Dagbladet writes about a 'security hole' in the Internet.
BGP works in this way:
o You use AS Numbers (ASN) which are globally unique.
(simplified, but not completely true: two Internet providers cannot share the same ASN)
o These AS numbers are used for path decisions on the internet,
the general idea is that fewer 'AS hops' (AS numbers between you and the destination) is better.
o IP address ranges are linked to AS numbers.
o Setting up a BGP session for exchange of IP traffic between AS numbers (ISPs) is called 'a peering'.
CIDR
In routing, you will have to say that for example: 192.168.0.0/24 is at your router (this means 192.168.0.0 - 192.168.0.255)
A /23 is double the size of a /24, and hence 192.168.0.0 - 192.168.1.255
Path decision
Some attributes are used for deciding which ISP to use to reach another in (BGP) routing.
The ones I am going to focus on here are AS_PATH and CIDR.
The 'problem' about routing is that a more specific route will be preferred.
Let us say that the fictive company boogle owns 192.168.0.0/23 and keeps bmail in the rear end of that /23-network, from 192.168.1.128 - 192.168.1.256.
What will happen when someone announces 192.168.1.0/24 to other ISPs?
Yes, they will of course start using this route instead of the less specific /23-network that boogle announces.
BGP peering
In BGP, one AS (autonomous system) will announce to the other ASNs which IP ranges it will accept traffic for.
Let us say you have AS1, AS2, AS3 and AS4 - which are owned by ISP1, ISP2, ISP3 and ISP4.
ISP1 uses ISP2 to reach the internet, because ISP2 has built a large network.
ISP3 and ISP4 are peering, and ISP4 also uses ISP2 to reach the internet (and then also to reach ISP1).
ISP3 usually uses a hidden ISP5 to reach ISP1.
Let us take the example from above then, with the preceding facts.
What will happen when ISP4 decides to announce the more specific network to ISP3?
Yes, ISP3, which is used to having the path ISP5 -> ISP1, will of course exchange it for ISP4 -> ISP2 -> ISP1.
This is regardless of a longer AS_PATH (ISP4->ISP3->ISP1) because of the more specific network.
The other way this can be exploited is to force in a route with a shorter AS_PATH.
The real problem
These are FEATURES of BGP and IP routing, and were never a security hole.
The actual security hole is misconfigured routers that will accept announcements of networks from maliciously configured routers.
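As an added example (not from the original post), this Python sketch models ISP3's choice between the two announcements from the scenario above, and a prefix filter of the kind a correctly configured router would apply before accepting them. The filter table ALLOWED and its maximum prefix lengths are assumptions made for illustration, and all data is constructed.

```python
import ipaddress

# Constructed sample: announcements as seen by ISP3 in the post's scenario.
# Each entry is (announced prefix, AS path starting at the neighbour).
ROUTES = [
    ("192.168.0.0/23", ["ISP5", "ISP1"]),          # boogle's normal /23
    ("192.168.1.0/24", ["ISP4", "ISP2", "ISP1"]),  # more specific, longer path
]

# Hypothetical ingress policy at ISP3: per neighbour, the covering prefix
# it may announce and the longest prefix length that is acceptable.
ALLOWED = {
    "ISP5": [("192.168.0.0/23", 23)],
    "ISP4": [("192.168.0.0/23", 23)],
}

def accept(prefix, as_path, allowed=ALLOWED):
    """Accept only prefixes inside an allowed block and not more specific
    than the configured maximum length for that neighbour."""
    net = ipaddress.ip_network(prefix)
    for covering, max_len in allowed.get(as_path[0], []):
        if net.subnet_of(ipaddress.ip_network(covering)) and net.prefixlen <= max_len:
            return True
    return False

def filtered(routes):
    """Routes that survive the ingress filter."""
    return [(p, path) for p, path in routes if accept(p, path)]

def best_route(dest, routes):
    """Simplified selection: longest matching prefix wins; AS_PATH length
    only breaks ties between prefixes of equal length."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), path) for p, path in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, path = max(matches, key=lambda m: (m[0].prefixlen, -len(m[1])))
    return str(net), path

if __name__ == "__main__":
    bmail = "192.168.1.200"  # constructed address in the upper half of the /23
    print("unfiltered:", best_route(bmail, ROUTES))
    print("filtered:  ", best_route(bmail, filtered(ROUTES)))
```

Without the filter the /24 wins despite its longer AS_PATH; with it, the /24 is dropped on ingress and traffic stays on the /23 via ISP5.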