How do we actually know that China hijacked traffic and not an ISP caused
the error? In my lab I can easily make a mistake by prepending as-path to a
wrong route and/or sending it to a wrong neighbor. Can something like that
happen on a much larger scale?
On 18 November 2010 20:29, Tom Kacprzynski <tom.kac_at_gmail.com> wrote:
> I think the problem with doing prefix lists for carriers is that you don't know
> who they will be used by for transit. So a European network could advertise
> their Provider Independent network through China Telecom and you would not
> be able to count all of their clients using them for transit or other
> carriers with these filters. I don't think the issue is as simple as
> filtering when dealing with transit providers and not end users. I think we
> should be talking about how Secure BGP should play a role in Internet
> security.
>
> My two cents.
>
> Now back to DHCP Servers lab for ccie.
>
> On Thu, Nov 18, 2010 at 7:15 PM, Joseph L. Brunner
> <joe_at_affirmedsystems.com> wrote:
>
> > The carriers should write very simple prefix lists that they will only do
> >
> > ip prefix-list china-nets seq 5 permit 61.0.0.0/8 le 24
> > ip prefix-list china-nets seq 10 permit 202.0.0.0/8 le 24
> >
> >
> > etc. for all the China netblocks when peering with them, so they can't
> > announce ANYTHING they don't own.
> >
> > PERIOD.
> >
> > If I can't get to EVERYTHING else through ANOTHER carrier it would be better to
> > have it down than go through China
> >
> > ________________________________________
> > From: nobody_at_groupstudy.com [nobody_at_groupstudy.com] On Behalf Of Ahmed
> > Elhoussiny [aelhoussiny_at_gmail.com]
> > Sent: Thursday, November 18, 2010 7:52 PM
> > To: --Hammer--
> > Cc: Ronnie Angello; Cisco certification
> > Subject: Re: OT: China telecom operator denies hijacking Internet traffic
> >
> > It's just an example of how BGP attributes/communities, filters can easily
> > affect the whole internet.
> >
> >
> > On Fri, Nov 19, 2010 at 12:37 AM, --Hammer-- <bhmccie_at_gmail.com> wrote:
> >
> > > Why complying with the groupstudy posting rules is important....
> > >
> > >
> > >
> > > --Hammer
> > >
> > > "I was a normal American nerd."
> > > -Jack Herer
> > >
> > > -----Original Message-----
> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > > Ronnie Angello
> > > Sent: Thursday, November 18, 2010 4:29 PM
> > > To: Ahmed Elhoussiny
> > > Cc: Cisco certification
> > > Subject: Re: OT: China telecom operator denies hijacking Internet traffic
> > >
> > > Why route filtering is important... :)
> > >
> > > On Thu, Nov 18, 2010 at 5:20 PM, Ahmed Elhoussiny
> > > <aelhoussiny_at_gmail.com> wrote:
> > >
> > > > Dears, just sharing some news, BGP & International Gateways
> > > >
> > > > *For 18 minutes, about 15 percent of all web traffic was redirected through
> > > > China, including traffic to and from the sites of the U.S. Army, Navy,
> > > > Marine Corps, Air Force, the office of the Secretary of Defense, the Senate
> > > > and NASA, according to a report delivered to Congress by the U.S.-China
> > > > Economic and Security Review Commission.*
> > > >
> > > > *The report says that the irregular routing could have allowed the
> > > > surveillance of users or sites, the disruption or diversion of
> > > > communications and the compromising of supposedly secure encrypted
> > > > sessions.*
> > > >
> > > > *The report alleges that the diversion was caused when China Telecom briefly
> > > > offered a false electronic notification to internet traffic on the web,
> > > > causing some traffic to mistakenly conclude that the quickest way to reach
> > > > its destination was to travel through the company's servers in China.*
> > > >
> > > > http://edition.cnn.com/2010/US/11/17/websites.chinese.servers/index.html?hpt=T1
> > > >
> > > > *Solution: filters that deny BGP updates about your prefixes that are
> > > > originated from your country, including some BGP reg_exp, accepting only
> > > > these prefixes from trusted BGP (e or i) sources*
> > > >
> > > > *A new update about this from Network World magazine:*
> > > >
> > > > The incident could have been an accident
> > > > <http://www.pcworld.com/article/193849/a_chinese_isp_momentarily_hijacks_the_internet.html>
> > > > that stems from a weakness of the Border Gateway Protocol (BGP), which is
> > > > used to help route traffic and connect the Internet together.
> > > >
> > > > BGP data is sent from small service providers like IDC China
> > > > Telecommunication and then shared with larger providers. Small providers
> > > > generally direct Internet traffic to about 30 routes. For some reason, on
> > > > April 8 IDC China Telecommunication began directing to tens of thousands of
> > > > networks. The bad information was then accepted by larger Internet providers
> > > > like China Telecom, which then propagated the data.
> > > >
> > > > http://www.networkworld.com/news/2010/111810-china-telecom-operator-denies-hijacking.html?hpg1=bn
> > > >
> > > > --
> > > >
> > > > Thanks & B.regards
> > > > Ahmed Elhoussiny,2x CCIE# 21988 (R&S-SP)
> > > > Network Consultant & Cisco Academy Instructor
> > > >
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > > --
> > > Ronald Angello
> > > Senior Network Architect
> > > CCIE 17846
> > > CCDP, CCIP, CCNP
> >
> > --
> >
> > Thanks & B.regards
> > Ahmed Elhoussiny,2x CCIE# 21988 (R&S-SP)
> > Network Consultant & Cisco Academy Instructor
Received on Thu Nov 18 2010 - 23:10:45 ART
This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART
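
Added example, not part of the original thread or written by any of its posters: a Python model of how the two quoted `china-nets` entries would match inbound announcements, which also shows the objection raised in the reply (a transit customer's prefix is dropped by the same filter). The sample routes, the helper names and the route-count check with its thresholds are assumptions constructed for illustration.

```python
import ipaddress

# The two entries quoted in the thread, as (network, "le" length) pairs.
CHINA_NETS = [("61.0.0.0/8", 24), ("202.0.0.0/8", 24)]

def prefix_list_permits(route, entries=CHINA_NETS):
    """Cisco-style prefix-list match with only "le" set: the route must sit
    inside the entry's network and have entry_len <= length <= le.
    Anything that matches no entry hits the implicit deny."""
    net = ipaddress.ip_network(route)
    for entry, le in entries:
        base = ipaddress.ip_network(entry)
        if (net.version == base.version
                and base.prefixlen <= net.prefixlen <= le
                and net.subnet_of(base)):
            return True
    return False

def filter_inbound(announcements):
    """Split a peer's announcements into (accepted, dropped)."""
    accepted = [r for r in announcements if prefix_list_permits(r)]
    dropped = [r for r in announcements if not prefix_list_permits(r)]
    return accepted, dropped

def route_count_anomalous(count, baseline=30, factor=10):
    """Hypothetical sanity check: flag a peer announcing far more routes than
    its usual table (about 30 for a small provider, per the quoted article)."""
    return count > baseline * factor

# Constructed sample announcements from the filtered peer.
SAMPLE = [
    "61.135.0.0/16",    # inside 61/8, length 16: accepted
    "202.96.0.0/12",    # inside 202/8, length 12: accepted
    "61.0.0.0/25",      # inside 61/8 but longer than /24: dropped
    "198.51.100.0/24",  # documentation prefix standing in for a transit
                        # customer's provider-independent block: dropped
    "0.0.0.0/0",        # default route: dropped
]

if __name__ == "__main__":
    accepted, dropped = filter_inbound(SAMPLE)
    print("accepted:", accepted)
    print("dropped: ", dropped)
    print("30 routes anomalous?   ", route_count_anomalous(30))
    print("20000 routes anomalous?", route_count_anomalous(20000))  # constructed count
```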