Friday, April 09, 2010

export any

So we were talking about China exporting its internal chaos, while also importing Indian internal chaos. Then, the good folk at 31 Jin-rong Street, Beijing gave us a practical example. That would be AS4134, CHINANET-BACKBONE, aka China Telecom's long lines/Internetworking division. Starting at 1558 GMT, they leaked a very large number of other people's routes into the global Internet. According to Martin Brown of Renesys, the incident affected some 31,847 routes in 10 minutes, or several times the number normally announced from 4134.

Anyone who accepted one of the leaked routes would have seen their traffic to that network go to China Telecom first, and only then to their destination, presuming that China Telecom's internal routing was valid. Otherwise it would have gone nowhere.

The key thing to remember here is that Internet routers know where to route your traffic because they tell each other which routes they have. Network A - in this case AS4134 - tells its peers that it can route to network B directly and to C via D or E, but preferably D. The peers pass on this information to their peers. Eventually, this means that any router connected to the Internet can have a full copy of the routing table for the entire Internet at any moment, should it need it. The downside of the Border Gateway Protocol which governs this is, however, that it doesn't perform any verification of the routing updates; like a lot of Internet engineering from the 70s and 80s, it relies on trust. More to the point, it relies on trust in others' competence.

Occasionally, bad things happen, as when Pakistan accidentally routed all inbound traffic to YouTube into the censorship proxy at Pakistan Telecom. In this case, somehow, China Telecom issued 31,847 routing updates to the world at large. An important distinction here is that between internal and external BGP; it's possible that a huge national backbone operator might have offered its customers a seriously large number of routes, indeed a full route-view. But they certainly shouldn't have offered them to the wider Internet - hence the idea of a routing "leak".

We've blogged before that the Chinese Internet isn't characterised by "cyberwar" or even by censorship, but rather by chaos. This is a physical, real-time example of internal chaos within China being exported to the rest of the world. As a result, not just because of BGP issues but also of spam, etc, quite a lot of networks filter all or most netblocks inside China; here's a sample access control list.

No comments:

kostenloser Counter