Internet failures over the next 3 years

jerry@freeside.fc.NET (Jeremy Porter) writes:

Largely we don't see conflicts of an actual prefix being announced
by hostile parties, where there isn't a technical parent/child
delegation relationship. The badness of such an event probably
is why.

Big events like MAI 7007, Qwest reannouncing 3561, and so forth are
noticed. But mis-announcing just a few /24 (out of a /19) or one /16
(out of a /15) don't make headlines. Nevertheless, it does happen on
a regular basis. Most of the time it does appear to be a configuration
error, which may explain why 'classfull' networks boundaries are the
most likely places to have problems.

For example, a few weeks ago I posted about the FCC's network prefix
being announced by a tiny provider. A more interesting one was at
one point during the war over Kosovo, a major backbone had a /16 of
its network redirected through Macedonia Telecom. Why go through the
trouble of installing a sniffer at mae-east, when you can just redirect
the route through a more convient tapping spot. The traffic still
flowed, just via a scenic route.

Unfortunately, there are no good tools for the first level support
people when confronted with an insane route. When reporting a problem,
you will generally get back a response it "worked" for them. The
next response is "that's how the Internet works," or "that's what
the customer requested." As far as the first-level support is concerned,
if ping or traceroute works, there is no problem. After a few days of
escalating the problem, someone will eventually discover a configuration
error, and fix it.

Note: the bell-heads haven't solved this problem either. Insane routes
also occur in the telephone system. Trying to explain to an operator why
even though the call goes through, it is going to the wrong place, is
hard to do.

Its good to have the tools in place and the technology understood
in the event its need, but to some extent just having the tools
is enough (MAPS-smurf/spam).

I suppose when someone finds a quick and dirty hack to remotely
cause BGP sessions to flap between providers on private peering or
public peering points, the "trust everyone" model will have to
examined again. Largely I feel it would result in ingress filtering
much like smurf attacks have with directed broadcast.

Since most of BGP route problems appear to be configuration mistakes
by operators, more wide-spread double checking of announcements would
help. Obviously a more sophisticated, malicious person or tool could
get around a simple check.

BGP vulnerablilties have been well covered in other forums. But until
there is a big problem, I agree with your assessment. BGP passwords
offer some protection against one particular type of impersonation
attack. Anti-spoofing and access-lists help against other types of
attack. Denial of service attacks are a bit harder to protect against.
Transitive trust is a tough one unless we can all agree on some source
to trust when there is a conflict.

Note: I don't think the bell-heads have really solved this one either.
If local number portability ever takes off, the net-heads are going to
have a remarkable sense of deja vu. And don't get me started on SS7