Fix To Chinese Internet Traffic Hijack Due In Jan. 92

alphadogg writes "Policymakers disagree about whether the recent Chinese hijacking of Internet traffic was malicious or accidental, but there's no question about the underlying cause of this incident: the lack of built-in security in the Internet's main routing protocol. Network engineers have been talking about this weakness in the Internet infrastructure for a decade. Now a fix is finally on the way."
  • What is the adage? Throwing code at a problem?

    This was a known problem, but they way until it really is exploited to then fix it with something untested and thrown together.

    Yep. I feel real good about it and have total confidence in the solution.

    • If it ain't broke, don't fix it.

      It's broke now, so it's time to fix it.

      That being said, I rather like this RPKI thing--but I think it can go a -lot- further.

      Universal encryption of all network sessions would help with authentication of resources, prevent man-in-the-middle attacks, prevent sidejacking, prevent...well, all manner of things.

      Additionally, the internet could only benefit from the enhanced PKI that would need to be deployed to enable this.
    • Re: (Score:3, Informative)

      by mysidia ( 191772 )

      What is the adage? Throwing code at a problem?

      Yeah.. like SSL prevents hackers from hijacking CC details in e-commerce transactions.

      RPKI has been in the works for years, and will be in the works for years.

      I don't know where the idea "this will be fixed Jan 1" came from. A pilot program for RPKI is no more an immediate fix than the pilot program for DNSSEC was an immediate fix for security issues, and no more than the IPv6 pilot program / 6Bone was an immediate fix for IP address exhaustion.

      Finali

    • by baerm ( 163918 )

      This was a known problem, but they way(sic) until it really is exploited to then fix it with something untested and thrown together.

      It's actually something that people have been working on for quite a long time, many years. It's not a last minute attempt to solve the issue.

  • Comment removed based on user account deletion
    • Re:What... (Score:5, Informative)

      by bsDaemon ( 87307 ) on Wednesday December 08, 2010 @02:14PM (#34490014)

      Chinese Telecom perpetrated a specific route 'attack' a few months ago where they advertised via their BGP feed more specific routes (longer netmask prefixes) for a few blocks, thus any other AS whose BGP feed had been updated with the bogus data was selecting the route to China rather than the route to the actual destination. This can either cause minor disruption, or be taken advantage of to sniff all the traffic which is incoming towards the affected hosts. Whether China did it for specifically malicious purposes really isn't clear, but it's happened by mistake in the past. It's a known issue in the design of the protocol and policies, and doesn't really take an 'exploit' so much as someone advertising a /22 for a block they may or may not own which preempts the legitimate /20.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        No, some moron working on China Telecom's Beijing AS posted the iBGP routing table to the eBGP side. It's that simple. It didn't cause too much trouble, really, since the only routers that were fooled by it were nearby routers - like the other edge routers in China, and those in S. Korea, Japan, and surrounding companies (in the network topology, which loosely mirrors real geography). The routers in the US would get two prefix advertisements, notice that one was too far away, and use the right ones.

        This is

  • by Monkeedude1212 ( 1560403 ) on Wednesday December 08, 2010 @02:08PM (#34489928) Journal

    So we're at phase 1, the "Hey, check it out" phase. You can expect this to reach a phase 2, the "actually possible" phase, after IPv6 gets implemented, which will then take years to reach phase 3, the "We should really get on that" phase. Phase 4, the "Okay guys this is actually becoming a problem" phase, comes a couple years later and will no doubt be brought up on slashdot a million times over. Phase 5, is still a theoretical phase, the "Implementation and execution phase" has not yet been observed but we have reason to believe it might happen one day, if we wish upon enough stars.

    • by SEWilco ( 27983 ) on Wednesday December 08, 2010 @02:14PM (#34490016) Journal
      Hey, you have to wait until it's implemented. Right now, the fix is due in Jan, and we have to wait until Jan writes down the code and gets it working right. Once it's working right, we're OK and we can thank Jan.
    • by St.Anne ( 651391 )
      What about the "There, fixed it for ya. You're welcome." Phase?
    • So we're at phase 1, the "Hey, check it out" phase. You can expect this to reach a phase 2, the "actually possible" phase, after IPv6 gets implemented, which will then take years to reach phase 3, the "We should really get on that" phase. Phase 4, the "Okay guys this is actually becoming a problem" phase, comes a couple years later and will no doubt be brought up on slashdot a million times over. Phase 5, is still a theoretical phase, the "Implementation and execution phase" has not yet been observed but we have reason to believe it might happen one day, if we wish upon enough stars.

      Get politicians and pundits in front of the American cameras screaming "ZOMG Chineze Haz Our Intarwebz!" And you'll be simply amazed at how fast the sloth can move. If only they could have made the IPv4 -> IPv6 transition about nationalism or freedom or democracy or Al-Qaeda working with the Ruskies to undermine our securitization ... then that would have happened instantly!

      • I dunno, it's obvious that "ZOMG Chineze Hz Our National Budgetz!", but our politicians and pundits are just digging deeper holes instead of cutting the vast and counterproductive military budgets that just create debt China uses to own our national budgets. And it was the Qaeda "working with Iraq" that created over a $TRILLION in debt, much greater than even the entire US debt to China ($860B).

        • vast and counterproductive military budgets

          Which is a pale shadow of the vast and actually not productive entitlement spending that truly is killing us. The $850 billion of new deficit spending that Obama scored this week is a great example.
          • The $850B isn't "new deficit spending", it's revenue reduction. Of course it contributes to the deficit by depriving us of revenue that could fund spending, but it's not spending.

            What do you mean by "entitlement spending"? Be specific.

            • I assume GP is talking about what are collectively known as "Pork-barrel projects" which are often attached to bills that have nothing to do with the project but are seen as "certain to pass". That's the first thing that comes to my mind when I hear "entitlement spending" at any rate.
              • "Pork barrel" projects does not mean "projects arbitrarily attached to other bills". Pork barrel [wikipedia.org] projects might be arbitrarily to the previous purpose of the bill or not. They are the projects included in a bill as required by congressmembers who will not vote for the bill without them included, whether they're arbitrary or not, designating money for that congressmember's interest whether or not the expense supports the previous purpose of it. Sometimes it's "a piece of the action" of the main purpose, some

            • Of course it contributes to the deficit by depriving us of revenue that could fund spending, but it's not spending.

              Not exactly. It isn't like the $850B disappears, it simply stays in the pockets of those people who would have been experience an actual tax INCREASE over current rates. It isn't even a cut, it is just maintaining the status quo from the last many years. If history tells us anything, it tells us that if you put (or keep) money in people's hands, they will spend it. So the money will still

              • You're arguing semantics. The new tax cut is repeating a tax cut that Bush got through Congress by using the Congressional technique of "reconciliation", where ordinary majority rules are suspended but the passed bill must expire in 10 years. It's a new tax cut, following an old tax cut.

                That old tax cut didn't put enough money into the economy, which instead was faked with an orgy of debt spending by almost everyone: Federal/state/local governments, corporations (especially banks, which went bust), somewher

            • by mcgrew ( 92797 ) *

              He's probably referring to what the teabaggers call "entitlement spending"; Social Security, Medicare, which the teabaggers conveniently forget are funded by special taxes paid by those entitled to the benefits, and which the teabaggers incorrectly call "Ponzi Schemes".

              • Well, I'm curious what they're talking about. They did refer to tax cuts as spending, so they could mean anything, no matter what the term actually means. So far, who knows?

            • The $850B isn't "new deficit spending", it's revenue reduction

              No. You're thinking of the continuation of the tax rates, which "reduces" revenue by $150B. It's the extension of more unemployment benefits for another long stretch that requires the borrowing of $850B in brand new, shiny Chinese debt. That's what Obama was holding out for on the tax deal. The left can whine all they want about holding tax rates where they were - but the killer, as always, is the colossal new entitlement hemorrhaging.
              • The UI benefits for the next 2 years are $56B. The extended reduced tax rates on over $250K income costs $150B. The extended reduced tax rates on the first $250K costs $300B.

                Which programs are "entitlement spending"? None of them. Entitlement programs [auburn.edu] include Social Security, Medicare, and Medicaid, most Veterans' Administration programs, federal employee and military retirement plans, unemployment compensation, food stamps, and agricultural price support programs.

                Social Security pays for itself (workers pa

              • by spitzak ( 4019 )

                The $150B is for the over 250K income tax.

                I was always told the under 250K income tax is $700B. So there is the $850B there, it is all tax cuts.

                The unemployment spending does not appear to be in your total but it is about 50B. The payroll tax cut is also not there and I have heard it is significantly larger expense.

      • Businesses, unlike geeks in moms' basement do things when there is an economic reason to do so, not just 'because we have to one day'.

        There's really no major reason to run head first into the transition, we've been 'running out of addresses this year' for 15 years.

        I suspect we'll have flying cars before we stop using IPv4.

        Yes, it's going to happen eventually, but no, the Internet won't cease to function next week because we ran out of addresses, regardless of how many times someone writes a newspaper or press

    • by Anonymous Coward

      No sparky. I understand where you are coming from, but I have a feeling this is more of a quick and dirty 'Git er dun' sort of roll out. You see, such a control --a centralized control-- over the Border Gateway Protocol, could give someone in an office, not a square office but more of a sort of ova^M^M^M roundy sort of office to be able to push a button --a big red button-- so that if they are annoyed by a web site owner --lets call this hypothetical owner Julian Wiki-- they can then say "Hey Mr. Wiki, we

    • by mysidia ( 191772 )

      You forgot Phase 6, the "realize it's actually never gonna happen, and admit defeat, or we need a mandatory flag day" phase.

    • by Raptoer ( 984438 )

      This is on a completely different level though. The only people that have anything to do with BGP are the ISPs themselves. BGP is only used to route from groups of routers to other groups, where a single organization owns the entire group, and they're sending to the group of another organization.

  • Is there no way on a local machine to maybe add to a host file a list of non allowed hops or something, where the packets have info as to where they can not be sent, and avoid. I am not sure as I am not very knowledgeable about networking, as much as I am programming, I would see this as trivial to add to a packet a flag that says it must stay within a hopping locality or sequence?

    • by Lennie ( 16154 )

      The problem is that there is a lot of routing information shared between routers. If we also need to keep the end-nodes up to date that would not scale. And what would be the use of that? Because that end-node only has one connection/provider, so the upstream router could tag the traffic if you wanted to do something like that.

      The problem obviously is that if you add something, how do you know you can trust that information more than all the information we currently have.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      That's not how the routing on the internet works. You just specify the destination, and the source and just fire that packet away to your next-hop / gateway / router. And then the router, based on what's configured into it by the Humans, makes a decision.

      These configurations are semi-automatic, thanks to the BGP (border gateway protocol), but it's still the humans who tell the router what rules to accept from its BGP peers and what rules to send to them (and what to which). So it can be fine-grained pretty

    • Well, you can always launch a preemptive strike:

      phoenix@olympus:~$ sudo nano /etc/hosts

      127.0.0.1 *.cn

      • Well, you can always launch a preemptive strike:

        phoenix@olympus:~$ sudo nano /etc/hosts

        127.0.0.1 *.cn

        Great, so you can't see China. I think this is the networking endpoint equivalent of sticking your head in the sand.

    • by Anonymous Coward on Wednesday December 08, 2010 @02:43PM (#34490450)

      "Is there no way on a local machine to maybe add to a host file a list of non allowed hops or something, where the packets have info as to where they can not be sent, and avoid. I am not sure as I am not very knowledgeable about networking, as much as I am programming, I would see this as trivial to add to a packet a flag that says it must stay within a hopping locality or sequence?" - by hesaigo999ca (786966) on Wednesday December 08, @01:10PM (#34489968) Homepage

      Specifically on HOSTS files, since I often post about them here? HOSTS files usage won't work vs. BGP exploits!

      (Think of BGP as SORT OF like arp is, which you also need for routing).

      ISPs use BGP to make routes between one another, and this is not something YOU have any control over... once you get packets in (from who knows where under this type of attack), & send them out again? You have ZERO control now at that point vs. BGP.

      BGP READ:

      http://en.wikipedia.org/wiki/Border_Gateway_Protocol [wikipedia.org]

      That URL's where you can read up more on BGP...

      and

      ARP READ:

      http://en.wikipedia.org/wiki/Address_Resolution_Protocol [wikipedia.org]

      That URL's where you can read up more on ARP which is used between routers/gateways...

      Why did I put those links up for you?

      Well - You stated you're more of a programmer than a network engineer/tech, & I was much the same a decade + 1/2 ago is why...: I KNOW WHERE YOU ARE COMING FROM! Those will help...

      (I too was "mostly coder & hardware tech" ONLY, back then circa 1994-1996, until I started doing webservices based coding + client-server work, where you HAD to have @ least SOME understanding of "things networking", & picked up MOST of it on IRC back then)...

      Later though? Heh, it ended up getting me work as a network administrator many times even, just because I took some initiative to "grow myself" a BIT more, to be more "well-rounded/all-around" & more "liberal arts", albeit STRICTLY around computing (learn BOTH coding & networking - it's worth it!).

      APK

      P.S.=> This isn't a first, though I truly DO suspect China did it intentionally (because of the military information being sampled as mentioned in the source articles is why MOSTLY), but iirc, some ISP in Florida USA did it by accident & FLOORED THEMSELVES (sort of funny, but NOT for their customers though I imagine - especially those that depend on the net for their work/livelihood, education, etc./et al (& even if only in part))... apk

  • This is really good, now we can verify announcements.

    More importantly, in the article it says the RIRs also finish their part so now we can start building filters which actually work?

    • Re: (Score:3, Interesting)

      by mysidia ( 191772 )

      More importantly, in the article it says the RIRs also finish their part so now we can start building filters which actually work?

      No, that's still a few years off.

      The problem with RPKI is it's all well and good, until you realize there has to be a central authority, and that central authority is vulnerable to influence by governmental and corporate entities.

      For example, federal agents sending patriot act security letters demanding to have the encryption keys, needed to forge resource assignments to

  • by Anonymous Coward

    I have to wonder if the motivation for this is coming from our own government. They have now taken down domain names since the DNS service can be controlled in the US, but routing is still pretty flexible, so you can still reach the website.

    Would this fix not also result in the ability to lock down routing and lock out the rightful owners of IP addresses?

  • How is this a fix again? How is security the issue here? It's not like someone snuck onto the internets and did something malicious, a provider with BGP peering agreements sent out bad routes that their peers didn't filter.

    The problem is not something that additionally encrypting/signing messages will fix, it's a problem of network operators blindly trusting routes from their providers and passing them along.

    The only fix here is for operators to properly filter routes from people they peer with. Period.

    • by Hatta ( 162192 )

      The problem is not something that additionally encrypting/signing messages will fix, it's a problem of network operators blindly trusting routes from their providers and passing them along.

      You're right, blind trust is the problem. Cryptographic signatures are how you verify that trust.

      • Re: (Score:3, Interesting)

        by ckdake ( 577698 )

        Accepting a bad route from a peer and accepting a cryptographically signed bad route from a peer are the same thing.

    • I don't think most operators could do a better job. Every ISP I've dealt with has been pretty anal about what routes they accept from me.

      This incident happened at the large ISP level and currently they don't have the information required to do better filtering. In this case China Telecom might legitimately be the shortest path for some of this traffic some of the time and there is no way to tell otherwise.

      The PKI signed advertisements will provide trust that I have ownership of the resources and would proba
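
Added example, not part of the thread and not any poster's code: the /22-versus-/20 selection described in bsDaemon's comment above, together with the origin check that signed resource records (ROAs) make possible for the filtering discussed in this sub-thread, written as RFC 6811-style origin validation. The prefixes (private address space), AS numbers (documentation range) and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: private prefixes and documentation ASNs (RFC 5398).
LEGIT_AS, OTHER_AS = 64496, 64511

# ROA: (authorized prefix, maximum prefix length, authorized origin AS)
ROAS = [(ipaddress.ip_network("10.20.0.0/20"), 20, LEGIT_AS)]

# Announcements as received from peers: (prefix, origin AS)
ANNOUNCEMENTS = [
    (ipaddress.ip_network("10.20.0.0/20"), LEGIT_AS),  # legitimate /20
    (ipaddress.ip_network("10.20.4.0/22"), OTHER_AS),  # more-specific /22
    (ipaddress.ip_network("10.99.0.0/16"), OTHER_AS),  # no ROA covers this
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        if prefix.version != roa_prefix.version:
            continue
        if not prefix.subnet_of(roa_prefix):
            continue
        covered = True  # at least one ROA speaks for this address space
        if origin_as == roa_as and prefix.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def build_rib(announcements, drop_invalid):
    """Build a routing table, optionally filtering out 'invalid' routes."""
    rib = []
    for prefix, origin_as in announcements:
        state = validate_origin(prefix, origin_as)
        if drop_invalid and state == "invalid":
            continue
        rib.append((prefix, origin_as, state))
    return rib


def lookup(rib, address):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(address)
    matches = [route for route in rib if addr in route[0]]
    return max(matches, key=lambda route: route[0].prefixlen, default=None)


if __name__ == "__main__":
    for drop in (False, True):
        rib = build_rib(ANNOUNCEMENTS, drop_invalid=drop)
        prefix, origin_as, state = lookup(rib, "10.20.5.1")
        print(f"drop_invalid={drop}: 10.20.5.1 -> {prefix} via AS{origin_as} ({state})")
```

Origin validation checks only which AS originates a prefix and at what length; it says nothing about the path an announcement took, and routes with no covering ROA stay "not-found" rather than being rejected.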

  • The correct response to exploits that take control of the Internet is to change the Internet so that kind of exploit doesn't work.

    The Internet's global community is responding to threats like China's power over it much better than countries are responding to Chinese threats. Maybe because the Internet's developers don't directly depend on China buying their debt.

  • For some reason, on Safari Mac, the word "Fix" is missing on the tab, both for the Slashdot story and the linked story. The tooltip shows it, the window title shows it, but the tab doesn't. Hopefully a fix for this is forthcoming as well.
  • Here [networkworld.com].
  • From the article: "How quickly RPKI will be adopted is unknown." How arrogant is that? Wouldn't it be better to say "It is unknown if RPKI will be adopted or not."

    The beauty of the Internet is also its greatest weakness, a lack of centralized control. Who do they think runs the "Internet"? I'd like to apply for that job :)

  • by Anonymous Coward

    The irony is one day we finally plugged all the holes, fixed all the leaks, chalked up all the cracks, only to find "freedom" has moved to China.

  • by Anonymous Coward

    It is working as advertised and some people don't like the Internet working that way -- wayward, without an overlord. This "fix" is the overlord.

  • I just logged into Oracle's OTN site at 09:30 CET today, it was in English, then I went into their DBA link and got the Chinese site. Now, I'm in Europe using an English language OS and I went to oracle.com. Why would I get a Chinese site, unless...(tin foil at the ready) THEY THOUGHT I WAS FROM CHINA!! and my traffic was going through a Chinese router!!!

    Is this still happening silently? Was that 15 minute incident the only incident?
