The Status of Routing Reform — How Fragile is the Internet?

Posted by timothy
from the hopefully-comcast-is-not-the-standard-bearer dept.
crimeandpunishment points out the Associated Press's look (as carried by SkunkPost) "at an issue the government has been aware of for more than 20 years, but still isn't fixed and continues to cause Internet outages: a flaw in the routing system that sends data from carrier to carrier. Most outages are innocent and fixed quickly, but there's growing concern the next one could be devastating. A general manager at Renesys Corporation, which tracks the performance of Internet data routes, says, 'It amazes me every day when I get into work and find it's working.'"
  • Two words.. (Score:3, Informative)

    by Anonymous Coward on Sunday May 09 2010, @11:09PM (#32151380)

    BGP Filtering. There, fixed that for you.

  • Route filtering (Score:5, Informative)

    by Anonymous Coward on Sunday May 09 2010, @11:32PM (#32151504)

    Route filtering, USE IT!
    Especially when peering with Pakistani/Chinese/etc ISPs.
    This is why RIRs such as RIPE/ARIN/APNIC have their information publicly available.
    So you know which addresses belong to who.
    Only accept routes from your BGP peers that you know belong to them.
    This also (in addition to hijack prevention) prevents a clueless NOC monkey from another autonomous system from messing up your whole network by announcing a default route.

  • by Charliemopps (1157495) on Sunday May 09 2010, @11:39PM (#32151538)
    Not when every ISP out there is voiping everything out of soft switches. There is no "Old school phone system" any more. It all VOIPS eventually. Any major data outage WILL affect voice as long as it's on a lower layer... i.e. DNS problems shouldn't cause a problem but routing issues certainly will.
  • by Aeternitas827 (1256210) * on Sunday May 09 2010, @11:41PM (#32151546)

    But there are only 13 internet root servers . . . .

    13 root DNS servers...this is a different protocol altogether. I don't pretend to understand real well--VLSM/CIDR confuse the hell out of me, and that's where I gave up trying to understand the nuts and bolts--but there's a very large number of systems whose routes would need to be compromised, and quickly, to make this have an effect that is visible to end users--and even that would be short lived. As the parent put it:

    This "hijacking" happens all the time, people immediately see it and fix it and nobody notices.

  • by scdeimos (632778) on Monday May 10 2010, @12:02AM (#32151660)

    Unfortunately you can't make that assumption any more.

    Even national telcos, such as Telstra in Australia, are routing all of their landline and mobile voice and data telecommunications over IP networks (and have done so since 2007 [computerworld.com.au]).

  • by mysidia (191772) on Monday May 10 2010, @12:52AM (#32151868)

    And that is a big reason why the Internet exterior gateway protocol is not RIP or any other IGP.

    A premise of the RIP and other IGP protocols is routers talking to each other trust each other.

    With BGP, the premise is the opposite... routers speaking the protocol implement policies against each other: policies regarding what routes they propagate or originate outbound, policies regarding what routes they accept, and policies regarding what incoming routes they propagate.

    So networks that don't trust each other only accept appropriate routes from their peer based on AS-path and Prefix-list filters.

    Basically almost all networks should treat their peers as untrusted, and list out prefixes of end users.

    It doesn't start to get hairy, until you need to peer with a provider (instead of an end-user) and accept all prefixes from them, because you want their customer prefixes, or you want to buy transit from them.

    As for ISPs and providers though... failing to filter downstream announces is the exception to the rule.
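
The per-peer filtering described in the comments above (accept only prefixes known to belong to the peer, refuse a default route, check the AS path), sketched as an added example that is not part of any poster's comment. The policy table, AS numbers and prefixes are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed policy for one peer: prefixes registered to it (documentation
# ranges), AS numbers allowed to originate them, and the longest mask accepted.
PEER_POLICY = {
    64500: {
        "prefixes": [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")],
        "origins": {64500, 64501},
        "max_len": 24,
    },
}

def check_announcement(peer_as, prefix, as_path):
    """Return (accepted, reason) for one route received from peer_as."""
    policy = PEER_POLICY.get(peer_as)
    if policy is None:
        return False, "no policy for peer"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen == 0:
        return False, "default route"
    if not as_path or as_path[0] != peer_as:
        return False, "path does not start at peer"
    if as_path[-1] not in policy["origins"]:
        return False, "origin AS not allowed"
    if net.prefixlen > policy["max_len"]:
        return False, "more specific than allowed"
    if not any(net.version == p.version and net.subnet_of(p)
               for p in policy["prefixes"]):
        return False, "prefix not registered to peer"
    return True, "accepted"

def filter_updates(peer_as, updates):
    """Split (prefix, as_path) updates into accepted prefixes and rejections."""
    results = [(p, *check_announcement(peer_as, p, path)) for p, path in updates]
    accepted = [p for p, ok, _ in results if ok]
    rejected = {p: why for p, ok, why in results if not ok}
    return accepted, rejected

# Constructed updates from peer AS64500, including a leaked default route.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64500]), ("0.0.0.0/0", [64500]),
    ("203.0.113.0/24", [64500]), ("192.0.2.128/25", [64500]),
    ("198.51.100.0/24", [64500, 64511]),
]
```

Calling `filter_updates(64500, SAMPLE_UPDATES)` accepts only the one registered prefix and returns a reason for each of the other four.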

  • by Captain Linger (869777) on Monday May 10 2010, @01:42AM (#32152012)
    Route filtering. Trust me, if the 12 occasionally scattered folk I work with every day can manage to block leaks of inappropriate routes within 15-60 minutes, so can everyone else, and they typically do...generally they're properly filtered to begin with. The open nature of the internet and diversity amongst transit carriers is precisely what contains these leaks to segmented populations rather than causing a massive nationwide failure. The fact that largely Internet standards have been left to technocratic, Balkanized organizations rather than via Congress is what keeps everyone playing nice. The "next one" may be "a big one", but anyone running a truly important network should and will have diverse carriers...anyone critical to the US infrastructure should and does generally run over dark fiber that would not be affected. Not seeing the call to action here, but I have very little faith in the media to actually competently understand and relate this one. HangingChad, exactly: "I got a bad feeling about this"
  • by mrrudge (1120279) on Monday May 10 2010, @04:58AM (#32152826) Homepage
    That's possibly not a great argument to bring up amidst an internet community likely to contain a large amount of people whose hard work stopped the millennium bug being a massive problem.
  • by gavving (1689168) on Monday May 10 2010, @08:16AM (#32153640)

    As someone who's accidentally announced the entire Internet routing table to an ISP when setting up a dual-homed configuration, I can confirm that good upstream ISPs do BGP filtering. I was trying to troubleshoot what was going on, and the Tech on the other end was helpful enough to tell me that I was sending him the full route table. Fortunately they had filters in place to stop them from going out any further and impacting anything. But I had it clearly demonstrated to me how important filters are on both ends of the connections.
