Engineers Ponder Easier Fix To Internet Problem 75
Posted
by
Soulskill
from the have-you-tried-turning-it-off-and-then-on-again dept.
from the have-you-tried-turning-it-off-and-then-on-again dept.
itwbennett writes "The problem: Border Gateway Protocol (BGP) enables routers to communicate about the best path to other networks, but routers don't verify the route 'announcements.' When routing problems erupt, 'it's very difficult to tell if this is fat fingering on a router or malicious,' said Joe Gersch, chief operating officer for Secure64, a company that makes Domain Name System (DNS) server software. In a well-known incident, Pakistan Telecom made an error with BGP after Pakistan's government ordered in 2008 that ISPs block YouTube, which ended up knocking Google's service offline. A solution exists, but it's complex, and deployment has been slow. Now experts have found an easier way."
The big fix... (Score:4, Interesting)
The solution is to have routers verify that the IP address blocks announced by others routers actually belong to their networks. One method, Resource Public Key Infrastructure (RPKI), uses a system of cryptographic certificates that verify an IP address block indeed belongs to a certain network.
Well duh! You would have thought this was the case already. Why are we worrying about state sponsored cyber attacks if we leave a hole this big wide open?
Can any network gurus out there tell me if this problem still hangs around after ipv6? Does it get bigger?
Re:The big fix... (Score:4, Interesting)
Poisoned router tables will indeed "infect" other routers, radiating out until the correct route has a preferred weighting to the toxic route.
A wonderful example of this occurred in 1995 in England, when Manchester University's computer centre decided that it WAS America. (Now, I know they tend to have an ego problem there, but this was impressive.) Because redirecting traffic to Manchester required fewer hops and utilized greater bandwidth to any other route to America, you can guess what happened next. It took quite some time for the engineers to clean up the mess, because the newly discovered Northwest Corridor^wWormhole had been discovered by so many routers and the information was being gossiped around. Just as with humans, once gossip starts it is very hard to stop - even when the source admits it was false.
There's not a lot you can do in a case like that. Once an authenticated router starts having delusions due to buggy software/hardware, there's not much any other router can do to determine that it truly is a delusion. Multipath helps (if you support dividing traffic between multiple routes, according to viability, you'll only lose a percentage of traffic, not all of it) but you'd need active path monitoring to go any further. Which would reduce bandwidth (which is already excessively limited) and increase complexity (the primary cause of hallucinating hardware).