
Internet Routing, Looming Disaster?

wiredmikey writes "The Internet's leading architects have considered the rapid growth and fragmentation of core routing tables one of the most significant threats to the long-term stability and scalability of the Internet. In April 2010, about 15% of the world's Internet traffic was hijacked by a set of servers owned by China Telecom. In the technical world, this is typically called a prefix hijack, and it happened due to a couple of wrong tweaks made at China Telecom. Whether this was intentional or not is unknown, but such routing accidents are all too common online. While BGP is the de-facto protocol for inter-domain routing on the Internet, actual routing occurs without checking whether the originator of the route is authorized to do so. The global routing system itself is made up of autonomous systems (AS) which are simply loosely interconnected routing domains. Each autonomous system decides, unilaterally, and even arbitrarily, to trust everything it hears from any other AS, to use that information without validation, and to further transmit that information to its other peers..."

  • Re:Authentication (Score:2, Interesting)

    by vlm ( 69642 ) on Wednesday December 01, 2010 @12:31PM (#34405200)

    So... what you're saying is we should all start using that nifty authentication feature several routing protocols support, because it would make routing more secure? I suppose the better question is, why haven't we done it?

    The better question is actually, "what are they pushing". So they're outputting almost unbelievable FUD that everyone actually in the business laughs out loud at. The purpose of doing this is ....

    That is the crucial part missing from the summary.

    My guess is the usual big gov statist corporatist B.S., because it's possible to make money off that, but it's just a guess.

  • by phyrexianshaw.ca ( 1265320 ) on Wednesday December 01, 2010 @01:37PM (#34406172) Homepage
    That's not entirely true.

    Though you choose what MAJOR prefixes you accept routing information for, nobody cares about the /8s.

    If I had say a /24 assigned to me, and I decided to have it routed to my building in Toronto, but then decided to move a /28 to a location in Dallas, what would be the easiest way to go about that?

    If I had enough other locations to assign /28s to, I could simply retrieve an AS number and advertise each /28 to the parents at each location. This would then trail up to the largest area that my /24 exists under, and the traffic would be routed locally to each location.

    Sure, many ISPs that you deal with in North America may have policies regarding what exact prefixes you advertise at each peering location, but at some point you become large enough to be "trusted". Once you start carrying your own traffic internally is often the breaking point.

    Say I decided to lease some dark fiber between my two locations: then suddenly my rates may be cheaper than the existing path the ISP is taking between the two. (HIGHLY unlikely, unless your IT department has WAY too much money and you've got a few ISPs interested in sharing a portion of your pipe, though it can seriously reduce the cost of some 100Mbit customer-facing links in some cases.)
    This then leads to an interesting predicament: how does one know what prefixes will be advertised over that pipe? Sure, each ISP sharing the connection MAY decide to restrict advertisements, but few have the capacity to do so for many of the smaller /24s or /28s that exist. Keep in mind that each /16 has 256 /24s, which in turn each have 32 /28s each.
    Customers don't buy /16s (regularly); they buy a /27-/30. This means that the /8 you oversee as an ISP may have as many as 4,194,000+ /30 prefixes to account for.
  • by Spazmania ( 174582 ) on Wednesday December 01, 2010 @03:04PM (#34407826) Homepage

    Not exactly. Most ISPs filter their customers' announcements that way, but it's highly impractical to implement such filters when peering with other ISPs.

    The solution boils down to:

    1. Temporary filter installed for errant routes
    2. Peering POC at source ISP gets a stern lecture and a depeering threat
    3. Peering is so valuable (and so costly to lose) that peering POC smacks around the person who allowed the leak in the first place.
    4. Mistake repeats because the staff who originally allowed it are incompetent
    5. Source ISP gets depeered so he has to pay for all his Internet traffic via a connection that actually is filtered
    6. Source ISP fires the fool who screwed up in the first place, cancels the customer contract (if it was customer originated).
    7. Source ISP most likely never recovers and ends up being bought out while in or near bankruptcy.

    Okay, so steps 4 onward are an artful exaggeration. But seriously, senior network engineers get really bent out of shape when a peer slips them a bum route.
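The customer-announcement filtering mentioned in the comment above, together with the origin check the story summary says BGP lacks, as an added sketch that is not part of the original thread. The customer name, filter-table layout and function names are hypothetical; all prefixes and AS numbers are documentation values.

```python
import ipaddress

# Constructed filter table: (authorized prefix, longest mask accepted, origin AS).
# Prefixes and AS numbers come from the documentation ranges (RFC 5737, RFC 5398).
CUSTOMER_FILTERS = {
    "cust-a": [
        (ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
        (ipaddress.ip_network("198.51.100.0/24"), 28, 64496),
    ],
}

# Constructed announcements as (prefix, AS path); the origin AS is the last hop.
SAMPLE = [
    ("192.0.2.0/24", [64496]),             # exact registered prefix
    ("198.51.100.16/28", [64496]),         # more-specific, within the /28 limit
    ("192.0.2.128/25", [64496]),           # more-specific than the entry allows
    ("198.51.100.0/24", [64496, 64511]),   # registered prefix, foreign origin AS
    ("203.0.113.0/24", [64496]),           # never registered: a leak or hijack
]


def check_announcement(customer, prefix, as_path):
    """Return (accepted, reason) for one route heard on a customer session."""
    net = ipaddress.ip_network(prefix)
    if not as_path:
        return False, "empty AS path"
    origin = as_path[-1]  # rightmost AS in the path originated the route
    covered = False
    for allowed, max_len, allowed_origin in CUSTOMER_FILTERS.get(customer, []):
        if net.version != allowed.version or not net.subnet_of(allowed):
            continue
        covered = True
        if net.prefixlen <= max_len and origin == allowed_origin:
            return True, "authorized"
    if covered:
        return False, "covered prefix, but mask length or origin AS not authorized"
    return False, "prefix not registered for this customer"


def filter_session(customer, announcements):
    """Split a batch of announcements into accepted and rejected lists."""
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        ok, reason = check_announcement(customer, prefix, as_path)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected
```

A table like this is manageable per customer session; between peers the same check would need an entry for every prefix the peer and its customers might legitimately announce.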
