The Status of Routing Reform — How Fragile is the Internet?

timothy posted more than 4 years ago | from the hopefully-comcast-is-not-the-standard-bearer dept.

Networking 139

crimeandpunishment points out the Associated Press's look (as carried by SkunkPost) "at an issue the government has been aware of for more than 20 years, but still isn't fixed and continues to cause Internet outages: a flaw in the routing system that sends data from carrier to carrier. Most outages are innocent and fixed quickly, but there's growing concern the next one could be devastating. A general manager at Renesys Corporation, which tracks the performance of Internet data routes, says, 'It amazes me every day when I get into work and find it's working.'"

139 comments

Strength is weakness (0)

Anonymous Coward | more than 4 years ago | (#32151320)

So the strength of the internet (no single point of failure) is its weakness.

Re:Strength is weakness (3, Interesting)

Concerned Onlooker (473481) | more than 4 years ago | (#32151700)

No single point of failure? Correct. Instead it seems to be many points of failure. I am not a networking wiz and I don't even like networking issues, but I have taken a few networking classes and after trying to set up even basic RIP stuff I'm amazed that the internet works at all. It's been a while ago but I recall that even one team in our lab screwing up brought down the whole network.

Re:Strength is weakness (5, Informative)

mysidia (191772) | more than 4 years ago | (#32151868)

And that is a big reason why the Internet exterior gateway protocol is not RIP or any other IGP.

A premise of the RIP and other IGP protocols is routers talking to each other trust each other.

With BGP, the premise is the opposite... routers speaking the protocol implement policies against each other: policies regarding what routes they propagate or originate outbound, policies regarding what routes they accept, and policies regarding what incoming routes they propagate.

So networks that don't trust each other only accept appropriate routes from their peer based on AS-path and Prefix-list filters.

Basically almost all networks should treat their peers as untrusted, and list out prefixes of end users.

It doesn't start to get hairy, until you need to peer with a provider (instead of an end-user) and accept all prefixes from them, because you want their customer prefixes, or you want to buy transit from them.

As for ISPs and providers though... failing to filter downstream announces is the exception to the rule.

Re:Strength is weakness (1)

OeLeWaPpErKe (412765) | more than 4 years ago | (#32152744)

Why don't we let congress fix it? We'll be back to running RIP on the internet backbone before anyone can say "it doesn't scale".

BGP works, and all secure origin (never mind secure path) bgp announcements require and effect a total government takeover. It basically brings internet routing under government control, and the government (ICANN) key can take any IP offline, through revoking its authorization, without warning and without recourse.

About the only thing that could remain operational without government fiat would be p2p networks (although thepiratebay would be screwed).

Let's hope there aren't too many democrats here, otherwise I probably shouldn't have said that.

Re:Strength is weakness (0)

Anonymous Coward | more than 4 years ago | (#32152798)

I'm in a hellhole of a country, working for a tiny company and we do run BGP. Pretty much the first things I was taught about it were to:

A) Filter what I announce to each of my peers.

B) Filter what routes I accept from each of my peers, based on RIR info. If you're lazy or you run a big network, there are even automated tools that can help you do that.

If that article is suggesting that network administrators working on Tier1/Big Tier2 carriers have no knowledge of such things, either I'm a super genius amongst netadmins ( I wish ) or they really don't know much about what they're talking about.

Re:Strength is weakness (5, Insightful)

Comen (321331) | more than 4 years ago | (#32151918)

"I am not a networking wiz and I don't even like networking issues" So you tried to setup basic RIP and you are amazed the internet works at all huh.
Well this article is pure BS, sure your packets go between multiple backbone ISP's and a couple smaller isps on the edge maybe, but the guys that run the bigger ISP's do have rules that govern how they BGP peer with other backbones and peers. They enforce strict BGP filtering, to keep the smaller companies from causing major issues.
Sure every once in a while someone might fat finger some shit and mess something up that will affect 1 of the main backbones, but with more automated tools this happens way less than it used to. Most big backbone ISP's use router hierarchy and pure core routers are protected from anyone configuring them much at all once setup.
I think the system runs well, I am sure it could be made better in many ways, but the issues made here are non issues, the backbones' own security would be the main factor here, and that should get only better over time.
It's better there is no central routing authority on the internet. Each company has it in their best interest that it has the best routes to get to a certain network, and if that company messes its routes up, others should be protected by proper BGP filtering. BGP filtering can get pretty complex, on Ciscos this can be with prefix based ACL's and also with BGP AS number based ACL's, you can also use BGP communities to keep things nice and neat. If done correctly it can be pretty rock solid, if a rookie does the filtering you can have holes and issues, but a big company like LEVEL3 for instance, should have standards and all this stuff pretty hardened and worked out.
This internet sky is not falling.

Re:Strength is weakness (1)

soppsa (1797376) | more than 4 years ago | (#32153200)

Yea the article (and def summary) are clueless. As a network architect for a tier1, I assure you it's pure FUD... EVERYONE uses ACLs on their edge... and definitely prefix limits too.

Re:Strength is weakness (1)

jesset77 (759149) | more than 4 years ago | (#32153404)

Well this article is pure BS

"Uh Hacker told Uh Panel Uh thing, and now we're all gonna die". I dunno, I might have appreciated some links to sources discussing the events in more detail or filling in some, any of the gaping informational holes.

"Routing errors also blocked Internet access in different parts of the world, often for millions of people, in 2001, 2004, 2005, 2006, 2008 and 2009." ORLY? Certainly you could name these incidents or link somewhere, or do you expect me to google "routing error 2004" and figure out which event you are talking about? Or are you just pulling dates out of your ass? Occam's Razor suggests the latter theory.

"Soon, even Internet users in the U.S. were deprived of videos of singing cats and skateboarding dogs for a few hours."

8I

Well why didn't you let us know how much was at stake [slashdot.org] from the get go, then? Holy shitballs, something must be done right away!

Re:Strength is weakness (0)

Anonymous Coward | more than 4 years ago | (#32151992)

Yep. RIP isn't a good protocol to hold up the Internet. Especially considering it takes me more than 15 hops to get out of the US in many instances. BGP (Border Gateway Protocol) is what handles the Internet. It scales well, is infinitely customizable and is known to make grown men cry and suck on their thumbs.

In all seriousness though, BGP is a great protocol for handling this type of thing. I think that perhaps with reliabilities being what they are right now the timers could probably be set a little more aggressively, especially considering the computation power of a lot of today's routers that would be holding the BGP table.

proof of concept of "laziness" (0)

Anonymous Coward | more than 4 years ago | (#32151996)

ya strength of what 20 years ago cold war still existed so technically if it all went down we could a been commutatively screwed.
nice work they upgrade the networks so well with capitalism working so great and all.

Re:Strength is weakness (0)

Anonymous Coward | more than 4 years ago | (#32153122)

No single point of failure? Correct. Instead it seems to be many points of failure. I am not a networking wiz and I don't even like networking issues, but I have taken a few networking classes and after trying to set up even basic RIP stuff I'm amazed that the internet works at all. It's been a while ago but I recall that even one team in our lab screwing up brought down the whole network.

Just go right ahead and protect yourself from these issues and cut your connection with an axe. Are we supposed to be surprised or shocked that someone who has "taken a few networking classes" couldn't implement a 2 decade old protocol while you were trying to learn it? I think it's time to let the adults talk now jimmy.

Almost-a-car-analogy (0)

Anonymous Coward | more than 4 years ago | (#32153248)

True story: When I was a kid I once tried with some friends to build a motorized go-kart out of an old moped and a pedal car. The thing was actually able to move quite quickly, and I'm still amazed that nobody got hurt before it was seized by the police. However, for some obscure reason, I'm not THAT amazed that regular cars made by professional motor vehicle manufacturers mostly work fine (cue Toyota jokes here).

Re:Strength is weakness (1)

iserlohn (49556) | more than 4 years ago | (#32153292)

/don't know if serious

between this and that dnssec thing... (4, Funny)

gandhi_2 (1108023) | more than 4 years ago | (#32151330)

...i'm glad I decided to wait for internets2 before i get online.

[posted via FIDOnet]

Re:between this and that dnssec thing... (0)

Anonymous Coward | more than 4 years ago | (#32151356)

The Internet is on computers now?

Re:between this and that dnssec thing... (3, Funny)

Anonymous Coward | more than 4 years ago | (#32151364)

No, it's on dogs. See, he posted from Fidonet! Dogs carry around TCPIP packets.

Re:between this and that dnssec thing... (0)

Anonymous Coward | more than 4 years ago | (#32151966)

Dogs carrying TCP/IP packets... is that more reliable than RFC1149?

Re:between this and that dnssec thing... (1)

Lennie (16154) | more than 4 years ago | (#32152500)

Dogs usually don't get attacked by predator birds, so maybe yes.

Re:between this and that dnssec thing... (2, Funny)

Abstrackt (609015) | more than 4 years ago | (#32153740)

Dogs carrying TCP/IP packets... is that more reliable than RFC1149?

It's certainly more reliable than when they tried using cats. Not only was it very high latency but sometimes packets would get dropped or lost under the fridge. In most cases, the data wouldn't get delivered at all. Add to that the inability of RFC1149 to operate in the same spectrum as cats (too many mangled packets) and you can see that dogs were clearly the better choice.

Re:between this and that dnssec thing... (1)

BiggestPOS (139071) | more than 4 years ago | (#32151414)

Better still, wait for Internet 2.1 - we all know x.0 releases just aren't up to snuff.

Re:between this and that dnssec thing... (0)

Anonymous Coward | more than 4 years ago | (#32151600)

Ah what short memories experts have. The same ones who warned of the end of civilization on January 1, 2000 have found another catastrophe looming.

Re:between this and that dnssec thing... (2, Informative)

mrrudge (1120279) | more than 4 years ago | (#32152826)

That's possibly not a great argument to bring up amidst an internet community likely to contain a large amount of people whose hard work stopped the millennium bug being a massive problem.

Re:between this and that dnssec thing... (1)

somersault (912633) | more than 4 years ago | (#32153252)

a large amount of people whose hard work stopped the millennium bug being a massive problem.

And probably caused it in the first place ;)

It is fragile (5, Insightful)

mysidia (191772) | more than 4 years ago | (#32151354)

Kind of. However, it has also always been this way, and it has survived so far. All that has really changed is the number of players has increased, and the size of the routing tables is increasing.

It has to work, so a lot of people should notice very quickly if something large goes wrong.

It also cannot very easily be fixed, as many players would have to spend a lot of money for it to change, and there is little financial incentive to chase that ghost.

And you thought IPv6 or DNSSEC adoption was taking a long time... imagine how many decades it would take for SBGP adoption?

Re:It is fragile (1)

For a Free Internet (1594621) | more than 4 years ago | (#32151834)

yeah but you are stupode and dumbe.

Re:It is fragile (1)

OeLeWaPpErKe (412765) | more than 4 years ago | (#32152790)

This sort of thing always works the same way. Something works well, really well (considering just how many things it's connecting), because of a lack of government control.

So they invite a problem, something that everyone knows isn't a problem at all, but the only solution is total submission to government control.

Democrats will, obviously, not stop this. Heck, I'd be amazed if republicans would stop it, but at least they'd be somewhat more restrained.

Not a problem (5, Insightful)

Anonymous Coward | more than 4 years ago | (#32151370)

First of all, the US federal government shouldn't have the power to do this even in America, and it definitely doesn't have the power to enforce this in the rest of the world.

Secondly, no sane ISP will forward BGP data.

This limits the problem to people with access to core internet routers. Companies that own these routers should only give access to extremely trustworthy people, and even then, they should still only need to access the server when there's a legitimate change. The issue then lies with accidents, which will always happen, no matter what you do, and corruptness. Corrupt ISPs should be removed from the network as soon as they are found to be corrupt.

Re:Not a problem (2, Insightful)

freeworldtech (1245388) | more than 4 years ago | (#32151988)

I agree completely. Why does it have to be the government's job to fix everything. Personally I think we are all a lot better off if they have nothing to do with it.

Re:Not a problem (5, Insightful)

KahabutDieDrake (1515139) | more than 4 years ago | (#32152086)

Yeah, I wish the government would have never even gotten involved. The internet was so much better before those bastards stuck their dirty fingers in there. :stare:

Re:Not a problem (1)

Alcemenes (460409) | more than 4 years ago | (#32153222)

Society has been conditioned to think the government needs to take care of everything. We become more of a nanny state with each passing day because a select few refuse to accept responsibility for their actions. These same people want the government to protect us from ourselves for our own good. Bad people will do bad things, that's a fact of life. Hell, good people do bad things sometimes too. Oh well, my opinion matters not. Give them a few years and they will turn the Internet into another over-regulated mess that will suck on levels previously unheard of.

Re:Not a problem (0)

Anonymous Coward | more than 4 years ago | (#32152058)

Not exactly.. it limits the problem to people with ASN's that speak BGP.. of which there are many. The barrier to entry is not high.

Re:Not a problem (0)

Anonymous Coward | more than 4 years ago | (#32152174)

No big ISP trusts any other ISP in BGP.
We do filtering of both incoming and outgoing routing updates to avoid problems. This is the reason why the internet works. No single ISP can kill the internet (but they can kill their part of it).
Most large connectivity problems are caused by broken fiber cables and CFOs that are gambling with redundancy to save cost.

You guys in the US should start thinking about why all international connections are connected to so few places.
Maybe your government is involved in that...

Re:Not a problem (1)

masterwit (1800118) | more than 4 years ago | (#32152182)

umm...Comcast. They need to be nuked.

Agreed, but... (1)

LostMyBeaver (1226054) | more than 4 years ago | (#32152356)

I wonder if something should be done to limit the deployment of straight Ethernet as opposed to OC-[0-9]+, ATM, Sonet, etc... for Tier-1 backbone traffic.

I don't have real numbers or statistics I can back up my claims with, but having experimented with implementing SONET and ethernet VLSI simulations, I'm convinced that SONET maintains a much more reliable connection and is able to recover from glitches MUCH quicker than Ethernet. Sure, we're talking about milliseconds, but over long distances, glitches must be common enough to allow these glitches to screw up UDP traffic on a massive scale.

On the other hand, maybe it's time for a new extension for Ethernet to be made which re-frames Ethernet packets for easy redundancy. So, basically an Ethernet wrapper which simply numbers the packets and passes it over two separate lines or over two different wavelengths in the same fiber. Then the receive discards the packets which come late. It obviously won't resolve bottleneck related packet loss, but it will help to resolve the issue of glitch related packet loss.

Things like trying to force proliferation of BGP (or similar) routing technologies on an international scale would simply be irresponsible. Though, I'd imagine that governments would love it as it would simplify line snooping substantially for them.

Re:Not a problem (1)

alfredos (1694270) | more than 4 years ago | (#32152688)

Completely agreed. I don't understand why any government is quoted at all. The issue, if it exists, is more a technological one than any other thing. Definitely (and thankfully) no politicians are or should be involved.

The current system has shown not only its outstanding scalability and reliability, but also its usefulness to filter out bad guys when they come in large chunks (which they do - look at the McColo incident for a dramatic example.)

My conclusion is that we're looking for problems to fix, of which there are none here, where we should be rather looking for improvements to be made, of which of course there are plenty.

Re:Not a problem (1)

samson13 (1311981) | more than 4 years ago | (#32153364)

Secondly, no sane ISP will forward BGP data.

What? That's what the ISP is paid for. If they don't advertise the routes we give them then they won't receive the traffic we want them to forward to us. If they don't forward their BGP routes from the rest of the Internet how do we know what they can reach (hopefully everything but probably nothing if they don't forward BGP)?

Hopefully they are being reasonably careful with their filtering but there is not an awful lot they can do. Hopefully they make sure that we only advertise our routes against our AS number but they can't even filter out our routes/AS number from other ISPs 'cause that might be the preferred/available path.

Two words.. (3, Informative)

Anonymous Coward | more than 4 years ago | (#32151380)

BGP Filtering. There, fixed that for you.

Re:Two words.. (0)

Anonymous Coward | more than 4 years ago | (#32151830)

Exactly...maybe in the early days before there was any serious route filtering, bogon service...etc. The old war stories about network operators running to the breaker boxes to shut down their network to save the global Internet from an advertisement mistake are more or less over.

Secure BGP sounds reasonable on its face but there is a fundamental reason why nobody cares. Session related decisions are always between directly connected peers. If they can't trust each other to make a *local* forwarding decision then how can they trust each other to send data over those same interfaces?

Fix the plumbing (0, Offtopic)

cosm (1072588) | more than 4 years ago | (#32151402)

Seeing as Al Gore invented the internet and all, I presume this 'Inconvenient Truth' could be fixed by a consortium of Ted Stevens, Gore, and some good tube management.

Re:Fix the plumbing (0)

Anonymous Coward | more than 4 years ago | (#32151882)

Something must be seriously different with slashdot if this collection of ancient unfunny nerd jokes wasn't immediately moderated up to Score 5 Funny. Is there an autistic linux users convention going on or something?

Re:Fix the plumbing (0)

Anonymous Coward | more than 4 years ago | (#32151942)

Yes and we resent your comment.

Re:Fix the plumbing (0, Offtopic)

Ihmhi (1206036) | more than 4 years ago | (#32152002)

I showed your mom some good tube management last night.

Government?? (0)

Anonymous Coward | more than 4 years ago | (#32151410)

WHY should the government intervene? It's not the government's internet!
Get them involved and it'll really be fixed beyond repair!

Re:Government?? (0)

Anonymous Coward | more than 4 years ago | (#32151430)

Yeah it's not like the US government is the founder of the internet or anything.

Re:Government?? (0)

Anonymous Coward | more than 4 years ago | (#32151796)

Actually no, DARPA is, if it was the US Government that was the founder, IPv4 would still be in a committee somewhere :)

Hint: Military trumps government for getting stuff done... just not always what you wanted done, or how you wanted it done :D Come to think of it that sounds a lot like the government, only usually there's somebody at the top of the pile to make sure it actually gets done :)

Re:Government?? (1)

Daniel Dvorkin (106857) | more than 4 years ago | (#32151866)

Actually no, DARPA is, if it was the US Government that was the founder, IPv4 would still be in a committee somewhere :)

Hint: Military trumps government for getting stuff done...

You don't actually know what "the government" is, do you?

Re:Government?? (1)

YttriumOxide (837412) | more than 4 years ago | (#32152320)

Actually no, DARPA is, if it was the US Government that was the founder, IPv4 would still be in a committee somewhere :)

Hint: Military trumps government for getting stuff done...

You don't actually know what "the government" is, do you?

I'd agree with the GP. The military is not directly "the government" (unless you live in a place under martial law). They certainly work for the government, but so do school teachers and I wouldn't refer to a school as being "the government".

I consider "the government" to be "that which governs". The military's job is NOT to govern, but to defend the nation (which often takes a myriad of forms depending on where you live) - the government is responsible for directing the military to do this and may often have their fingers in the "how", but not always, and only very rarely down to an actual implementation level.

Use phone to manually change routes? (5, Insightful)

schwit1 (797399) | more than 4 years ago | (#32151424)

Better make sure your phone system is not on the same network or any affected.

"In the meantime, network administrators deal with hijacking an old-fashioned way: calling their counterparts close to where the hijacking is happening to get them to manually change data routes. Because e-mails may not arrive if a route has been hijacked, the phone is a more reliable option, says Tom Daly, chief technical officer of Dynamic Network Services Inc., which provides Web hosting and other Internet services."

Re:Use phone to manually change routes? (1)

MichaelSmith (789609) | more than 4 years ago | (#32151434)

I suppose phone != skype.

Re:Use phone to manually change routes? (3, Informative)

scdeimos (632778) | more than 4 years ago | (#32151660)

Unfortunately you can't make that assumption any more.

Even national telcos, such as Telstra in Australia, are routing all of their landline and mobile voice and data telecommunications over IP networks (and have done so since 2007 [computerworld.com.au] ).

Re:Use phone to manually change routes? (1)

TooMuchToDo (882796) | more than 4 years ago | (#32151752)

But that data is typically routed over MPLS networks, which can be (and often are) separated from public IP networks similar to how VLANs are used.

Re:Use phone to manually change routes? (0)

Anonymous Coward | more than 4 years ago | (#32152102)

Correct. Telstra's MPLS core cloud (which does what the gp post lists) and Internet cloud are two separate networks. They interconnect, but the cores don't.

Re:Use phone to manually change routes? (3, Informative)

Charliemopps (1157495) | more than 4 years ago | (#32151538)

Not when every ISP out there is voiping everything out of soft switches. There is no "Old school phone system" any more. It all VOIPS eventually. Any major data outage WILL affect voice as long as it's on a lower layer... i.e. DNS problems shouldn't cause a problem but routing issues certainly will.

Re:Use phone to manually change routes? (5, Funny)

MichaelSmith (789609) | more than 4 years ago | (#32151596)

How about carrying an iridium phone?

Re:Use phone to manually change routes? (1)

MichaelSmith (789609) | more than 4 years ago | (#32152024)

I was being serious, shirley.

Re:Use phone to manually change routes? (0)

Anonymous Coward | more than 4 years ago | (#32152120)

I can understand why you would want to be able to have your phone function in high temperatures, but wouldn't that get a bit heavy?

Re:Use phone to manually change routes? (2, Insightful)

MichaelSmith (789609) | more than 4 years ago | (#32152140)

No solutions look heavy when you have been using Eclipse.

The Internet is not going to end (0, Redundant)

xiando (770382) | more than 4 years ago | (#32151440)

Last week we were running out of IPv4 and now it's BGP hijacking and next week who knows. The sky will not be falling and the Internet(s) is not going to die. I actually read the whole article and omg Pentagon's Defense Advanced Research Projects Agency's Peiter Zatko claims he can take the Internet(s) down in a few hours. I say BS.

This "hijacking" happens all the time, people immediately see it and fix it and nobody notices.

Re:The Internet is not going to end (0)

Anonymous Coward | more than 4 years ago | (#32151518)

But there are only 13 internet root servers . . . .

Re:The Internet is not going to end (2, Informative)

Aeternitas827 (1256210) | more than 4 years ago | (#32151546)

But there are only 13 internet root servers . . . .

13 root DNS servers...this is a different protocol altogether. I don't pretend to understand real well--VLSM/CIDR confuse the hell out of me, and that's where I gave up trying to understand the nuts and bolts--but there's a very large number of systems whose routes would need to be compromised, and quickly, to make this have an effect that is visible to end users--and even that would be short lived. As the parent put it:

This "hijacking" happens all the time, people immediately see it and fix it and nobody notices.

Re:The Internet is not going to end (2, Insightful)

Lennie (16154) | more than 4 years ago | (#32152522)

Euh... there are more than 13 routes, there are 13 addresses (prefixes) but there are many, many more routes, most of those 13 prefixes are announced in many places, it's called anycast, and there aren't just 13 servers either. Every one of them is a cluster of machines and as many use anycast there are multiple clusters per 'root nameserver'.

Re:The Internet is not going to end (2, Funny)

timmarhy (659436) | more than 4 years ago | (#32151624)

it's hard to work out if you're joking, ignorant or stupid

Re:The Internet is not going to end (1)

Thanshin (1188877) | more than 4 years ago | (#32152652)

it's hard to work out if you're joking, ignorant or stupid

Not true. There's a lot of stupid ignorants joking while they work out in my gym.

Route filtering (5, Informative)

Anonymous Coward | more than 4 years ago | (#32151504)

Route filtering, USE IT!
Especially when peering with Pakistani/Chinese/etc ISPs.
This is why RIRs such as RIPE/ARIN/APNIC have their information publicly available.
So you know which addresses belong to who.
Only accept routes from your BGP peers that you know belong to them.
This also (in addition to hijack prevention) prevents a clueless NOC monkey from another autonomous system from messing up your whole network by announcing a default route.

That cannot be done. (1)

khasim (1285) | more than 4 years ago | (#32151872)

For it would deprive us of these terrible sensationalist articles. The InterWebz is doomed!

Mistakes will be made. And some people will lose their Internet connectivity (in some form or other) for a period of time.

During that time, the people who control the routers will be working to fix whatever problem happened and the idiots who caused the problem will either learn how to do it CORRECTLY or be fired. Although the executives who insisted on cutting the budget so that they couldn't hire people with the knowledge in the first place will still keep their bonuses and their jobs.

At work, our Internet connection is through Verizon. Within the past two months, we've had 1 day of no connection (and Verizon still denies that there was any problem) and a few days of massive packet loss (and still there is no problem noticed by Verizon).

BGP works and works well. But it does require people with the knowledge of how to make it work.

Re:Route filtering (2, Interesting)

sych (526355) | more than 4 years ago | (#32151894)

What about ISPs whose customers bring their own portable IP address space along with them, and then multi-home? (i.e. have two or more ISPs, and request BGP peering with both?)

The directly-connected ISPs can do their checks to make sure that their customer owns that IP address and adjust their filters accordingly... but anybody else with BGP peering to these ISPs (i.e. other ISPs) can only hope and pray that their peers are doing the right thing. Blind faith might not be good enough.

As I understand it, SBGP [cisco.com] would implement PKI and digital signatures to ensure that only someone who actually *owns* a particular netblock/ASN can advertise a route for it.

Currently, anyone can advertise pretty much anything and it's only individual ISPs' filtering settings that would prevent it getting propagated.

Re:Route filtering (0)

Anonymous Coward | more than 4 years ago | (#32152070)

You add your customer's AS set in RADB. That plus automation = Problem solved, more or less.

Re:Route filtering (1)

alfredos (1694270) | more than 4 years ago | (#32152710)

This also (in addition to hijack prevention) prevents a clueless NOC monkey from another autonomous system from messing up your whole network by announcing a default route.

If you have a full table, or even half of it, even if you allow default routes being accepted, no harm will be done. More specific networks win over less specific, and the default is the least specific of all.

Accepting a default route can even be an elegant way of doing things in certain scenarios, for example for small but multihomed stubs.
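
The per-peer route filtering from the "Route filtering" comment and the longest-prefix-match point in the reply above, as an added example that is not part of any post in the thread. The AS numbers and prefixes are constructed from documentation ranges, the function names are hypothetical, and the /24 maximum length is an assumed local policy.

```python
import ipaddress

# Constructed sample data: prefixes registered to each peer AS, standing in
# for what would be derived from public RIR/IRR records. All AS numbers and
# prefixes are taken from documentation ranges.
REGISTERED = {
    64500: ["198.51.100.0/24"],
    64501: ["203.0.113.0/24", "192.0.2.0/24"],
}
MAX_PREFIX_LEN = 24  # assumed local policy: nothing longer than a /24

# Constructed announcements: (peer AS, prefix, AS path as received).
ANNOUNCEMENTS = [
    (64500, "198.51.100.0/24", [64500]),  # peer's own registered prefix
    (64501, "203.0.113.0/24", [64501]),   # peer's own registered prefix
    (64501, "198.51.100.0/24", [64501]),  # prefix registered to another AS
    (64501, "0.0.0.0/0", [64501]),        # default route from a peer
    (64501, "192.0.2.0/25", [64501]),     # inside a registered block, too long
]


def check_announcement(peer_as, prefix, as_path, allow_default=False):
    """Return (accepted, reason) for one route received from peer_as."""
    net = ipaddress.ip_network(prefix)
    # AS-path filter: the route must have been sent by the peer itself.
    if not as_path or as_path[0] != peer_as:
        return False, "AS path does not start with the peer's AS"
    if net.prefixlen == 0:
        if allow_default:
            return True, "default route accepted by policy"
        return False, "default route rejected"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "more specific than the maximum prefix length"
    # Prefix-list filter: accept only address space registered to this peer.
    allowed = (ipaddress.ip_network(p) for p in REGISTERED.get(peer_as, []))
    if not any(net.subnet_of(a) for a in allowed):
        return False, "prefix not registered to this peer"
    return True, "ok"


def build_table(announcements, allow_default=False):
    """Apply the inbound filter and return {network: next-hop AS}."""
    table = {}
    for peer_as, prefix, as_path in announcements:
        accepted, _ = check_announcement(peer_as, prefix, as_path, allow_default)
        if accepted:
            table[ipaddress.ip_network(prefix)] = peer_as
    return table


def lookup(table, dest):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dest)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    return table[max(matches, key=lambda net: net.prefixlen)]


if __name__ == "__main__":
    for peer_as, prefix, as_path in ANNOUNCEMENTS:
        print(peer_as, prefix, check_announcement(peer_as, prefix, as_path))
    # With the default allowed, specific routes still take precedence.
    loose = build_table(ANNOUNCEMENTS, allow_default=True)
    print(lookup(loose, "198.51.100.7"), lookup(loose, "192.0.2.200"))
```
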

Routing reform (-1, Troll)

michaelmalak (91262) | more than 4 years ago | (#32151572)

Routing reform? The answer is simple. Just fine every router $750 until it starts routing correctly.

Re:Routing reform (1)

mysidia (191772) | more than 4 years ago | (#32151652)

Routing reform? The answer is simple. Just fine Cisco $750 for every router until it starts routing correctly (or they go bankrupt and take Federal bailout money in exchange for incorporating federal guidelines in all future router designs; including backdoor, and mandating USGaBGP, US government-authorized BGP, where the government will issue every router operator who pays the fee and follows the rules a digital certificate to use their AS number, and a digital certificate for each IP prefix the router owner obtains, after filling out 100000 reams of paperwork).

There, fixed it for you.

we're doomed (1)

Charliemopps (1157495) | more than 4 years ago | (#32151582)

The only reason a Major ISP hasn't had a full, network wide outage is simply a lack of desire on the part of the people that would be capable of doing such a thing. In fact, many ISPs do have network wide outages fairly regularly but are able to keep it hidden. Most customers think it was local to them. What makes networks so weak? The same thing that caused the oil spill in the gulf. It costs too much to do things correctly. And what are the chances anything bad will happen... right?

Next article... "How Fragile is Wikipedia?" (4, Insightful)

mysidia (191772) | more than 4 years ago | (#32151622)

What?! Anyone can edit it?! Really???

'It amazes me every day when I get into work and find the Wikipedia front page has not been blanked or filled with goatse porn.'

We know what kind of "solution" DHS has in mind (3, Insightful)

Daniel Dvorkin (106857) | more than 4 years ago | (#32151654)

From TFA:

"It's kind of everybody's problem, because it impacts the stability of the Internet, but at the same time it's nobody's problem because nobody owns it," says Doug Maughan, who deals with the issue at the Department of Homeland Security.

So clearly we need one centrally owned routing system under the watchful and benevolent eye of DHS, right? With help from advisors provided by Microsoft and Disney.

Decentralized routing is a feature, not a bug. And although the problems identified in the article are real enough, the implications of this kind of discussion always scare the hell out of me.

Re:We know what kind of "solution" DHS has in mind (5, Insightful)

dalagra (1807876) | more than 4 years ago | (#32151726)

Decentralized routing is a feature, not a bug. And although the problems identified in the article are real enough, the implications of this kind of discussion always scare the hell out of me.

While agreeing with you, I would go a step further and suggest that the bugs of decentralized systems are often more palatable than the features of centralized systems. (this is of course considering the context of this article -- the internet)

Re:We know what kind of "solution" DHS has in mind (1)

alfredos (1694270) | more than 4 years ago | (#32152722)

bugs of decentralized systems are often more palatable than the features of centralized systems. (this is of course considering the context of this article -- the internet)

You can get to the general law easily from there - things that are wrong, ill or plain bad news run faster and are more eagerly consumed than things that go right, well or are good news. This summary (and /. news in general) is no exception.

Re:We know what kind of "solution" DHS has in mind (1)

Hurricane78 (562437) | more than 4 years ago | (#32151772)

Wasn’t decentralization the whole point of the Internet? You know, because centralization would offer a SINGLE POINT OF FAILURE?

it is fragile, but it works (4, Insightful)

dalagra (1807876) | more than 4 years ago | (#32151676)

From the article: "My fear is that innovation on the Internet would slow down if there's a need to go through a central authority," Poll says. "I see little appetite for that in the industry." --- Is there an argument against this (quote above)?

Fragile but working (0)

Anonymous Coward | more than 4 years ago | (#32151718)

Turn on IP6 [bit.ly], people. Duh.

Feature not a bug (4, Insightful)

Anonymous Coward | more than 4 years ago | (#32151738)

This is ridiculous, I suspect this is FUD created to take control of the Internet. Routing tables are a feature of the Internet that are designed to ensure the Internet doesn't have a single point of failure. Hacked router?, connection hit by bomb?, satellite suffering from solar flares?... change a few routes and it's fixed. Security?... TLS. The moron even suggests that creating a central authority would make the Internet more secure!!! Imagine if you wanted to take out the Internet and it relied on a central authority, hmm, what would you attack, billions of Internet clients, millions of routers, or the one authority?

Re:Feature not a bug (1)

alfredos (1694270) | more than 4 years ago | (#32152732)

This is ridiculous, I suspect this is FUD created to take control of the Internet

Or, rather less dramatically, just to promote a new beta site (from TFA) that quotes an article written by some clueless guy at AP...

Clarke's Third Law (2, Funny)

ChipMonk (711367) | more than 4 years ago | (#32151756)

'It amazes me every day when I get into work and find it's working.'

Or, as Arthur C. Clarke put it, "Any sufficiently advanced technology is indistinguishable from magic."

Re:Clarke's Third Law (0)

Anonymous Coward | more than 4 years ago | (#32152628)

"Any sufficiently advanced technology is indistinguishable from magic."

Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

If internet ever dies, I suggest sacrificing priests until it's up again.

Re:Clarke's Third Law (1)

HungryHobo (1314109) | more than 4 years ago | (#32153226)

"If it's distinguishable from magic, it's not advanced enough."

"Any sufficiently analyzed magic is indistinguishable from science"

Re:Clarke's Third Law (0)

Anonymous Coward | more than 4 years ago | (#32153858)

"If it's distinguishable from magic, it's not advanced enough."

"Any sufficiently analyzed magic is indistinguishable from science"

And the cycle begins anew.

This is going to get worse (1, Insightful)

HangingChad (677530) | more than 4 years ago | (#32151876)

With the FCC stymied in its attempts to regulate the internet, it's going to be basically an ISP fur ball. Layer general greed and self-interest of individual providers on top of load and routing problems, take away the regulators' ability to maintain order and you have a recipe for disaster.

I got a bad feeling about this.

Re:This is going to get worse (0)

Anonymous Coward | more than 4 years ago | (#32153428)

One more like that, and I'm a goner!

fix worse than the problem (1)

timmarhy (659436) | more than 4 years ago | (#32151952)

Man, I sure am tired of all government attempts at fixing things. Iraq, the economy, health care, privacy.

If the government gets to "fix" the internet, I may just have to give up slashdot.

Oh crap, this can get worse than net neutrality (2, Informative)

Captain Linger (869777) | more than 4 years ago | (#32152012)

Route filtering. Trust me, if the 12 occasionally scattered folk I work with every day can manage to block leaks of inappropriate routes within 15-60 minutes, so can everyone else, and they typically do...generally they're properly filtered to begin with. The open nature of the internet and diversity amongst transit carriers is precisely what contains these leaks to segmented populations rather than causing a massive nationwide failure. The fact that largely Internet standards have been left to technocratic, Balkanized organizations rather than via Congress is what keeps everyone playing nice. The "next one" may be "a big one", but anyone running a truly important network should and will have diverse carriers...anyone critical to the US infrastructure should and does generally run over dark fiber that would not be affected. Not seeing the call to action here, but I have very little faith in the media to actually competently understand and relate this one. HangingChad, exactly: "I got a bad feeling about this"

Beware: plans to fix this are misguided (4, Interesting)

presidenteloco (659168) | more than 4 years ago | (#32152026)

I've seen alternate routing protocols proposed wherein your traffic has to barter/haggle its way through the network at every hop, as some new troll demands a passage fee for a certain QOS.

These new methods look to me like they would create two issues:
1. Unpredictable permutations of complex, balkanized, and non-local routing strategies. Performance of the system as a whole would be unpredictable and possibly unstable.

2. It really is back to the old circuit-switching network of ma bell, on top of IP. A few nice low-latency end-to-end Concorde-like connections for those willing to fork over the dough, clogging up the routers so all the proletariat traffic suffers in a poverty of routes and bandwidth.

Deep Simplicity at the core of routing protocol is the only thing that will work at the scale of the Internet. Maybe a "voluntary-QOS-downgrade" flag on email packets etc, and a "pretty please low latency" flag on video packets, might work, but these should not have monetary contracts associated with them. They should just indirectly affect the end-consumer's bandwidth bill if anything.

Re:Beware: plans to fix this are misguided (1)

Aeternitas827 (1256210) | more than 4 years ago | (#32152248)

They should just indirectly affect the end-consumer's bandwidth bill if anything.

That would be one large roadblock--possibly the largest--to implementing any wholesale changes to the whole scheme; if transport costs go up, invariably part of that cost is sent down to the consumer, which would at least lead to vicious consumer backlash (at most, a race to see who can dicker down those costs best, which could lead to subscribers hopping like mad from ISP to ISP). In any case, revenue to some degree gets impacted, and over an issue that the VAST majority of end-users know nothing about. Yeah, it's broke right now, but there's no distinct reason to fix it. If something were going to go horrendously wrong, it very likely (imho, almost assuredly) would have happened at some point since this flaw became known.

Re:Beware: plans to fix this are misguided (1)

HungryHobo (1314109) | more than 4 years ago | (#32153246)

It has happened in the past, it's just not a big enough deal that people hear about it.
I think it was Iran which tried to block YouTube in their country and accidentally routed the whole world to their network which then melted.
And some guy years ago who told the whole net he had the best route to everywhere.

New tag (1)

ManiaX Killerian (134390) | more than 4 years ago | (#32152526)

Can we please have a tag "moronswithnobasicunderstandingofthetechnologyproposestupidsolutions" ? The article is mostly fear-mongering and a waste of time. Should we be looking at what every idiot on the planet thinks about something he doesn't understand?

If so, can I write something on how bad particle physics is, because there are always problems with the accelerators and they carry a lot of energy and can open black holes?

As on the BGP hijacks, etc. - there are BGPmon and a ton of other projects that track the internet. There are established ways to stop all leaks/hijacks within an hour or two, and there's the way of making the person responsible NOT do that again. Go read on NANOG or a similar list the discussions on the topic, they're far more useful.

Re:New tag (0)

Anonymous Coward | more than 4 years ago | (#32152548)

If so, can I write something on how bad particle physics is, because there are always problems with the accelerators and they carry a lot of energy and can open black holes?

Go on with your bad self, you can write whatever the hell you want. Will people read it? Possibly. Will they flame it like so:

Can we please have a tag "moronswithnobasicunderstandingofthetechnologyproposestupidsolutions" ? The article is mostly fear-mongering and a waste of time. Should we be looking at what every idiot on the planet thinks about something he doesn't understand?

Probably.

Re:New tag (1)

viralMeme (1461143) | more than 4 years ago | (#32153170)

Yes, a non-issue, the Telecoms rely on each other to correctly route traffic.

BGPSEC (1)

Skapare (16644) | more than 4 years ago | (#32153274)

Where's BGPSEC when you need it?

It's a problem that already has an answer (0)

Anonymous Coward | more than 4 years ago | (#32153332)

RADB has been around a long time and is a loose description of AS peers and AS routes in BGP. This describes which AS and IP ranges peer based on published IP database information (whois).

All carriers are meant to create their BGP filters from the RADB information, using standard tools, which then means that bogus route advertisements are filtered.

Unfortunately some peers get put on the net without going through the process and these become essentially "trusted" peers. The simple thing to do with these peers that then advertise bogus routes is to tell them they're no longer trusted and force them to create proper RADB entries so we can control their routes.
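The registry-driven filtering described in the comment above, as an added example that is not part of the thread and not the output of any real IRR tool: it builds a per-customer filter from route and as-set objects and applies it to received announcements. The RPSL objects, the as-set name `AS-EXAMPLE-CUST`, the ASNs and the exact-match policy are all assumptions made for the illustration.

```python
import ipaddress

# Constructed RPSL objects (documentation ASNs/prefixes); AS64511 is not in the as-set.
IRR_DUMP = """\
as-set:   AS-EXAMPLE-CUST
members:  AS64500, AS64501

route:    192.0.2.0/24
origin:   AS64500

route:    203.0.113.0/24
origin:   AS64501

route:    198.51.100.0/24
origin:   AS64511
"""

def parse_rpsl(text):
    """Split a dump into objects, each a dict of attribute -> value."""
    objects = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        objects.append({k.strip(): v.strip() for k, _, v in pairs})
    return objects

def build_filter(objects, as_set):
    """Allowed (prefix, origin) pairs for routes whose origin is in as_set."""
    members = set()
    for obj in objects:
        if obj.get("as-set") == as_set:
            members = {m.strip() for m in obj["members"].split(",")}
    return {(ipaddress.ip_network(o["route"]), o["origin"])
            for o in objects if "route" in o and o["origin"] in members}

def check(allowed, prefix, as_path):
    """Return 'accept' or a rejection reason; origin is the last AS in the path."""
    net, origin = ipaddress.ip_network(prefix), as_path[-1]
    if (net, origin) in allowed:
        return "accept"
    if any(net == p for p, _ in allowed):
        return "reject: origin mismatch"
    if any(net.subnet_of(p) for p, _ in allowed):
        return "reject: more specific than registered route"
    return "reject: prefix not registered"

ALLOWED = build_filter(parse_rpsl(IRR_DUMP), "AS-EXAMPLE-CUST")
if __name__ == "__main__":
    for prefix in ("192.0.2.0/24", "0.0.0.0/0", "192.0.2.128/25"):
        print(prefix, "->", check(ALLOWED, prefix, ["AS64500"]))
```

A default route or a leaked full table from the customer falls through to "prefix not registered", so it never propagates past the filtering ISP.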

Filtering works, for those that configure it (2, Informative)

gavving (1689168) | more than 4 years ago | (#32153640)

As someone who's accidentally announced the entire Internet routing table to an ISP when setting up a dual-homed configuration, I can confirm that good upstream ISPs do BGP filtering. I was trying to troubleshoot what was going on, and the Tech on the other end was helpful enough to tell me that I was sending him the full route table. Fortunately they had filters in place to stop them from going out any further and impacting anything. But I had it clearly demonstrated to me how important filters are on both ends of the connections.
