I think the problem with doing prefix-lists for carriers is that you don't know
who they will be used by for transit. So a European network could advertise
their Provider Independent network through China Telecom and you would not
be able to count all of their clients using them for transit or other
carriers with these filters. I don't think the issue is as simple as
filtering when dealing with transit providers and not end users. I think we
should be talking about how Secure BGP should play a role in Internet
security.
My two cents.
Now back to the DHCP Servers lab for CCIE.
On Thu, Nov 18, 2010 at 7:15 PM, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:
> The carriers should write very simple prefix lists that they will only do
>
> ip prefix-list china-nets seq 5 permit 61.0.0.0/8 le 24
> ip prefix-list china-nets seq 10 permit 202.0.0.0/8 le 24
>
>
> etc. for all the China netblocks when peering with them, so they can't
> announce ANYTHING they don't own.
>
> PERIOD.
>
> If I can't get to EVERYTHING else through ANOTHER carrier it would be better to
> have it down than go through China
>
> ________________________________________
> From: nobody_at_groupstudy.com [nobody_at_groupstudy.com] On Behalf Of Ahmed
> Elhoussiny [aelhoussiny_at_gmail.com]
> Sent: Thursday, November 18, 2010 7:52 PM
> To: --Hammer--
> Cc: Ronnie Angello; Cisco certification
> Subject: Re: OT: China telecom operator denies hijacking Internet traffic
>
> It's just an example of how BGP attributes/communities, filters can easily
> affect the whole internet.
>
>
> On Fri, Nov 19, 2010 at 12:37 AM, --Hammer-- <bhmccie_at_gmail.com> wrote:
>
> > Why complying with the groupstudy posting rules is important....
> >
> >
> >
> > --Hammer
> >
> > "I was a normal American nerd."
> > -Jack Herer
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Ronnie Angello
> > Sent: Thursday, November 18, 2010 4:29 PM
> > To: Ahmed Elhoussiny
> > Cc: Cisco certification
> > Subject: Re: OT: China telecom operator denies hijacking Internet traffic
> >
> > Why route filtering is important... :)
> >
> > On Thu, Nov 18, 2010 at 5:20 PM, Ahmed Elhoussiny
> > <aelhoussiny_at_gmail.com> wrote:
> >
> > > Dears, just sharing some news, BGP & International Gateways
> > >
> > > *For 18 minutes, about 15 percent of all web traffic was redirected
> > > through China, including traffic to and from the sites of the U.S. Army,
> > > Navy, Marine Corps, Air Force, the office of the Secretary of Defense, the
> > > Senate and NASA, according to a report delivered to Congress by the
> > > U.S.-China Economic and Security Review Commission.*
> > >
> > > *The report says that the irregular routing could have allowed the
> > > surveillance of users or sites, the disruption or diversion of
> > > communications and the compromising of supposedly secure encrypted
> > > sessions.*
> > >
> > > *The report alleges that the diversion was caused when China Telecom
> > > briefly offered a false electronic notification to internet traffic on
> > > the web, causing some traffic to mistakenly conclude that the quickest
> > > way to reach its destination was to travel through the company's servers
> > > in China.*
> > >
> > > *http://edition.cnn.com/2010/US/11/17/websites.chinese.servers/index.html?hpt=T1*
> > >
> > >
> > > *Solution: filters that deny BGP updates about your prefixes that are
> > > originated from your country, including some bgp reg_exp, accepting only
> > > these prefixes from trusted BGP (e or i) sources*
> > >
> > > *A new update about this from Network World magazine:*
> > >
> > > The incident could have been an accident
> > > <http://www.pcworld.com/article/193849/a_chinese_isp_momentarily_hijacks_the_internet.html>
> > > that stems from a weakness of the Border Gateway Protocol (BGP), which is
> > > used to help route traffic and connect the Internet together.
> > >
> > > BGP data is sent from small service providers like IDC China
> > > Telecommunication and then shared with larger providers. Small providers
> > > generally direct Internet traffic to about 30 routes. For some reason, on
> > > April 8 IDC China Telecommunication began directing to tens of thousands
> > > of networks. The bad information was then accepted by larger Internet
> > > providers like China Telecom, which then propagated the data.
> > >
> > > *http://www.networkworld.com/news/2010/111810-china-telecom-operator-denies-hijacking.html?hpg1=bn*
> > >
> > >
> > > --
> > >
> > > Thanks & B.regards
> > > Ahmed Elhoussiny,2x CCIE# 21988 (R&S-SP)
> > > Network Consultant & Cisco Academy Instructor
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >
> > --
> > Ronald Angello
> > Senior Network Architect
> > CCIE 17846
> > CCDP, CCIP, CCNP
> >
>
>
> --
>
> Thanks & B.regards
> Ahmed Elhoussiny,2x CCIE# 21988 (R&S-SP)
> Network Consultant & Cisco Academy Instructor
>
Received on Thu Nov 18 2010 - 19:29:08 ART
This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART
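
Added example, not part of the original thread: a small evaluator for the two "china-nets" entries quoted above, run over constructed announcements, showing that a static inbound list gives the same deny to a leaked prefix and to a Provider Independent prefix of a customer legitimately buying transit from the filtered peer. The announcement set and its labels are assumptions; the last two prefixes are documentation ranges used as stand-ins.

```python
import ipaddress

# The two entries quoted in the thread: (seq, action, prefix, ge, le).
CHINA_NETS = [
    (5, "permit", "61.0.0.0/8", None, 24),
    (10, "permit", "202.0.0.0/8", None, 24),
]

# Constructed announcements received from the filtered peer. The last two use
# documentation prefixes (RFC 5737) as stand-ins; the labels are assumptions.
ANNOUNCEMENTS = {
    "61.10.0.0/16": "peer's own block",
    "202.10.5.0/24": "peer's own /24",
    "61.10.20.128/25": "peer's own, longer than /24",
    "198.51.100.0/24": "leaked prefix the peer does not own",
    "203.0.113.0/24": "European PI customer buying transit from the peer",
}

def prefix_list_action(entries, announced):
    """Evaluate one route: lowest seq first, first match wins, implicit deny."""
    route = ipaddress.ip_network(announced)
    for seq, action, prefix, ge, le in sorted(entries, key=lambda e: e[0]):
        base = ipaddress.ip_network(prefix)
        # Length window: exact match with no ge/le, [len, le] with le only,
        # [ge, 32] with ge only, [ge, le] with both.
        lo = ge if ge is not None else base.prefixlen
        if le is not None:
            hi = le
        else:
            hi = 32 if ge is not None else base.prefixlen
        if route.subnet_of(base) and lo <= route.prefixlen <= hi:
            return action
    return "deny"

def filter_session(entries, announcements):
    """Return {prefix: (action, label)} for every announcement on the session."""
    return {p: (prefix_list_action(entries, p), label)
            for p, label in announcements.items()}

if __name__ == "__main__":
    for prefix, (action, label) in filter_session(CHINA_NETS, ANNOUNCEMENTS).items():
        print(f"{action:6} {prefix:18} {label}")
```

The list alone cannot tell the last two announcements apart, which is the objection raised in the top reply.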