BGP and RPKI

栏目: IT技术 · 发布时间: 4年前

内容简介:We have been receiving occasional notifications, primarily via twitter from concerned customers who have visited 'isbgpsafeyet.com' and been told by the site's operator, Cloudflare, that their ISP is,Since this has now happened a few times, we felt it wort

We have been receiving occasional notifications, primarily via twitter from concerned customers who have visited 'isbgpsafeyet.com' and been told by the site's operator, Cloudflare, that their ISP is, apparently unsafe.

Since this has now happened a few times, we felt it worth giving some more information that may be useful to customers and others who've seen these tweets (either directed at us, or at other ISPs), explaining a bit about what BGP is and how RPKI can extend it, and also our feelings about Cloudflare attempting to build support in this manner, especially now, during the Corona Virus situation.

Setting the scene

Here is an example of the sort of tweet we have seen a few of now :

BGP and RPKI

To most of the world, this is a horror story! And we can see why people who have done the test would be naturally worried.

What is this "isbgpsafeyet.com" website?

The site is created by Cloudflare. Their aim is to encourage Internet providers to adopt the standard of BGP route validation known as 'RPKI' (Resource Public Key Infrastructure). Whilst it may be a good aim, we feel it is needlessly and deliberately frightening Internet users, who may have no idea what BGP even is, into believing their ISPs are acting irresponsibly, and then auto-shaming them on twitter, perhaps unfairly.

What is 'classic' BGP and how does it work?

BGP (Border Gateway Protocol) is how pretty much the entire Internet handles routing. In simple terms, before BGP, the only option to allow a router to know how to pass on traffic to a destination network, was with a list 'static routes' - essentially instructions that said "for traffic for this network, pass it onto this router".

Manual lists of routes are not viable once you get beyond quite a small number of destinations. BGP is the dominant method on the public Internet of addressing this. Routes to networks are 'announced' by the owners of those networks in a way that propagates through the infrastructure to all routers.

This means that if an ISP wants to activate a new block of IP addresses, they make a 'BGP announcement' for this new block, and quite quickly, the whole Internet becomes aware of the routing for this. So far so good. However, because the whole system relies on a degree of 'trust' - that all announcements are bona fide and genuine, the system - as originally conceived - can be open to abuse, or straightforward accidental breakage, for example from a mistyped announcement. And there have been a number of famous situations where chunks of the Internet have been inadvertently 'blackholed' because of a mistake in an announcement, or deliberate attack.

What can be done to minimise risks in BGP?

As has already been said, a degree of 'trust' is required for the system to work. There is a lot of monitoring of route announcements designed to allow mistakes and malice to quickly be addressed. Major ISPs can quickly filter anything that is wrong, reducing the impact.

Of course, it would help if there was a way to be sure that these route announcements, and this is what RPKI aims to do. With this the network of major transit providers can ensure they don't accept mistakes or malicious announcements in the first place. Once the major networks that interconnect across the world have these measures in place, even smaller ISPs using them for transit will see the advantages of correct routes.

The whole idea has not been without controversy and concern - one issue with one authority signing these route announcements at the top level is that the local courts for that organisation can order it to remove signing and shut down a chunk of the Internet. As IP addressing is not handled by each country this gives a court a lot of power, and opportunity for mistake and abuse. However, everyone agrees something needs to be done to improve matters.

What are AAISP doing?

At this stage we are looking in to this. We want to be sure we take the right approach, some of which will involved asking our transit providers what they are doing about it. If we simply filtered invalid routes that we get from transit it is too late and the route is blocked. This is marginally better than routing to somewhere else (some attacker) but it still means a black hole in the Internet. So we need our transit providers sending only valid routes, and if they are doing that we suddenly need to do very little.

The other thing we can look into is ensuring our own routes are signed.

Both of these are relatively complicated issues in our core network and not something we want to do anything with in the middle of a pandemic!

We do plan to implement RPKI but have no ETA yet. In the mean time, having been made aware of an invalid route deliberately announced by Cloudflare, we have blocked that route manually.

Is Cloudflare's approach the right approach?

No.

BGP and RPKI

We support much that Cloudflare does in the wider community, in particular its work to ensure sites remain reliable - especially at the moment, and its work providing public resources for things like DNS, including DoH. In short, we like Cloudflare, generally speaking.

But this site cultivates unnecessary fear in the minds of people who often do not understand the (extremely important) minutiae of what they are looking at. Essentially we feel at a time when people are extremely concerned with the security and reliability of their Internet connections, Cloudflare's site is spreading fears, and even encouraging visitors of their site to automatically spread and share that fear via Twitter.

See the tweet on the right, where somebody who thinks BGP is 'a very old routing method' and is then unfairly criticising his ISP, Vodafone, for using it. A clear sign that a little knowledge may be a dangerous thing. It is also revealing that, in spite of the headline besmirching (presumably) most ISPs and writing them off as 'unsafe', when you scroll down, the list of providers who do not yet implement RPKI is far far larger than the list of those who do, including Google, Comcast, Vodafone, Zayo, Hurricane Electric and many more huge players :

BGP and RPKI

Questions? Further actions?

If you have any questions about this, please do ask! We are not looking to hide anything!

If you want to help the overall situation, we'd suggest that if you see a tweet of this nature from someone who clearly does not understand the underlying detail fully enough to properly be aware of the risks, that you try to respond to their tweet with information that makes them better informed. RPKI is (probably) a good thing, although, for reasons given above, it does have some implementation risks, and some valid concerns surrounding jurisdiction. And in time we expect most providers will implement it.

And regarding "IsBGPSafeYet.com" ... Do you ever succeed in encouraging people to do what you want them to do by first spreading false rumours about them in public?

We feel not.


以上所述就是小编给大家介绍的《BGP and RPKI》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

网络营销实战密码

网络营销实战密码

昝辉Zac / 电子工业出版社 / 2009.1 / 56.00元

本书是作者几年来网络营销实战的总结,与其他网络营销书籍最大不同之处是:只专注于实战,不谈理论。本书分三部分详细介绍了网络营销实用策略和技巧,并分析了大量实战案例。第一部分介绍市场与产品研究,包括用户、市场和竞争对手的调查;产品、目标市场的确定;价格策略;赢利模式等。第二部分讨论以网络营销为导向的网站设计,包括怎样在网站上卖东西、提高转化率,以及网站目标设定等。第三部分研究怎样给网站带来流量,详细讨......一起来看看 《网络营销实战密码》 这本书的介绍吧!

JS 压缩/解压工具
JS 压缩/解压工具

在线压缩/解压 JS 代码

RGB转16进制工具
RGB转16进制工具

RGB HEX 互转工具

UNIX 时间戳转换
UNIX 时间戳转换

UNIX 时间戳转换