Domain: bgpmon.net
Stories and comments across the archive that link to bgpmon.net.
Comments · 12
-
Russians
-
Re:How...
-
Re:How...
-
Or it could have just been an outage...
Not to let facts get in the way of a good conspiracy, but there was a fairly widespread outage around the same time that may well have been the reason, since they did say they were disabling it due service problems with their upstream provider.
-
Re:Locator/Identifier Separation Protocol (LISP)
Thanks for replying to my post instead of keeping the non-brilliance of my ideas to yourself. My biggest concern when writing that post was that I was talking to myself. I'll attempt to address your concerns one by one.
You're... welcome?
Just about all ISPs and backbone carriers carry full tables and many large organisations do as well for multihoming purposes.
Then I misunderstood you. I thought you were repeating what others have said earlier, claiming each router carries a complete copy of all the routes on the Internet, which of course isn't true.
Now that we have that cleared up, I'll snip out parts I don't need to reply to.
Your bitcoinesque solution for IPv6 allocation would make things worse.
It seemed like a technical solution to avoid the politics of Internet governance. I admit it wasn't well thought out, however I am curious how it would make things worse by allowing a small block of IPv6 addresses to be allocated in a decentralized way and adding cryptographic integrity along the way.
Plus, networks transit other networks all the time, meaning one network can advertise a prefix they don't own, legitimately.
I should have been more specific; I was suggesting originating advertisements would be signed as opposed to transient advertisements.
You are asking for DomainKeys but with routes. That is too computationally expensive right now and would require too many lookups and time. Perhaps somewhere down the line when the big iron routers catch up with CPU resources vs line speed.
Routers that speak BGP are on the ISP and backbone level,
Medium to large organisations also use BGP to advertise their address space to their ISP(s).
Not to your home router.
and are physically secured.
Originating BGP route advertisement signing is not intended to supplant physical security measures.
I'm aware of the difference between remote access, console access, and physical access, and hardware vs software.
Your home router doesn't speak BGP, and if it did, your ISP's router would ignore it.
None of this would really be necessary for a home user as their ISP would be doing all of this on their behalf.
That's what I just said...
To announce rogue routes, one needs to hack into the ISP and backbone peering routers -- which happened recently, but is rare.
To announce rogue routes, one only needs an ISP that doesn't filter incoming BGP advertisements properly. It seems apparent as the Internet grows there will be more and more BGP peerings and as a consequence of that not all of them will be competent or aboveboard with their implementations.
You're just restating what I said. I guess I wasn't clear, but I'm also assuming a best practice (or as near as possible) implementation, because there's no use talking about security if people are going to leave the front door open, right? It's not even a discussion at that point.
The Resource Public Key Infrastructure (RPKI) is a step in the right direction, however seems to be mainly for preventing mis-configurations from causing outages. Someone with malicious intent need only use AS path prepending to bypass this protection.
Again, anyone with access to the routers can do this right now. Any organization that doesn't shut its front door can have this happen. This can be solved through best practices. This isn't e-mail. Even if you got people on board for this, it would take a protocol revision AND all new hardware for everyone. It's not going to happen anytime soon.
Don't take it personally. Your offered solution for route signing (whether you wrote them or not) just isn't feasible right now.
-
Re:Locator/Identifier Separation Protocol (LISP)Thanks for replying to my post instead of keeping the non-brilliance of my ideas to yourself. My biggest concern when writing that post was that I was talking to myself. I'll attempt to address your concerns one by one.
No one router has a "full table" of all the routes. The routing protocols and the engineers work to make sure the tables are as close to lean as possible.
Just about all ISPs and backbone carriers carry full tables and many large organisations do as well for multihoming purposes. Global BGP tables are currently around 513,191 routes and this is what facilitated the issues mentioned in the article. One ISP made a mistake and started advertising more specific prefixes for blocks that were already summarized and this pushed the number of global routes beyond the limits of some older hardware. I would suggest reading about the Default Free Zone.
Your offered solution isn't necessary.
LISP is not something that I invented, it's something the IETF is working on to solve a perceived problem.(RFC6830) Some IETF contributors came to the conclusion the Internet routing system was not scaling well with the "explosive growth of new sites" and multihoming that many organisations now do. Problem Statement From all indications, the growth of the Internet does not appear to be slowing down, but accelerating. It seems like a prudent choice to evaluate different ideas as possible solutions to the issue of Internet scalability.
Your bitcoinesque solution for IPv6 allocation would make things worse.
It seemed like a technical solution to avoid the politics of Internet governance. I admit it wasn't well thought out, however I am curious how it would make things worse by allowing a small block of IPv6 addresses to be allocated in a decentralized way and adding cryptographic integrity along the way.
Plus, networks transit other networks all the time, meaning one network can advertise a prefix they don't own, legitimately.
I should have been more specific; I was suggesting originating advertisements would be signed as opposed to transient advertisements.
Routers that speak BGP are on the ISP and backbone level,
Medium to large organisations also use BGP to advertise their address space to their ISP(s).
and are physically secured.
Originating BGP route advertisement signing is not intended to supplant physical security measures.
Your home router doesn't speak BGP, and if it did, your ISP's router would ignore it.
None of this would really be necessary for a home user as their ISP would be doing all of this on their behalf.
To announce rogue routes, one needs to hack into the ISP and backbone peering routers -- which happened recently, but is rare.
To announce rogue routes, one only needs an ISP that doesn't filter incoming BGP advertisements properly. It seems apparent as the Internet grows there will be more and more BGP peerings and as a consequence of that not all of them will be competent or aboveboard with their implementations.
The Resource Public Key Infrastructure (RPKI) is a step in the right direction, however seems to be mainly for preventing mis-configurations from causing outages. Someone with malicious intent need only use AS path prepending to bypass this protection. -
Re:IPv6 faster in Romania
I actually expected Czech Republic to do well, I know the ISPs there worked hard on it. I didn't know about Romania. Anyway...
Maybe they have very little ISPs in comparison, but even the Vatican City State has 2 ISP networks.
Here is the list of ISPs in Romania:
https://www.ripe.net/membership/indices/RO.html
Romania has 37 IPv6 "prefixes":
-
Don't forget about BGP hijacking
Realize that the "area their organization controls" can be vastly increased, like China Telecom showed. http://bgpmon.net/blog/?p=282
-
Re:DNS not inherent
+1 Right on the Money
I commented upthread, so my marvelous modpoints go unused here. Alas.
If you want to talk about fracturing teh intarwebs, these scenarios, and this incident, and this routing-based DDOS, are the ones to discuss. Not multiple DNS roots.
-
Re:Killing DNS
It may be one of the ways. The majority of their outage is via modified bgp entries (border gateway protocol) so that the routes themselves are gone.
http://bgpmon.net/blog/?p=450
http://computerworld.co.nz/news.nsf/telecommunications/how-egypt-pulled-its-internet-plug
http://blogs.wsj.com/tech-europe/2011/01/28/how-egypt-cut-itself-off-from-the-net/DNS alternative would be easier to fix (alternative dns server, distributed hosts files, whatever)
-
BGPMon Analysis
There is a quick look BGP level analysis available from BGPMon. Except for Noor Data Networks, the number of announced address blocks is way down. This means that most Egyptian IP addresses are now not reachable from the rest of the world.
Here is BGPMon on the dating of the outage :
At this point egypt.gov.eg is offline. This network, 81.21.104.0/24 was withdrawn at January 27th at 22:28 UTC . Another example is www.ahram.org.eg an Egyptian news paper. This network 196.219.246.0/24, became unreachable at the exact same time, January 27th at 22:28 UTC.
I think that it is safe to assume that this outage is related to the big protests planned for tomorrow.
-
Re:Blacklist 'em
This should be a good chunk of them. There's probably quite a few other AS #s for China as well: http://www.bgpmon.net/ASinfo.php?AS=4134