Internal Internet traffic routed outside Russia by a Chinese operator
Russian Internet traffic has on several occasions been re-routed outside the country; the incidents seem to have been caused by routing errors made by China Telecom.
The news was published by the Internet monitoring service Dyn in a blog post, which also reports that domestic traffic was apparently re-routed due to a networking fault caused by a weakness in the Border Gateway Protocol (#BGP).
However, as can often happen with these [peering] relationships, one party can leak the routes received from the other and effectively insert itself into the path of the other party’s Internet communications. This happened over a dozen times in the past year between these two providers. This is a general phenomenon that occurs with some regularity but isn’t often discussed in BGP security literature. In this blog post, we’ll explore the issue via the lens of this single example. In a follow-on blog, we’ll explore several additional examples.
The original article below gives a fairly comprehensive explanation of peering and what can go wrong. It also explains the #Vimpelcom and #China_Telecom peering agreement and shows how it went wrong on several occasions (e.g. China Telecom announcing full tables).
▻http://research.dyn.com/2014/11/chinese-routing-errors-redirect-russian-traffic
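The leak described above, where a network re-exports routes learned from one peer to another neighbour, can be spotted in observed AS paths by checking the valley-free export rule. This is an added example, not part of the original post or the Dyn article; the AS numbers are documentation values (RFC 5398), and the relationship table and paths are constructed.

```python
# Added example: valley-free check for route leaks between peers.
# ASNs are documentation values (RFC 5398); the topology is constructed.
CUSTOMER, PEER, PROVIDER = "customer", "peer", "provider"

def build_relationships(links):
    """links: (a, b, kind) with kind 'p2c' (a is b's provider) or 'p2p'."""
    rel = {}
    for a, b, kind in links:
        if kind == "p2p":
            rel[(a, b)] = rel[(b, a)] = PEER
        else:
            rel[(a, b)] = CUSTOMER   # b is a's customer
            rel[(b, a)] = PROVIDER   # a is b's provider
    return rel

def find_leaker(as_path, rel):
    """Return the AS that broke the export rule, or None if the path is clean.

    as_path is in BGP order (nearest AS first, origin last).
    """
    hops = []
    for asn in reversed(as_path):          # follow the route outward from the origin
        if not hops or hops[-1] != asn:    # collapse AS-path prepending
            hops.append(asn)
    learned_from_peer_or_provider = False
    for sender, receiver in zip(hops, hops[1:]):
        kind = rel.get((sender, receiver))  # what the receiver is to the sender
        if kind is None:
            raise ValueError(f"no known relationship for AS{sender} -> AS{receiver}")
        if kind in (PEER, PROVIDER) and learned_from_peer_or_provider:
            return sender                   # peer/provider routes may only go to customers
        if kind in (PEER, CUSTOMER):
            learned_from_peer_or_provider = True
    return None

REL = build_relationships([
    (64497, 64496, "p2c"),  # domestic operator serves the origin network
    (64497, 64500, "p2c"),  # ... and a second domestic customer
    (64497, 64498, "p2p"),  # domestic operator peers with a foreign operator
    (64498, 64499, "p2p"),  # foreign operator peers with a third network
])

OBSERVED = {
    "domestic": [64500, 64497, 64496],
    "peering": [64498, 64497, 64496],
    "leaked": [64499, 64498, 64498, 64497, 64496],
}

if __name__ == "__main__":
    for name, path in OBSERVED.items():
        print(name, path, "leaker:", find_leaker(path, REL))
```

The check depends on an accurate relationship table; a path that crosses a link missing from the table raises an error instead of being silently treated as clean.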
The above article also references the following very good and self-explanatory read that explains BGP prefix hijacking, and available security measures:
Why Is It Taking So Long to Secure Internet Routing?
People have been aware of BGP’s security issues for almost two decades and have proposed a number of solutions, most of which apply simple and well-understood cryptography or whitelisting techniques. Yet, many of these solutions remain undeployed (or incompletely deployed) in the global Internet, and the vulnerabilities persist. Why is it taking so long to secure BGP?
▻http://queue.acm.org/detail.cfm?id=2668966
Thus, while we continue to make progress toward protocol-based defenses for routing security, the next frontier in routing security could very well be hardening the software and hardware used in Internet routers.
#RPKI
#BGPSEC
#routing #security