Slashdot Mirror


Internet Routing, Looming Disaster?

wiredmikey writes "The Internet's leading architects have considered the rapid growth and fragmentation of core routing tables one of the most significant threats to the long-term stability and scalability of the Internet. In April 2010, about 15% of the world's Internet traffic was hijacked by a set of servers owned by China Telecom. In the technical world, this is typically called a prefix hijack, and it happened due to a couple of wrong tweaks made at China Telecom. Whether this was intentional or not is unknown, but such routing accidents are all too common online. While BGP is the de-facto protocol for inter-domain routing on the Internet, actual routing occurs without checking whether the originator of the route is authorized to do so. The global routing system itself is made up of autonomous systems (AS) which are simply loosely interconnected routing domains. Each autonomous system decides, unilaterally, and even arbitrarily, to trust everything it hears from any other AS, to use that information without validation, and to further transmit that information to its other peers..."

15 of 109 comments

  1. It's called a filter by Tolaris · · Score: 5, Informative

    No, each ISP chooses what routes to accept from what peers. It's called a filter. Smart ISPs use routing databases like RIPE to verify what they'll accept and reject automatically. Others do it by hand. Dumb ones accept updates from peers without filtering. It's this last group that needs to update their practices.

    1. Re:It's called a filter by phyrexianshaw.ca · · Score: 4, Interesting

      That's not entirely true.

      Though you choose what MAJOR prefixes you accept routing information for, nobody cares about the /8s.

      If I had, say, a /24 assigned to me, and I decided to have it routed to my building in Toronto, but then decided to move a /28 to a location in Dallas, what would be the easiest way to go about that?

      If I had enough other locations to assign /28s to, I could simply retrieve an AS number and advertise each /28 to the parents at each location. This would then trail up to the largest area that my /24 exists under, and the traffic would be routed locally to each location.

      Sure, many ISPs that you deal with in North America may have policies regarding what exact prefixes you advertise at each peering location, but at some point you become large enough to be "trusted". Once you start carrying your own traffic internally is often the breaking point.

      Say I decided to lease some dark fiber between my two locations: then suddenly my rates may be cheaper than the existing path the ISP is taking between the two. (HIGHLY unlikely, unless your IT department has WAY too much money and you've got a few ISPs interested in sharing a portion of your pipe, though it can seriously reduce the cost of some 100Mbit customer-facing links in some cases.)
      This then leads to an interesting predicament: how does one know what prefixes will be advertised over that pipe? Sure, each ISP sharing the connection MAY decide to restrict advertisements, but few have the capacity to do so for many of the smaller /24s or /28s that exist. Keep in mind that each /16 has 256 /24s, which in turn each have 32 /28s each.
      Customers don't buy /16s (regularly); they buy a /27-/30. This means that the /8 you oversee as an ISP may have as many as 4,194,000+ /30 prefixes to account for.

    2. Re:It's called a filter by Spazmania · · Score: 3, Interesting

      Not exactly. Most ISPs filter their customers' announcements that way, but it's highly impractical to implement such filters when peering with other ISPs.

      The solution boils down to:

      1. Temporary filter installed for errant routes
      2. Peering POC at source ISP gets a stern lecture and a depeering threat
      3. Peering is so valuable (and so costly to lose) that peering POC smacks around the person who allowed the leak in the first place.
      4. Mistake repeats because the staff who originally allowed it are incompetent
      5. Source ISP gets depeered so he has to pay for all his Internet traffic via a connection that actually is filtered
      6. Source ISP fires the fool who screwed up in the first place, cancels the customer contract (if it was customer originated).
      7. Source ISP most likely never recovers and ends up being bought out while in or near bankruptcy.

      Okay, so steps 4 onward are an artful exaggeration. But seriously, senior network engineers get really bent out of shape when a peer slips them a bum route.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.

  2. Oh, bullshit... by autocracy · · Score: 5, Informative

    Anybody who touches BGP needs to understand route filtering.

      * Would I trust everything I see from Sprint? Yes.
      * Would I trust anything except what I expect from the local ISP I route to? No.
      * Would I expect Sprint to execute the same filtering as above? Yes.

    BGP nodes should always have filters on their connections that describe what is allowed to be accepted. Every failure I can think of... and I'm sure most notable ones that have happened... have been caused by failure to properly filter incoming routes.

    --
    SIG: HUP

    1. Re:Oh, bullshit... by vuke69 · · Score: 3, Insightful

      In a nutshell, that's pretty much the problem and the solution.

      Tier 1 providers pretty much have no choice but to accept any update from other Tier 1s because they could each legitimately have routes to pretty much any network. It is also each of their responsibilities to make sure they don't get any bunk routes from downstream. One weak link, the chain breaks, and everyone suffers. Obviously you wouldn't (shouldn't) be accepting a zero bit mask route from anyone; but besides the basic idiot proofing, you have to put a lot of faith in your peers, and their ability/diligence.

      --
      Time is an illusion. Lunchtime doubly so. ~ Douglas Adams

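The inbound filter that Tolaris, autocracy and vuke69 describe, written out as an added illustration (this is not code from any commenter or from a real router): customer sessions accept only space registered to that customer, peer sessions accept anything that survives the sanity checks, and a zero-length mask is refused from everyone. All ASNs and prefixes are constructed from private-use and documentation ranges; a real deployment would build CUSTOMER_PREFIXES from IRR route objects such as those in the RIPE database.

```python
import ipaddress

# Added example, not code from the original thread. Every ASN and prefix is
# constructed (private-use ASNs, RFC 5737/3849 documentation space).
OUR_PREFIXES = ["203.0.113.0/24"]            # what this AS originates itself
CUSTOMER_PREFIXES = {                         # per customer session, IRR-style
    64500: ["192.0.2.0/24"],
    64501: ["198.51.100.0/24", "2001:db8:100::/48"],
}
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
          "192.168.0.0/16", "fc00::/7"]
MAX_LEN = {4: 24, 6: 48}   # longest prefix accepted into the routing table


def _covered(net, prefixes):
    """True if net lies inside any listed prefix of the same address family."""
    for p in prefixes:
        cand = ipaddress.ip_network(p)
        if cand.version == net.version and net.subnet_of(cand):
            return True
    return False


def check_route(session, peer_as, prefix):
    """Inbound filter decision for one announcement: (accepted, reason).

    session is "customer" (accept only registered space) or "peer"
    (accept anything that passes the sanity checks)."""
    net = ipaddress.ip_network(prefix, strict=False)
    # Sanity checks applied to every session, however trusted the neighbour.
    if net.prefixlen == 0:
        return False, "default route (zero-length mask) is never accepted"
    if net.prefixlen > MAX_LEN[net.version]:
        return False, f"more specific than /{MAX_LEN[net.version]}"
    if _covered(net, BOGONS):
        return False, "bogon or private address space"
    if _covered(net, OUR_PREFIXES):
        return False, "overlaps a prefix this AS originates"
    if session == "customer":
        if not _covered(net, CUSTOMER_PREFIXES.get(peer_as, [])):
            return False, f"AS{peer_as} is not registered for {prefix}"
        return True, "inside the customer's registered prefixes"
    if session == "peer":
        return True, "accepted from peer after sanity checks"
    raise ValueError(f"unknown session type {session!r}")


def apply_filter(session, peer_as, announcements):
    """Run the filter over a batch of prefixes and keep the accepted ones."""
    return [p for p in announcements if check_route(session, peer_as, p)[0]]
```

The peer branch is deliberately permissive, which is exactly the trust vuke69 describes: once a large peer leaks a prefix that is not yours and not a bogon, this filter cannot tell it apart from a legitimate route.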
  3. Re:...news? by wiredmikey · · Score: 3, Insightful

    It's not so much news as it is insight. If you're an experienced network expert it may not be surprising, but too many people in the tech world still don't have a clue about some of the challenges, dangers, and problems that are happening currently and that we face moving forward with the overall internet infrastructure.

  4. Imminent death of Internet predicted... by EriktheGreen · · Score: 5, Insightful

    It's always amusing when a new pundit discovers exactly how the Internet actually works.

    Until they gain enough technical knowledge to be dangerous, they assume that the Internet is just as Hollywood portrays... A rock-solid utility run by the Government that only PhDs and arcanely skilled teenage geniuses can control or understand.

    Then they discover just how "fragile" it is, and start telling the people who've been making it work all along that they need to straighten up and fly right, or else a major disaster is going to happen. Good thing they told us.

    It's sad that they can't just say "Oh, I guess I didn't understand." Instead they have to "take charge" of things because otherwise they'd have to accept their own irrelevance, or even (gasp) accept that despite their new-found expertise, they *still* don't really understand.

    So straighten up, Cisco... it's obvious to this guy you don't know what you're doing. Fix that BGP thing and do it NOW, you hear him?

  5. Re:15% by genkaos · · Score: 4, Informative

    Actually it was 15% of the internet's prefixes, not 15% of traffic.

  6. Re:...news? by phyrexianshaw.ca · · Score: 3, Funny

    So it's "omfg, we non-technical people just learned how BGP works! it's scary!"

    Seeing something like this coming from an AP site, or Fox, I would have just brushed it aside and ignored it. But really? Slashdot?

    Owner: "you mean I can hijack someone else's traffic!!? omfg!!"
    *pays to have someone implement it*
    Owner: "WHY DOESN'T IT WORK!!?"
    Tech: "I have no idea.. it should! I read an article on /. about china doing it!"
    *phone rings*
    ISP: "you seem to have a configuration issue on your equipment, you're trying to advertise routes that belong to someone else. you'll have to get that fixed before we continue routing your prefixes to you. "
    Owner: "omg, [isp] called me.. undo it all..."

  7. Re:Authentication by bhcompy · · Score: 3, Insightful

    Overhead. What might take a few milliseconds now takes a few more milliseconds. Not a problem on your little Belkin router, but when you're routing thousands of packets a second, it adds up. You can be sure there are many interests non-technical in nature that would be against raising their latency, even by milliseconds. Particularly, Wall Street.

  8. why not, worked great for the banking system by Anonymous Coward · · Score: 3, Funny

    "would i trust everything i see from bear stearns?"

    yes

    "would i trust everything i see from lehman brothers?"

    yes

    oh wait..

  9. Re:15% by Unequivocal · · Score: 4, Insightful

    From what I've read so far on this, the 15% number is a red herring. The real problem was that China was able to route traffic for domains/networks which it had nothing to do with including dell.com and some US DoD networks. Volume wasn't the main issue (though surely it was causing problems in terms of latency and throughput) -- the main issue was that China was seeing packets that it shouldn't have.

    Now we all know that no one routes traffic over the public internet that it doesn't assume bad actors will see. Right?

  10. Wait a second.... by SirThe · · Score: 3, Informative

    "In April 2010, about 15% of the world's Internet traffic was hijacked by a set of servers owned by China Telecom."

    Wasn't there an article yesterday about how this wasn't true?

  11. Re:15% by camperdave · · Score: 3, Funny

    "Now we all know that no one routes traffic over the public internet that it doesn't assume bad actors will see. Right?"

    Keanu sees my packets?

    --
    When our name is on the back of your car, we're behind you all the way!

  12. Re:...news? by anti-NAT · · Score: 3, Informative

    "If you're an experienced network expert it may not be surprising, ..."

    and they're the people at ISPs who're running it (I used to be one of them). Running the Internet backbone is self regulating, because everybody who does it also has a vested interest in policing it. This article is FUD. The clueless tech people can continue to remain clueless.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf