The Status of Routing Reform — How Fragile is the Internet? 139
crimeandpunishment points out the Associated Press's look (as carried by SkunkPost) "at an issue the government has been aware of for more than 20 years, but still isn't fixed and continues to cause Internet outages: a flaw in the routing system that sends data from carrier to carrier. Most outages are innocent and fixed quickly, but there's growing concern the next one could be devastating. A general manager at Renesys Corporation, which tracks the performance of Internet data routes, says, 'It amazes me every day when I get into work and find it's working.'"
Two words.. (Score:3, Informative)
BGP Filtering. There, fixed that for you.
Route filtering (Score:5, Informative)
Route filtering, USE IT!
Especially when peering with Pakistani/Chinese/etc ISPs.
This is why RIRs such as RIPE/ARIN/APNIC have their information publicly available.
So you know which addresses belong to who.
Only accept routes from your BGP peers that you know belong to them.
This also (in addition to hijack prevention) prevents a clueless NOC monkey from another autonomous system from messing up your whole network by announcing a default route.
Re:Use phone to manually change routes? (Score:3, Informative)
Re:The Internet is not going to end (Score:2, Informative)
But there are only 13 internet root servers . . . .
13 root DNS servers...this is a different protocol altogether. I don't pretend to understand real well--VLSM/CIDR confuse the hell out of me, and that's where I gave up trying to understand the nuts and bolts--but there's a very large number of systems whose routes would need to be compromised, and quickly, to make this have an effect that is visible to end users--and even that would be short lived. As the parent put it:
This "hijacking" happens all the time, people immediately see it and fix it and nobody notices.
Re:Use phone to manually change routes? (Score:4, Informative)
Unfortunately you can't make that assumption any more.
Even national telcos, such as Telstra in Australia, are routing all of their landline and mobile voice and data telecommunications over IP networks (and have done so since 2007 [computerworld.com.au]).
Re:Strength is weakness (Score:5, Informative)
And that is a big reason why the Internet exterior gateway protocol is not RIP or any other IGP.
A premise of the RIP and other IGP protocols is routers talking to each other trust each other.
With BGP, the premise is the opposite... routers speaking the protocol implement policies against each other: policies regarding what routes they propagate or originate outbound, policies regarding what routes they accept, and policies regarding what incoming routes they propagate.
So networks that don't trust each other only accept appropriate routes from their peer based on AS-path and Prefix-list filters.
Basically almost all networks should treat their peers as untrusted, and list out prefixes of end users.
It doesn't start to get hairy, until you need to peer with a provider (instead of an end-user) and accept all prefixes from them, because you want their customer prefixes, or you want to buy transit from them.
As for ISPs and providers though... failing to filter downstream announces is the exception to the rule.
Oh crap, this can get worse than net neutrality (Score:2, Informative)
Re:between this and that dnssec thing... (Score:3, Informative)
Filtering works, for those that configure it (Score:2, Informative)
As someone who's accidentally announced the entire Internet routing table to an ISP when setting up a dual-homed configuration, I can confirm that good upstream ISPs do BGP filtering. I was trying to troubleshoot what was going on, and the Tech on the other end was helpful enough to tell me that I was sending him the full route table. Fortunately they had filters in place to stop them from going out any further and impacting anything. But I had it clearly demonstrated to me how important filters are on both ends of the connections.