<h2 class="page-title"><a href="http://www.securityweek.com/routing-internet-disaster-waiting-happen">http://www.securityweek.com/routing-internet-disaster-waiting-happen</a></h2><h2 class="page-title">Routing on The Internet: A Disaster Waiting to Happen? </h2>
<div class="meta">
<div class="submitted">
<div>
By <a href="http://www.securityweek.com/authors/ram-mohan">Ram Mohan</a> on Dec 01, 2010 </div><br><div style="float: left; margin-top: 2px;">
<em>Internet Routing - The
Internet's leading architects have considered the rapid growth and
fragmentation of core routing tables one of the most significant threats
to the long-term stability and scalability of the Internet </em></div></div></div>
<p style="text-align: left;">It has been reported that in April 2010,
about 15% of the world’s Internet traffic was hijacked by a set of
servers owned by China Telecom. Popular websites such as <a href="http://dell.com">dell.com</a>,
<a href="http://cnn.com">cnn.com</a> and <a href="http://amazon.de">amazon.de</a> were “re-routed” through Chinese networks before
reaching their destinations for about 18 minutes, until technicians
restored the correct parameters. In the technical world, this is
typically called a prefix hijack and it happened due to a couple of
wrong tweaks made at China Telecom. Whether this was intentional or not
is unknown, but such routing accidents are all too common online.</p>
<p style="text-align: left;"><img src="http://www.securityweek.com/sites/default/files/Internet-Routing.jpg" alt="Dangers of Internet Routing Methods" title="How Internet Routing Works" style="float: right; margin: 5px; border: 1px solid black;" height="168" width="269"></p>
<p>The "Inter" in Internet denotes the fact that it is actually a
network comprised of thousands of interconnected networks, each of which
is generally managed by a different entity. While packets of your
requests to access information (such as DNS queries) traverse many
networks, including ISPs, top-level domain name servers, and even the
Root, a single type of hardware is used at every layer in this exchange
process – a router.</p>
<p>So what is the purpose of a router? Routers tell packets of data
which way to go. Many companies have private networks between offices,
or even departments. When an e-mail is sent from one of these private
networks to another within the company, the router “decides” that those
packets should not be sent out to the Internet, but should instead
travel within the corporate private network. An email sent from the
same person to a potential customer, however, would be sent out via the
Internet. In order for routers to know where to send things, they need
to maintain some data about other networks. These are known as “routing
tables”. If these routing tables get incorrect information, these
types of mishaps occur.</p>
<p>Routing accidents are not new. In April 1997, AS7007 announced
routes to all of the Internet. In December 2004, thousands of networks
in the US were misdirected to Turkey, making it look like Turkey was the
entire Internet. In September 2005, AT&T, XO and Bell South
networks were misdirected to Bolivia. In July 2007, Yahoo was
unreachable for an hour due to a routing problem. In February 2008,
Pakistan Telecom hijacked all traffic aimed at YouTube and took YouTube
offline for two hours. More examples abound.</p>
<p><strong>BGP table growth </strong></p>
<p>For a number of years, many of the Internet's leading architects have
considered the rapid growth and fragmentation of core routing tables
one of the most significant threats to the long-term stability and
scalability of the Internet. As the number of Internet hosts and
networks increases, so does the challenge for networks running older or
slower equipment.</p>
<p>Where these networks connect to each other to exchange traffic, it is
the Border Gateway Protocol that is responsible for deciding where to
forward IP packets to ensure they reach their correct destination
network. The BGP table, which can be found on all Internet routers,
contains all of the network "prefixes" – the IP address blocks assigned
to any given network – active on the Internet at any given time. Over
the years, as Internet usage has grown exponentially and the number of
organizations coming online has increased, the number of networks
advertised through BGP has swollen dramatically. In the last five years,
it has more than doubled, from about 150,000 at the start of 2005 to
almost 350,000 today. Some have suggested that the number of routing
table entries could hit two million in the next 10 years.</p>
<p>While this growth is due in part to the rapid global adoption of the
Internet in developed and developing nations, and the need for more
addresses as more Internet services come online, there are other
drivers. For example, the commercial imperative for reliable Internet
connectivity has compelled many organizations to multi-home their
mission-critical facilities, meaning they have two or more upstream
bandwidth suppliers. Depending on how their multi-homing architecture
has been designed, this can often mean a single data center, for
example, has to duplicate its entry in the core routing table, as it has
to announce the same network prefix multiple times, once for each
upstream link. This makes it more difficult to aggregate IP address
prefixes and to slow the expansion of the routing table.</p>
<p>The danger here is that while BGP is the de-facto protocol for
inter-domain routing on the Internet, actual routing occurs without
checking whether the originator of the route is authorized to do so.
The global routing system itself is made up of autonomous systems (AS)
which are simply loosely interconnected routing domains. Each
autonomous system decides, unilaterally, and even arbitrarily, to trust
everything it hears from any other AS, to use that information without
validation, and to further transmit that information to its other peers.
This is often called “routing by rumor.”</p>
<p>Efforts are underway to secure the BGP based routing system. The
IETF has initiated a working group which is working on a Resource Public
Key Infrastructure (RPKI) which provides authorization for who can
originate a route to an address. Once implemented, it would mean that
China Telecom could not assert that it is the authoritative source for
the networks used by <a href="http://dell.com">dell.com</a> or <a href="http://cnn.com">cnn.com</a>, because it would not be the
entity allocated the addresses for Dell or CNN.</p>
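<p>Route origin validation as RPKI enables it, in an added example that is not from the article: the ROAs and BGP updates are constructed from documentation prefixes (RFC 5737) and AS numbers (RFC 5398), and the check follows the RFC 6811 valid / invalid / not-found outcomes. It goes beyond the single wrong-origin case above by also showing the maxLength rule, which catches an over-specific announcement even when it comes from the right AS.</p>

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: which AS may originate a prefix, and how far it may be split."""
    prefix: str
    max_length: int
    origin_as: int

def covers(roa: ROA, prefix: str) -> bool:
    # RFC 6811 "covered": the announced prefix lies inside the ROA prefix.
    roa_net, ann_net = ipaddress.ip_network(roa.prefix), ipaddress.ip_network(prefix)
    return ann_net.version == roa_net.version and ann_net.subnet_of(roa_net)

def matches(roa: ROA, prefix: str, origin_as: int) -> bool:
    # RFC 6811 "matched": covered, no longer than maxLength, and the authorised origin AS.
    return (covers(roa, prefix)
            and ipaddress.ip_network(prefix).prefixlen <= roa.max_length
            and roa.origin_as == origin_as)

def validate_origin(roas, prefix: str, origin_as: int) -> str:
    """Route origin validation as a router would apply it to one BGP update."""
    if not any(covers(r, prefix) for r in roas):
        return "not-found"   # nobody has published a ROA for this space
    if any(matches(r, prefix, origin_as) for r in roas):
        return "valid"
    return "invalid"         # a ROA exists and this announcement contradicts it

# Constructed ROAs (hypothetical holders, documentation address space and ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/24", 26, 64501),
]

# Constructed announcements; AS64510 stands in for an unauthorised originator.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", 64500),      # legitimate holder
    ("192.0.2.0/24", 64510),      # wrong origin: the kind of hijack described above
    ("192.0.2.0/25", 64500),      # right AS, but more specific than maxLength allows
    ("198.51.100.64/26", 64501),  # de-aggregation the ROA explicitly permits
    ("203.0.113.0/24", 64502),    # no ROA published at all
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_UPDATES:
        print(f"{prefix:18s} AS{asn}  {validate_origin(SAMPLE_ROAS, prefix, asn)}")
```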
<p><strong>Support for IPv6 </strong></p>
<p>Much has been made of the imminent depletion of unused IPv4 address
space in the technology press recently. The Regional Internet
Registries, which are responsible for handing out chunks of IP addresses
to ISPs and businesses, said in October that only 5 percent of the
total amount of addresses permitted by the IPv4 standard now remains
unallocated by IANA, the top-level IP address repository. Further,
current allocation trends suggest that IANA's pool will very probably be
exhausted at some time in the first half of 2011. It is now likely only
a matter of a few years before the RIRs themselves run out of available
IPv4 addresses. The need for network managers to have a strategy for
supporting IPv6, which enables exponentially more IP addresses, is
clearer than ever.</p>
<p>IPv6, with its billions upon billions of additional potential
addresses, will not reduce the growth of routing tables either. Indeed,
there are reasons to believe that the transition between IPv4 and IPv6
may actually exacerbate the problem. The two protocols will have to work
alongside each other for many years to come, and there are some
bridging functions that will require more IPv4 addresses to be
allocated. As smaller chunks of the dwindling pool of IPv4 are handed
out, or traded between organizations with preexisting address block
allocations, aggregating network prefixes and therefore slowing the
growth of the routing table could become a more challenging proposition.</p>
<p><strong> DNSSEC </strong></p>
<p>Typical DNS queries are carried over the User Datagram Protocol
(UDP), which only provides for DNS responses under 512 bytes. Since
domain names with <a href="http://www.securityweek.com/deploying-dnssec-four-ways-prepare-your-enterprise-dnssec" title="Deploying DNSSEC - Four Ways to Prepare Your Enterprise for DNSSEC ">DNSSEC enabled</a>
come with more information, network providers are forced to re-ask for
the DNS response using the Transmission Control Protocol (TCP), which
can return larger sets of data. On average, a DNSSEC response is about
2-4 times the size of the equivalent non-DNSSEC response because it also contains
the Resource Record Signature (RRSIG). To validate the signature, both
the Delegation Signer (DS) record and the DNSKEY record must also be
obtained, creating additional query load.</p>
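<p>The UDP size limit and the TCP re-ask described above, as an added example that is not from the article: both sides of the exchange in Python, parsing the DNS header's truncation (TC) flag. The messages are constructed inline, with padding standing in for the question, answer and RRSIG records, and the sizes are made up.</p>

```python
import struct

DNS_UDP_LIMIT = 512  # classic DNS-over-UDP payload limit the article refers to
TC_BIT = 1 << 9      # "truncated" flag in the header flags word (RFC 1035 4.1.1)

def build_header(msg_id, qr=1, tc=0, rcode=0, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Constructed 12-byte DNS header. Flags word, high bit first:
    QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4); RD and RA are set."""
    flags = (qr << 15) | (tc << 9) | (1 << 8) | (1 << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)

def parse_header(msg: bytes) -> dict:
    """Decode the fields a resolver needs before it looks at any records."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def truncate_for_udp(full_response: bytes, limit: int = DNS_UDP_LIMIT) -> bytes:
    """Server side: an answer that does not fit the UDP limit goes back with
    TC=1. A real server keeps the question and whole records that still fit;
    this simplified version keeps only the header with all counts zeroed."""
    if len(full_response) <= limit:
        return full_response
    msg_id, flags, *_ = struct.unpack("!HHHHHH", full_response[:12])
    return struct.pack("!HHHHHH", msg_id, flags | TC_BIT, 0, 0, 0, 0)

def needs_tcp_retry(udp_response: bytes) -> bool:
    """Client side: a reply with QR=1 and TC=1 is incomplete, so the resolver
    must repeat the same question over TCP to get the RRSIG-carrying answer."""
    hdr = parse_header(udp_response)
    return hdr["qr"] == 1 and hdr["tc"] == 1

# Constructed messages: a small plain answer and a larger, DNSSEC-sized one.
# The bodies are padding in place of question/answer sections, not real RRs.
PLAIN_RESPONSE = build_header(0x1001, an=1) + b"\x00" * 80
DNSSEC_RESPONSE = build_header(0x1002, an=4) + b"\x00" * 1100

if __name__ == "__main__":
    for name, full in (("plain", PLAIN_RESPONSE), ("dnssec", DNSSEC_RESPONSE)):
        on_wire = truncate_for_udp(full)
        print(f"{name}: {len(full)} bytes -> UDP reply {len(on_wire)} bytes, "
              f"retry over TCP: {needs_tcp_retry(on_wire)}")
```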
<p>A study by the ICANN Security and Stability Committee in September of
2008 revealed that just 25% of the routers they tested were fully
DNSSEC compatible, meaning they were able to both route and proxy DNS
data using TCP or UDP with messages over 4096 bytes.</p>
<p>Since we know that home users are the most price-sensitive and
therefore the slowest to replace aging home routers, this means that if
corporations were to enable DNSSEC tomorrow, a good percentage of home
routers probably could not return the DNSSEC information so that the
user could get to a DNSSEC-validated site.</p>
<p><strong> In summary </strong></p>
<p>Like DNSSEC and the transition to IPv6, solving the problem of
routing table expansion is something that the Internet community as a
whole needs to address. Limitations in aging appliances that cannot
handle new protocols like IPv6 and DNSSEC are something that
router manufacturers and users alike need to take seriously. While it
is incumbent upon network operators to ensure that their equipment is
capable of handling the Internet's latest evolution, it is the
development of standards and practices for scalable routing, and
replacement of old hardware in the consumer market that should be done
through cooperation between hardware manufacturers, ISPs and other
interested stakeholders to preserve a smoothly operating Internet.</p>