
SoylentNews is people

posted by Fnord666 on Monday July 22 2019, @04:17PM
from the securing-the-future dept.

Over the last several weeks, some of the most prominent digital companies like Google, Cloudflare, Amazon and most recently Apple experienced issues with the services they are offering. While the types of services each of these companies offers differ, the common thread between these incidents was that they were a direct result of problems with the Border Gateway Protocol (BGP)—the protocol that more than any other technology makes the Internet a reality. Of course the other commonality across these incidents was that they were quite costly for the affected companies and their users.

BGP events such as these are meticulously investigated and reported at least internally by each organization, and in some cases quite publicly. However, in the aftermath of all the analysis and hand-wringing about the vulnerable state of the Internet, not much ever seems to happen in the big picture to prevent further routing problems from recurring. That is the situation we find ourselves in, decades after BGP’s inception.

Now, it’s not that there are no norms or built-in mechanisms for doing and making BGP right on the Internet. Over the years, methods such as maximum prefix limits, Internet Route Registry (IRR) based filtering and Resource Public Key Infrastructure (RPKI) have been defined and implemented. For more information on some of these methods, check out our earlier post on Best Practices to Combat Route Leaks and Hijacks.

Yet all of these best practice methods suffer from the same fundamental limitation—there’s no way to make these practices binding on all the networks that make up the Internet. The only way that best practices grow on the Internet is through social promotion and business pressure.

To that end, RIPE held an RPKI deployathon in March, a much-needed event that gave hands-on experience with RPKI technology to those who needed it the most – network engineers and operators. RPKI proponents have been active in raising awareness. In fact, if there was one positive thing that emerged as a result of recent outages, it was the fact that Border Gateway Protocol protection mechanisms, and especially RPKI, got some real exposure.

[...] Even though this was a very small scale and inadvertent event, it showcases how effective RPKI-based route filtering is.

Wide-scale adoption of RPKI will go a long way toward cleaning up Internet routing and making it more secure. How can you help? If you’re a provider, implement strict filtering based on RPKI. If you’re an enterprise, put strict routing announcement filtering based on RPKI down as a requirement in your RFIs or RFPs for ISP services. The more market pressure ISPs receive, the more they’ll be motivated to adopt best practices that benefit everyone.
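
For readers who have not seen what RPKI-based filtering decides per route, here is an added example (not part of the quoted article or the submission) of route origin validation as defined in RFC 6811. The VRP table, the announcements and the drop-invalid policy in `accept_routes` are constructed assumptions that use documentation prefixes and ASNs.

```python
import ipaddress

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"

# Constructed sample VRPs (validated ROA payloads): (prefix, max_length, origin ASN).
# Prefixes and ASNs are documentation ranges, not real allocations.
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64497),
    ("203.0.113.0/24", 24, 0),  # AS0: holder says "do not route this prefix"
]

def load_vrps(rows):
    """Parse (prefix, max_length, asn) rows into network objects."""
    return [(ipaddress.ip_network(p), ml, asn) for p, ml, asn in rows]

def validate_origin(vrps, prefix, origin_asn):
    """Classify one announcement following the RFC 6811 procedure."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_net, max_len, vrp_asn in vrps:
        # A VRP covers the route if the route is equal to or inside the VRP prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Match needs the same origin AS and a length within maxLength; AS0 never matches.
        if vrp_asn != 0 and vrp_asn == origin_asn and route.prefixlen <= max_len:
            return VALID
    # Covered but unmatched is invalid; no covering VRP at all is not-found.
    return INVALID if covered else NOT_FOUND

def accept_routes(vrps, announcements):
    """Assumed policy: drop invalid routes, keep valid and not-found ones."""
    return [(p, a) for p, a in announcements if validate_origin(vrps, p, a) != INVALID]

VRPS = load_vrps(SAMPLE_VRPS)

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin ASN)
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                        ("192.0.2.0/25", 64496), ("198.51.100.0/24", 64498)]:
        print(prefix, f"AS{asn}", validate_origin(VRPS, prefix, asn))
```

The `192.0.2.0/25` case shows why maxLength matters: a more-specific announcement from the authorized AS is still invalid when the ROA does not permit that length.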


  • (Score: 3, Interesting) by driverless (4770) on Tuesday July 23 2019, @04:56AM (#870223)

    I've worked on RPKI. Like many, many other BGP "solutions", it's something that requires everyone to participate and play by the rules, everyone to agree on a hierarchical, controlled way to do things, and everything to work perfectly. Easy enough to demonstrate in a Petri dish in the lab, but I don't think it's got a hope in the real world. The fact that it hasn't made a difference in nearly a decade of work on it seems to support that.

    And as if that wasn't enough, it relies on PKI in order to work...
