Yandex implements RPKI

Hi, my name is Alexander Azimov. At Yandex I develop various monitoring systems and also work on the architecture of the transport network. But today we will talk about the BGP protocol.


A week ago, Yandex enabled ROV (Route Origin Validation) on its sessions with all peering partners and with internet exchange points. Read below about why this was done and how it will affect interaction with telecom operators.

BGP and what is wrong with it

You probably know that BGP was designed as an inter-domain routing protocol. Along the way, however, the number of use cases has grown: today, thanks to numerous extensions, BGP has turned into a message bus covering tasks from VPN operation to the now-fashionable SD-WAN, and it has even found use as transport for SDN-like controllers, turning the distance-vector protocol BGP into something resembling a link-state protocol.

Fig. 1. BGP SAFI

Why has BGP received (and continues to receive) so many new uses? There are two main reasons:

  • BGP is the only protocol that works between autonomous systems (AS);
  • BGP supports attributes in TLV (type-length-value) format. The protocol is not alone in this, but since nothing can replace it at the junctions between telecom operators, it always turns out to be more profitable to bolt yet another piece of functionality onto it than to support an additional routing protocol.

So what is wrong with it? In short, the protocol has no built-in mechanisms for checking the correctness of the information it receives. That is, BGP is a protocol of a priori trust: if you want to tell the world that you now own the network of Rostelecom, MTS or Yandex, be my guest!

IRRDB-based filters: the best of the worst

The question arises: why does the internet still work under such conditions? Yes, it works most of the time, but it also periodically blows up, making entire national segments unreachable. Although malicious activity in BGP is also growing, most incidents are still caused by mistakes. An example from this year is a mistake by a small operator in Belarus, which made a significant part of the internet unreachable for MegaFon users for half an hour. Another example: a BGP optimizer gone mad broke one of the largest CDN networks in the world.

Fig. 2. Disruption of Cloudflare traffic

Still, why do such incidents happen once every six months rather than every day? Because carriers use external routing databases to verify what they receive from their BGP neighbours. There are many such databases: some are maintained by the registries (RIPE, APNIC, ARIN, AFRINIC), others by independent players (the best known is RADB), and there is a whole set of registries belonging to large companies (Level3, NTT, etc.). It is thanks to these databases that inter-domain routing keeps its relative stability.

There are nuances, however. Routing information is verified on the basis of ROUTE-OBJECTS and AS-SET objects. And while the first implies authorization for part of the IRRDBs, for the second class authorization is absent as a class. That is, anyone can add anyone to their sets and thereby pass the filters of upstream providers. Moreover, uniqueness of AS-SET names across the various IRR databases is not guaranteed, which can lead to surprising effects: a telecom operator that changed nothing on its side suddenly loses connectivity.

Another problem is the way AS-SETs are used. There are two points here:

  • When an operator gains a new customer, it adds them to its AS-SET, but almost never removes them;
  • The filters themselves are configured only on sessions with customers.

As a result, the current state of BGP filtering is a set of gradually degrading filters on customer sessions plus a priori trust in whatever arrives from peers and IP transit providers.

What replaces AS-SET-based prefix filters? The most interesting part is that in the short term, nothing. But additional mechanisms are emerging that complement the work of IRRDB-based filters, and first of all that is, of course, RPKI.

RPKI

In simplified form, the RPKI architecture can be thought of as a distributed database whose records can be cryptographically verified. In the case of a ROA (Route Object Authorization), the signer is the owner of the address space, and the record itself is a triple (prefix, asn, max_length). In essence, the record states the following: the owner of address space $prefix has allowed the AS with number $asn to announce prefixes with a length of no more than $max_length. And routers, using an RPKI cache, can check the pair prefix / first speaker on the path for compliance.

Fig. 3. RPKI architecture

ROA objects have been standardized for a long time, but until recently they remained on paper in the IETF's journal. In my opinion, the reason for this sounds scary: bad marketing. When standardization was completed, the selling point was that ROA protected against BGP hijacks, which was not true. Attackers could bypass ROA-based filters by placing the correct AS number at the start of the path. And as soon as this was realised, the next logical step was to stop using ROA. Indeed, why do we need a technology if it does not work?

Why is it time to change your mind? Because that is not the whole truth. ROA does not protect against malicious activity in BGP, but it does protect against accidental traffic hijacks, for example from static routes leaking into BGP, which are becoming more and more common. Moreover, unlike IRR-based filters, ROV can be applied not only on customer sessions but also on sessions with peers and upstream providers. That is, together with the deployment of RPKI, a priori trust is gradually disappearing from BGP.

Now ROA-based route validation is gradually being deployed by key players: the largest European IX already drops invalid routes; among Tier-1 operators, AT&T stands out, having enabled filters on sessions with peering partners. The largest content providers are also approaching the project. And mid-sized transit operators have already quietly deployed it without telling anyone. Why are all these operators deploying RPKI? The answer is simple: to protect their own outbound traffic from other people's mistakes. That is why Yandex is one of the first in the Russian Federation to enable ROV at the edge of its network.

What happens next?

We have now enabled validation of routing information on sessions with internet exchange points and private peerings. In the near future, validation will also be enabled with upstream traffic providers.


What difference does this make to you? If you want to increase the security of traffic routing between your network and Yandex, we recommend:

  • Sign your address space in the RIPE portal: it is simple and takes 5-10 minutes on average. This will protect our connectivity if someone hijacks your address space by mistake (and this will happen sooner or later);
  • Install one of the open-source RPKI caches (the RIPE validator, Routinator) and enable route validation at the network border: this will take more time, but again will not cause technical difficulties.
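As an added example (not Yandex's code, nor the code of any validator), the Python below implements the check the RPKI section above describes: the (prefix, asn, max_length) triple applied to an announced prefix and its origin AS, with the Valid / Invalid / NotFound outcomes of RFC 6811. It reads validated ROA payloads (VRPs) from a CSV export in the column order "ASN,IP Prefix,Max Length,Trust Anchor" (the layout Routinator's CSV output uses; treated here as an assumption), and it adds the self-check an operator wants before following the first recommendation: which of its own announcements the planned ROAs would leave Invalid or uncovered, so that signing does not cause a self-inflicted outage once routers start dropping Invalid routes. All ASNs and prefixes are constructed from documentation ranges. Note that the check looks only at the origin AS, which is exactly the limitation the text describes.

```python
"""Route Origin Validation (RFC 6811) over a validator's VRP export.

Added example, not Yandex's code. Assumes the CSV layout
"ASN,IP Prefix,Max Length,Trust Anchor" and uses constructed sample data.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class VRP:
    """One (prefix, asn, max_length) triple as described in the text."""
    prefix: Network
    asn: int
    max_length: int


# Constructed sample export: AS64500 may originate 192.0.2.0/24 exactly and any
# part of 2001:db8::/32 down to /48; 198.51.100.0/24 carries an AS0 ROA, which
# authorises nobody (RFC 6483), so any announcement of it is Invalid.
SAMPLE_VRP_CSV = """\
ASN,IP Prefix,Max Length,Trust Anchor
AS64500,192.0.2.0/24,24,example-ta
AS64500,2001:db8::/32,48,example-ta
AS0,198.51.100.0/24,24,example-ta
"""


def parse_vrps(text: str) -> List[VRP]:
    """Parse the CSV export; a missing Max Length means the prefix length itself."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        prefix = ipaddress.ip_network(row["IP Prefix"].strip(), strict=True)
        asn_text = row["ASN"].strip().upper()
        asn = int(asn_text[2:] if asn_text.startswith("AS") else asn_text)
        raw_len = (row.get("Max Length") or "").strip()
        max_length = int(raw_len) if raw_len else prefix.prefixlen
        out.append(VRP(prefix, asn, max_length))
    return out


def validate(vrps: List[VRP], announced: str, origin_asn: int) -> str:
    """RFC 6811 outcome for one route: apply the triple rule to every covering VRP."""
    route = ipaddress.ip_network(announced, strict=True)
    covered = False
    for v in vrps:
        # A VRP covers the route when the announced prefix is equal to or
        # more specific than the VRP prefix (same address family only).
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        # Matched: authorised origin AS and not longer than max_length allows.
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return VALID
    # Covered but never matched is Invalid (this is how an AS0 ROA bites);
    # no covering VRP at all is NotFound and is normally still accepted.
    return INVALID if covered else NOT_FOUND


def announcements_not_valid(
    vrps: List[VRP], announcements: List[Tuple[str, int]]
) -> List[Tuple[str, int, str]]:
    """Pre-signing self-check: our own announcements that the planned VRPs
    would not make Valid, with the state each one would get."""
    result = []
    for prefix, asn in announcements:
        state = validate(vrps, prefix, asn)
        if state != VALID:
            result.append((prefix, asn, state))
    return result


if __name__ == "__main__":
    vrps = parse_vrps(SAMPLE_VRP_CSV)
    # Constructed announcements of "our" AS64500, as seen at the border.
    ours = [("192.0.2.0/24", 64500), ("192.0.2.128/25", 64500),
            ("2001:db8:1::/48", 64500), ("203.0.113.0/24", 64500)]
    for prefix, asn in ours:
        print(prefix, asn, validate(vrps, prefix, asn))
    print("needs attention before signing:", announcements_not_valid(vrps, ours))
```

The second announcement, 192.0.2.128/25, is the typical surprise: the operator deaggregates for traffic engineering but signs a ROA with max_length equal to the prefix length, so its own more-specific becomes Invalid the moment peers enable ROV. Running the self-check against the planned VRPs before publishing them catches exactly that case.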

Yandex also supports the development of a filtering mechanism based on a new RPKI object, ASPA (Autonomous System Provider Authorization). Filters based on ASPA and ROA objects will be able not only to replace the "leaky" AS-SETs, but also to close the problem of MiTM attacks carried out using BGP.

I will talk about ASPA in detail in a month at the next Next Hop conference. Colleagues from Netflix, Facebook, Dropbox, Juniper, Mellanox and Yandex will also speak there. If you are interested in the network stack and its future development, come along: registration is open.

Source: www.habr.com
