Bah. Real simple cure for this nonsense. Too bad it's unlikely to happen.

Back when Usenet mattered, there used to be something called a "Usenet Death Penalty". What we need here is an "Autonomous System Death Penalty".

BGP works between "Autonomous Systems" (aka AS). ISPs almost invariably are. Bigger companies usually are. Anyone who wants to be independent of their upstream IP connection gets an AS number. The only way some ISP in Belarus can interfere with your IP packets is to announce over BGP that packets should be sent to their AS.

So anyone who was affected by some rogue ISP in Belarus should simply tell their BGP routers to totally ignore anything from that AS. Forever. And if they're a govt agency they simply tell Comcast, Verizon, AT&T, etc to drop any and all packets from that AS. To anywhere! And if it's a govt agency making this "request", there's a good chance that the Tier 1 IP providers will comply.

Done. That podunk ISP in Belarus has now been disconnected from a large part of the Internet. And good luck with them trying to get Verizon etc to undo that.

So, what the death penalty means is "you get to intentionally mess around with routing just once, then you go away forever". Now that podunk ISP can either go out of business or it can go begging IANA for a new AS number. And since ICANN (which operates IANA) answers (at least for now) to the US Dept of Commerce, it might not be too easy to get a new AS.

Yes I know the propeller-head nerds who operate the "technical" Internet would immediately think my proposal is much too harsh. But, ultimately, nerds need to understand that sometimes things are done for "political" rather than "technical" reasons. And the managers who sign the nerds' paychecks are political creatures; they almost invariably aren't nerds.

Yes I know the propeller-head nerds who operate the "technical" Internet would immediately think my proposal is much too harsh. But, ultimately, nerds need to understand that sometimes things are done for "political" rather than "technical" reasons. And the managers who sign the nerds' paychecks are political creatures; they almost invariably aren't nerds.

Nah, but I do think you can go fuck yourself for being so patronizing.


"propeller-head nerd who operates the 'technical' Internet" here...

I don't think it's too harsh, but it would never happen, of course. It would all go out the window the first time some large corporation was affected.

There are already solutions for this (filtering inbound announcements, RPKI, etc.), but people (ISPs) don't use them. BCP38 solved the "IP spoofing" issue years ago but ASes don't even implement that.

(Side note: IANA doesn't directly issue ASNs to entities. Here in the U.S., for example, you get them from ARIN. And they'll gladly give 'em out ($500 each).)


RPKI (http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastruct...) is getting increasing use and looks to be the consensus solution among RIRs, ISPs, etc. Events like this, and there have been quite a few recently, will drive faster adoption.

HTTPS wasn't rolled out with 100% in a year or two either.

Disclaimer: I am an RPKI researcher.
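As an added illustration of the RPKI route-origin validation the comment above refers to (example code written for this thread, not from the commenter or any RIR): it implements the RFC 6811 origin check, classifying an announced prefix plus origin AS as valid, invalid or not-found against a set of ROAs. The ROAs and announcements are constructed from RFC 5737 documentation prefixes and RFC 5398 documentation ASNs. Note that ROV checks only the origin AS, not the rest of the AS path, which is why it is one layer of defense rather than a complete one.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: 'asn' may originate 'prefix' and any
    more-specific prefix up to 'max_length' bits long."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs (documentation prefixes/ASNs, not real registry data).
ROAS = (
    ROA("192.0.2.0/24", 24, 64496),   # only AS64496, no more-specifics allowed
    ROA("203.0.113.0/24", 24, 0),     # AS0 ROA: nobody may originate this prefix
)


def covering_roas(net, roas):
    """ROAs whose prefix contains the announced prefix (RFC 6811 'covering')."""
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(net, roas)
    if not covering:
        return "not-found"          # no ROA covers it: ROV has no opinion
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific


def accept(prefix, origin_asn, roas=ROAS):
    """Common deployed policy: drop only 'invalid', still accept 'not-found'."""
    return validate(prefix, origin_asn, roas) != "invalid"


if __name__ == "__main__":
    # Constructed announcements: legitimate origin, different origin,
    # more-specific than the ROA allows, uncovered prefix, AS0-protected prefix.
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                     ("192.0.2.0/25", 64496), ("198.51.100.0/24", 64496),
                     ("203.0.113.0/24", 64496)]:
        print(pfx, "AS%d" % asn, validate(pfx, asn), "accept" if accept(pfx, asn) else "drop")
```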


In the history of the Internet (or at least the WorldWideWeb), how many times has a big corporation pulled this stunt, even accidentally? If the answer is 0 or even a number I can count on 1 hand, I say go for it. Even if it was an accident, this is the type of fuck up that deserves Internet death. Think of it like the digital equivalent of walking out onto a highway with a semi barreling down the center lane.


It's simple! Just ban the number they've been assigned and that solves the problem once and for all!

...but what if they make a request under the guise of a different organization, to be assigned new numbe--

ONCE AND FOR ALL.


My gut reaction is that this hijacking was "opportunistic" and "state sponsored". The "actors" knew there wouldn't be any consequences.

It would be nice to "send a message" by banning an AS number. The hassles involved in revoking that ban and/or obtaining a new AS number would make it unlikely that such opportunistic bad behavior would recur very often.


Could a system like this not be abused? If you wanted to get your competitor out of business, all you'd have to do is arrange for them to get blacklisted in this manner (I'm assuming it would be possible to achieve, as these things invariably are).


Yes, you just announce a bad BGP route with their AS. The blacklist idea assumes that BGP route announcements are attributable, which in many cases they are not.


You may want to consider omitting the final paragraph of your argument.


Yeah, I know. In re-reading that paragraph it does seem over-the-top. As you point out, it could (should?) probably have been omitted entirely.


You might want to consider that "intentional" is not always a clear-cut case.

In this scenario, Renesys claims that it's obvious that this was no accident, but there's also mention of a Pakistani accidental hijack and a presumably accidental Chinese incident.

Intelligence agencies are masterful at the art of making things look like coincidences or accidents, and many smaller ISPs could make an accidental hijack that looks intentional and dangerous.


Do we have enough numbers available to definitively scratch some?

There is also the political problem of leaving one nation in charge of something global (they don't like due process when it's about foreign matters). It had better be an international body.


Yeah, ASNs are 32-bit.


I would like to note, however, that there are a very large number of REAL situations where the best route for an EU-EU bound packet is via the US.

Depending on the providers in question, the specifics of their interconnects, and the explicits of any congestion-mitigating traffic engineering, the shortest AS-path announcement may come via a US peer.


Another solution would be to implement Tor-like onion routing so that capturing the data on the fly would be useless and tampering with it not possible.


As one of those propeller heads, I actually think your suggestion is a little vitriolic, but not too bad.

There are a number of technical solutions for this, and interestingly I tend to apply them in Europe first.


The "podunk" reference wasn't needed, either.

