The Register reports a hack, speculated to be intentional instead of the usual finger fumble, whereby all of Google's traffic was routed for just over an hour to servers in Russia and China.
The Register story: https://www.theregister.co.uk/2018/11/13/google_russia_routing/.
It quotes this update from Google: https://status.cloud.google.com/incident/cloud-networking/18018#18018002
Excerpt from the update:
The issue with Google Cloud IP addresses being erroneously advertised by internet service providers other than Google has been resolved for all affected users as of 14:35 US/Pacific. Throughout the duration of this issue Google services were operating as expected and we believe the root cause of the issue was external to Google. We will conduct an internal investigation of this issue and make appropriate improvements to our systems to help prevent or minimize future recurrence.
As BGP is "broken by design", i.e. assumes trust where there is no longer any, what is perhaps surprising is that it took so long to happen. Does not augur well.
So much for "the internet always routes around damage". Maybe "always" takes time to happen...
Exercise for the reader: is it possible to circumvent this effectively, and if so, how? Has my paranoia-meter misfired, and there's really nothing to worry about?
(Score: 1, Interesting) by Anonymous Coward on Tuesday November 13 2018, @03:48PM (1 child)
"but the will to adopt it, is the biggest obstacle"
I wouldn't assume that "will" has anything to do with it. Routing tables are huge processing tasks. Using crypto to authenticate a route is probably several orders of magnitude more CPU load. IOW, you'd need to re-engineer the whole router, and it would still probably converge routes like a pig. And slow convergence creates other problems that can introduce cascade failure modes and Denial of Service attack vectors.
IOW, authentication systems tend not to scale at the rate required to authenticate a full BGP4 routing table on 100k nodes. While somebody may have written the software, making it scale is an entirely different problem.
(Score: 2) by HiThere on Tuesday November 13 2018, @06:18PM
That's a valid point, but wouldn't it be likely to apply to any replacement? Perhaps there could be classes of message with different security requirements, from ROT13 to secure against quantum computers, so only the most sensitive messages would need strong crypto...of course, that singles out just which ones are sensitive.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.