I'm currently evaluating the best approach for having my AS announced with my
owned (not rented) IPv4 addresses, and I've observed that hosting providers
have different preferences for handling BGP sessions. For example, one provider
requires that the BGP session be managed on the same server running the Tor
relays, while another handles the announcement with my AS entirely on their
side. This inconsistency makes it challenging to determine the most effective
approach.
I'm seeking guidance on the following points (or others you think are helpful):
-
When given the option: Should I manage the BGP session myself, or is it
preferable to delegate it to the upstream provider whenever possible?
-
When required to manage BGP myself:
-
To conserve CPU/RAM resources for Tor, is it advisable to only use a default
route (0.0.0.0/24) rather than a full routing table, relying on the upstream
provider for full routing?
-
Under what circumstances should I implement multi-homed strategies myself
versus allowing the upstream provider to manage them?
-
Are there best practices for route filtering or failover management?
-
What are your experiences regarding the compute and memory requirements for
these configurations?
-
What are some preferred monitoring solutions? bgpmon.net doesn't seem free...
Helpful read and suggestions at the end from this 6 year old article from
nusenu, but couldn't find too much beyond this:
https://nusenu.medium.com/how-vulnerable-is-the-tor-network-to-bgp-hijacking-attacks-56d3b2ebfd92
I'm already using ROA and RPKI via ARIN for each /24 and limit max length to
/24 to help as well.
"The Tor exit fraction located in /24 prefixes is much higher than the guard
capacity. So hijacks against exit capacity might be harder than attacks against
guard capacity." - Seems also good to have /24 prefixes for guards, not just
exits.
Thanks!
_______________________________________________
tor-relays mailing list -- [email protected]
To unsubscribe send an email to [email protected]
