Internet Routing, Looming Disaster?

wiredmikey writes "The Internet's leading architects have considered the rapid growth and fragmentation of core routing tables one of the most significant threats to the long-term stability and scalability of the Internet. In April 2010, about 15% of the world's Internet traffic was hijacked by a set of servers owned by China Telecom. In the technical world, this is typically called a prefix hijack, and it happened due to a couple of wrong tweaks made at China Telecom. Whether this was intentional or not is unknown, but such routing accidents are all too common online. While BGP is the de-facto protocol for inter-domain routing on the Internet, actual routing occurs without checking whether the originator of the route is authorized to do so. The global routing system itself is made up of autonomous systems (AS) which are simply loosely interconnected routing domains. Each autonomous system decides, unilaterally, and even arbitrarily, to trust everything it hears from any other AS, to use that information without validation, and to further transmit that information to its other peers..."

...news?

[phyrexianshaw.ca]

And this is news because?

This is how the BGP internet functions. the last proposed solution was to centralize the BGP trust tables, which is likely a WORSE solution.

if you can't trust your peers: go work in another kitchen.

Re:...news?

[wiredmikey]

It's not so much news as it is insight. If you're an experienced network expert it may not be surprising, but too many people in the tech world still don't have a clue on some of the challenges, dangers, problems that are happening currently and that we face moving forward with the overall internet infrastructure.

Re:

[vlm]

challenges, dangers, problems that are happening currently

Its FUD not insight. Those problems were solved years / decades ago.

The fact that the folks at the far left tail of the cluefullness bell curve will always find a way to shoot themselves in their feet, is not exactly an insight into this business or even generally into human nature.

FUDs usually used to gain control or make money not educate.

maybe something not intended to it

[LostMyBeaver]

I actually implemented BGP in our equipment (I mean wrote the protocol implementation) and since I'm advertising as opposed to handling heavy routing, the title of the article got me thinking a little.

By now, the top traffic routers are probably facing such a massive problem with fragmentation of address pools, that it has to be getting nearly impossible to perform any form of routing without enormous tables.

I'm speculating now.

These days if you (as an ISP) need a new /24 for your customers, it's very likel

Re:...news?

[phyrexianshaw.ca]

So it's "omfg, we non-technical people just learned how BGP works! it's scary!"

seeing something like this coming from an AP site, or Fox, I would have just brushed it aside and ignored it. but really? slashdot?


Owner: "you mean I can hijack someone else's traffic!!? omfg!!"
*pays to have someone implement it*
Owner: "WHY DOESN'T IT WORK!!?"
Tech: "I have no idea.. it should! I read an article on /. about china doing it!"
*phone rings*
ISP: "you seem to have a configuration issue on your equipment, you're trying to advertise routes that belong to someone else. you'll have to get that fixed before we continue routing your prefixes to you. "
Owner: "omg, [isp] called me.. undo it all..."

Re:

[Anonymous Coward]

Tech to owner: you mean just fix it?
Owner. NO NO NO OMG OMG OMG Take it all out, turn it all off, cut all the wire. Cut the electricity to all of it and shotgun the machinery. We have to stop NOW! IT all BorKen!

Re:...news?

[anti-NAT]

"If you're an experienced network expert it may not be surprising, ..."

and they're the people at ISPs who're running it (I used to be one of them). Running the Internet backbone is self regulating, because everybody who does it also has a vested interest in policing it. This article is FUD. The clueless tech people can continue to remain clueless.

Re:

[protektor]

I used to run an ISP. I started back a bit after the national science foundation stopped paying for the majority of the backbone. I have seen this happen many many times over the years. Some ISP or backbone provider will be working on a router and fat finger their routing tables, and then suddenly all kinds of traffic is re-routed and then they instantly notice a huge upswing in traffic, or rarely don't notice until they get a phone call, and then its "oh crap I have to fix that quick". Most of the time peo

Re:

[star99]

I too have noticed that in IT if you screw up something - fix it fast no-one knows but ability to experiment and recognize the mistake - correct it up is something which should be learnt

It's called a filter

[Tolaris]

No, each ISP chooses what routes to accept from what peers. It's called a filter. Smart ISP use routing databases like RIPE to verify what they'll accept and reject automatically. Others do it by hand. Dumb ones accept updates from peers without filtering. It's this last group that needs to update their practices.

Re:It's called a filter

[phyrexianshaw.ca]

That's not entirely true.

though you choose what MAJOR prefixes you accept routing information for, nobody cares about the /8's.

If I had say a /24 assigned to me, and I decided to have it routed to my building in Toronto, but then decided to move a /28 to a location in Dallas, what would be the easiest way to go about that?

if I had enough other locations to assign /28's to, I could simply retrieve an AS number and advertise each /28 to the parents at each location. this would then trail up to the largest area that my /24 exists under, and the traffic would be routed locally to each location.

sure, many ISP's that you deal with in North America may have policies regarding what exact prefixes you advertise at each peering location, but at some point you become large enough to be "trusted". once you start carrying your own traffic internally is often the breaking point.

say I decided to lease some dark fiber between my two locations: then suddenly my rates may be cheaper than the existing path the ISP is taking between the two. (HIGHLY unlikely, unless your IT department has WAY too much money and you've got a few ISP's interested in sharing a portion of your pipe, though it can seriously reduce the cost of some 100Mbit customer facing links in some cases)
this then leads to an interesting predicament: how does one know what prefixes will be advertised over that pipe? sure, each ISP sharing the connection MAY decide to restrict advertisements: but few have the capacity to do so for many of the smaller /24's or /28's that exist. keep in mind that each /16 has 256-/24's which in turn each have 32 /28's each.
customers don't buy /16's (regularly) they buy a /27-/30. this means that the /8 you oversee as an ISP may have as many as 4,194,000+ /30 prefixes to account for.

Re:

[phyrexianshaw.ca]

/28's per location.

if you get a /24 from ARIN, and have locations in Toronto, Dallas and Chicago, etc. I'm sure as hell not going to advertise a /24 at each to move all of the traffic to ONE location.

I'm advertising each location as it's own /28. That way people near Toronto customers get the quickest route to Toronto, etc. I don't know if you know the deal with Canada, but we have SHIT for paths. 2/3rds of the time you end up hopping half way around North America just to end up at the place one city

Re:It's called a filter

[Spazmania]

Not exactly. Most ISPs filter their customers announcements that way, but its highly impractical to implement such filters when peering with other ISPs.

The solution boils down to:

1. Temporary filter installed for errant routes
2. Peering POC at source ISP gets a stern lecture and a depeering threat
3. Peering is so valuable (and so costly to lose) that peering POC smacks around the person who allowed the leak in the first place.
4. Mistake repeats because the staff who originally allowed it are incompetent
5. Source ISP gets depeered so he has to pay for all his Internet traffic via a connection that actually is filtered
6. Source ISP fires the fool who screwed up in the first place, cancels the customer contract (if it was customer originated).
7. Source ISP most likely never recovers and ends up being bought out while in or near bankruptcy.

Okay, so steps 4 onward are an artful exaggeration. But seriously, senior network engineers get really bent out of shape when a peer slips them a bum route.

Re:

[ghjm]

Cage match: "senior network engineers" vs the government of China. Who are you betting on?

Re:

[Spazmania]

The network engineers. They'll mess you up man.

Oh, bullshit...

[autocracy]

Anybody who touches BGP needs to understand route filtering.

  * Would I trust everything I see from Sprint? Yes.
  * Would I trust anything except what I expect from the local ISP I route to? No.
  * Would I expect Sprint to execute the same filtering as above? Yes.

BGP nodes should always have filters on their connections that describe what is allowed to be accepted. Every failure I can think of... and I'm sure most notable ones that have happened... have been caused by failure to properly filter incoming routes.

why not, worked great for the banking system

[Anonymous Coward]

"would i trust everything i see from bear stearns?"

yes

"would i trust everything i see from lehman brothers?"

yes

oh wait..

Re:

[$RANDOMLUSER]

Sarcasm detected. You really can, however, trust everything you see from Goldman Sachs, since they are The Government.

Re:

[dgatwood]

Oh, a sarcasm detector. That's a real (sic) useful invention.

--Comic Book Guy

Re:

[vuke69]

In a nutshell, that's pretty much the problem and the solution.

Tier 1 providers pretty much have no choice but to accept any update from other Tier 1s because they could each legitimately have routes to pretty much any network. It is also each of their responsibilities to make sure they don't get any bunk routes from downstream. One weak link, the chain breaks and, and everyone suffers. Obviously you wouldn't (shouldn't) be accepting a zero bit mask route from anyone; but besides the basic idiot proofing

Re:

[Anonymous Coward]

Tier 1 providers pretty much have no choice but to accept any update from other Tier 1s because they could each legitimately have routes to pretty much any network.

While this is theoretically true, there are many scenario's which are very unlikely to be legitimate. E.g. how often does it happen that China Telecom and Level-3 both claim Level-3 routes on the same POP, legitimately? (Replace CT and L3 with any other 2 providers.)

Authentication

[rakuen]

So... what you're saying is we should all start using that nifty authentication feature several routing protocols support, because it would make routing more secure? I suppose the better question is, why haven't we done it?

Re:

[vlm]

So... what you're saying is we should all start using that nifty authentication feature several routing protocols support, because it would make routing more secure? I suppose the better question is, why haven't we done it?

The better question is actually, "what are they pushing". So they're outputting almost unbelievable FUD that everyone actually in the business laughs out loud at. The purpose of doing this is ....

That is the crucial part missing from the summary.

My guess is the usual big gov statist corporatist B.S., because its possible to make money off that, but its just a guess.

Re:

[Froggie]

It's a scare story, plain and simple. We don't understand why this works so It Must Be Bad and Someone Must Do Something About It.

Re:Authentication

[bhcompy]

Overhead. What might take a few milliseconds now takes a few more milliseconds. Not a problem on your little Belkin router, but when you're routing thousands of packets a second, it adds up. You can be sure there are many interests non-technical in nature that would be against raising their latency, even by milliseconds. Particularly, Wall Street.

Re:

[rakuen]

I know overhead can be a problem, especially with how much overhead there already is in exchanging information. However, the authentication should only be applied to the packets generated by the routing protocol, and not all packets. Therefore, overhead is limited. That is, unless every packet has to be authenticated. I'm not that far in my studies yet.

Re:

[silas_moeckel]

As it stands taking a full BGP feed slams a routers sup pretty hard. Now routing sups are often under powered but it's an issue. Then you have to look at what your authenticating we already authenticate sessions to stop injection attacks. If you going to authenticate the validity of the end point for each route, that stops some attacks but how do you do it so somebody can not re advertise that same route and send it somewhere else??? BGP is built on a trust model, and it's rather hard to do it another w

Re:

[TheLink]

The overhead is only in deciding whether to accept _changes_ to the routing table. If your router design isn't broken, that doesn't have to increase overheads of routing each packet at all.

For example, say I give you a piece of paper with a list telling you where to send stuff. So you just follow that.

Later, I could have a long talk with someone about what should be on a new list, but that does not have to affect you at all.

Once I'm done with that, I pass you the resulting list, and you use it.

Re:

[Froggie]

I am a tier 1 ISP and wish to send a packet to Sprint. My peering with Sprint is down (for whatever reason). Comcast tell me they can route to Sprint. I have two options: trust them, or don't trust them.

I can't actually say that Comcast are advertising a legitimate route to Sprint. But I also can't tell that they aren't snooping all the traffic, or terminating it at drive-by-malware sites, even if the route *is* legitimate. So there has to be trust at the tier 1 level.

The internet needs an upgrade...

[digitaldc]

...just like every other aging technology that increases its workload and interoperability on a scale that was never originally intended.

Re:

[Monkeedude1212]

The problem is not that the amount of traffic increases to stresses it can't handle, those are upgrades we have the technology for but just aren't spending the money - we'll worry about those when it actually becomes a problem.

The issue they are talking about abstractly is the way trust issues work on the net - and how its possible for a Chinese ISP to get 15% of traffic by saying "I'm super trustworthy".

In Laymens terms, they want to un-naive the interwebs.

Re:

[maxume]

Or they are overestimating the naivete of the internet.

Re:

[Froggie]

Actually, they just happened to be super-close.

Re:

[$RANDOMLUSER]

"rogers" on that one. What's this about "looming"? Internet routing started being a disaster two orders of (traffic) magnitude ago.

15%

[vxice]

before we throw this number around anymore, does anyone know approx. how much internet traffic normally goes through China? is the 15% number 15% more than normal, and additional 15%. a baseline is an incredibly important thing.

Re:15%

[genkaos]

Actually it was 15% of the internet's prefixes, not 15% of traffic.

Re:15%

[Unequivocal]

From what I've read so far on this, the 15% number is a red herring. The real problem was that China was able to route traffic for domains/networks which it had nothing to do with including dell.com and some US DoD networks. Volume wasn't the main issue (though surely it was causing problems in terms of latency and throughput) -- the main issue was that China was seeing packets that it shouldn't have.

Now we all know that no one routes traffic over the public internet that it doesn't assume bad actors will see. Right?

Re:15%

[camperdave]

Now we all know that no one routes traffic over the public internet that it doesn't assume bad actors will see. Right?

Keanu sees my packets?

Re:

[initialE]

All I see now is blonde, brunette, redhead.

Re:

[3.1415926535]

Even that claim is a red herring. Internet traffic is routed through, and visible to, many many entities that I would consider equally untrustworthy, and yet no one makes a stink about that. You have to have end-to-end encryption between authenticated peers if you want to have even a chance of keeping your data out of the hands of nogoodniks.

Re:

[Unequivocal]

You're right of course, but the point for me is that many folks don't do that (encrypt their traffic) b/c they're dumb about security, sometimes relying on what they think are immutable laws of routing (which this problem points out are not immutable at all).

No one in California hitting dell.com would think that their traffic would go through China to get to Texas (or wherever Dell.com is located). And especially if you look up dell.com's arin physical location you definitely wouldn't expect a big dog leg i

Re:

[Froggie]

No one in California hitting dell.com would think that their traffic would go through China to get to Texas (or wherever Dell.com is located).

Chances are it didn't this time, either. Someone in Japan going to dell.com might have gotten routed via China because China was advertising a really short route to the US. Someone from the US actually *has* a really short route to someone else in the US, and the Chinese ISP would be far away, so the bogus Chinese route would not have been used.

Sure enough, other background reading says it was Asian and Pacific traffic that tended to get caught up in this.

Re:

[Unequivocal]

Hey thanks - good tip. It seemed odd to me that traffic would route the long way, but I'd guessed (wrongly) that the .cn BGP weight must have been low enough to make it worth it. Of course now that you point it out, the routers in CA would know that .cn is far away on the first hop, so it wouldn't matter if the rest of the hops are basically free, the CA routers would choose a shorter/cheaper hop on the first step. Asian routers would be in a tougher spot and I could see how they'd jump on an advertised che

n the technical world

[cpicon92]

Really?

Re:

[sharkey]

Capitalized letters are prefixes, aren't they?

Imminent death of Internet predicted...

[EriktheGreen]

It's always amusing when a new pundit discovers exactly how the Internet actually works.

Until they gain enough technical knowledge to be dangerous, they assume that the Internet is just as Hollywood portrays... A rock-solid utility run by the Government that only PhDs and arcanely skilled teenage geniuses can control or understand.

Then they discover just how "fragile" it is, and start telling the people who've been making it work all along that they need to straighten up and fly right, or else a major disaster is going to happen. Good thing they told us.

It's sad that they can't just say "Oh, I guess I didn't understand.". Instead they have to "take charge" of things because otherwise they'd have to accept their own irrelevance, or even (gasp) accept that despite their new-found expertise, they *still* don't really understand.

So straighten up, Cisco... it's obvious to this guy you don't know what you're doing. Fix that BGP thing and do it NOW, you hear him?

Re:

[abigor]

You are absolutely right. Reminds me of that hysterical article from a few years back: "Is Linus Killing Linux?"

Re:

[Kjella]

Somehow I imagine the same will happen with IPv6. When shit hits the fan they'll throw a y2k panic round of fixes and it will get done.

Re:

[divisionbyzero]

It's always amusing when a new pundit discovers exactly how the Internet actually works.

Until they gain enough technical knowledge to be dangerous, they assume that the Internet is just as Hollywood portrays... A rock-solid utility run by the Government that only PhDs and arcanely skilled teenage geniuses can control or understand.

Then they discover just how "fragile" it is, and start telling the people who've been making it work all along that they need to straighten up and fly right, or else a major disaster is going to happen. Good thing they told us.

It's sad that they can't just say "Oh, I guess I didn't understand.". Instead they have to "take charge" of things because otherwise they'd have to accept their own irrelevance, or even (gasp) accept that despite their new-found expertise, they *still* don't really understand.

So straighten up, Cisco... it's obvious to this guy you don't know what you're doing. Fix that BGP thing and do it NOW, you hear him?

++

Re:

[hesaigo999ca]

Reminds me of that episode from the IT Crowd, where they create a black box,
and actually convince their (uber fail) boss that it IS the internet,
and is on loan for a few days, and that she can take it to a show and tell meeting....really funny!

Re:

[noidentity]

Man, I just found out that if a person's heart stops beating for a few minutes, he dies! Something must be done about this, or millions of people will start dying every day due to heart failure. We need to build in redundancy, or the human race might not survive.

Yes

[geekoid]

it's a disaster, the internet is collapsing, the world is ending. blah. blah. blah.

Pakistan 2008

[Teun]

Isn't this somewhat comparable to the problems Pakistan Telecom caused in 2008 with an unauthorized announcement of YouTube's subnet prefix?

If so not much has been learned...

I'm not worried

[arcite]

my router has lots of bandwidth.

Where does IPv6 stand in this?

[Midnight Thunder]

Since we are now getting to the final blocks of IPv4, how does this issue effect IPv6? Is this currently an IPv4 issue or will it impact IPv6 too?

Re:

[0123456]

I believe the intention is that location would be encoded in the IPV6 address, so routing be easy and misrouting would never be an issue (OK, router bugs aside). If, say, you give each country a 16-bit top-level IPV6 prefix, then you'll never end up sending American data to China by accident and you'd still never run out of IP addresses for those countries.

Just another example of why we need to switch from IPV4 to IPV6.

Re:

[phyrexianshaw.ca]

uhhhhh.... unless you have a prefix from another country that had to be moved somewhere else.

Say I have a /16 that was supposed to be assigned in Africa. being that I've got a location in Cairo, one in Toronto, and one in Dallas: there's nothing stopping my from injecting my routes into the global BGP session to route a portion (say a /24) of that to each of the centers.

you can't localize a prefix. that would cause a dependence on DNS to resolve names for IP's that may move around the world. and I d

Re:

[0123456]

uhhhhh.... unless you have a prefix from another country that had to be moved somewhere else.

Then you have to route to a prefix for a global ISP which will do whatever it wants with the packets. But there's no reason to have complex routing for a fixed computer in Africa which allows their packets to be sent to China by accident, just because some people are using satellite internet which could be anywhere on the planet. Though I guess you do always need some way to reconfigure the routers if required, so there's always going to be some protocol which could be used to tell them to send packets in c

Re:

[Unequivocal]

In TFA they mention this -- suggesting that V6 transition will exacerbate the BGP tables bloat problem, without addressing the core trust routing issues inherent with the way BGP is propagated today.

Makes sense - with new V6 routable addresses available a bunch of folks who have been compressing their networks behind NAT will probably put a lot of new networks online under V6. With V4 running side-by-side, there will need to be a some kind of V4 BGP routes over to these new V6 networks in order for them to

Re:

[Rich0]

I'm certainly not a BGP expert, but I also agree that IPv6 is likely to compound the problem. More routable IPs means it is harder to route them.

This sounds a lot like all the issues that went into local-number-portability with the phone company.

It used to be that a phone number was basically a heirarchical routing system. If the number was 123-456-7890 the telco would look up who handles 123, and pass along the call. Then that switch would figure out who has 456, and so on.

Now that there is local number

Re:

[19thNervousBreakdown]

More routable IPs means it is harder to route them.

Not necessarily. Fragmentation is the biggest issue--you can very often collapse a huge number of routes down to one since you only have to worry about the next hop. Resolve those routes as soon as you get the tables, then for everything that shares a prefix, collapse it into a single route. If there's small chunks taken out of it that need to go elsewhere, put them higher up in the priority list.

But, as we start to run out of addresses, an ISP who needs 4 million addresses is going to have to scrounge from

Re:

[Rich0]

I do agree with some of your points. An IP for every refrigerator on the planet isn't really a big problem.

An IP for every shoe or wristwatch on the plant, however, is. The difference is mobility - since mobility tends to cause route fragmentation.

Re:

[Midnight Thunder]

I do agree with some of your points. An IP for every refrigerator on the planet isn't really a big problem.

An IP for every shoe or wristwatch on the plant, however, is. The difference is mobility - since mobility tends to cause route fragmentation.

Then again, who says these devices will have the same IP where ever they go? I suspect these devices will get dynamic addresses.

What will be interesting is how big corporations connect to the internet via multiple providers.

Re:

[Melkman]

BGP works the same for IPv6 and IPv4, so filtering peers according to trust is still required. However the fragmentation issue is way worse for IPv4. This is because IPv6 allocations are that much bigger. To service 100k customers it is not uncommon for an ISP to use more than 10 IPv4 allocations which normally are not continuous. That is because the ISP can only request extra IPv4 address space from the RIR after he has assigned his current allocation to existing customers. To route those allocations the I

Re:

[zn0k]

That's only true if you ignore that virtually all businesses of decent size are going to want provider independent space. IPv6 was indeed designed to be strictly hierarchical and to have everyone take ISP IP space - but that doesn't work for larger businesses in practice. Larger businesses need to multihome with multiple providers to protect against provider failure. There are some design proposals out there for 'shims' that would let you run a server on an address from ISP 1 and recover the session with a

Re:

[Melkman]

Agreed, multihoming will add to the routing table size. However, if you look at the RIPE policy for IPv6 PI space ( http://www.ripe.net/ripe/policies/proposals/2006-01.html [ripe.net] ) you'll see that a business will get at least a /48. With 64K networks that will suffice for most. And the big multinationals that do require more will have no problem getting it, in a single prefix. So it stays with about one prefix per business (and in a filterable range for non transit systems too) which means less fragmentation. So

This B.S. again? Lies never die ;-)

[sribe]

In April 2010, about 15% of the world's Internet traffic was hijacked by a set of servers owned by China Telecom...

Except of course that after the initial flurry of headlines, analysis showed that the 15% figure was a wild exaggeration, orders of magnitude off...

Re:

[PhrstBrn]

Why fact-check and do actual journalism, when you can lie and be lazy, and make more money!

Let me get this straight.

[Nailer235]

When we realize the government has inadequate security we leap together in unison and scream, "Why didn't they fix that loophole before??" But when someone tries to raise awareness about the need to take preventative measures on a large scale, all of a sudden it's "lulz silly journalist." Also, the author is not even a journalist. His name is Ram Mohan, "Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry an

Re:

[phyrexianshaw.ca]

because people keep reposting it after reading it while knowing nothing about the topic that's being discussed.

regardless: all this shows is that:
1) a Chinese telecom was advertising routes for someone they shouldn't. 2) it takes a while for the BGP sessions to converge and reveal that two hosts were advertising the same prefixes, 3) the Chinese telecom SHOULD have pulled the local machine that was advertising a prefix to which it was not authoritive, 4) the Chinese telecom decided NOT to do this, revea

Comment removed

[account_deleted]

Comment removed based on user account deletion

And yet /. promotes IPv6

[ugen]

It's amazing that in the same breath (definitely on the same page) there are posts promoting/demanding immediate/accelerated acceptance/implementation of IPv6 and then this.

People, wake up - there are significant problems running the current, well compacted address space. Things will only get worse when address space becomes extremely sparse and, for all practical purposes, infinite.

Re:

[Raptoer]

Perhaps, but what choice so we have? Once we run out of v4 addresses we have to do something.
Also: IPv6 is initially allocated via geographical areas.

More importantly, it doesn't matter how sparse the table is as long as each section is contiguous. If I know I can send any traffic from (made up protocol) hosts 1 to 1000 to router 1200, and any hosts from 10,000,000 to 10,010,000 to router 4500, then my table is just fine.

As the life of an address space goes on it will tend to become less compacted, switchin

Re:

[BitZtream]

I'm pretty sure the same thing was said when the switch to CIDR instead of the old class based allocations was taking place too.

Re:

[pipedwho]

People, wake up - there are significant problems running the current, well compacted address space. Things will only get worse when address space becomes extremely sparse and, for all practical purposes, infinite.

With judicious allocation of IPv6 addresses this won't be a problem for a very long time.

Also, if it does become a looming issue in the far future, then some sort of periodic de-fragmentation of the upper address bits is always a possibility. Since the address space is so large, this could be done over a 20 year migration by slowly moving networks onto parallel 'de-fragged' address segments.

Re:

[badkarmadayaccount]

Or, use DHCP.

IPv6 & Fragmentation

[xkr]

The author complains about "fragmentation of routing tables," but then goes on to talk about route hijacking. Doesn't IPv6 largely fix routing table fragmentation? (Real question -- hoping for answer.) Route hijacking is largely fixed by good routing filter hygiene, as explained in previous posts. Most routing protocols support encryption, which won't help if a trusted router sends you bad routes, but can at least make sure you can tell the difference between trusted and untrusted route updates. I don't think BGP supports encrypted advertisements. Anybody know?

Re:

[xkr]

Also, IPv6 assigns addresses in geographic blocks, so you can easily tell of routes don't make any sense at all, like US to US routing via China.

Re:

[aXis100]

Routing table size IS the big issue.

Even with modern hardware accelerated routers, evey new session that flows through the router requires a lookup on the destination address to find the next hop. As the routing tables grow, so does the time taken to initially look up that match. This is a non trivial exercise that needs to be acomplishied in a very short space of time.

That said, it's nothing that more/faster/parallel hardware cant fix.

Hmmmmm.....

[IHC Navistar]

Is "Routing Hell" better than "Redirect Hell"? If it is, I'd like to leave the latter ASAP!