Fix To Chinese Internet Traffic Hijack Due In Jan.

alphadogg writes "Policymakers disagree about whether the recent Chinese hijacking of Internet traffic was malicious or accidental, but there's no question about the underlying cause of this incident: the lack of built-in security in the Internet's main routing protocol. Network engineers have been talking about this weakness in the Internet infrastructure for a decade. Now a fix is finally on the way."

Adding a fix?

[www.sorehands.com]

What is the adage? Throwing code at a problem?

This was a known problem, but they way until it really is exploited to then fix it with something untested and thrown together.

Yep. I feel real good about it and have total confidence in the solution.

Re:Adding a fix?

[KublaiKhan]

If it ain't broke, don't fix it.

It's broke now, so it's time to fix it.

That being said, I rather like this RPKI thing--but I think it can go a -lot- further.

Universal encryption of all network sessions would help with authentication of resources, prevent man-in-the-middle attacks, prevent sidejacking, prevent...well, all manner of things.

Additionally, the internet could only benefit from the enhanced PKI that would need to be deployed to enable this.

Re:Adding a fix?

[InfiniteWisdom]

How do you fail so badly at reading comprehension?

Re:Adding a fix?

[KublaiKhan]

Worked fine before, didn't it?

In all seriousness, yes, this has always been a hole and people have been calling for it to be filled for years--but there was no attention granted to it because there was no big obvious use of it. The people who would have the resources to divert substantial amounts of traffic were, up until now, playing "nice" for the most part.

Now there's a clear and present danger, so now the situation's being addressed.

What's the major lesson here? That large organizations that rule by committee are reactive rather than proactive? Since when is that news?

Re:Adding a fix?

[mysidia]

What is the adage? Throwing code at a problem?

Yeah.. like SSL prevents hackers from hijacking CC details in e-commerce transactions.

RPKI has been in the works for years, and will be in the works for years.

I don't know where the idea "this will be fixed Jan 1" came from. A pilot program for RPKI is no more an immediate fix than the pilot program for DNSSEC was an immediate fix for security issues, and no more than the IPv6 pilot program / 6Bone was an immediate fix for IP address exhaustion.

Finalizing a protocol and having pilot programs at the registries is a far cry from having all the vendors implement the solution, providing a stable proven implementation for network operators, and network operators choosing to upgrade routers to new hardware that can meet the CPU requirements needed by RPKI, and new software to actually provide the implementation.

And then, even once those things are done, after all the money spent upgrading, it still remains for RPKI to be "turned on" and implemented.

Who will go first? Seriously, this fix is not going to be widely deployed in January. Well, January 2020 maybe.

After the pilot, this fix is a good 5 years off bare minimum, probably closer to 10.

Re:Adding a fix?

[baerm]

This was a known problem, but they way(sic) until it really is exploited to then fix it with something untested and thrown together.

It's actually something that people have been working on for quite a long time, many years. It's not a last minute attempt to solve the issue.

What...

[SirThe]

...Chinese internet traffic hijack?

Re:What...

[bsDaemon]

Chinese Telecom perpetrated a specific route 'attack' a few months ago where they advertised via their BGP feed more specific routes (longer netmask prefixes) for a few blocks, thus any other AS who's BGP feed had been updated with the bogus data was selecting the route to China rather than the route to the actual destination. This can either cause minor disruption, or taken advantage of to sniff all the traffic which is incoming towards the affected hosts. Whether China did it for specifically malicious purposes really isn't clear, but its happened by mistake in the past. It's a known issue in the design of the protocol and policies, and doesn't really take an 'exploit' so much as someone advertising a /22 for a block they may or may not own which preempts the legitimate /20.

Re:What...

No, some moron working on China Telecom's Beijing AS posted the iBGP routing table to the eBGP side. It's that simple. It didn't cause too much trouble, really, since the only routers that were fooled by it were nearby routers - like the other edge routers in China, and those in S. Korea, Japan, and surrounding companies (in the network topology, which loosely mirrors real geography). The routers in the US would get two prefix advertisements, notice that one was too far away, and use the right ones.

This is some dipshit's attempt at pushing NPKI as the "solution" to prefix hijacking. The solution is not to send sensitive data unencrypted over the Internet. Period.

Like other internet Upgrades

[Monkeedude1212]

So we're at phase 1, the "Hey, check it out" phase. You can expect this to reach a phase 2, the "actually possible" phase, after IPv6 gets implemented, which will then take years to reach phase 3, the "We should really get on that" phase. Phase 4, the "Okay guys this is actually becoming a problem" phase, comes a couple years later and will no doubt be brought up on slashdot a million times over. Phase 5, is still a theoritcal phase, the "Implementation and execution phase" has not yet been observed but we have reason to believe it might happen one day, if we wish upon enough stars.

Re:Like other internet Upgrades

[SEWilco]

Hey, you have to wait until it's implemented. Right now, the fix is due in Jan, and we have to wait until Jan writes down the code and gets it working right. Once it's working right, we're OK and we can thank Jan.

Re:Like other internet Upgrades

[St.Anne]

What about the "There, fixed it for ya. You're welcome." Phase?

Re:Like other internet Upgrades

No sparky. I understand where you are coming from, but I have a feeling this is more of a quick and dirty 'Git er dun' sort of roll out. You see, such a control --a centralized control-- over the Border Gateway Protocol, could give someone in an office, not a square office but more of a sort of ova^M^M^M roundy sort of office to be able to push a button --a big red button-- so that if they are annoyed by a web site owner --lets call this hypothetical owner Julian Wiki-- they can then say "Hey Mr. Wiki, we don't like what you are putting out on the internet. We don't like it at all and we want you to stop. Now what old Julian is putting out is not illegal or anything, its just embarrassing, very embarrassing to the people in the sort of roundy office. With control of the border gateway protocol in their hands they can run the internet like their own personal botnet --allowing sites they like, and disallowing sites they don't . "Oh, you said a bad thing", followed by "well, we'll fix you! Bzzzzzzzt", and suddenly the site that makes them unhappy is off the internet. It used to be a free internet. Corporate greed and the US Government is doing its best to put a stop to that.

Re:Like other internet Upgrades

[mysidia]

You forgot Phase 6, the "realize it's actually never gonna happen, and admit defeat, or we need a mandatory flag day" phase.

Re:Like other internet Upgrades

[Raptoer]

This is on a completely different level though. The only people that have anything to do with BGP are the ISPs themselves. BGP is only used to route from groups of routers to other groups, where a single organization owns the entire group, and they're sending to the group of another organization.

Re:Like other internet Upgrades

[hairyfeet]

Well then I suppose the more important question would be which Jan is doing the work: Happy Jan, Mad Jan, or Bubbly Jan. Because if it is happy Jan it will be six months late and buggy but nobody will say anything because she is just so damned perky and "yay team!", if it is Mad Jan it will be nine months late and probably a "little off" but her permanent PMS means nobody is brave enough to say anything, and if it is bubbly Jan then it will be a year late and not work worth a damn, but the poor little thing will be so proud of herself for getting it done nobody will want to rain on her parade. Yeah...we're boned.

As for TFA I think if the Chinese military wanted to get nasty they could come up with something a little better than a boned routing table. Personally I'm waiting for the "oopsie, kind of left a hole in the routers we shipped you!" kind of thing, considering most of the hardware that runs the net is built by them. I bet it really wouldn't be hard if they wanted to get nasty to hide a little microcode that could be activated by a certain kind of malformed packet. This in TFA was more of a "who let Goober update the tables?" kind of deal, which we know here as the classic SNAFU.

Could we not just...

[hesaigo999ca]

Is there no way on a local machine to maybe add to a host file a list of non allowed hops or something, where the packets have info as to where they can not be sent, and avoid. I am not sure as I am not very knowledge about networking, as much as I am programming, I would see this as trivial to add to a packet a flag that says it must stay within a hopping locality or sequence?

Re:Could we not just...

[Lennie]

The problem is that their is a lot of routing information shared between routers. If we also need to keep the end-nodes up to date that would not scale. And what would be the use of that ? Because that end-node only has one connection/provider, so the upstream router could tag the traffic if you wanted to do something like that.

The problem obviously is that if you add something, how do you know you can trust that information more then all the information we currently have.

Re:Could we not just...

That's not how the routing on the internet works. You just specify the destination, and the source and just fire that packet away to your next-hop / gateway / router. And then the router, based on what's configured into it by the Humans, makes a decision.

These configurations are semi-automatic, thanks to the BGP (border gateway protocol), but it's still the humans who tell the router what rules to accept from its BGP peers and what rules to send to them (and what to which). So it can be fine-grained pretty easily (once you've embraced the concepts of AS-PATHs, prefixes and such).

So, this is not a software error, this is completely a design or human operator problem.

Re:Could we not just...

[sexybomber]

Well, you can always launch a preemptive strike:

phoenix@olympus:~$ sudo nano /etc/hosts

127.0.0.1 *.cn

Re:Could we not just...

[H0p313ss]

Well, you can always launch a preemptive strike:

phoenix@olympus:~$ sudo nano /etc/hosts

127.0.0.1 *.cn

Great, so you can't see China. I think this is the networking endpoint equivalent of sticking your head in the sand.

Re:Could we not just...

[TheRaven64]

That won't prevent any attacks from China, it will just prevent you from being able to resolve any Chinese domains. You need to use your firewall to drop traffic from Chinese IP addresses to do that. Not sure that will actually help though - my ssh logs show that the IPs for the botnet(s?) that keeps trying to connect to my machine are pretty well distributed around the world.

Re:Could we not just...

[kasperd]

Furthermore packets are something like 1.5k in size max with only something like 0.5k for actual application data

With IPv4 the maximum is around 64KB. However it is not required for everybody to support that large packets. If you send a packet that is too large for the destination or a router on the way it will either be split or an error message is sent back to the sender (which of the two is decided by the sender setting a bit in the header). On of the most frequent mistakes in configuring the network is to throw away packets that are too large without telling the sender.

There need to be some minimum where you are guaranteed that a packet under that size will reach the destination. For IPv4 that size is defined as 68 bytes for individual packets and 576 bytes for the full reassembled packet. Notice that 68 is ridiculously small by today's standards. I think most modern operating systems supports the full 64KB. The maximum size of the individual parts (known as the MTU) is typically 1500 bytes as that is the size supported by Ethernet.

In most cases you want to avoid fragmentation of IP packets because if one part is lost by the network, then the remaining parts cannot be used for anything. Data larger than 1500 bytes is usually send using TCP, which does support retransmitting just the fragments that were lost.

It is possible to let TCP segment the data stream and then let IP fragment each segment, but the only gain is that you don't have to to send TCP headers as frequently. If you have a 68 byte MTU, then the TCP header is a significant part of the MTU, and such fragmentation makes sense. In more typical cases with an MTU of 1KB or more, the 20 bytes for the TCP header are well spent, and you usually try to send packets exactly the size where they don't have to be fragmented further.

A typical packet nowadays is a TCP packet with 20 bytes IPv4 header, 20 bytes TCP header, 12 bytes TCP options and up to 1448 bytes payload.

With IPv6 the limits have been increased. The minimum MTU was increased from 68 bytes to 1280 bytes. The minimum reassembled packet was increased from 576 to 1500 bytes, and the IP header was increased from 20 to 40 bytes. (Even though the size of the addresses was quadrupled, the header size was only doubled because everything else in the header was simplified). With IPv6 the 1280 bytes is large enough that often it is a good idea to just stay within the 1280 bytes to avoid problems with routers that don't support larger packets. It is close enough to 1500 bytes to get good efficiency in most situations, and there is sufficient gap between 1280 and 1500 to allow for a few extra headers in case of tunnelling. That would mean a typical TCP packet has 40 bytes of IPv6 header, 20 bytes of TCP header, 12 bytes of TCP options, and up to 1208 bytes of payload.

The bit in the header, which indicates if the packet should be split or bounced in case it is too large was eliminated with IPv6. In IPv6 the packets are always bounced if they are too large. That also means the header fields for reassembly were removed. The sender can decide to split the packet and include an IPv6 option header, but it still won't be split further by routers on the network.

You can have an option header specifying which route you want the packet to take rather than just a destination. But many networks will just drop the packet if you try to.

Re:Could we not just...

[geminidomino]

Damnit... Ninja'd.

RPKI FTW

[Lennie]

This is really good, now we can verify announcements.

More importantly, in the article it says the RIR's also finish their part so now we can start building filters which actually work ?

Re:RPKI FTW

[mysidia]

More importantly, in the article it says the RIR's also finish their part so now we can start building filters which actually work ?

No, that's still a few years off.

The problem with RPKI is it's all well and good, until you realize there has to be a central authority, and that central authority is vulnerable to influence by governmental and corporate entities.

For example, federal agents sending patriot act security letters demanding to have the encryption keys, needed to forge resource assignments to themselves, or demanding RIRs "cancel such and such resource"

This could make the RIAA and MPAA very happy, as it could provide them an expeditious way of shutting down any network, with a much lighter burden than that required to get a court order.

This Is Different, the Chinese Stealed Our Net!

[eldavojohn]

So we're at phase 1, the "Hey, check it out" phase. You can expect this to reach a phase 2, the "actually possible" phase, after IPv6 gets implemented, which will then take years to reach phase 3, the "We should really get on that" phase. Phase 4, the "Okay guys this is actually becoming a problem" phase, comes a couple years later and will no doubt be brought up on slashdot a million times over. Phase 5, is still a theoritcal phase, the "Implementation and execution phase" has not yet been observed but we have reason to believe it might happen one day, if we wish upon enough stars.

Get politicians and pundits in front of the American cameras screaming "ZOMG Chineze Haz Our Intarwebz!" And you'll be simply amazed at how fast the sloth can move. If only they could have made the IPv4 -> IPv6 transition about nationalism or freedom or democracy or Al-Queda working with the Ruskies to undermine our securitization ... then that would have happened instantly!

Re:This Is Different, the Chinese Stealed Our Net!

[cb88]

Actually ipv6 is less environmentally friendly as it requires bits to be thrown back and forth to get the job done.... just like an 8-bit micro is better for some jobs than a 16 or 32 bit micro as the larger ones inherently consume more power. Oh right... Al Gore... carry on.

Re:This Is Different, the Chinese Stealed Our Net!

[Doc+Ruby]

I dunno, it's obvious that "ZOMG Chineze Hz Our National Budgetz!", but our politicians and pundits are just digging deeper holes instead of cutting the vast and counterproductive military budgets that just create debt China uses to own our national budgets. And it was the Qaeda "working with Iraq" that created over a $TRILLION in debt, much greater than even the entire US debt to China ($860B).

Re:This Is Different, the Chinese Stealed Our Net!

[zach_the_lizard]

Stateless autoconfiguration might get rid of some DHCP servers, saving precious electrons.

Re:This Is Different, the Chinese Stealed Our Net!

[ScentCone]

vast and counterproductive military budgets

Which is a pale shadow of the vast and actually not productive entitlement spending that truly is killing us. The $850 billion of new deficit spending that Obama scored this week is a great example.

Re:This Is Different, the Chinese Stealed Our Net!

[Doc+Ruby]

The $850B isn't "new deficit spending", it's revenue reduction. Of course it contributes to the deficit by depriving us of revenue that could fund spending, but it's not spending.

What do you mean by "entitlement spending"? Be specific.

Re:This Is Different, the Chinese Stealed Our Net!

[AltairDusk]

I assume GP is talking about what are collectively known as "Pork-barrel projects" which are often attached to bills that have nothing to do with the project but are seen as "certain to pass". That's the first thing that comes to my mind when I hear "entitlement spending" at any rate.

Re:This Is Different, the Chinese Stealed Our Net!

[Pharmboy]

Of course it contributes to the deficit by depriving us of revenue that could fund spending, but it's not spending.

Not exactly. It isn't like the $850B disappears, it simply stays in the pockets of those people who would have been experience an actual tax INCREASE over current rates. It isn't even a cut, it is just maintaining the status quo from the last many years. If history tells us anything, it tells us that if you put (or keep) money in people's hands, they will spend it. So the money will still be put into the economy, it is just that you and I decide where it goes instead of Congress.

So the money will contribute to spending, yours and mine.

Re:This Is Different, the Chinese Stealed Our Net!

[Doc+Ruby]

"Pork barrel" projects does not mean "projects arbitrarily attached to other bills". Pork barrel projects might be arbitrarily to the previous purpose of the bill or not. They are the projects included in a bill as required by congressmembers who will not vote for the bill without them included, whether they're arbitrary or not, designating money for that congressmember's interest whether or not the expense supports the previous purpose of it. Sometimes it's "a piece of the action" of the main purpose, sometimes it's just a "favor" demanded by the congressmember who has the power to block passage of the bill.

"Earmarks" is the other buzzword that is more accurately associated with "pork barrel". Nobody is "entitled" to earmarks or pork barrel projects; they are not entitlements.

Re:This Is Different, the Chinese Stealed Our Net!

[kasperd]

Actually ipv6 is less environmentally friendly as it requires bits to be thrown back and forth to get the job done

Just in case somebody could be mislead to think you were serious, let me point out that the total number of fields in the header was reduced by 38% when switching from IPv4 to IPv6. That should allow for less processing power being used by the routers. The size of addresses was quadrupled, but the accumulated size of the other mandatory header fields was reduced by a third, in total that means the header only doubled in size.

Re:This Is Different, the Chinese Stealed Our Net!

[mcgrew]

He's probably referring to what the teabaggers call "entitlement spending"; Social Security, Medicare, which the teabaggers conviniently forget are funded by special taxes paid by those entitled to the benefits, and which the teabaggers incorrectly call "Ponzi Schemes".

Re:This Is Different, the Chinese Stealed Our Net!

[Doc+Ruby]

You're arguing semantics. The new tax cut is repeating a tax cut that Bush got through Congress by using the Congressional technique of "reconciliation", where ordinary majority rules are suspended but the passed bill must expire in 10 years. It's a new tax cut, following an old tax cut.

That old tax cut didn't put enough money into the economy, which instead was faked with an orgy of debt spending by almost everyone: Federal/state/local governments, corporations (especially banks, which went bust), somewhere around 175M credit card debtors, and about 10 million homebuyers who couldn't pay mortgages on homes they shouldn't have bought. 40% of GDP growth 2000-2008 was purely in the financial industry, which is not actual wealth (it's inflation, as is all that credit).

But the main point is that the money has not gone into the pockets of people who spend it in the US economy. Unemployment benefits nearly all go right back into the economy: an estimated $1.64 per dollar of UI moves through the economy. Because unemployed people spend all the money they get on goods right in their neighborhoods. While people who make over $250K a year spend quite a lot on foreign investments and imported goods - something like $0.50 per dollar cumulative effect in the US economy. In the middle are people who also spend a lot of their money on what they need to work, which is the most productive money. Hence the priority of the middle class keeping lower tax rates and the unemployed keeping even a meager income, while rich people are the least useful to give more money to.

Of course, the unemployed are much more expensive to the rest of us when they can't get UI, because they turn to crime (expensive in damages as well as judicial/jail work) and increased health costs. And of course the rich can actually afford to live quite well while paying a higher total percentage of their income in taxes, as their actual needs are met on a tiny fraction of their income (and accumulated wealth), though poorer people bottom out with a higher tax bill. Of course the rich also benefited vastly more from both the credit bubble and its bust, while also being the ones who caused it (by sponsoring deregulation and actually being bankers).

Yet $150B of that $850B is reduced taxes for income over $250K, but only $56B is for UI extensions. The $300B in reduced taxes for income under $250K is shared by everyone, including everyone making over $250K for their first $250K. And there's a lot fewer rich people over $250K, so their share of the $850B is a lot more money per person than for everyone else, money that performs a lot worse in the economy.

Some people's protected incomes have a lot more effect than others'. But then there's government spending (which includes UI), which also has different effects depending on what (and whom) it's spent on. $850B on the military/intel is mostly spent on keeping fairly productive people out of the workforce at mediocre incomes, but also largely spent on weapons never used (like digging and refilling ditches, economically). And then there's the hundreds of $BILLIONS spent on actually destroying things, which of course doesn't produce anything, while increasing costs by turning many people against us, including people among our allies who lose interest in "buying American" because "America isn't cool anymore". There's lots of government spending that just harms the US economy (before even accounting for the interest cost - and uncertainty costs - of the debt it accounts for). But most government spending is worthwhile, to protect and grow Americans' ability to produce what we sell and keep.

We can argue in the semantic circles hammered out by corporate thinktanks for politicians to peddle to corporate media outlets. Or we can look at what we're actually spending on, from whom we're collecting, who benefits and how much. The semantic madhouse has got us into this mess. As have the previous tax rates, that are being extended on the basis that "they're the best way to get u

Re:This Is Different, the Chinese Stealed Our Net!

[Doc+Ruby]

Well, I'm curious what they're talking about. They did refer to tax cuts as spending, so they could mean anything, no matter what the term actually means. So far, who knows?

Re:This Is Different, the Chinese Stealed Our Net!

[ScentCone]

The $850B isn't "new deficit spending", it's revenue reduction

No. You're thinking of the continuation of the tax rates, which "reduces" revenue by $150B. It's the extension of more unemployment benefits for another long stretch that requires the borrowing of $850B in brand new, shiny Chinese debt. That's what Obama was holding out for on the tax deal. The left can whine all they want about holding tax rates where they were - but the killer, as always, is the colossal new entitlement hemorrhaging.

Re:This Is Different, the Chinese Stealed Our Net!

[Doc+Ruby]

The UI benefits for the next 2 years are $56B. The extended reduced tax rates on over $250K income costs $150B. The extended reduced tax rates on the first $250K costs $300B.

Which programs are "entitlement spending"? None of them. Entitlement programs include Social Security, Medicare, and Medicaid, most Veterans' Administration programs, federal employee and military retirement plans, unemployment compensation, food stamps, and agricultural price support programs.

Social Security pays for itself (workers pay to buy government bonds that pay off and are rolled over, but at an interest rate that's smaller than the growth of the economy that's taxed to pay the interest), and will continue to do so for at least another 25 years. Are you talking about (and wanting to cut) Medicare and Medicaid? Food stamps? Veterans services, including their pensions and healthcare? Pensions for Federal employees, who deferred their incomes while working to get it back as a pension later? Agricultural subsidies?

Or some other actual entitlement program?

Or maybe you just didn't really know what an entitlement program really is.

Re:This Is Different, the Chinese Stealed Our Net!

[spitzak]

The $150B is for the over 250K income tax.

I was always told the under 250K income tax is $700B. So there is the $850B there, it is all tax cuts.

The unemployment spending does not appear to be in your total but it is about 50B. The payroll tax cut is also not there and I have heard it is significantly larger expense.

Re:This Is Different, the Chinese Stealed Our Net!

[moonbender]

Will you marry me?!

Re:This Is Different, the Chinese Stealed Our Net!

[BitZtream]

Except that routers really only care about 1 field, the destination address. They SHOULD care about other fields so that thins like DONT_FRAGMENT gets honored, but thats not really going to kill you if you have other ways to ensure packets don't get broken after they've reached the next hop.

So you've effectively made the only field they care about much larger, even taking into account half of it can be/is just the mac address which actually makes things easier.

Firewalls care about the fields in the packet, hosts care, routers don't give a shit unless they are acting as as firewall or some other device being 'more' than a router.

Re:This Is Different, the Chinese Stealed Our Net!

[BitZtream]

Businesses, unlike geeks in moms' basement do things when there is an economic reason to do so, not just 'because we have to one day'.

Theres really no major reason to run head first into the transition, we've been 'running out of addresses this year' for 15 years.

I suspect we'll have flying cars before we stop using IPv4.

Yes, its going to happen eventually, but no, the Internet won't cease to function next week because we ran out of addresses, regardless of how many times someone writes a newspaper or press release about the impending doom.

Re:This Is Different, the Chinese Stealed Our Net!

[amorsen]

Many of the real expensive routers need to care about much more than the destination address. They need to be able to identify flows based on other parts of the packet; otherwise the ISP cannot fulfil their data retention obligations under the law in most parts of the world, these days.

IPv6 has made this a lot harder because the UDP or TCP port number is no longer at a fixed offset from the start of the packet. Instead the router has to parse variable-length extra headers. The same applies to "smart" ethernet cards which are multiqueue or have receive offload. They have exactly the same need.

Re:This Is Different, the Chinese Stealed Our Net!

[kasperd]

Except that routers really only care about 1 field, the destination address.

That is not entirely correct. They have to care about the TTL/Hop limit field as well. If they didn't, then a routing loop would take out the network. Every router has to update this field, and in IPv4 that meant they had to update the header checksum as well. They also have to care about the length of the packet, though you may get away with only caring about the length at the link level. The rest of the header fields can be ignored.

They SHOULD care about other fields so that thins like DONT_FRAGMENT gets honored

I am not aware of any cases where that is ignored. I never saw a case where a packet with the bit set got fragmented. It is a common mistake to drop the packet without sending the proper ICMP message back to the sender. There is several ways this could go wrong, I don't know which of them is predominant. (Never send the ICMP packet, drop the ICMP packet somewhere on the path back, generate an ICMP response that is too large to make it back).

This is the one thing that was simplified the most in IPv6. In IPv4 every router had to look at this bit and use it to find out which of two ways to behave it had to follow. In IPv6 the don't fragment bit does not exist anymore, it is implied to be true. An IPv6 router must always respond with an ICMP packet. Fragmenting the packet is no longer possible. The header fields used for fragmentation were removed. (If desired, the sender can fragment the packet before it enters the network and include an option header with the necessary fields. No router has to look at this option header, only the final recipient needs to look at it).

So you've effectively made the only field they care about much larger, even taking into account half of it can be/is just the mac address which actually makes things easier.

First of all, the addresses were increased in size because they were too small to begin with. However, a router only needs to look at the first half of the destination address except in those cases where the final destination is on a directly attached network.

Ok, so the router now have to consider 64 bits of the address for routing, where it used to be considering only 24 or 32 bits. However the table it has to process is likely going to be much smaller since with IPv6 it will more often be the case that an ISP has a contiguous range of IP addresses, so even that part of the processing may be cheaper with IPv6.

You can use the MAC address to choose an IPv6 address if you want something that doesn't require configuration of individual machines. But there are plenty of other ways an IPv6 address can be configured.

Re:This Is Different, the Chinese Stealed Our Net!

[kasperd]

IPv6 has made this a lot harder because the UDP or TCP port number is no longer at a fixed offset from the start of the packet. Instead the router has to parse variable-length extra headers.

If anybody decides to put functionality in a router that looks at those fields, then they are doing it wrong. It is not the protocol's fault if somebody decides to implement it in a way it wasn't intended to.

The port numbers never were on a fixed offset, not even with IPv4. There could be options in the header, in which case the transport header would start at a different offset. Secondly the port numbers don't even exist in all protocols. There could be tunnelling, in which case there would be another header before the transport header. It is even possible that the transport header was encrypted in that case.

There is a field in the IPv6 header that serves to handle those cases where a router might want to distinguish between different traffic flows between the same set of hosts. It is called the flow label, and that is what a router is supposed to be using in those cases.

Re:This Is Different, the Chinese Stealed Our Net!

[amorsen]

Try reading the flow label discussion currently going on in the appropriate working group. Then come back to me and tell me that the flow label will be useful for anything within the next 5 years.

Looking at port numbers is required for data retention, it is useful for load balancing, and it is essential for modern NIC's. Only the load balancing case can be solved by the flow label, unless the working group manages to mandate that flow labels MUST be delivered unchanged to the other end.

And yes, the port numbers do not always exist, not everything is UDP or TCP or SCTP or RDS... Basically that leaves tunnelled or encrypted traffic and ICMP. Once encryption moves to the NIC, they can do queueing for encrypted flows too, and then the same problem applies.

Saying that router vendors are doing it wrong is entirely unhelpful, because their customers cannot do their jobs without this functionality.

Another measure to lock down wikileaks?

I have to wonder if the motivation for this is coming from our own government. They have now taken down domain names since the DNS service can be controlled in the US, but routing is still pretty flexible, so you can still reach the website.

Would this fix not also result in the ability to lock down routing and lock out the rightful owners of IP addresses?

Re:Another measure to lock down wikileaks?

[Peter+Trepan]

I was going to suggest the same possibility. Mod parent up.

HOSTS use won't work vs. BGP

"Is there no way on a local machine to maybe add to a host file a list of non allowed hops or something, where the packets have info as to where they can not be sent, and avoid. I am not sure as I am not very knowledge about networking, as much as I am programming, I would see this as trivial to add to a packet a flag that says it must stay within a hopping locality or sequence?" - by hesaigo999ca (786966) on Wednesday December 08, @01:10PM (#34489968) Homepage

Specifically on HOSTS files, since I often post about them here? HOSTS files usage won't work vs. BGP exploits!

(Think of BGP as SORT OF like arp is, which you also need for routing).

ISP's use BGP to make routes between one another, and this is not something YOU have any control over... once you get packets in (from who knows where under this type of attack), & send them out again? You have ZERO control now at that point vs. BGP.

BGP READ:

http://en.wikipedia.org/wiki/Border_Gateway_Protocol

That URL's where you can read up more on BGP...

and

ARP READ:

http://en.wikipedia.org/wiki/Address_Resolution_Protocol

That URL's where you can read up more on ARP which is used between routers/gateways...

Why did I put those links up for you?

Well - You stated you're more of a programmer than a network engineer/tech, & I was much the same a decade + 1/2 ago is why...: I KNOW WHERE YOU ARE COMING FROM! Those will help...

(I too was "mostly coder & hardware tech" ONLY, back then circa 1994-1996, until I started doing webservices based coding + client-server work, where you HAD to have @ least SOME understanding of "things networking", & picked up MOST of it on IRC back then)...

Later though? Heh, it ended up getting me work as a network administrator many times even, just because I took some initiative to "grow myself" a BIT more, to be more "well-rounded/all-around" & more "liberal arts", albeit STRICTLY around computing (learn BOTH coding & networking - it's worth it!).

APK

P.S.=> This isn't a first, though I truly DO suspect China did it intentionally (because of the military information being sampled as mentioned in the source articles is why MOSTLY), but iirc, some ISP in Florida USA did it by accident & FLOORED THEMSELVES (sort of funny, but NOT for their customers though I imagine - especially those that depend on the net for their work/livelyhood, education, etc./et al (& even if only in part))... apk

Re:HOSTS use won't work vs. BGP

[metrix007]

who rated this troll +5?

Not the problem, not the solution!

[ckdake]

How is this a fix again? How is security the issue here? It's not like someone snuck onto the internets and did something malicious, a provider with BGP peering agreements sent out bad routes that their peers didn't filter.

The problem is not something that additionally encrypting/signing messages will fix, it's a problem of network operators blindly trusting routes from their providers and passing them along.

The only fix here is for operators to properly filter routes from people they peer with. Period.

Re:Not the problem, not the solution!

[Hatta]

The problem is not something that additionally encrypting/signing messages will fix, it's a problem of network operators blindly trusting routes from their providers and passing them along.

You're right, blind trust is the problem. Cryptographic signatures are how you verify that trust.

Re:Not the problem, not the solution!

[ckdake]

Accepting a bad route from a peer and accepting a cryptographically signed bad route from a peer are the same thing.

Re:Not the problem, not the solution!

[samson13]

I don't think most operators could do a better job. Every ISP I've dealt with has been pretty anal about what routes they accept from me.

This incident happened at the large ISP level and currently they don't have the information required to do better filtering. In this case China Telecom might legitimately be the shortest path for some of this traffic some of the time and there is no way to tell otherwise.

The PKI signed advertisements will provide trust that I have ownership of the resources and would probably solve most of the accidental routing incidents.. i.e. somebody fat fingers a route on some "core" router and it starts advertising it under its own AS. The rest of the Internet will ignore that route because that AS doesn't own it.

What I don't see it solving is the malicious case were the attacker strips the AS path and re-advertises the route. i.e ME-A-B-C-D-BADGUY. Badguy just advertises ME-BADGUY so anybody closer will go their direction. Nobody can tell the difference cause I've signed the advertisment and they won't know that I'm not connected to BADGUY...

unless I sign that my nexthop is A. A then signs that his next hop is B. I could imagine that getting very expensive in the middle. Where the level1 carriers have to sign every route multiple times for every one they connect to.. Ouch.

Excellent News

[Doc+Ruby]

The correct response to exploits that take control of the Internet is to change the Internet so that kind of exploit doesn't work.

The Internet's global community is responding to threats like China's power over it much better than countries are responding to Chinese threats. Maybe because the Internet's developers don't directly depend on China buying their debt.

Hopefully a fix to Safari as well

[HalAtWork]

For some reason, on Safari Mac, the word "Fix" is missing on the tab, both for the Slashdot story and the linked story. The tooltip shows it, the window title shows it, but the tab doesn't. Hopefully a fix for this is forthcoming as well.

Re:Hopefully a fix to Safari as well

[BitZtream]

Your Safari is broken, mine shows it just fine.

Link to one-pager version

[bwintx]

Here.

Not when but IF!

[mrnick]

From the article: "How quickly RPKI will be adopted is unknown." How arrogant is that? Wouldn't it be better to say "It is unknown if RPKI will be adopted or not."

The beauty of the Internet is also its greatest weakness, a lack of centralized control. Who do they think runs the "Internet"? I'd like to apply for that job :)

the irony

The irony is one day we finally plugged all the holes, fixed all the leaks, chalked up all the cracks, only to find "freedom" has moved to China.

It ain't broken

It is working as advertised and some people don't like the Internet working that way -- wayward, without an overlord. This "fix" is the overlord.

is this still happening?

[Finite9]

I just logged into oracles OTN site at 09:30 CET today, it was in english, then I went into their DBA link and got the chinese site. Now, im in europe using an english language OS and i went to oracle.com. Why would I get a chinese site, unless...(tin foil at the ready) THEY THOUGHT I WAS FROM CHINA!! and my traffic was going through a chinese router!!!

Is this still happening silently? Was that 15 minute incident the only incident?

Re:is this still happening?

[Finite9]

and now it's happening to all my colleagues... something is happening for sure.