Slashdot Mirror

← Back to Stories (view on slashdot.org)

Internet Routing, Looming Disaster?

Posted by CmdrTaco on from the fear-the-packets dept.

wiredmikey writes "The Internet's leading architects have considered the rapid growth and fragmentation of core routing tables one of the most significant threats to the long-term stability and scalability of the Internet. In April 2010, about 15% of the world's Internet traffic was hijacked by a set of servers owned by China Telecom. In the technical world, this is typically called a prefix hijack, and it happened due to a couple of wrong tweaks made at China Telecom. Whether this was intentional or not is unknown, but such routing accidents are all too common online. While BGP is the de-facto protocol for inter-domain routing on the Internet, actual routing occurs without checking whether the originator of the route is authorized to do so. The global routing system itself is made up of autonomous systems (AS) which are simply loosely interconnected routing domains. Each autonomous system decides, unilaterally, and even arbitrarily, to trust everything it hears from any other AS, to use that information without validation, and to further transmit that information to its other peers..."

6 of 109 comments (clear)

  1. It's called a filter by Tolaris · · Score: 5, Informative

    No, each ISP chooses what routes to accept from what peers. It's called a filter. Smart ISP use routing databases like RIPE to verify what they'll accept and reject automatically. Others do it by hand. Dumb ones accept updates from peers without filtering. It's this last group that needs to update their practices.

    1. Re:It's called a filter by phyrexianshaw.ca · · Score: 4, Interesting

      That's not entirely true.

      though you choose what MAJOR prefixes you accept routing information for, nobody cares about the /8's.

      If I had say a /24 assigned to me, and I decided to have it routed to my building in Toronto, but then decided to move a /28 to a location in Dallas, what would be the easiest way to go about that?

      if I had enough other locations to assign /28's to, I could simply retrieve an AS number and advertise each /28 to the parents at each location. this would then trail up to the largest area that my /24 exists under, and the traffic would be routed locally to each location.

      sure, many ISP's that you deal with in North America may have policies regarding what exact prefixes you advertise at each peering location, but at some point you become large enough to be "trusted". once you start carrying your own traffic internally is often the breaking point.

      say I decided to lease some dark fiber between my two locations: then suddenly my rates may be cheaper than the existing path the ISP is taking between the two. (HIGHLY unlikely, unless your IT department has WAY too much money and you've got a few ISP's interested in sharing a portion of your pipe, though it can seriously reduce the cost of some 100Mbit customer facing links in some cases)
      this then leads to an interesting predicament: how does one know what prefixes will be advertised over that pipe? sure, each ISP sharing the connection MAY decide to restrict advertisements: but few have the capacity to do so for many of the smaller /24's or /28's that exist. keep in mind that each /16 has 256-/24's which in turn each have 32 /28's each.
      customers don't buy /16's (regularly) they buy a /27-/30. this means that the /8 you oversee as an ISP may have as many as 4,194,000+ /30 prefixes to account for.

  2. Oh, bullshit... by autocracy · · Score: 5, Informative

    Anybody who touches BGP needs to understand route filtering.

      * Would I trust everything I see from Sprint? Yes.
      * Would I trust anything except what I expect from the local ISP I route to? No.
      * Would I expect Sprint to execute the same filtering as above? Yes.

    BGP nodes should always have filters on their connections that describe what is allowed to be accepted. Every failure I can think of... and I'm sure most notable ones that have happened... have been caused by failure to properly filter incoming routes.

    --
    SIG: HUP
  3. Imminent death of Internet predicted... by EriktheGreen · · Score: 5, Insightful

    It's always amusing when a new pundit discovers exactly how the Internet actually works.

    Until they gain enough technical knowledge to be dangerous, they assume that the Internet is just as Hollywood portrays... A rock-solid utility run by the Government that only PhDs and arcanely skilled teenage geniuses can control or understand.

    Then they discover just how "fragile" it is, and start telling the people who've been making it work all along that they need to straighten up and fly right, or else a major disaster is going to happen. Good thing they told us.

    It's sad that they can't just say "Oh, I guess I didn't understand.". Instead they have to "take charge" of things because otherwise they'd have to accept their own irrelevance, or even (gasp) accept that despite their new-found expertise, they *still* don't really understand.

    So straighten up, Cisco... it's obvious to this guy you don't know what you're doing. Fix that BGP thing and do it NOW, you hear him?

  4. Re:15% by genkaos · · Score: 4, Informative

    Actually it was 15% of the internet's prefixes, not 15% of traffic.

  5. Re:15% by Unequivocal · · Score: 4, Insightful

    From what I've read so far on this, the 15% number is a red herring. The real problem was that China was able to route traffic for domains/networks which it had nothing to do with including dell.com and some US DoD networks. Volume wasn't the main issue (though surely it was causing problems in terms of latency and throughput) -- the main issue was that China was seeing packets that it shouldn't have.

    Now we all know that no one routes traffic over the public internet that it doesn't assume bad actors will see. Right?