date 2021-05-21
Arthur T Knackerbracket has processed the following story:
Comcast, one of America's largest broadband providers, has now deployed RPKI on its network to defend against BGP route hijacks and leaks.
A BGP route hijack is a networking problem that occurs when a particular network on the internet falsely advertises that it supports certain routes or prefixes that it, in fact, does not.
This occurs either because of malicious activity or some misconfiguration (the latter is better referred to as "BGP leaks" rather than hijacking).
Left unchecked, a BGP route hijack or leak can cause a drastic surge in misdirected internet traffic that eventually leads to global congestion and a Denial of Service (DoS).
This week, in a move to strengthen the security and robustness of its network, telecom giant Comcast has deployed Resource Public Key Infrastructure (RPKI) on its network.
RPKI is a framework designed to secure the Internet's routing infrastructure, primarily Border Gateway Protocol (BGP).
Last month, BleepingComputer reported that a major BGP leak had disrupted thousands of networks globally.
Some of Comcast's prefixes were also present in those advertised by Vodafone's network that suffered the leak.
[...] It is akin to having a "postal system" for the internet that facilitates the redirection of traffic from one (autonomous) system of networks to another.
The internet is a network of networks, so if, for example, a user based in one country wants to access a website based in another, there has to be a system in place that knows what paths to take when redirecting the user across multiple networked systems. This is similar to a letter transiting through multiple postal branches between its source and destination. That is the purpose of BGP: to direct internet traffic correctly over various paths and systems between the source and destination to make the internet function.
(Score: 5, Interesting) by driverless on Friday May 21, @11:12AM (6 children)
This won't actually prevent much, because pretty much all BGP problems have been from legitimate AS owners advertising incorrect routes. So RPKI just authenticates the invalid data rather than preventing much of anything. In particular the linked issue wouldn't have been prevented by RPKI, because the problem is authorisation, not authentication.
(Score: 2) by sjames on Saturday May 22, @02:43AM (5 children)
It will prevent some problems. A number of networks "borrow" public IPs that were handed out to the DOD but never used as internal addresses. Sometimes by error their border routers announce them. Turkey once tried to black hole youtube internally but the routes leaked beyond their border and caused global outages. Spam hosts have been known to hijack a disused /24. Other than the youtube incident, it's just not the sort of thing that will make the news, but it happens.
(Score: 0) by Anonymous Coward on Saturday May 22, @10:25AM (4 children)
And how would this RPKI stuff prevent the Turkey black hole stuff? Or even the BGP leak mentioned in the summary?
What I see that will prevent such stuff are systems that track who normally advertises what routes and geographically where these locations are. So in event that a huge/weird change occurs like an ISP in India says it has a great route to Brazil, it will get flagged and not implemented unless some human approves it.
(Score: 2) by sjames on Saturday May 22, @10:34AM (3 children)
Had RPKI been in place, nobody outside of Turkey would have accepted the black hole routes for Youtube's IPs.
(Score: 3, Touché) by driverless on Saturday May 22, @11:43AM (2 children)
Why not? The routes were signed by a legitimate, authorised, trusted key. You've fallen into exactly the trap I mentioned, confusing authentication with authorisation. What you need to do is configure your systems to ignore e.g. an ISP in Turkey advertising an address block for (US) Youtube, and that has nothing to do with RPKI. Or, more specifically, you can do that with or without RPKI, so its presence is irrelevant.
(Score: 2) by sjames on Saturday May 22, @05:18PM
How would the government of Turkey have managed to come up with Youtube's secret key?
(Score: 0) by Anonymous Coward on Sunday May 23, @04:24AM
The whole problem is that you cannot do that reliably 100% of the time without smart people doing manual review. People lie and make mistakes all the time. We wouldn't even be having this conversation if route leaks didn't exist. So please do tell your method (or the preferred alternative you support) for preventing route leaks that works without RPKI.
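To make the summary's description of RPKI and the thread's authentication-versus-authorisation disagreement concrete, here is an added example of RFC 6811 Route Origin Validation (ROV), the check RPKI actually enables. It is not code from the article, from Comcast, or from any commenter. The ROA set, the prefixes (RFC 5737 documentation ranges) and the AS numbers (RFC 5398 documentation range) are all constructed sample values. The example runs five constructed announcements through the common "reject invalid" policy: an announcement whose origin AS is not the one named in the ROA is rejected, while an announcement that keeps the legitimate origin but travels an unexpected path is still accepted, because ROV checks only the origin and says nothing about the path.

```python
"""RPKI Route Origin Validation (ROV) worked through on constructed data.

Added example; not code from the article, Comcast, or any commenter. The ROAs,
prefixes (RFC 5737 documentation ranges) and AS numbers (RFC 5398 documentation
range) are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorisation: prefix, authorised origin AS, max length."""
    prefix: str
    origin_as: int
    max_length: int


# Constructed ROA set: only AS64496 may originate 192.0.2.0/24, and no
# more-specific announcement (e.g. a /25) is authorised.
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 64496, 24),
)

# Constructed announcements as (prefix, AS path); the origin AS is the
# rightmost AS in the path.
SAMPLE_ANNOUNCEMENTS = (
    ("192.0.2.0/24", (64497, 64496)),          # legitimate origin via its transit
    ("192.0.2.0/24", (64497, 64498)),          # another AS claims to originate the prefix
    ("192.0.2.0/25", (64497, 64496)),          # more-specific beyond the ROA's max length
    ("192.0.2.0/24", (64499, 64497, 64496)),   # legitimate origin, unexpected path (a leak)
    ("198.51.100.0/24", (64497, 64500)),       # no ROA covers this prefix
)


def covering_roas(roas, prefix):
    """Return the ROAs whose prefix contains `prefix` (same address family only)."""
    net = ipaddress.ip_network(prefix, strict=True)
    result = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            result.append(roa)
    return result


def validate_origin(roas, prefix, origin_as):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'.

    A route is valid if at least one covering ROA names its origin AS and the
    announced prefix length does not exceed that ROA's max length; invalid if
    covering ROAs exist but none matches; notfound if no ROA covers the prefix.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def apply_rov_policy(roas, announcements):
    """Validate each announcement's origin; returns {(prefix, as_path): state}."""
    decisions = {}
    for prefix, as_path in announcements:
        state = validate_origin(roas, prefix, as_path[-1])
        decisions[(prefix, as_path)] = state
    return decisions


def accepted_routes(roas, announcements):
    """Routes that survive the usual policy: valid and notfound kept, invalid dropped."""
    return [key for key, state in apply_rov_policy(roas, announcements).items()
            if state != "invalid"]


if __name__ == "__main__":
    for (prefix, path), state in apply_rov_policy(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS).items():
        print(f"{prefix:18} path {' '.join(map(str, path)):22} -> {state}")
```

The second announcement (AS64498 originating a prefix whose ROA names AS64496) and the third (a /25 beyond the ROA's max length) come back invalid and are dropped, which is the case where an outsider's router originates someone else's block. The fourth keeps AS64496 as origin and only differs in the path, so ROV returns valid and the route is accepted; catching that needs a separate path or neighbour policy, which is the distinction the thread is arguing about. Notfound routes are accepted because most of the routing table still has no ROA, so a "reject notfound" policy would black-hole legitimate prefixes.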