical for “Upstream Leak”.
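To make the three checks concrete, here is an added example (not Kentik code) that evaluates a handful of constructed announcements the way the post describes: reachability against a vantage-point threshold, origin hijack against an allowed-origin list, and upstream leak against an allowed-transit list, with more-specifics of a monitored prefix included and AS path prepending collapsed before the first hop is read. All ASNs are from the private range and the prefixes are RFC 5737 documentation space; counting only exact-prefix routes toward reachability is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Kentik code. All ASNs below are private-range (64496-64511),
# the prefixes are RFC 5737 documentation space, and every announcement is constructed.

SEVERITY = {"healthy": 0, "critical": 1}


@dataclass(frozen=True)
class Announcement:
    vantage_asn: int   # ASN of the BGP Vantage Point that collected the route
    prefix: str
    as_path: tuple     # collector side first, origin ASN last, as in the post


def collapse_prepends(path):
    """Drop consecutive duplicate ASNs so AS path prepending cannot hide the real upstream."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def origin_and_upstream(path):
    """Return (origin ASN, first-hop upstream ASN); upstream is None for a one-ASN path."""
    p = collapse_prepends(path)
    return p[-1], (p[-2] if len(p) >= 2 else None)


def covering_prefix(prefix, monitored):
    """Return the monitored prefix that equals or contains `prefix`, else None."""
    net = ipaddress.ip_network(prefix, strict=False)
    for m in monitored:
        mnet = ipaddress.ip_network(m, strict=False)
        if net.version == mnet.version and net.subnet_of(mnet):
            return m
    return None


def evaluate(announcements, monitored, allowed_origins, allowed_transit,
             vantage_points, reach_threshold):
    """Worst-of-three health plus a list of human-readable findings."""
    seen_exact = {m: set() for m in monitored}
    findings = []
    status = {"reachability": "healthy", "origin_hijack": "healthy", "upstream_leak": "healthy"}

    for a in announcements:
        parent = covering_prefix(a.prefix, monitored)
        if parent is None:
            continue  # neither one of ours nor a more-specific of ours
        if a.prefix == parent:
            seen_exact[parent].add(a.vantage_asn)  # assumption: only exact routes count as reachability
        origin, upstream = origin_and_upstream(a.as_path)
        if origin not in allowed_origins:
            status["origin_hijack"] = "critical"
            findings.append(f"origin hijack: {a.prefix} originated by AS{origin} "
                            f"(seen from AS{a.vantage_asn})")
            continue  # a hijacked route's first hop says nothing about our transit providers
        if upstream is not None and upstream not in allowed_transit:
            status["upstream_leak"] = "critical"
            findings.append(f"upstream leak: AS{upstream} announces {a.prefix} "
                            f"(path {a.as_path}, seen from AS{a.vantage_asn})")

    for m in monitored:
        fraction = len(seen_exact[m] & vantage_points) / len(vantage_points)
        if fraction < reach_threshold:
            status["reachability"] = "critical"
            findings.append(f"reachability: {m} visible from {fraction:.0%} of vantage points")

    status["overall"] = max(status.values(), key=SEVERITY.__getitem__)
    return status, findings


# Constructed scenario: AS64500 is "us", AS64496/AS64497 are our transit providers,
# AS64499 is a peer that leaks a more-specific of our prefix to its own upstream.
MONITORED = ["203.0.113.0/24"]
ALLOWED_ORIGINS = {64500}
ALLOWED_TRANSIT = {64496, 64497}
VANTAGE_POINTS = {64508, 64509, 64510, 64511}

SAMPLE = [
    Announcement(64510, "203.0.113.0/24", (64510, 64496, 64500)),
    Announcement(64511, "203.0.113.0/24", (64511, 64502, 64497, 64500, 64500)),  # prepended origin
    Announcement(64508, "203.0.113.0/24", (64508, 64496, 64500)),
    Announcement(64509, "203.0.113.128/25", (64509, 64499, 64500)),  # peer leak via more-specific
    Announcement(64509, "198.51.100.0/24", (64509, 64499, 64501)),   # unrelated prefix, ignored
]

if __name__ == "__main__":
    status, findings = evaluate(SAMPLE, MONITORED, ALLOWED_ORIGINS, ALLOWED_TRANSIT,
                                VANTAGE_POINTS, reach_threshold=0.75)
    print(status)
    for f in findings:
        print(" -", f)
```

With the sample data, three of the four vantage points carry the exact /24 (75%, meeting the threshold), every route is originated by AS64500, and the route seen from AS64509 has AS64499 as its first hop, so the test ends up critical for upstream leak only. The `continue` after a hijack finding is deliberate: when the origin is wrong, the first hop belongs to the hijacker's path, not to your transit relationships.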
For further reference, the diagram below details Origin Hijack vs Upstream Leak