Yandex uses RPKI

Hello, my name is Alexander Azimov. At Yandex I develop various monitoring systems and work on the carrier network architecture. But today we are going to talk about the BGP protocol.


Last week Yandex enabled ROV (Route Origin Validation) on its sessions with all peers, as well as at Internet exchange points. Read on to learn why this was done and how it will affect interaction with telecom operators.

BGP and what is wrong with it

You probably know that BGP was designed as an interdomain routing protocol. Along the way, however, its number of use cases kept growing: today BGP, thanks to numerous extensions, has turned into a message bus that covers tasks from operator VPNs to the now-fashionable SD-WAN, and has even found use as the transport for SDN-like controllers, turning the distance-vector BGP into something resembling a link-state protocol.

Figure 1. BGP SAFI

Why has BGP received (and continues to receive) so many uses? There are two main reasons:

  • BGP is the only protocol that runs between autonomous systems (AS);
  • BGP carries attributes in TLV (type-length-value) format. The protocol is not unique in this, of course, but since nothing can replace it at the interconnections between telecom operators, it is always more convenient to attach one more function to it than to support an additional routing protocol.

So what is wrong with it? In short, the protocol has no built-in mechanism for checking the correctness of the information it receives. In other words, BGP is an a priori trust protocol: if you want to tell the whole world that you are now the owner of the networks of Rostelecom, MTS or Yandex, go right ahead!

IRRDB-based filters: the best of the worst

The question arises: why does the Internet still work under such conditions? Yes, it works most of the time, but it also periodically blows up, leaving entire national segments unreachable. Although hacker activity in BGP is growing too, most anomalies are still caused by mistakes. This year's example is a small operator's error in Belarus, which made a significant part of the Internet unreachable for MegaFon users for half an hour. Another example is a "BGP optimizer" gone wild that broke one of the largest CDN networks in the world.

Figure 2. Cloudflare traffic interception

But still, why do such outages happen once every six months rather than every day? Because carriers use external databases of routing information to check what they receive from their BGP neighbours. There are many such databases: some are maintained by the registries (RIPE, APNIC, ARIN, AFRINIC), others by independent players (the best known is RADB), and there is also a whole set of databases run by large companies (Level3, NTT and others). It is thanks to these databases that interdomain routing keeps its relative operational stability.

There are nuances, however. Routing information is checked against ROUTE objects and AS-SET objects. While the former imply authorization in at least part of the IRRDBs, the second class has no authorization at all. That is, anyone can add anyone to their own set and thereby pass through the filters of upstream providers. Moreover, uniqueness of AS-SET names across different IRR databases is not guaranteed, which can produce surprising effects such as a sudden loss of connectivity for a telecom operator that, for its part, has not changed anything.

Another problem is the way AS-SETs are used in practice. There are two points here:

  • when an operator gets a new customer, it adds the customer to its AS-SET, but almost never removes it;
  • the filters themselves are configured only on interfaces facing customers.

As a result, the current state of BGP filtering is gradually degrading filters at customer-facing interconnections and a priori trust in whatever comes from peers and IP transit providers.

What is replacing AS-SET-based prefix filters? The most interesting thing is that, in the short term, nothing. But additional mechanisms are emerging that complement the work of IRRDB-based filters, and first of all, of course, that is RPKI.

RPKI

In a simplified view, the RPKI architecture can be thought of as a distributed database whose records can be cryptographically verified. In the case of a ROA (Route Origin Authorization), the signer is the holder of the address space, and the record itself is a triple (prefix, asn, max_length). Essentially, this record states the following: the holder of the address space $prefix has authorized the AS number $asn to announce prefixes from it with a length not exceeding $max_length. Routers, using an RPKI cache, can then check the pair (prefix, origin AS), where the origin AS is the rightmost AS in the AS_PATH, against these records.

Figure 3. RPKI architecture

ROA objects were standardized a long time ago, but until recently they remained only on paper in the IETF archive. In my opinion, the reason for this sounds alarming: bad marketing. After standardization was complete, the pitch was that ROA protects against BGP hijacking, which was not true. An attacker can easily bypass ROA-based filters by placing the correct origin AS number at the origin position of the path. And as soon as this became clear, the next logical step was to abandon the use of ROA. Indeed, why would we need a technology that does not work?

Why is it time to change your mind? Because this is not the whole truth. ROA does not protect against hacker activity in BGP, but it does protect against accidental traffic hijacks, for example the static leaks in BGP that are becoming more and more common. Moreover, unlike IRR-based filters, ROV can be applied not only on customer interconnections but also on interconnections with peers and upstream providers. In other words, with the introduction of RPKI, a priori trust is gradually disappearing from BGP.
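The following is an added example, not code from the original article or from Yandex, that implements the origin check described above for the (prefix, asn, max_length) triples: the three RFC 6811 outcomes (Valid, Invalid, NotFound), the max_length rule, multiple authorized origins for one prefix, and IPv6 as well as IPv4. It also reproduces the bypass discussed earlier: a forged-origin hijack, in which the attacker's AS appends the legitimate origin AS to the path, is still classified Valid because ROV inspects only the origin. The ROAs, AS numbers and routes are constructed samples using documentation ranges, and the `apply_policy` mapping is an assumed typical operator policy rather than anything the article prescribes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One ROA record as the article describes it: (prefix, asn, max_length)."""
    prefix: str
    asn: int
    max_length: int


# Constructed sample ROAs (documentation prefixes and private ASNs, not real RPKI data).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 64496, 24),     # only the /24 itself may be announced by AS64496
    ROA("198.51.100.0/22", 64497, 24),  # AS64497 may announce the /22 and anything down to /24
    ROA("198.51.100.0/22", 64498, 22),  # a second origin is also authorized, but only for the /22
    ROA("2001:db8::/32", 64496, 48),    # IPv6 works the same way
]


def rov_state(route_prefix: str, origin_asn: int, roas) -> str:
    """Route Origin Validation as in RFC 6811.

    NotFound: no ROA covers the prefix.
    Valid:    at least one covering ROA names this origin AS and the prefix
              length does not exceed that ROA's max_length.
    Invalid:  the prefix is covered, but no ROA satisfies both conditions.
    """
    net = ipaddress.ip_network(route_prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def validate_announcement(route_prefix: str, as_path, roas) -> str:
    """ROV checks only the origin: the last (rightmost) AS in AS_PATH."""
    return rov_state(route_prefix, as_path[-1], roas)


def apply_policy(state: str) -> bool:
    """Assumed typical deployment policy: reject Invalid, accept Valid and NotFound.

    NotFound has to be accepted because most of the routing table is still unsigned.
    """
    return state != "Invalid"


def demo():
    """Constructed announcements as (prefix, AS_PATH) seen by a router in AS64500's neighbour."""
    cases = {
        "legitimate": ("192.0.2.0/24", [64500, 64496]),
        "wrong origin hijack": ("192.0.2.0/24", [64500, 64666]),
        "more specific beyond max_length": ("198.51.100.0/25", [64500, 64497]),
        "second authorized origin": ("198.51.100.0/22", [64500, 64498]),
        "ipv6 within max_length": ("2001:db8:1::/48", [64500, 64496]),
        "no ROA at all": ("203.0.113.0/24", [64500, 64666]),
        # Forged-origin hijack: AS64666 appends the legitimate origin AS64496,
        # so the origin check passes although AS64666 is not on the real path.
        "forged origin hijack": ("192.0.2.0/24", [64500, 64666, 64496]),
    }
    return {name: validate_announcement(p, path, SAMPLE_ROAS) for name, (p, path) in cases.items()}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:32s} {state:9s} {'accept' if apply_policy(state) else 'reject'}")
```

The "wrong origin hijack" and "more specific beyond max_length" cases are exactly the accidental leaks and fat-finger announcements that ROV catches; the "forged origin hijack" case shows why ROA alone is not a defence against a deliberate attacker, which is the gap the ASPA work mentioned later in the article is meant to close.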

ROA-based route checking is now gradually being rolled out by key players: the largest European IX already drops invalid routes; among Tier-1 operators, AT&T stands out, having enabled filters on interconnections with its peers. The largest content providers are also getting close to it. And dozens of mid-sized transit operators have already done it quietly, without telling anyone. Why are all these operators deploying RPKI? The answer is simple: to protect their outbound traffic from other people's mistakes. That is why Yandex is one of the first in the Russian Federation to enable ROV at the edge of its network.

What happens next?

We have now enabled validation of routing information on interconnections at Internet exchange points and on private peering. In the near future, validation will also be enabled towards transit providers.


What does this mean for you? If you want to improve the security of traffic routing between your network and Yandex, we recommend:

  • Sign your address space in the RIPE portal. It is easy and takes 5-10 minutes on average. This protects our connectivity if someone hijacks your address space without your knowledge (and sooner or later this will happen);
  • Install one of the open-source RPKI caches (ripe-validator, routinator) and enable route validation at your network border. This takes more time, but, again, it should not cause technical problems.

Yandex also supports the development of a filtering system based on a new RPKI object, ASPA (Autonomous System Provider Authorization). Filters built on ASPA and ROA objects together can not only replace "leaky" AS-SETs, but also close the issue of MiTM attacks carried out through BGP.

I will talk about ASPA in more detail in a month at the Next Hop conference. Speakers from Netflix, Facebook, Dropbox, Juniper, Mellanox and Yandex will also present there. If you are interested in the network stack and its future development, come along; registration is open.

Source: www.habr.com
