Routing: Difference between revisions
No edit summary |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 38: | Line 38: | ||
==Routing Security== | ==Routing Security== | ||
In June 2022, the [[SSAC]] released SAC121, which provides information on: | In June 2022, the [[SSAC]] released SAC121, which provides information on: | ||
* | * the Internet’s routing system, | ||
* routing [[cybersecurity|security]] challenges for [[DNS]] infrastructure operators and their implications, | * routing [[cybersecurity|security]] challenges for [[DNS]] infrastructure operators and their implications, | ||
* the role of network operators in securing the Internet's routing system, and | * the role of network operators in securing the Internet's routing system, and | ||
* security extensions of the border gateway protocol.<ref>[https://www.icann.org/en/system/files/files/sac-121-en.pdf SAC121, ICANN Files]</ref> | * security extensions of the border gateway protocol.<br/> | ||
Attackers can inject false routes or information into the routing system. Mistakes can occur through misconfiguration, making it difficult to determine whether a routing incident was intentional or not. Performing [[DNSSEC]] validation on signed domain names can protect against routing hijacks. The RPKI builds upon the earlier work of routing registries by associating digital signatures with some of the information found in Internet routing messages. | |||
[[MANRS]] is one of many security responses to routing issues<ref>[https://www.manrs.org/ MANRS]</ref>; SAC121 is for a much broader audience.<ref>[https://www.icann.org/en/system/files/files/sac-121-en.pdf SAC121, ICANN Files]</ref> | |||
==References== | ==References== | ||
Latest revision as of 17:22, 11 July 2022
Routing is the process of selecting a path for traffic in a network or between or across multiple networks.
Internet Routing Registries
There are at least 25 IRRs registering and executing routing policies that
- offer public descriptions of the relationship between external and internal Border Gateway Protocol peers,
- offer Documentation,
- provide routing security,
- allow automatic generation of router configurations,
- provide a debugging aid,
- publish routing intentions,
- construct and maintain routing filters and router configurations, and
- share diagnostic and information service for general network management.[1]
Routing Incidents Types
Border Gateway Protocol (BGP) is a key tool for Internet connection redundancy, enabling data communications between large networks operated by different organizations. However, one bad move can lead to a major blackout.[2] Possible causes could be:
- Misconfiguration
- Malicious
- Targeted Traffic Misdirection
Timeline of Major Incidents
| Date | Incident | Outcomes |
|---|---|---|
| April 25, 1997 | AS 7007 incident among UU/Sprint | |
| May 7, 2005 | Google Outage | |
| February 24, 2008 | Pakistan Telecommunication Authority's attempt to block YouTube access within Pakistan takes down YouTube entirely | |
| November 11, 2008 | The Brazilian ISP Companhia de Telecomunicações do Brasil Central leaked their internal table onto the global BGP table | |
| April 8, 2010 | China Telecom originated 37,000 prefixes not belonging to them in 15 minutes, temporarily causing a global outage | |
| 2011 | Yandex accident | |
| 2014 to 2018 | 3ve’s BGP hijacker schemes |
Routing Security
In June 2022, the SSAC released SAC121, which provides information on:
- the Internet’s routing system,
- routing security challenges for DNS infrastructure operators and their implications,
- the role of network operators in securing the Internet's routing system, and
- security extensions of the border gateway protocol.
Attackers can inject false routes or information into the routing system. Mistakes can occur through misconfiguration, making it difficult to determine whether a routing incident was intentional or not. Performing DNSSEC validation on signed domain names can protect against routing hijacks. The RPKI builds upon the earlier work of routing registries by associating digital signatures with some of the information found in Internet routing messages. MANRS is one of many security responses to routing issues[3]; SAC121 is for a much broader audience.[4]