Slashdot Mirror


The Status of Routing Reform — How Fragile is the Internet?

crimeandpunishment points out the Associated Press's look (as carried by SkunkPost) "at an issue the government has been aware of for more than 20 years, but still isn't fixed and continues to cause Internet outages: a flaw in the routing system that sends data from carrier to carrier. Most outages are innocent and fixed quickly, but there's growing concern the next one could be devastating. A general manager at Renesys Corporation, which tracks the performance of Internet data routes, says, 'It amazes me every day when I get into work and find it's working.'"

2 of 139 comments

  1. Route filtering by Anonymous Coward · · Score: 5, Informative

    Route filtering, USE IT!
    Especially when peering with Pakistani/Chinese/etc ISPs.
    This is why RIRs such as RIPE/ARIN/APNIC have their information publicly available.
    So you know which addresses belong to who.
    Only accept routes from your BGP peers that you know belong to them.
    This also (in addition to hijack prevention) prevents a clueless NOC monkey from another autonomous system from messing up your whole network by announcing a default route.

  2. Re:Strength is weakness by mysidia · · Score: 5, Informative

    And that is a big reason why the Internet exterior gateway protocol is not RIP or any other IGP.

    A premise of RIP and other IGP protocols is that routers talking to each other trust each other.

    With BGP, the premise is the opposite... routers speaking the protocol implement policies against each other: policies regarding what routes they propagate or originate outbound, policies regarding what routes they accept, and policies regarding what incoming routes they propagate.

    So networks that don't trust each other only accept appropriate routes from their peer based on AS-path and Prefix-list filters.

    Basically almost all networks should treat their peers as untrusted, and list out prefixes of end users.

    It doesn't start to get hairy until you need to peer with a provider (instead of an end-user) and accept all prefixes from them, because you want their customer prefixes, or you want to buy transit from them.

    As for ISPs and providers though... failing to filter downstream announces is the exception to the rule.
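
The inbound filtering that both comments above describe (a prefix list built from registry data plus an AS-path filter, applied to an end-user peer), as an added example that is not part of either comment. The peer AS, the allowed AS set, the prefixes and their maximum lengths are constructed documentation values, and `check_route` and `filter_routes` are hypothetical names.

```python
import ipaddress

# Constructed sample policy for one end-user peer. Prefixes and AS numbers are
# documentation values (RFC 5737, RFC 3849, RFC 5398), not real registrations.
PEER_AS = 64500
ALLOWED_ASNS = {64500, 64501}          # the peer plus its one downstream AS
ALLOWED_PREFIXES = [                   # (registered block, longest length accepted)
    (ipaddress.ip_network("192.0.2.0/24"), 24),
    (ipaddress.ip_network("198.51.100.0/24"), 24),
    (ipaddress.ip_network("2001:db8::/32"), 48),
]


def check_route(prefix, as_path):
    """Return (accepted, reason) for one announcement received from the peer."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen == 0:
        return False, "default route"
    # AS-path filter: the path must start at the peer and stay inside its ASNs.
    if not as_path or as_path[0] != PEER_AS:
        return False, "path does not start at peer AS"
    if any(asn not in ALLOWED_ASNS for asn in as_path):
        return False, "unexpected AS in path"
    # Prefix-list filter: inside a registered block and not too specific.
    for block, max_len in ALLOWED_PREFIXES:
        if net.version == block.version and net.subnet_of(block):
            if net.prefixlen > max_len:
                return False, "more specific than allowed"
            return True, "ok"
    return False, "prefix not registered to peer"


def filter_routes(announcements):
    """Split (prefix, as_path) pairs into accepted prefixes and rejected ones with reasons."""
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        ok, reason = check_route(prefix, as_path)
        if ok:
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    return accepted, rejected


if __name__ == "__main__":
    sample = [("192.0.2.0/24", [64500]), ("0.0.0.0/0", [64500]),
              ("203.0.113.0/24", [64500]), ("2001:db8:1::/48", [64500, 64501])]
    print(filter_routes(sample))
```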