
Internet Routing, Looming Disaster?

CmdrTaco posted more than 2 years ago | from the fear-the-packets dept.

Networking 109

wiredmikey writes "The Internet's leading architects have considered the rapid growth and fragmentation of core routing tables one of the most significant threats to the long-term stability and scalability of the Internet. In April 2010, about 15% of the world's Internet traffic was hijacked by a set of servers owned by China Telecom. In the technical world, this is typically called a prefix hijack, and it happened due to a couple of wrong tweaks made at China Telecom. Whether this was intentional or not is unknown, but such routing accidents are all too common online. While BGP is the de-facto protocol for inter-domain routing on the Internet, actual routing occurs without checking whether the originator of the route is authorized to do so. The global routing system itself is made up of autonomous systems (AS) which are simply loosely interconnected routing domains. Each autonomous system decides, unilaterally, and even arbitrarily, to trust everything it hears from any other AS, to use that information without validation, and to further transmit that information to its other peers..."


109 comments


...news? (2, Insightful)

phyrexianshaw.ca (1265320) | more than 2 years ago | (#34405096)

And this is news because?

This is how the BGP internet functions. the last proposed solution was to centralize the BGP trust tables, which is likely a WORSE solution.

if you can't trust your peers: go work in another kitchen.

Re:...news? (3, Insightful)

wiredmikey (1824622) | more than 2 years ago | (#34405146)

It's not so much news as it is insight. If you're an experienced network expert it may not be surprising, but too many people in the tech world still don't have a clue on some of the challenges, dangers, problems that are happening currently and that we face moving forward with the overall internet infrastructure.

Re:...news? (1, Insightful)

vlm (69642) | more than 2 years ago | (#34405270)

challenges, dangers, problems that are happening currently

It's FUD, not insight. Those problems were solved years / decades ago.

The fact that the folks at the far left tail of the cluefulness bell curve will always find a way to shoot themselves in their feet is not exactly an insight into this business or even generally into human nature.

FUD's usually used to gain control or make money, not educate.

Problems solved? You mean the IRRs? (0, Flamebait)

Anonymous Coward | more than 2 years ago | (#34406350)

If by "problem solved" you mean the IRRs, you need some reality juice.

Most ASs do not use the IRRs, and the data in the IRRs is stale and often incorrect. This has been MEASURED by various RIRs, we see an update of that same presentation every two years, and nothing changes. It doesn't help that self-policing in the IRRs is utter crap (see: proxy objects).

Yes, people will push for RPKI. Deal with it. The anarchy screwed up, failed to uphold enough self-restraint and self-regulation to solve the problem in practice, and now we will have the same kind of crap needed for DNSSEC, now for routing.

Re:...news? (3, Funny)

phyrexianshaw.ca (1265320) | more than 2 years ago | (#34405494)

So it's "omfg, we non-technical people just learned how BGP works! it's scary!"

seeing something like this coming from an AP site, or Fox, I would have just brushed it aside and ignored it. but really? slashdot?


Owner: "you mean I can hijack someone else's traffic!!? omfg!!"
*pays to have someone implement it*
Owner: "WHY DOESN'T IT WORK!!?"
Tech: "I have no idea.. it should! I read an article on /. about china doing it!"
*phone rings*
ISP: "you seem to have a configuration issue on your equipment, you're trying to advertise routes that belong to someone else. you'll have to get that fixed before we continue routing your prefixes to you. "
Owner: "omg, [isp] called me.. undo it all..."

Re:...news? (2, Funny)

Anonymous Coward | more than 2 years ago | (#34411394)

Tech to owner: you mean just fix it?
Owner. NO NO NO OMG OMG OMG Take it all out, turn it all off, cut all the wire. Cut the electricity to all of it and shotgun the machinery. We have to stop NOW! IT all BorKen!

Re:...news? (3, Informative)

anti-NAT (709310) | more than 2 years ago | (#34408644)

"If you're an experienced network expert it may not be surprising, ..."

and they're the people at ISPs who're running it (I used to be one of them). Running the Internet backbone is self regulating, because everybody who does it also has a vested interest in policing it. This article is FUD. The clueless tech people can continue to remain clueless.

Re:...news? (0)

Anonymous Coward | more than 2 years ago | (#34409716)

Telling you about how it works gives you insight. Telling you it's a 'looming disaster', a 'disaster waiting to happen' is unqualified speculation.

Yes, you can do it if you work for a nice large ISP and want to destroy your career. And *when* you do it, if you're doing it for nefarious purposes, there's still no guarantee that enough packets would come your way and make it down your (suddenly rather underspecified) pipes for you to accomplish anything useful. Oh, and you'll probably owe your customers quite a lot of money if you have SLA agreements, because you're going to get de-peered till you sort your life out.

In summary, it's not technical but social (or at least corporate) measures that prevent this from being of much use to anyone. I know it might be a shock to /. readers but non-technical measures can actually work too.

It's called a filter (5, Informative)

Tolaris (31078) | more than 2 years ago | (#34405114)

No, each ISP chooses what routes to accept from what peers. It's called a filter. Smart ISP use routing databases like RIPE to verify what they'll accept and reject automatically. Others do it by hand. Dumb ones accept updates from peers without filtering. It's this last group that needs to update their practices.

Re:It's called a filter (4, Interesting)

phyrexianshaw.ca (1265320) | more than 2 years ago | (#34406172)

That's not entirely true.

though you choose what MAJOR prefixes you accept routing information for, nobody cares about the /8's.

If I had say a /24 assigned to me, and I decided to have it routed to my building in Toronto, but then decided to move a /28 to a location in Dallas, what would be the easiest way to go about that?

if I had enough other locations to assign /28's to, I could simply retrieve an AS number and advertise each /28 to the parents at each location. this would then trail up to the largest area that my /24 exists under, and the traffic would be routed locally to each location.

sure, many ISP's that you deal with in North America may have policies regarding what exact prefixes you advertise at each peering location, but at some point you become large enough to be "trusted". once you start carrying your own traffic internally is often the breaking point.

say I decided to lease some dark fiber between my two locations: then suddenly my rates may be cheaper than the existing path the ISP is taking between the two. (HIGHLY unlikely, unless your IT department has WAY too much money and you've got a few ISP's interested in sharing a portion of your pipe, though it can seriously reduce the cost of some 100Mbit customer facing links in some cases)
this then leads to an interesting predicament: how does one know what prefixes will be advertised over that pipe? sure, each ISP sharing the connection MAY decide to restrict advertisements: but few have the capacity to do so for many of the smaller /24's or /28's that exist. keep in mind that each /16 has 256-/24's which in turn each have 32 /28's each.
customers don't buy /16's (regularly) they buy a /27-/30. this means that the /8 you oversee as an ISP may have as many as 4,194,000+ /30 prefixes to account for.

Re:It's called a filter (0)

Anonymous Coward | more than 2 years ago | (#34409146)

/28s? You should never originate anything longer than a /24 into BGP. If you got a /28 allocation from a RIR, something is very wrong. Usually, /28 are allocated from the ISP's pool of addresses directly to customers, and the ISP aggregates all these /28 before originating routes... If you need to be multihomed, then you should have your own ASN and at least a /24 to originate it yourself.

And no, you don't need to be multihomed if all you need is 16 public IP addresses.

Re:It's called a filter (3, Interesting)

Spazmania (174582) | more than 2 years ago | (#34407826)

Not exactly. Most ISPs filter their customers' announcements that way, but it's highly impractical to implement such filters when peering with other ISPs.

The solution boils down to:

1. Temporary filter installed for errant routes
2. Peering POC at source ISP gets a stern lecture and a depeering threat
3. Peering is so valuable (and so costly to lose) that peering POC smacks around the person who allowed the leak in the first place.
4. Mistake repeats because the staff who originally allowed it are incompetent
5. Source ISP gets depeered so he has to pay for all his Internet traffic via a connection that actually is filtered
6. Source ISP fires the fool who screwed up in the first place, cancels the customer contract (if it was customer originated).
7. Source ISP most likely never recovers and ends up being bought out while in or near bankruptcy.

Okay, so steps 4 onward are an artful exaggeration. But seriously, senior network engineers get really bent out of shape when a peer slips them a bum route.

Re:It's called a filter (2)

ghjm (8918) | more than 2 years ago | (#34410046)

Cage match: "senior network engineers" vs the government of China. Who are you betting on?

Re:It's called a filter (1)

Spazmania (174582) | more than 3 years ago | (#34413528)

The network engineers. They'll mess you up man.

Oh, bullshit... (5, Informative)

autocracy (192714) | more than 2 years ago | (#34405120)

Anybody who touches BGP needs to understand route filtering.

  * Would I trust everything I see from Sprint? Yes.
  * Would I trust anything except what I expect from the local ISP I route to? No.
  * Would I expect Sprint to execute the same filtering as above? Yes.

BGP nodes should always have filters on their connections that describe what is allowed to be accepted. Every failure I can think of... and I'm sure most notable ones that have happened... have been caused by failure to properly filter incoming routes.

Re:Oh, bullshit... (0)

Anonymous Coward | more than 2 years ago | (#34405212)

mod this up please..

nothing new to see here, move along

why not, worked great for the banking system (3, Funny)

Anonymous Coward | more than 2 years ago | (#34405538)

"would i trust everything i see from bear stearns?"

yes

"would i trust everything i see from lehman brothers?"

yes

oh wait..

Re:why not, worked great for the banking system (2)

$RANDOMLUSER (804576) | more than 2 years ago | (#34406158)

Sarcasm detected. You really can, however, trust everything you see from Goldman Sachs, since they are The Government.

Re:why not, worked great for the banking system (2)

dgatwood (11270) | more than 2 years ago | (#34408090)

Oh, a sarcasm detector. That's a real (sic) useful invention.

--Comic Book Guy

Re:Oh, bullshit... (0)

Anonymous Coward | more than 2 years ago | (#34405642)

While the major carriers are pretty careful about only advertising out what their customers are legitimately advertising, the same is not true with what they accept from peers.

So it only takes one bad peer to inject a misappropriated route. Do you really think they ensure that every prefix they hear from large international peers was assigned to a customer in that geographical region? Especially since there are thousands and thousands of legitimate exceptions?

(There are other messes, mind you, in that the days of being able to do weak-RPF are over, since hardly anyone ensures that everyone advertises on links they send outbound traffic to.)

Re:Oh, bullshit... (3, Insightful)

vuke69 (450194) | more than 2 years ago | (#34405794)

In a nutshell, that's pretty much the problem and the solution.

Tier 1 providers pretty much have no choice but to accept any update from other Tier 1s because they could each legitimately have routes to pretty much any network. It is also each of their responsibilities to make sure they don't get any bunk routes from downstream. One weak link, the chain breaks and, and everyone suffers. Obviously you wouldn't (shouldn't) be accepting a zero bit mask route from anyone; but besides the basic idiot proofing, you have to put a lot of faith in your peers, and their ability/diligence.

Re:Oh, bullshit... (1)

Anonymous Coward | more than 2 years ago | (#34409908)

Tier 1 providers pretty much have no choice but to accept any update from other Tier 1s because they could each legitimately have routes to pretty much any network.

While this is theoretically true, there are many scenarios which are very unlikely to be legitimate. E.g. how often does it happen that China Telecom and Level-3 both claim Level-3 routes on the same POP, legitimately? (Replace CT and L3 with any other 2 providers.)

Re:Oh, bullshit... (0)

Anonymous Coward | more than 3 years ago | (#34412894)

Would I trust everything I see from Sprint? Yes.

No. BGP route filtering is not an either/or proposition, and the internet is not the only large BGP routing space. Use priorities and ensure that routes you know belong to someone closely connected to you (e.g. your customer) are locked to that customer.

The basic question should be; "if they messed this up, would the rest of the internet notice before me". If not, then you should be locking it down even against the likes of Sprint.
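The inbound filtering argued over in the "It's called a filter" and "Oh, bullshit..." threads (drop the default route, drop anything longer than a /24, lock a customer's prefix to that customer) and the RPKI origin validation mentioned earlier, as one added example that is not code from the thread or from any router vendor. The ROAs, prefixes and AS numbers are constructed samples from the documentation ranges; the RFC 6811 Valid/Invalid/NotFound semantics are the real ones.

```python
# Added example: a minimal model of an ISP's inbound BGP route filter on one
# peering session, combining the sanity checks discussed in the thread with
# RPKI-style route origin validation (RFC 6811). All ROAs, announcements,
# customer assignments and AS numbers below are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce prefix and any
    more-specific of it up to max_length."""
    prefix: object       # IPv4Network or IPv6Network
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    prefix: object       # IPv4Network or IPv6Network
    as_path: tuple       # leftmost = the neighbor we heard it from, rightmost = origin


def covers(container, prefix):
    """True when prefix lies inside container (same address family only)."""
    return container.version == prefix.version and prefix.subnet_of(container)


def rov_state(ann, roas):
    """RFC 6811 route origin validation.
    Valid:    a covering ROA lists the origin AS and the prefix is not
              longer than that ROA's max_length.
    Invalid:  covering ROAs exist but none matches (classic hijack or a
              more-specific leak beyond max_length).
    NotFound: no ROA covers the prefix at all, so RPKI says nothing."""
    origin = ann.as_path[-1]
    covering = [r for r in roas if covers(r.prefix, ann.prefix)]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.origin_as == origin and ann.prefix.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def accept_route(ann, peer_as, customers, roas, max_prefix_len=24):
    """Decide whether to accept a route heard from peer_as.
    customers: list of (customer_as, assigned_prefix) pairs.
    Returns (accepted, reason)."""
    if ann.prefix.prefixlen == 0:
        return False, "default route"
    if ann.prefix.prefixlen > max_prefix_len:
        return False, f"longer than /{max_prefix_len}"
    if not ann.as_path or ann.as_path[0] != peer_as:
        return False, "AS path does not start with the peer"
    # Lock customer space: a customer's prefix is only accepted when that
    # customer originates it AND it arrives on the customer's own session.
    for cust_as, cust_prefix in customers:
        if covers(cust_prefix, ann.prefix):
            if ann.as_path[-1] != cust_as or peer_as != cust_as:
                return False, f"customer prefix of AS{cust_as} heard from elsewhere"
    state = rov_state(ann, roas)
    if state == "Invalid":
        return False, "RPKI Invalid"
    # NotFound is accepted here (most of the table had no ROA at the time);
    # a stricter policy could depreference it instead.
    return True, f"RPKI {state}"


# Constructed sample data (documentation prefixes, documentation ASNs).
SAMPLE_ROAS = [
    ROA(ip_network("203.0.113.0/24"), 24, 64496),
    ROA(ip_network("198.51.100.0/24"), 24, 64497),
]
SAMPLE_CUSTOMERS = [(64500, ip_network("192.0.2.0/24"))]


def check(prefix, peer_as, as_path):
    """Convenience wrapper over the sample policy."""
    ann = Announcement(ip_network(prefix), tuple(as_path))
    return accept_route(ann, peer_as, SAMPLE_CUSTOMERS, SAMPLE_ROAS)


if __name__ == "__main__":
    cases = [
        ("203.0.113.0/24", 64496, [64496]),          # legitimate origin
        ("203.0.113.0/24", 64511, [64511]),          # origin hijack
        ("203.0.113.0/25", 64496, [64496]),          # more-specific leak
        ("192.0.2.0/24", 64511, [64511, 64500]),     # customer space via a peer
        ("192.0.2.0/24", 64500, [64500]),            # customer on its own session
        ("0.0.0.0/0", 64496, [64496]),               # default route
    ]
    for prefix, peer, path in cases:
        print(prefix, "from AS%d" % peer, path, "->", check(prefix, peer, path))
```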

Authentication (1)

rakuen (1230808) | more than 2 years ago | (#34405130)

So... what you're saying is we should all start using that nifty authentication feature several routing protocols support, because it would make routing more secure? I suppose the better question is, why haven't we done it?

Re:Authentication (1, Interesting)

vlm (69642) | more than 2 years ago | (#34405200)

So... what you're saying is we should all start using that nifty authentication feature several routing protocols support, because it would make routing more secure? I suppose the better question is, why haven't we done it?

The better question is actually, "what are they pushing". So they're outputting almost unbelievable FUD that everyone actually in the business laughs out loud at. The purpose of doing this is ....

That is the crucial part missing from the summary.

My guess is the usual big gov statist corporatist B.S., because its possible to make money off that, but its just a guess.

Re:Authentication (1)

Froggie (1154) | more than 2 years ago | (#34409820)

It's a scare story, plain and simple. We don't understand why this works so It Must Be Bad and Someone Must Do Something About It.

Re:Authentication (3, Insightful)

bhcompy (1877290) | more than 2 years ago | (#34405512)

Overhead. What might take a few milliseconds now takes a few more milliseconds. Not a problem on your little Belkin router, but when you're routing thousands of packets a second, it adds up. You can be sure there are many interests non-technical in nature that would be against raising their latency, even by milliseconds. Particularly, Wall Street.

Re:Authentication (2)

rakuen (1230808) | more than 2 years ago | (#34405590)

I know overhead can be a problem, especially with how much overhead there already is in exchanging information. However, the authentication should only be applied to the packets generated by the routing protocol, and not all packets. Therefore, overhead is limited. That is, unless every packet has to be authenticated. I'm not that far in my studies yet.

Re:Authentication (0)

Anonymous Coward | more than 2 years ago | (#34405856)

Every packet sent would generate the extra overhead.

Re:Authentication (1)

silas_moeckel (234313) | more than 2 years ago | (#34409634)

As it stands, taking a full BGP feed slams a router's sup pretty hard. Now routing sups are often underpowered, but it's an issue. Then you have to look at what you're authenticating; we already authenticate sessions to stop injection attacks. If you're going to authenticate the validity of the end point for each route, that stops some attacks, but how do you do it so somebody cannot re-advertise that same route and send it somewhere else??? BGP is built on a trust model, and it's rather hard to do it another way that will actually secure anything. Using the RIPE route DB works well to propagate filters, but at some point you have to assume that your ISP will have every route and trust them; adding crypto will not change that. A simple database of what AS should be advertising what net blocks works wonders; there are about 300k net blocks in use and not too many left to expand that.

Re:Authentication (2)

TheLink (130905) | more than 2 years ago | (#34405800)

The overhead is only in deciding whether to accept _changes_ to the routing table. If your router design isn't broken, that doesn't have to increase overheads of routing each packet at all.

For example, say I give you a piece of paper with a list telling you where to send stuff. So you just follow that.

Later, I could have a long talk with someone about what should be on a new list, but that does not have to affect you at all.

Once I'm done with that, I pass you the resulting list, and you use it.

Re:Authentication (2)

Froggie (1154) | more than 2 years ago | (#34410028)

I am a tier 1 ISP and wish to send a packet to Sprint. My peering with Sprint is down (for whatever reason). Comcast tell me they can route to Sprint. I have two options: trust them, or don't trust them.

I can't actually say that Comcast are advertising a legitimate route to Sprint. But I also can't tell that they aren't snooping all the traffic, or terminating it at drive-by-malware sites, even if the route *is* legitimate. So there has to be trust at the tier 1 level.

The internet needs an upgrade... (2)

digitaldc (879047) | more than 2 years ago | (#34405162)

...just like every other aging technology that increases its workload and interoperability on a scale that was never originally intended.

Re:The internet needs an upgrade... (2)

Monkeedude1212 (1560403) | more than 2 years ago | (#34405260)

The problem is not that the amount of traffic increases to stresses it can't handle, those are upgrades we have the technology for but just aren't spending the money - we'll worry about those when it actually becomes a problem.

The issue they are talking about abstractly is the way trust issues work on the net - and how it's possible for a Chinese ISP to get 15% of traffic by saying "I'm super trustworthy".

In layman's terms, they want to un-naive the interwebs.

Re:The internet needs an upgrade... (0)

Anonymous Coward | more than 2 years ago | (#34405322)

but what they really need are un-naive operators

Re:The internet needs an upgrade... (1)

maxume (22995) | more than 2 years ago | (#34405778)

Or they are overestimating the naivete of the internet.

Re:The internet needs an upgrade... (1)

Froggie (1154) | more than 2 years ago | (#34410058)

Actually, they just happened to be super-close.

Re:The internet needs an upgrade... (2)

$RANDOMLUSER (804576) | more than 2 years ago | (#34405788)

"rogers" on that one. What's this about "looming"? Internet routing started being a disaster two orders of (traffic) magnitude ago.

15% (2, Insightful)

vxice (1690200) | more than 2 years ago | (#34405182)

Before we throw this number around anymore, does anyone know approx. how much internet traffic normally goes through China? Is the 15% number 15% more than normal, an additional 15%? A baseline is an incredibly important thing.

Re:15% (4, Informative)

genkaos (570912) | more than 2 years ago | (#34405396)

Actually it was 15% of the internet's prefixes, not 15% of traffic.

Re:15% (4, Insightful)

Unequivocal (155957) | more than 2 years ago | (#34405610)

From what I've read so far on this, the 15% number is a red herring. The real problem was that China was able to route traffic for domains/networks which it had nothing to do with including dell.com and some US DoD networks. Volume wasn't the main issue (though surely it was causing problems in terms of latency and throughput) -- the main issue was that China was seeing packets that it shouldn't have.

Now we all know that no one routes traffic over the public internet that it doesn't assume bad actors will see. Right?

Re:15% (3, Funny)

camperdave (969942) | more than 2 years ago | (#34406432)

Now we all know that no one routes traffic over the public internet that it doesn't assume bad actors will see. Right?

Keanu sees my packets?

Re:15% (1)

initialE (758110) | more than 3 years ago | (#34412740)

All I see now is blonde, brunette, redhead.

Re:15% (1)

3.1415926535 (243140) | more than 2 years ago | (#34407352)

Even that claim is a red herring. Internet traffic is routed through, and visible to, many many entities that I would consider equally untrustworthy, and yet no one makes a stink about that. You have to have end-to-end encryption between authenticated peers if you want to have even a chance of keeping your data out of the hands of nogoodniks.

Re:15% (1)

Unequivocal (155957) | more than 2 years ago | (#34407984)

You're right of course, but the point for me is that many folks don't do that (encrypt their traffic) b/c they're dumb about security, sometimes relying on what they think are immutable laws of routing (which this problem points out are not immutable at all).

No one in California hitting dell.com would think that their traffic would go through China to get to Texas (or wherever Dell.com is located). And especially if you look up dell.com's arin physical location you definitely wouldn't expect a big dog leg in your traffic path thru .cn.

People make implicit assumptions about BGP routes even if they don't know what BGP is. The China routing problem raises this issue, more so than the volume of traffic that China routed temporarily.

Re:15% (1)

Froggie (1154) | more than 2 years ago | (#34410138)

No one in California hitting dell.com would think that their traffic would go through China to get to Texas (or wherever Dell.com is located).

Chances are it didn't this time, either. Someone in Japan going to dell.com might have gotten routed via China because China was advertising a really short route to the US. Someone from the US actually *has* a really short route to someone else in the US, and the Chinese ISP would be far away, so the bogus Chinese route would not have been used.

Sure enough, other background reading says it was Asian and Pacific traffic that tended to get caught up in this.

Re:15% (1)

Unequivocal (155957) | more than 2 years ago | (#34410666)

Hey thanks - good tip. It seemed odd to me that traffic would route the long way, but I'd guessed (wrongly) that the .cn BGP weight must have been low enough to make it worth it. Of course now that you point it out, the routers in CA would know that .cn is far away on the first hop, so it wouldn't matter if the rest of the hops are basically free, the CA routers would choose a shorter/cheaper hop on the first step. Asian routers would be in a tougher spot and I could see how they'd jump on an advertised cheap route through China.

Thanks for clearing that up (assuming I'm following along)!

n the technical world (1)

cpicon92 (1157705) | more than 2 years ago | (#34405210)

Really?

Re:n the technical world (2)

sharkey (16670) | more than 2 years ago | (#34406092)

Capitalized letters are prefixes, aren't they?

Imminent death of Internet predicted... (5, Insightful)

EriktheGreen (660160) | more than 2 years ago | (#34405226)

It's always amusing when a new pundit discovers exactly how the Internet actually works.

Until they gain enough technical knowledge to be dangerous, they assume that the Internet is just as Hollywood portrays... A rock-solid utility run by the Government that only PhDs and arcanely skilled teenage geniuses can control or understand.

Then they discover just how "fragile" it is, and start telling the people who've been making it work all along that they need to straighten up and fly right, or else a major disaster is going to happen. Good thing they told us.

It's sad that they can't just say "Oh, I guess I didn't understand.". Instead they have to "take charge" of things because otherwise they'd have to accept their own irrelevance, or even (gasp) accept that despite their new-found expertise, they *still* don't really understand.

So straighten up, Cisco... it's obvious to this guy you don't know what you're doing. Fix that BGP thing and do it NOW, you hear him?

Re:Imminent death of Internet predicted... (2)

abigor (540274) | more than 2 years ago | (#34405356)

You are absolutely right. Reminds me of that hysterical article from a few years back: "Is Linus Killing Linux?"

How to counter .... (0)

Anonymous Coward | more than 2 years ago | (#34405448)

Then they discover just how "fragile" it is, and start telling the people who've been making it work all along that they need to straighten up and fly right, or else a major disaster is going to happen.

It's very simple; put all ISPs behind NAT routers - Linksys' are perfect. Therefore, all the ISPs will be 192.1.1.xxx and everyone will be under that. The Internet only needs one hundred IP addresses!

My captcha is "urinate" - how fitting.

Re:Imminent death of Internet predicted... (0)

Anonymous Coward | more than 2 years ago | (#34405600)

Articles like these are ripe for parody.

World collapse imminent: pundit discovers IEEE 754 floating point numbers aren't always able to accurately store fractional components of real numbers.

Re:Imminent death of Internet predicted... (1)

Kjella (173770) | more than 2 years ago | (#34405912)

Somehow I imagine the same will happen with IPv6. When shit hits the fan they'll throw a y2k panic round of fixes and it will get done.

Re:Imminent death of Internet predicted... (1)

divisionbyzero (300681) | more than 2 years ago | (#34405948)

It's always amusing when a new pundit discovers exactly how the Internet actually works.

Until they gain enough technical knowledge to be dangerous, they assume that the Internet is just as Hollywood portrays... A rock-solid utility run by the Government that only PhDs and arcanely skilled teenage geniuses can control or understand.

Then they discover just how "fragile" it is, and start telling the people who've been making it work all along that they need to straighten up and fly right, or else a major disaster is going to happen. Good thing they told us.

It's sad that they can't just say "Oh, I guess I didn't understand.". Instead they have to "take charge" of things because otherwise they'd have to accept their own irrelevance, or even (gasp) accept that despite their new-found expertise, they *still* don't really understand.

So straighten up, Cisco... it's obvious to this guy you don't know what you're doing. Fix that BGP thing and do it NOW, you hear him?

++

Re:Imminent death of Internet predicted... (1)

hesaigo999ca (786966) | more than 2 years ago | (#34406744)

Reminds me of that episode from the IT Crowd, where they create a black box,
and actually convince their (uber fail) boss that it IS the internet,
and is on loan for a few days, and that she can take it to a show and tell meeting....really funny!

Re:Imminent death of Internet predicted... (1)

noidentity (188756) | more than 2 years ago | (#34408272)

Man, I just found out that if a person's heart stops beating for a few minutes, he dies! Something must be done about this, or millions of people will start dying every day due to heart failure. We need to build in redundancy, or the human race might not survive.

Do keep in mind... (0)

Anonymous Coward | more than 2 years ago | (#34405248)

That every major ISP carefully plans out and monitors their BGP peering sessions. I do agree that fragmentation is an issue, but not with the blatant Chinese sensationalism. It is against any ISP's best interests to load their BGP metrics in a way to drastically change the current flow of data, as that would introduce network instability. In addition, the author doesn't seem to recognize that roughly 50% of the traffic on the internet today is either Google or Facebook related - they can talk about an elegant and scalable solution all they want, but so long as the traffic looks like it does now, it is the content providers who drive the future of the landscape.

Yes (1)

geekoid (135745) | more than 2 years ago | (#34405252)

it's a disaster, the internet is collapsing, the world is ending. blah. blah. blah.

But there is a solution (1)

hades.himself (1678062) | more than 2 years ago | (#34405268)

And that's why RPKI is under development all over the world.

Pakistan 2008 (1)

Teun (17872) | more than 2 years ago | (#34405340)

Isn't this somewhat comparable to the problems Pakistan Telecom caused in 2008 with an unauthorized announcement of YouTube's subnet prefix?

If so not much has been learned...

I'm not worried (1)

arcite (661011) | more than 2 years ago | (#34405394)

my router has lots of bandwidth.

Where does IPv6 stand in this? (2)

Midnight Thunder (17205) | more than 2 years ago | (#34405418)

Since we are now getting to the final blocks of IPv4, how does this issue effect IPv6? Is this currently an IPv4 issue or will it impact IPv6 too?

Re:Where does IPv6 stand in this? (1)

0123456 (636235) | more than 2 years ago | (#34405584)

I believe the intention is that location would be encoded in the IPV6 address, so routing be easy and misrouting would never be an issue (OK, router bugs aside). If, say, you give each country a 16-bit top-level IPV6 prefix, then you'll never end up sending American data to China by accident and you'd still never run out of IP addresses for those countries.

Just another example of why we need to switch from IPV4 to IPV6.

Re:Where does IPv6 stand in this? (1)

phyrexianshaw.ca (1265320) | more than 2 years ago | (#34405818)

uhhhhh.... unless you have a prefix from another country that had to be moved somewhere else.

Say I have a /16 that was supposed to be assigned in Africa. Being that I've got a location in Cairo, one in Toronto, and one in Dallas: there's nothing stopping me from injecting my routes into the global BGP session to route a portion (say a /24) of that to each of the centers.

you can't localize a prefix. that would cause a dependence on DNS to resolve names for IP's that may move around the world. and I don't know about you: but I sure hate it when things stop working because of DNS.

Re:Where does IPv6 stand in this? (1)

0123456 (636235) | more than 2 years ago | (#34405914)

uhhhhh.... unless you have a prefix from another country that had to be moved somewhere else.

Then you have to route to a prefix for a global ISP which will do whatever it wants with the packets. But there's no reason to have complex routing for a fixed computer in Africa which allows their packets to be sent to China by accident, just because some people are using satellite internet which could be anywhere on the planet. Though I guess you do always need some way to reconfigure the routers if required, so there's always going to be some protocol which could be used to tell them to send packets in completely the wrong direction.

Re:Where does IPv6 stand in this? (0)

Anonymous Coward | more than 2 years ago | (#34407560)

uhhhhh.... unless you have a prefix from another country that had to be moved somewhere else.

uhhhhh why move the prefix somewhere else? Deallocate the old one and get a new one in the new country. There are more IPv6 addresses than there are stars in the universe.

Re:Where does IPv6 stand in this? (0)

Anonymous Coward | more than 2 years ago | (#34408364)

So I guess you don't want anyone running anycast either?

Re:Where does IPv6 stand in this? (1)

Unequivocal (155957) | more than 2 years ago | (#34405698)

In TFA they mention this -- suggesting that V6 transition will exacerbate the BGP tables bloat problem, without addressing the core trust routing issues inherent with the way BGP is propagated today.

Makes sense - with new V6 routable addresses available a bunch of folks who have been compressing their networks behind NAT will probably put a lot of new networks online under V6. With V4 running side-by-side, there will need to be some kind of V4 BGP route over to these new V6 networks in order for them to be translatable. More BGP bloat..

Come to think of it, this seems like a big reason why V6 transition is so dang hard.

I do not know how BGP or something equivalent works in the V6 world and the article didn't seem to address that. Anyone?

Re:Where does IPv6 stand in this? (1)

Rich0 (548339) | more than 2 years ago | (#34406518)

I'm certainly not a BGP expert, but I also agree that IPv6 is likely to compound the problem. More routable IPs means it is harder to route them.

This sounds a lot like all the issues that went into local-number-portability with the phone company.

It used to be that a phone number was basically a hierarchical routing system. If the number was 123-456-7890 the telco would look up who handles 123, and pass along the call. Then that switch would figure out who has 456, and so on.

Now that there is local number portability this breaks down. I can keep my area-code 123 number from Maine and use it in California. The result is that any time you dial a phone number there needs to be a central database lookup to figure out who owns the number, and where it might be. If the number is mobile it gets even more complicated, though I suspect that this becomes the wireless provider's headache.

Now, with phone numbers the problem is manageable since there are only 32-bits worth in the US, and relatively few of those are actually ported. Numbers aren't portable internationally, so that is where it ends. Also, phone calls tend to be more channel-based, so the routing only happens once to open the channel, and then packets follow the same route (at least it used to work that way).

With IPv6 you can have WAY more address space than you could ever store in a database, so you need to limit route propagation even fairly high up the tree.

I think that we need to get rid of the concept of IPs as property, or as personal identifiers. That is what leads to route fragmentation in the first place.

Re:Where does IPv6 stand in this? (2)

19thNervousBreakdown (768619) | more than 2 years ago | (#34406796)

More routable IPs means it is harder to route them.

Not necessarily. Fragmentation is the biggest issue--you can very often collapse a huge number of routes down to one since you only have to worry about the next hop. Resolve those routes as soon as you get the tables, then for everything that shares a prefix, collapse it into a single route. If there's small chunks taken out of it that need to go elsewhere, put them higher up in the priority list.

But, as we start to run out of addresses, an ISP who needs 4 million addresses is going to have to scrounge from hundreds of tiny prefixes that still exist instead of getting a large contiguous block of addresses. Route collapsing isn't going to have nearly as much effect in that case.

If IPv6 significantly reduces the address pressure, and it should unless those giving out prefixes are completely incompetent, complex routing tables will be able to be made simpler again. There will still be fragmentation issues for PI addresses, but hopefully those are all under a single dedicated prefix so they at least don't make the rest of the space worse as well.

Re:Where does IPv6 stand in this? (1)

Rich0 (548339) | more than 2 years ago | (#34407002)

I do agree with some of your points. An IP for every refrigerator on the planet isn't really a big problem.

An IP for every shoe or wristwatch on the planet, however, is. The difference is mobility - since mobility tends to cause route fragmentation.

Re:Where does IPv6 stand in this? (1)

Midnight Thunder (17205) | more than 3 years ago | (#34412644)

I do agree with some of your points. An IP for every refrigerator on the planet isn't really a big problem.

An IP for every shoe or wristwatch on the planet, however, is. The difference is mobility - since mobility tends to cause route fragmentation.

Then again, who says these devices will have the same IP where ever they go? I suspect these devices will get dynamic addresses.

What will be interesting is how big corporations connect to the internet via multiple providers.

Re:Where does IPv6 stand in this? (0)

Anonymous Coward | more than 2 years ago | (#34407240)

The core issue is the semantic overloading of IP addresses. They serve as both IDs and locations; it's as if your address was your name. Cisco is working on a very interesting solution called LISP, the Locator/ID Separation Protocol: http://www.cisco.com/en/US/products/ps10800/products_ios_protocol_option_home.html

Separating the ID from the location function allows for much simpler and more elegant multi-homing, by basically letting us say we want packets routed to a specific ID and let the network determine where it actually is. In retrospect this is how the internet should have been designed, but it's too late now.

Re:Where does IPv6 stand in this? (2)

Melkman (82959) | more than 2 years ago | (#34405702)

BGP works the same for IPv6 and IPv4, so filtering peers according to trust is still required. However the fragmentation issue is way worse for IPv4. This is because IPv6 allocations are that much bigger. To service 100k customers it is not uncommon for an ISP to use more than 10 IPv4 allocations which normally are not contiguous. That is because the ISP can only request extra IPv4 address space from the RIR after he has assigned his current allocation to existing customers. To route those allocations the ISP has to announce more than 10 routes (one for each allocation) with BGP. This is one of the reasons the full internet routing table approaches 500k routes atm. For IPv6 the ISP can probably service all of its customers with 1 or 2 allocations. So the routing table will be about a factor 10 smaller. (The figures are guesstimates, but I think they are about right.)
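
The route collapsing 19thNervousBreakdown describes above (merge everything that shares a next hop, keep the carved-out chunks as higher-priority more-specifics) and the reason Melkman gives for why it does not help an ISP whose IPv4 space arrived as many discontiguous allocations, as one added example; this is not code from either post. The routes and next-hop names are constructed: the 198.51.100.0/23 range arrives as pieces over one upstream with one customer /26 pointing elsewhere, while 192.0.2.0/24 and 203.0.113.0/25 stand in for allocations that have no neighbour to merge with.

```python
import ipaddress
from collections import defaultdict
from typing import List, Tuple

Route = Tuple[str, str]   # (prefix, next hop)

# Constructed routes, as a router might learn them (hypothetical next-hop names).
ROUTES: List[Route] = [
    ("198.51.100.0/25", "upstream-A"),
    ("198.51.100.128/25", "upstream-A"),
    ("198.51.101.0/24", "upstream-A"),
    ("198.51.101.64/26", "customer-B"),   # exception punched out of the range above
    ("203.0.113.0/25", "upstream-A"),     # no sibling /25 present: cannot collapse
    ("192.0.2.0/24", "upstream-A"),       # discontiguous allocation: cannot collapse
]


def aggregate(routes: List[Route]) -> List[Route]:
    """Merge sibling prefixes that share a next hop; keep exceptions as more-specifics."""
    by_hop = defaultdict(set)
    for prefix, hop in routes:
        by_hop[hop].add(ipaddress.ip_network(prefix))

    result: List[Route] = []
    for hop, nets in by_hop.items():
        merged = True
        while merged:                             # repeat until no two siblings remain
            merged = False
            for net in list(nets):
                if net.prefixlen == 0:
                    continue
                parent = net.supernet()
                halves = set(parent.subnets())    # the two /(n+1) children of the parent
                if halves <= nets:                # both halves go the same way: collapse
                    nets -= halves
                    nets.add(parent)
                    merged = True
                    break
        # A prefix entirely inside another prefix with the same next hop adds nothing.
        nets = {n for n in nets
                if not any(n != o and n.version == o.version and n.subnet_of(o) for o in nets)}
        result.extend((str(n), hop) for n in nets)

    # Most specific first, so an exception is matched before the aggregate that covers it.
    return sorted(result, key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[0]))


if __name__ == "__main__":
    for prefix, hop in aggregate(ROUTES):
        print(prefix, "->", hop)   # 6 routes in, 4 out: only the contiguous pieces merge
```

Only the four pieces of 198.51.100.0/23 fold into one entry; the customer /26 survives above it, and the two lone allocations stay as they were. That is Melkman's point in miniature: an ISP holding ten scattered IPv4 blocks still announces ten routes, while one large IPv6 allocation is one route no matter how it is carved up internally.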

Re:Where does IPv6 stand in this? (2)

zn0k (1082797) | more than 2 years ago | (#34406298)

That's only true if you ignore that virtually all businesses of decent size are going to want provider independent space. IPv6 was indeed designed to be strictly hierarchical and to have everyone take ISP IP space - but that doesn't work for larger businesses in practice. Larger businesses need to multihome with multiple providers to protect against provider failure. There are some design proposals out there for 'shims' that would let you run a server on an address from ISP 1 and recover the session with a client to an IP address from ISP 2, but those aren't real yet. The only real solution we have is to give businesses provider independent space that they then announce to both ISPs - and at that point you're worse off than you are with IPv4 as there are far more potential routes due to the larger address space.

Re:Where does IPv6 stand in this? (1)

Melkman (82959) | more than 2 years ago | (#34408682)

Agreed, multihoming will add to the routing table size. However, if you look at the RIPE policy for IPv6 PI space ( http://www.ripe.net/ripe/policies/proposals/2006-01.html ) you'll see that a business will get at least a /48. With 64K networks that will suffice for most. And the big multinationals that do require more will have no problem getting it, in a single prefix. So it stays with about one prefix per business (and in a filterable range for non transit systems too) which means less fragmentation. So I don't agree that the bigger address space will lead to more routes. Only more multihoming organisations will lead to more routes. If anything, the larger address space allows to aggregate better because there is less need to utilize every bit of the space. On the other hand I suspect fragmentation of IPv4 will increase dramatically after the RIRs run out. Because large prefixes will be cut up in smaller ones and sold/transferred to other parties. No, that's not allowed now but I bet it will be after the RIRs run out.

This B.S. again? Lies never die ;-) (2)

sribe (304414) | more than 2 years ago | (#34405528)

In April 2010, about 15% of the world's Internet traffic was hijacked by a set of servers owned by China Telecom...

Except of course that after the initial flurry of headlines, analysis showed that the 15% figure was a wild exaggeration, orders of magnitude off...

Re:This B.S. again? Lies never die ;-) (1)

PhrstBrn (751463) | more than 2 years ago | (#34405774)

Why fact-check and do actual journalism, when you can lie and be lazy, and make more money!

Re:This B.S. again? Lies never die ;-) (0)

Anonymous Coward | more than 2 years ago | (#34406184)

Why fact-check ...

You must be confused, the art of fact checking is more about checking to see if the publisher can be sued for what is printed rather than check for actual factual evidence.

Let me get this straight. (2)

Nailer235 (1822054) | more than 2 years ago | (#34405658)

When we realize the government has inadequate security we leap together in unison and scream, "Why didn't they fix that loophole before??" But when someone tries to raise awareness about the need to take preventative measures on a large scale, all of a sudden it's "lulz silly journalist." Also, the author is not even a journalist. His name is Ram Mohan, "Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. "

Claims About China's Internet Hijack Are Overblown (0)

Anonymous Coward | more than 2 years ago | (#34405662)

Claims About China's April Internet Hijack Are Overblown

http://tech.slashdot.org/story/10/11/19/1527217/Claims-About-Chinas-April-Internet-Hijack-Are-Overblown

So why is it being repeated over and over again?

Re:Claims About China's Internet Hijack Are Overbl (1)

phyrexianshaw.ca (1265320) | more than 2 years ago | (#34405892)

because people keep reposting it after reading it while knowing nothing about the topic that's being discussed.

regardless: all this shows is that:
1) a Chinese telecom was advertising routes for someone they shouldn't.
2) it takes a while for the BGP sessions to converge and reveal that two hosts were advertising the same prefixes,
3) the Chinese telecom SHOULD have pulled the local machine that was advertising a prefix for which it was not authoritative,
4) the Chinese telecom decided NOT to do this, revealing awareness that some globally routed prefixes at the local level can be forwarded to local routers before either being captured or properly forwarded.

there is NOTHING new here: this is how BGP works.

Wait a second.... (3, Informative)

SirThe (1927532) | more than 2 years ago | (#34405950)

In April 2010, about 15% of the world's Internet traffic was hijacked by a set of servers owned by China Telecom.

Wasn't there an article yesterday about how this wasn't true?

Mod parent up (0)

Anonymous Coward | more than 2 years ago | (#34406094)

Yes, here on slashdot. Please mod parent up. I wanted to say this, but I stay as an AC.

Re:Wait a second.... (0)

Anonymous Coward | more than 2 years ago | (#34410810)

Yeah, the story explaining how the 15% figure was pulled out of some blogger's backside was posted by Soulskill on Nov 19. http://tech.slashdot.org/story/10/11/19/1527217/Claims-About-Chinas-April-Internet-Hijack-Are-Overblown.

And yet /. promotes IPv6 (2)

ugen (93902) | more than 2 years ago | (#34405958)

It's amazing that in the same breath (definitely on the same page) there are posts promoting/demanding immediate/accelerated acceptance/implementation of IPv6 and then this.

People, wake up - there are significant problems running the current, well compacted address space. Things will only get worse when address space becomes extremely sparse and, for all practical purposes, infinite.

Re:And yet /. promotes IPv6 (2)

Raptoer (984438) | more than 2 years ago | (#34409390)

Perhaps, but what choice do we have? Once we run out of v4 addresses we have to do something.
Also: IPv6 is initially allocated via geographical areas.

More importantly, it doesn't matter how sparse the table is as long as each section is contiguous. If I know I can send any traffic from (made up protocol) hosts 1 to 1000 to router 1200, and any hosts from 10,000,000 to 10,010,000 to router 4500, then my table is just fine.

As the life of an address space goes on it will tend to become less compacted, switching to a new one that is huge will make a sparse, but compacted table.

Re:And yet /. promotes IPv6 (1)

BitZtream (692029) | more than 2 years ago | (#34409958)

I'm pretty sure the same thing was said when the switch to CIDR instead of the old class based allocations was taking place too.

Re:And yet /. promotes IPv6 (1)

pipedwho (1174327) | more than 3 years ago | (#34412484)

People, wake up - there are significant problems running the current, well compacted address space. Things will only get worse when address space becomes extremely sparse and, for all practical purposes, infinite.

With judicious allocation of IPv6 addresses this won't be a problem for a very long time.

Also, if it does become a looming issue in the far future, then some sort of periodic de-fragmentation of the upper address bits is always a possibility. Since the address space is so large, this could be done over a 20 year migration by slowly moving networks onto parallel 'de-fragged' address segments.

IPv6 & Fragmentation (2)

xkr (786629) | more than 2 years ago | (#34406042)

The author complains about "fragmentation of routing tables," but then goes on to talk about route hijacking. Doesn't IPv6 largely fix routing table fragmentation? (Real question -- hoping for answer.) Route hijacking is largely fixed by good routing filter hygiene, as explained in previous posts. Most routing protocols support encryption, which won't help if a trusted router sends you bad routes, but can at least make sure you can tell the difference between trusted and untrusted route updates. I don't think BGP supports encrypted advertisements. Anybody know?

Re:IPv6 & Fragmentation (2)

xkr (786629) | more than 2 years ago | (#34406226)

Also, IPv6 assigns addresses in geographic blocks, so you can easily tell if routes don't make any sense at all, like US to US routing via China.

Re:IPv6 & Fragmentation (0)

Anonymous Coward | more than 2 years ago | (#34406504)

No. Some academics thought it could, but in reality NO autonomous system is going to pay any ISPs any extra $$$ for IPv6 address space AND deal with renumbering crap when they have to switch ISPs.

So, we now have IPv6 relocatable blocks. Which means it works the same way as in IPv4. Now, aggregation is *easy*, but it is not DONE in IPv4 (and it won't be done in IPv6 either) when you need to do traffic engineering to steer incoming traffic towards some specific link/transit AS. THAT is not going to change without a MAJOR change in the way Internet routing (i.e. BGP) works.

So, if anything, IPv6 will make it much worse.

But hey, WTF routers have to be such !@#$ constrained devices with $$$$$$$$ memory? A US$ 10K server has enough RAM and CPU to deal with 10,000 copies of the full IPv4 routing table (and it degrades into just *one* FIB, which is what has to go to the hardware anyway and you can summarize it a LOT). "Fix the routers" may well be the answer.

Re:IPv6 & Fragmentation (0)

Anonymous Coward | more than 2 years ago | (#34407032)

IPv6 does not inherently fix the problem, but has a large enough number of addresses that they are given out based on geography. This was also largely the idea of IPv4 until addresses first became scarce and classless routing was invented. The regional routing can be broken, though (for example through the use of MobileIP until a care-of address is established, or VPN), and some of the first assigned prefixes had nothing to do with geography (3ffe::, the 6bone network, and 2002:: for 6to4).

Re:IPv6 & Fragmentation (0)

Anonymous Coward | more than 2 years ago | (#34409460)

No, but it does support authenticated peers and all sorts of cool stuff like "if you advertise all of the sudden a metric crapton of prefixes when you should only be advertising ten, I will reset my BGP peering with you".

Route table growth and IPv6 (0)

Anonymous Coward | more than 2 years ago | (#34406070)

I've always wondered when everyone switches to IPv6 doesn't this effectively double the size of the DFZ's routing table right there as IPv6 network advertisements are independent of v4?

I honestly don't get why routing table size is such a dire issue .. A few hundred thousand or even a few million routes does not seem unreasonable from a memory POV? Even for IPv6 it is not like you're going to see many folks advertising much more than a /32? ..gulp..right? :)

Have to keep in mind we are not talking all routers just those few that actually need to pull a full BGP session.

The biggest real fear issue I know of is propagating flappy state changes throughout the global network leading to some form of self-reinforcing congestive collapse but like all things there are countermeasures (route dampening) to address this and available bandwidth for signaling has more than kept up with table growth over time but perhaps not equally in all regions?

Before the world comes to an end and all my traceroutes start seeing stars I would like to mention it is telling the author omitted route filtering, bogons and basically every measure that exists today to prevent exactly the things he is talking about from his article.. WTF?

WRT the China incident the 15% number floating around is in the form of *routes* not traffic..again WTF.
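
The "route filtering, bogons" the comment above says the article left out, together with xkr's question further up about authenticating route updates and the Anonymous Coward reply about resetting a peer that suddenly advertises far more prefixes than it should, as one added example; it is not code from any of those posts or from any router vendor. On the authentication point: BGP sessions are commonly protected with the TCP MD5 signature option (RFC 2385), which authenticates the peer but does not encrypt the UPDATEs, so the per-peer policy below is what actually decides whether a trusted peer's routes are believed. The peer AS, prefix-list entries, maximum-prefix limit and UPDATE contents are all constructed (RFC 5737/3849 documentation prefixes, RFC 5398 documentation ASNs); the method names are hypothetical and resemble no particular vendor's syntax.

```python
import ipaddress
from typing import Dict, List, Tuple

# Well-known bogons (RFC 1122, 1918, 3927, 5771). The RFC 5737 documentation nets are
# deliberately left out because this example uses them as the customer's address space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Common DFZ convention: nothing more specific than /24 (IPv4) or /48 (IPv6) is accepted.
LONGEST_ACCEPTED = {4: 24, 6: 48}


class PeerPolicy:
    """Inbound policy for one eBGP customer session (hypothetical, not any vendor's syntax)."""

    def __init__(self, peer_as: int, allowed: List[Tuple[str, int]], max_prefixes: int):
        self.peer_as = peer_as
        # prefix-list: the customer's allocations and how far they may de-aggregate each one
        self.allowed = [(ipaddress.ip_network(p), max_len) for p, max_len in allowed]
        self.max_prefixes = max_prefixes

    def check(self, prefix: str, as_path: List[int]) -> str:
        """Return 'accept' or the reason this announcement is dropped."""
        net = ipaddress.ip_network(prefix)
        if not as_path or as_path[0] != self.peer_as:
            return "as-path does not start with peer AS"
        if net.prefixlen > LONGEST_ACCEPTED[net.version]:
            return "more specific than /%d" % LONGEST_ACCEPTED[net.version]
        if any(net.version == b.version and net.subnet_of(b) for b in BOGONS):
            return "bogon"
        for allowed_net, max_len in self.allowed:
            if net.version == allowed_net.version and net.subnet_of(allowed_net):
                return "accept" if net.prefixlen <= max_len else "too specific for prefix-list entry"
        return "not in prefix-list"

    def apply(self, announcements: List[Tuple[str, List[int]]]) -> Dict[str, object]:
        """Filter a batch; if too many distinct prefixes survive, tear the session down
        the way a maximum-prefix limit would, installing nothing from it."""
        accepted: Dict[str, List[int]] = {}
        rejected: List[Tuple[str, str]] = []
        for prefix, as_path in announcements:
            verdict = self.check(prefix, as_path)
            if verdict == "accept":
                accepted[prefix] = as_path
            else:
                rejected.append((prefix, verdict))
        if len(accepted) > self.max_prefixes:
            reason = "%d prefixes exceed maximum-prefix %d" % (len(accepted), self.max_prefixes)
            return {"session": "reset", "accepted": {}, "rejected": rejected, "reason": reason}
        return {"session": "up", "accepted": accepted, "rejected": rejected, "reason": ""}


# Constructed session: customer AS64496 holds one IPv4 /24 and one IPv6 /32 (de-aggregable to /40).
POLICY = PeerPolicy(peer_as=64496,
                    allowed=[("203.0.113.0/24", 24), ("2001:db8::/32", 40)],
                    max_prefixes=20)

# Constructed UPDATE contents: (prefix, AS_PATH) as received on that session.
NORMAL_DAY = [
    ("203.0.113.0/24", [64496]),
    ("2001:db8:100::/40", [64496]),
    ("2001:db8:0:1::/64", [64496]),      # longer than /48: dropped everywhere
    ("2001:db8::/44", [64496]),          # theirs, but finer than the prefix-list allows
    ("10.0.0.0/8", [64496]),             # bogon
    ("192.0.2.0/24", [64496]),           # well-formed, but not their space
    ("203.0.113.0/24", [64511, 64496]),  # AS_PATH does not start with the peer
]

# A leak: 64 distinct /40s, every one of them inside the customer's allocation and so
# passing the prefix-list. The maximum-prefix backstop is what catches this.
LEAK_DAY = [("2001:db8:%x00::/40" % i, [64496]) for i in range(64)]


if __name__ == "__main__":
    print(POLICY.apply(NORMAL_DAY))   # session up, two prefixes accepted, five rejected
    print(POLICY.apply(LEAK_DAY))     # session reset, nothing installed
```

The prefix-list is what stops the "advertising a prefix for which it was not authoritative" case, the bogon list stops garbage that no one should ever originate, and maximum-prefix is the blunt instrument for the day a peer starts re-announcing someone else's table; none of this depends on the peer being honest, which is exactly why the comment above objects to it being left out of the article.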

Re:Route table growth and IPv6 (1)

aXis100 (690904) | more than 3 years ago | (#34412792)

Routing table size IS the big issue.

Even with modern hardware accelerated routers, every new session that flows through the router requires a lookup on the destination address to find the next hop. As the routing tables grow, so does the time taken to initially look up that match. This is a non trivial exercise that needs to be accomplished in a very short space of time.

That said, it's nothing that more/faster/parallel hardware can't fix.

n1ghtw0lf (0)

Anonymous Coward | more than 2 years ago | (#34406072)

Well that's why you encrypt sensitive data. The whole idea of the internet is to be an autonomous HEADLESS system... granted, even though the majority of network is "trafficked" through a few very large governmental servers it's designed to run without the need of a centralized master and to change that would then introduce the "who should be in charge" question. Bottom line is if you don't want everyone to be able to read it either ENCRYPT it or better yet don't put it on the internet to start with!

Hmmmmm..... (1)

IHC Navistar (967161) | more than 2 years ago | (#34408220)

Is "Routing Hell" better than "Redirect Hell"? If it is, I'd like to leave the latter ASAP!

But what if (1)

TheHonch (1390893) | more than 2 years ago | (#34410734)

we would have a major conflict in the world, like a WW3 or slightly less, what could the cyberwarriors do? Wouldn't BGP-attacks be on top of the todo-list? Then DNS-rootservers? Or to put it differently, what would you do to cause the most disruption on the enemy?