Security Experts:

Routing on The Internet: A Disaster Waiting to Happen?

Internet Routing - The Internet's leading architects have considered the rapid growth and fragmentation of core routing tables one of the most significant threats to the long-term stability and scalability of the Internet

It has been reported that in April 2010, about 15% of the world’s Internet prefixes was hijacked by a set of servers owned by China Telecom. Popular websites such as dell.com, cnn.com and amazon.de were “re-routed” through Chinese networks before reaching their destinations for about 18 minutes, until technicians restored the correct parameters. In the technical world, this is typically called a prefix hijack and it happened due to a couple of wrong tweaks made at China Telecom. Whether this was intentional or not is unknown, but such routing accidents are all too common online.

Dangers of Internet Routing Methods

The "Inter" in Internet denotes the fact that it is actually a network comprised of thousands of interconnected networks, each of which is generally managed by a different entity. While packets of your requests to access information (such as DNS queries) traverse many networks, including ISPs, top-level domain name servers, and even the Root, a single type of hardware is used at every layer in this exchange process – a router.

So what is the purpose of a router? Routers tell packets of data which way to go. Many companies have private networks between offices, or even departments. When an e-mail is sent from one of these private networks to another with in company, the router “decides” that those packets should not be sent out to the Internet, but should instead travel within the corporate private network. An email sent from the same person to a potential customer, however, would be sent out via the Internet. In order for routers to know where to send things, they need to maintain some data about other networks. These are known as “routing tables”. If these routing tables get incorrect information, these types of mishaps occur.

Routing accidents are not new. In April 1997, AS7007 announced routes to all of the Internet. In December 2004, thousands of networks in the US were misdirected to Turkey, making it look like Turkey was the entire Internet. In September 2005, AT&T, XO and Bell South networks were misdirected to Bolivia. In July 2007, Yahoo was unreachable for an hour due to a routing problem. In February 2008, Pakistan Telecom hijacked all traffic aimed at YouTube and took YouTube offline for two hours. More examples abound.

BGP table growth

For a number of years, many of the Internet's leading architects have considered the rapid growth and fragmentation of core routing tables one of the most significant threats to the long-term stability and scalability of the Internet. As the number of Internet hosts and networks increases, the greater the challenge will be for networks running older or slower equipment.

Where these networks connect to each other to exchange traffic, it is the Border Gateway Protocol that is responsible for deciding where to forward IP packets to ensure they reach their correct destination network. The BGP table, which can be found on all Internet routers, contains all of the network "prefixes" – the IP address blocks assigned to any given network – active on the Internet at any given time. Over the years, as Internet usage has grown exponentially and the number of organizations coming online has increased, the number of networks advertised through BGP has swollen dramatically. In the last five years, it has more than doubled, from about 150,000 at the start of 2005 to almost 350,000 today. Some have suggested that the number of routing table entries could hit two million in the next 10 years.

While this growth is due in part to the rapid global adoption of the Internet in developed and developing nations, and the need for more addresses as more Internet services come online, there are other drivers. For example, the commercial imperative for reliable Internet connectivity has compelled many organizations to multi-home their mission-critical facilities, meaning they have two or more upstream bandwidth suppliers. Depending on how their multi-homing architecture has been designed, this can often mean a single data center, for example, has to duplicate its entry in the core routing table, as it has to announce the same network prefix multiple times, once for each upstream link. This makes it more difficult to aggregate IP address prefixes and slow the routing table expansion.

The danger here is that while BGP is the de-facto protocol for inter-domain routing on the Internet, actual routing occurs without checking whether the originator of the route is authorized to do so. The global routing system itself is made up of autonomous systems (AS) which are simply loosely interconnected routing domains. Each autonomous system decides, unilaterally, and even arbitrarily, to trust everything it hears from any other AS, to use that information without validation, and to further transmit that information to its other peers. This is often called “routing by rumor.”

Efforts are underway to secure the BGP based routing system. The IETF has initiated a working group which is working on a Resource Public Key Infrastructure (RPKI) which provides authorization for who can originate a route to an address. Once implemented, it would mean that China Telecom could not assert that it is the authoritative source for the networks used by dell.com or cnn.com, because it would not be the entity allocated the addresses for Dell or CNN.

Support for IPv6

Much has been made of the imminent depletion of unused IPv4 address space in the technology press recently. The Regional Internet Registries, which are responsible for handing out chunks of IP addresses to ISPs and businesses, said in October that only 5 percent of the total amount of addresses permitted by the IPv4 standard now remains unallocated by IANA, the top-level IP address repository. Further, current allocation trends suggest that IANA's pool will very probably be exhausted at some time in the first half of 2011. It is now likely only a matter of a few years before the RIRs themselves run out of available IPv4 addresses. The need for network managers to have a strategy for supporting IPv6, which enables exponentially more IP addresses, is clearer than ever.

IPv6, with its billions upon billions of additional potential addresses, will not reduce the growth of routing tables either. Indeed, there are reasons to believe that the transition between IPv4 and IPv6 may actually exacerbate the problem. The two protocols will have to work alongside each other for many years to come, and there are some bridging functions that will require more IPv4 addresses to be allocated. As smaller chunks of the dwindling pool of IPv4 are handed out, or traded between organizations with preexisting address block allocations, aggregating network prefixes and therefore slowing the growth of the routing table could become a more challenging proposition.

DNSSEC

Typical DNS queries are routed using the User Datagram Protocol (UDP), which only provides for DNS responses under 512 bytes. Since domain names with DNSSEC enabled come with more information, network providers are forced to re-ask for the DNS response using the Transmission Control Protocol (TCP), which can return larger sets of data. On average, a DNSSEC response is about 2-4 times the size of a normal non-DNSSEC query because it also contains the Resource Record Signature (RRSIG). To validate the signature, both the Delegation Signer (DS) record and the DNSKEY record must also be obtained, creating additional query load.

A study by the ICANN Security and Stability Committee in September of 2008 revealed that just 25% of the routers they tested were fully DNSSEC compatible, meaning they were able to both route and proxy DNS data using TCP or UDP with messages over 4096 bytes.

Since we know that home users are the most price-sensitive and therefore the slowest to replace aging home routers, this means that if corporations were to enable DNSSEC tomorrow, a good percentage of home routers probably could not return the DNSSEC information so that the user could get to a DNSSEC-validated site.

In summary

Like DNSSEC and the transition to IPv6, solving the problem of routing table expansion is something that the Internet community as a whole needs to address. Limitations in aging appliances that cannot handle the future new protocols like IPv6 and DNSSEC is something that router manufacturers and users alike need to take seriously. While it is incumbent upon network operators to ensure that their equipment is capable of handling the Internet's latest evolution, it is the development of standards and practices for scalable routing, and replacement of old hardware in the consumer market that should be done through cooperation between hardware manufacturers, ISPs and other interested stakeholders to preserve a smooth, and operating Internet.

(Updated: 12/03/2010  10:04AM)

Related Reading: Do Recent BGP Anomalies Shed a Light on What's to Come?

Related Reading: Trouble Ahead - The Implementation Challenges for DNSSEC

Related Reading: Deploying DNSSEC - Four Ways to Prepare Your Enterprise for DNSSEC

Related Reading: Five Strategies for Flawless DNSSEC Key Management and Rollover

Related Reading: The Missing Ingredients for DNSSEC Success

view counter
Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies effecting domain name registration and DNS security.