[AfrICANN-discuss] Routing on The Internet: A Disaster Waiting to Happen?
Anne-Rachel Inné
annerachel at gmail.com
Thu Dec 2 19:21:09 SAST 2010
http://www.securityweek.com/routing-internet-disaster-waiting-happen
Routing on The Internet: A Disaster Waiting to Happen?
By Ram Mohan <http://www.securityweek.com/authors/ram-mohan> on Dec 01, 2010
*Internet Routing - The Internet's leading architects have considered the
rapid growth and fragmentation of core routing tables one of the most
significant threats to the long-term stability and scalability of the
Internet*
It has been reported that in April 2010, about 15% of the world’s Internet
traffic was hijacked by a set of servers owned by China Telecom. Popular
websites such as dell.com, cnn.com and amazon.de were “re-routed” through
Chinese networks before reaching their destinations for about 18 minutes,
until technicians restored the correct parameters. In the technical world,
this is typically called a prefix hijack and it happened due to a couple of
wrong tweaks made at China Telecom. Whether this was intentional or not is
unknown, but such routing accidents are all too common online.
[image: Dangers of Internet Routing Methods]
The "Inter" in Internet denotes the fact that it is actually a network
comprised of thousands of interconnected networks, each of which is
generally managed by a different entity. While packets of your requests to
access information (such as DNS queries) traverse many networks, including
ISPs, top-level domain name servers, and even the Root, a single type of
hardware is used at every layer in this exchange process – a router.
So what is the purpose of a router? Routers tell packets of data which way
to go. Many companies have private networks between offices, or even
departments. When an e-mail is sent from one of these private networks to
another within the company, the router “decides” that those packets should not
be sent out to the Internet, but should instead travel within the corporate
private network. An email sent from the same person to a potential customer,
however, would be sent out via the Internet. In order for routers to know
where to send things, they need to maintain some data about other networks.
These are known as “routing tables”. If these routing tables get incorrect
information, these types of mishaps occur.
Routing accidents are not new. In April 1997, AS7007 announced routes to all
of the Internet. In December 2004, thousands of networks in the US were
misdirected to Turkey, making it look like Turkey was the entire Internet.
In September 2005, AT&T, XO and Bell South networks were misdirected to
Bolivia. In July 2007, Yahoo was unreachable for an hour due to a routing
problem. In February 2008, Pakistan Telecom hijacked all traffic aimed at
YouTube and took YouTube offline for two hours. More examples abound.
*BGP table growth*
For a number of years, many of the Internet's leading architects have
considered the rapid growth and fragmentation of core routing tables one of
the most significant threats to the long-term stability and scalability of
the Internet. As the number of Internet hosts and networks increases, the
greater the challenge will be for networks running older or slower
equipment.
Where these networks connect to each other to exchange traffic, it is the
Border Gateway Protocol that is responsible for deciding where to forward IP
packets to ensure they reach their correct destination network. The BGP
table, which can be found on all Internet routers, contains all of the
network "prefixes" – the IP address blocks assigned to any given network –
active on the Internet at any given time. Over the years, as Internet usage
has grown exponentially and the number of organizations coming online has
increased, the number of networks advertised through BGP has swollen
dramatically. In the last five years, it has more than doubled, from about
150,000 at the start of 2005 to almost 350,000 today. Some have suggested
that the number of routing table entries could hit two million in the next
10 years.
While this growth is due in part to the rapid global adoption of the
Internet in developed and developing nations, and the need for more
addresses as more Internet services come online, there are other drivers.
For example, the commercial imperative for reliable Internet connectivity
has compelled many organizations to multi-home their mission-critical
facilities, meaning they have two or more upstream bandwidth suppliers.
Depending on how their multi-homing architecture has been designed, this can
often mean a single data center, for example, has to duplicate its entry in
the core routing table, as it has to announce the same network prefix
multiple times, once for each upstream link. This makes it more difficult to
aggregate IP address prefixes and slow the routing table expansion.
The danger here is that while BGP is the de-facto protocol for inter-domain
routing on the Internet, actual routing occurs without checking whether the
originator of the route is authorized to do so. The global routing system
itself is made up of autonomous systems (AS) which are simply loosely
interconnected routing domains. Each autonomous system decides,
unilaterally, and even arbitrarily, to trust everything it hears from any
other AS, to use that information without validation, and to further
transmit that information to its other peers. This is often called “routing
by rumor.”
Efforts are underway to secure the BGP based routing system. The IETF has
initiated a working group which is working on a Resource Public Key
Infrastructure (RPKI) which provides authorization for who can originate a
route to an address. Once implemented, it would mean that China Telecom
could not assert that it is the authoritative source for the networks used
by dell.com or cnn.com, because it would not be the entity allocated the
addresses for Dell or CNN.
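The origin-authorization check the RPKI paragraph above describes, as an added illustration (not code from the article or from any RPKI implementation): a minimal RFC 6811 route origin validation over constructed ROAs, using documentation prefixes and AS numbers, that labels the "same prefix, wrong origin" case as invalid so an operator can drop and alert on it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorisation: the holder of `prefix` allows `origin_as`
    to announce it, and any more-specific prefix no longer than `max_length`."""
    prefix: str
    max_length: int
    origin_as: int


def rov_state(announced_prefix, origin_as, roas):
    """RFC 6811 origin validation. 'notfound' when no ROA covers the prefix,
    'valid' when a covering ROA matches origin and length, else 'invalid'."""
    ann = ipaddress.ip_network(announced_prefix)
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version != ann.version or not ann.subnet_of(net):
            continue
        covered = True
        if roa.origin_as == origin_as and ann.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def filter_announcements(announcements, roas):
    """Defender-side policy: reject 'invalid' routes, keep 'valid' and
    'notfound', and return both lists so rejections can be alerted on."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = rov_state(prefix, origin_as, roas)
        (rejected if state == "invalid" else accepted).append((prefix, origin_as, state))
    return accepted, rejected


# Constructed sample: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
# AS64500 is the legitimate holder of 198.51.100.0/24; AS64496 is a stranger.
ROAS = [ROA("198.51.100.0/24", 24, 64500)]
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),  # the holder's own route
    ("198.51.100.0/24", 64496),  # same prefix, wrong origin: the hijack case
    ("198.51.100.0/25", 64500),  # holder, but more specific than maxLength
    ("203.0.113.0/24", 64497),   # no ROA at all: unknown, so not rejected
]

if __name__ == "__main__":
    ok, bad = filter_announcements(ANNOUNCEMENTS, ROAS)
    print("accepted:", ok)
    print("rejected:", bad)
```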
*Support for IPv6*
Much has been made of the imminent depletion of unused IPv4 address space in
the technology press recently. The Regional Internet Registries, which are
responsible for handing out chunks of IP addresses to ISPs and businesses,
said in October that only 5 percent of the total amount of addresses
permitted by the IPv4 standard now remains unallocated by IANA, the
top-level IP address repository. Further, current allocation trends suggest
that IANA's pool will very probably be exhausted at some time in the first
half of 2011. It is now likely only a matter of a few years before the RIRs
themselves run out of available IPv4 addresses. The need for network
managers to have a strategy for supporting IPv6, which enables exponentially
more IP addresses, is clearer than ever.
IPv6, with its billions upon billions of additional potential addresses,
will not reduce the growth of routing tables either. Indeed, there are
reasons to believe that the transition between IPv4 and IPv6 may actually
exacerbate the problem. The two protocols will have to work alongside each
other for many years to come, and there are some bridging functions that
will require more IPv4 addresses to be allocated. As smaller chunks of the
dwindling pool of IPv4 are handed out, or traded between organizations with
preexisting address block allocations, aggregating network prefixes and
therefore slowing the growth of the routing table could become a more
challenging proposition.
*DNSSEC*
Typical DNS queries are routed using the User Datagram Protocol (UDP), which
only provides for DNS responses under 512 bytes. Since domain names with DNSSEC
enabled <http://www.securityweek.com/deploying-dnssec-four-ways-prepare-your-enterprise-dnssec>
come with more information, network providers are forced to re-ask for the
DNS response using the Transmission Control Protocol (TCP), which can return
larger sets of data. On average, a DNSSEC response is about 2-4 times the
size of a normal non-DNSSEC query because it also contains the Resource
Record Signature (RRSIG). To validate the signature, both the Delegation
Signer (DS) record and the DNSKEY record must also be obtained, creating
additional query load.
A study by the ICANN Security and Stability Committee in September of 2008
revealed that just 25% of the routers they tested were fully DNSSEC
compatible, meaning they were able to both route and proxy DNS data using
TCP or UDP with messages over 4096 bytes.
Since we know that home users are the most price-sensitive and therefore the
slowest to replace aging home routers, this means that if corporations were
to enable DNSSEC tomorrow, a good percentage of home routers probably could
not return the DNSSEC information so that the user could get to a
DNSSEC-validated site.
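The UDP-then-TCP re-ask described in the DNSSEC section, as an added illustration (not code from the article): both sides of the exchange in miniature, with a real 12-byte DNS header layout and the TC (truncated) bit, but constructed placeholder answer bodies rather than real resource records. The 512-byte limit and the answer sizes are the article's figures and constructed values respectively.

```python
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR = 0x8000                   # "this is a response"
FLAG_TC = 0x0200                   # truncated (RFC 1035, section 4.1.1)
UDP_LIMIT = 512                    # classic DNS-over-UDP payload limit cited above


def build_response(qid, body, truncated=False):
    """Constructed DNS-like response: genuine header layout, placeholder body."""
    flags = FLAG_QR | (FLAG_TC if truncated else 0)
    return HEADER.pack(qid, flags, 1, 1 if body else 0, 0, 0) + body


def is_truncated(msg):
    """Read the TC bit from the header of a wire-format message."""
    _, flags, *_ = HEADER.unpack_from(msg)
    return bool(flags & FLAG_TC)


def serve_udp(qid, full_answer):
    """Server over UDP: if the answer will not fit, send only a header with
    TC=1 so the client knows it must re-ask over TCP."""
    if HEADER.size + len(full_answer) > UDP_LIMIT:
        return build_response(qid, b"", truncated=True)
    return build_response(qid, full_answer)


def serve_tcp(qid, full_answer):
    """Server over TCP: no 512-byte ceiling, so the whole answer goes back."""
    return build_response(qid, full_answer)


def resolve(qid, full_answer):
    """Client: try UDP first, retry over TCP on TC=1.
    Returns (transport_used, answer_body)."""
    msg = serve_udp(qid, full_answer)
    if is_truncated(msg):
        msg = serve_tcp(qid, full_answer)
        return "tcp", msg[HEADER.size:]
    return "udp", msg[HEADER.size:]


# Constructed sizes: a plain answer versus a DNSSEC answer padded out to the
# size an RRSIG-bearing response reaches.
PLAIN_ANSWER = b"A" * 120
DNSSEC_ANSWER = b"S" * 1100
```

A home router that drops or mangles the TCP retry leaves the client stuck at the truncated UDP reply, which is the failure the study above measured.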
*In summary*
Like DNSSEC and the transition to IPv6, solving the problem of routing table
expansion is something that the Internet community as a whole needs to
address. Limitations in aging appliances that cannot handle the future new
protocols like IPv6 and DNSSEC are something that router manufacturers and
users alike need to take seriously. While it is incumbent upon network
operators to ensure that their equipment is capable of handling the
Internet's latest evolution, it is the development of standards and
practices for scalable routing, and replacement of old hardware in the
consumer market that should be done through cooperation between hardware
manufacturers, ISPs and other interested stakeholders to preserve a smoothly
operating Internet.